Digital certificates - the basis for secure communication
Mar 11, 2022
Digital certificates are the basis for secure communication on the internet. They are used to authenticate communication partners and initialise encryption. Therefore, users should be familiar with some basics on this topic.
Digital certificates are used to authenticate participants on the internet. However, they are also the basis for most types of transport encryption. Nowadays, data should no longer be transmitted in plain text in public networks. In order to be able to use secure encryption, however, it is necessary that the keys used have been exchanged between the communication partners on a protected channel beforehand.
If the data transfer takes place between two previously unknown participants, as is the rule when sending e-mails or calling up any website, special requirements must be met for establishing the secure connection. An essential requirement is to contact the correct addressee. In addition, the exchange of keys is often secured by asymmetric encryption procedures - for which a public and a private key are necessary. Both can be guaranteed with the use of digital certificates.
How do digital certificates work
Digital certificates are files that conform to a pre-determined format. Among other things, they contain the following contents:
- Holder: This is the person or company for whom the certificate was created.
- Validity: Certificates are only valid for a limited time, but usually for several years.
- Public key: The certificate contains the public key of the holder, which can be retrieved by third parties to initialise an encrypted connection or to verify the holder's identity.
- Issuer: The issuing certificate authority is listed here.
- Digital signature: Hash value of the certificate encrypted with the issuer's private key.
It is essential to be able to verify the content and issuer using the digital signature. The principle of asymmetric encryption is also used for this. With this form of encryption, there is a public and a private key. Content encrypted with one of the two can only be decrypted with the other.
A hash value is created over the content of the issued certificate. This is a unique "fingerprint" of the data set, which is calculated using a cryptological algorithm. This hash value is encrypted with the private key of the certificate issuer. Anyone who subsequently wants to check the content of the certificate can decode the hash value again with its public key and compare it with the content. If an attacker falsifies the data record and encodes it with his private key, a false hash value will inevitably be displayed if the decoding is done with the public key of the correct issuer. This makes it possible to check digital signatures for correctness.
Public key infrastructure as the basis of trust
A public key infrastructure (PKI) is necessary for issuing and managing certificates. There, a Certificate Authority is responsible for signing issued certificates. Corresponding registration authorities (RA) take over the identity verification of an applicant. They then vouch, so to speak, for the contents entered in the certificate. A PKI is usually structured hierarchically. Thus, providers can also be subordinate to the main certification authorities. As in a branching tree, the next higher instance can be traced and verified by means of the signature.
Digital certificates of the upper instances (root) are usually stored in the processing software, for example in web browsers. This makes it possible for a browser to check the correctness of a certificate of a website that is to be called up via HyperText-Transfer-Protocol-Secure (HTTPS). The PKI provides a directory service in which the issued certificates are stored. There is also a revocation list, the so-called Certificate Revocation List. Revoked certificates are stored in this list.
Types and use cases of certificates
Various standards for digital certificates have emerged over the years. Among the best known are:
- X.509: This international standard is widespread and is used, among other things, to establish encrypted connections on the Internet. The HTTPS protocol, for example, uses X.509 certificates for authentication and key exchange. They are also used for SecureShell (SSH). E-mail encryption via S/MIME also uses X.509 certificates.
- PGP: The Pretty Good Privacy standard is also known from the encryption of e-mails. The user can create the corresponding certificate files himself, for example with the software GPG. The owner is then responsible for publishing his public key. He can do this, for example, via key servers and on his website.
- CVC: Card-Verifiable-Certificates are compact certificates that can be stored on smart cards and electronic ID cards, for example.
For commercial use, it is recommended to use only certificates from recognised service providers. Otherwise, there may be a risk of warning messages being displayed when establishing a connection and unsettling customers.
Verify digital certificates
In principle, the verification is automated by the accessing software after the correct setup. The best known is the certificate check in the browser. All common web browsers display a corresponding symbol, often a lock, when accessing an encrypted web server.
A distinction can still be made between different validation classes of the providers:
- Domain-validated certificates (DV): Here, the registration authority checks whether it is the owner of the domain who also has access to the deposited mail address.
- Organisation-validated certificates (OV): With this form of validation, the existence of the company or organisation is checked on the basis of submitted documents and criteria such as a published telephone number.
- Extended validated certificates (EV): Here, separate identity checks of the applicants and, for example, checks against the commercial register are carried out. This protection class is marked with a green address bar in some browsers.
In addition, the user can display the certificates used in the browser by clicking on the lock symbol. All stored information is displayed in corresponding submenus.
In mail programmes, certificates for end-to-end encryption must be integrated once. Afterwards, they are accessible in the settings and can be viewed. It is different with digital signatures that are sent by third parties with an e-mail. Programmes such as Microsoft Outlook show the signature with a small symbol. The recipient of a message can call up the corresponding details by clicking on the symbol.
Digital certificates - you can't do without them
The use of digital certificates signed by a PKI has become indispensable in modern communication technology. They are used for all activities via the browser, in the Virtual Private Network (VPN) and for e-mail transmission. This usually happens in the background. However, since digital certificates are something like an identity card of the communication partner, the user's alarm bells should ring immediately in the event of any discrepancies. Sensitive transactions must not be carried out if there are doubts about the integrity of a digital certificate.