What are the different authorities involved in the process of issuing a digital certificate?

5.3.4 Digital Certificate

Digital certificate is an electronic file which can be used to verify the identity of a party on the Internet. We can consider it an “electronic passport.” Both individuals and corporations can be identified by checking the digital certificate. We trust a passport because we trust that the issuing body (i.e., the government in this case) does a good job in identifying the passport holder. However, there are some governments with corrupted officers or poor efficiency. The strength of identification depends on the trustworthiness of the issuing government.

Digital certificate is similar to the passport case. It is issued by an organization called a certificate authority (CA). However, there are many CAs which can issue the digital certificates. An attacker can also issue a certificate to himself. In addition to checking the digital certificate, users must check the issuing body. Unfortunately users have very limited knowledge on the trustworthiness of CAs. Corporations should protect a list of trusted CAs to their users.

2.2.1.1.3 User Certificates

Digital certificates can also be used to authenticate users. Digital certificates contain a unique key pair that is associated with the certificate. This is how certificates can be differentiated from one another. There is a certain type of digital certificate called a user certificate that is specifically designed for user authentication. After the certificate is created, the certificate is then mapped back to a user account. This user account is used to determine what access the user should have. When the user attempts to access a resource, a certificate will be requested. Depending on the client device and server configuration, a user certificate may automatically be submitted or the user may have to specify which certificate to submit. The certificate is accepted by the resource and processed. During the processing, the backend authentication system will look up the certificate and find the corresponding user account for that certificate. This information is then submitted to the resource. The resource will then make authorization decisions based on the user account.

In order to use certificate-based authentication, the certificate must be somehow stored and transported. There are a few options. One option is to have the operating system on your computer storing the certificate. The problem with this is that the certificate is not portable. You can only use it from that system. Another, more popular alternative is to use a smartcard. A smartcard uses integrated circuits to store the digital certificate. When you attempt to access a resource and the site requests a certificate, you type in your PIN to unlock your smartcard and the certificate is submitted to the resource. Smartcards also have a portability issue. They require specialized hardware (smartcard readers) to be attached to computer systems to enable and allow the systems to retrieve information from the smartcards. The need for this personalized hardware is the reason smartcards haven’t taken off for Internet application authentication, compared to their adoption at the enterprise level.

Understanding the Function of a PKI

Digital certificates are becoming more and more common in today's computing environment. These certificates offer a way for individuals to verify the authenticity of e-mail messages, encrypt files, and so on. Several third-party organizations have been providing digital certificates or other key services for a number of years. There can be a number of drawbacks to relying solely on third-party certificate providers to generate and verify user keys. One of the most significant roadblocks is cost. While the per-user cost of issuing a valid certificate has decreased recently, it can still be cost-prohibitive for a large organization to rely solely on external resources for certificate security. Ease of management is another drawback. Again, managing certificates through an external organization can be cumbersome, confusing, and time-consuming, especially for large organizations.

With a Windows-based network infrastructure, you have the option of developing and hosting your own PKI within your organization. Microsoft provides a number of tools for creating and managing digital certificates within Active Directory. There are a number of advantages to using an internal PKI structure. First, there is no per-user cost to generate digital certificates. So these certificates can be created for every individual within the organization, no matter how large. Second, certificates can be managed internally. You can monitor use of certificates within the organization and automatically revoke certificates when a user leaves the organization or no longer has the need to use a certificate. One of the drawbacks to using a completely internal PKI is that of trust. If all your certificates are generated and managed internally, you may have difficulty getting external organizations to recognize the validity of the certificates created within your organization.

The most complete implementation of a PKI includes certificates generated internally and externally. Acquiring a certificate from a trusted third-party organization lends credence to the validity of certificates used in your organization. Generating and managing internal certificates cuts down on the costs associated with public key security. Ultimately, how you implement your PKI depends largely on the needs you have for public key security within your organization.

Certificate Authorities and Organizational Registration Authorities

Digital certificates are issued by Certificate Authorities (CAs). Organizational Registration Authorities (ORAs) authenticate the identity of a certificate holder before issuing a certificate to them. An organization may operate as a CA or ORA (or both).

CAs may be private (run internally) or public (such as VeriSign or Thawte). Anyone off the street cannot simply request and receive a certificate for www.ebay.com, for example; they must prove that they have the authority to do so. This authentication is done by the CA, and can include business records research, emails sent to domain contacts, and similar methods.

Certificates

Digital certificates are nothing more than a way to verify your identity through a CA using public key cryptography. NetScreen appliances support the use of digital certificates as a method of validating your identity during VPN negotiations. There are certain steps you must take before you can use a certificate to validate your identity. First, you must generate a certificate request from within the NetScreen appliance. When this is done, the NetScreen appliance generates a public/private key pair. You then send a request with the public key to your CA. A response, which incorporates the public key, will be forwarded to you that will have to be loaded into the NetScreen appliance. This response generally includes three parts:

The CA's certificate, which contains the CA's public key.

The local certificate identifying your NetScreen device.

In some cases a certificate revocation list (CRL). This lists any certificates revoked by the CA.

You can load the reply into the NetScreen device either through the WebUI or via TFTP (Thin File Transport Protocol) through the CLI (command line interface), whichever you prefer. Loading the certificate information into NetScreen gives us the following:

Your identity can be verified using the local certificate.

The CA's certificate can be used to verify the identity of other users.

The CRL list can be used to identify invalid certificates.

Public Key Infrastructure

Public Key Infrastructure (PKI) leverages all three forms of encryption to provide and manage digital certificates. A digital certificate is a public key signed with a digital signature. Digital certificates may be server-based or client-based. If client and server certificates are used together, they provide mutual authentication and encryption. The standard digital certificate format is X.509.

Certificates

Digital certificates are nothing more than a way to verify your identity through a CA using public key cryptography. There are certain steps you must take before you can use a certificate to validate your identity. First, you must generate a certificate request from within the VPN appliance. Then, the VPN appliance generates a public/private key pair. You then send a request with the public key to your CA. A response, which incorporates the public key, will be forwarded to you that will have to be loaded into the VPN appliance. This response generally includes three parts:

The CA’s certificate, which contains the CA’s public key

The local certificate identifying your VPN device

In some cases, a certificate revocation list (CRL), which lists any certificates revoked by the CA

You can load the reply into the VPN device either through the Web UI or via TFTP (Thin File Transport Protocol) through the CLI (command line interface), whichever you prefer. Loading the certificate information into the VPN gives the following:

Your identity can be verified using the local certificate.

The CA’s certificate can be used to verify the identity of other users.

The CRL list can be used to identify invalid certificates.

Computer Identification

An important task in the functioning of the Internet, or any large network, is to verify that the computer the defender is communicating with is the correct one. Early in the development of the Internet, this identification was implicitly asserted with the IP address. Even though there was no formal method protecting the IP address from modification or hijacking in the operation of the IP protocol, in the 1970s the network was a research network shared by a small enough number of people that they all could call one another on the phone. In this environment, it was adequate to know who the operation of an IP address was assigned to in order to trust that the connection was to that computer. This implicit assumption worked its way into several early remote tools, such as rlogin and rcp (remote copy).

Implicit computer identification caused several security problems once the Internet grew large enough. The older remote-access programs (rcp and telnet) have been replaced by programs with more robust authentication that replicate the function, such as scp (secure copy). However, at the most basic level, the IP protocol has not been updated. It is too ingrained in the operation of the network to be easily changed. Efforts have been made, namely IPsec, to improve this situation, however, they have not been adopted on a large scale. In this environment, host identification is an important service that needs to be provided independent of the IP protocol.

Secure Socket Layer (SSL), the new version of which was renamed Transport Layer Security (TLS), is a common distributed computer identification protocol in use on the Internet. The original SSL protocol was developed privately by web browser pioneer Netscape [30], however, it was later standardized publicly by the IETF (Internet Engineering Task Force) as TLS [31]. When a URL (uniform resource locator) begins with https://, rather than just http://, this means “HTTP over SSL/TLS.”

TLS provides a number of security services besides computer identification, and the protocol does not require the parties perform the identification step. However, in practice, most of the services provided by the protocol require at least one computer to identify itself [31, p. 3]. The identification uses asymmetric key cryptography. The crux of the work is done by a network of digital certificates. A discussion of computer identification would be incomplete without an understanding of the digital certificates. In some ways, the digital certificate infrastructure is the keystone of the system, and TLS is just a flexible specification for utilizing the certificates.

Digital certificates are containers for public keys

A digital certificate is a data structure that contains identity information along with an individual's public key and is signed by a certificate authority (CA). By signing the certificate the CA is vouching for the identity of the individual described in the certificate. Therefore RPs can trust the public key also contained in the same certificate.

Bob, the RP, must be certain that this is really Alice's key. He does this by checking the identity of the CA that signed this certificate (how does he trust them in the first place?) and by verifying both the identity and integrity of the certificate through the CA's attached signature. A validity date included in X.509 certificates helps insure against compromised (or out of date and invalid) keys.

The X.509 digital certificate trust model is a very general one. Each identity has a distinct name. The identity must be certified by the CA using some well-defined certification process they must describe and publish in a certification practice statement (CPS). The CA assigns a unique name to each user and issues a signed certificate containing the name and the user's public key.