Page 244 - DCAP403_Operating System
Unit 12: Security Solution
12.11 Certificate Authority Notes
The certifying authority is a digital entity that binds the identity of a person to his public key. The certifying authority certifies that a person is the holder of a valid key pair and that the person's identity has been authenticated by the certifying authority or its agents. The certifying authority thus performs functions that are quasi-governmental and by their very nature require a high degree of trust and security.
A certifying authority creates the digital certificate and digitally signs it using its own private key. When any third party wishes to verify the authenticity of a subscriber's certificate, it uses the CA's public key. The certifying authority thus validates the certificate and establishes a trust model for a third party entering into a transaction with the subscriber.
A digital certificate is defined as a method of electronically verifying the authenticity of an item such as a public key.
A certificate authority will accept a merchant's public key, along with some proof of the identity of the merchant who sends it. Others (correspondents) can then request verification of the merchant's public key from the certificate authority.
Contents of One's Digital Certificate
It includes:
1. Holder's name, organization and address.
2. The name of the certificate authority.
3. Public key of the holder, for cryptographic use.
4. Time limit: these certificates are issued for six months to a year.
5. Class of certificate.
6. Digital certificate identification number.
Class: based on the degree of verification
Class 1: Easiest to obtain; it involves the fewest checks on the user's background (only the name and e-mail address are verified).
Class 2: It includes the user's driver's license, social security number and date of birth, along with the class 1 checks.
Class 3: In addition to the class 2 checks, a check of the user's credit card is added.
Class 4: In addition to the class 3 checks, the user's position within the organization is added.
The higher the class, the higher the degree of verification and hence the higher the fee payable to commercial or government certificate authorities. A Certificate Revocation List (CRL) is maintained by the certificate authority so that users know which certificates are no longer valid. The CRL does not include expired certificates, because each certificate has a built-in expiration. A lost certificate may be revoked.
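The issue-and-verify cycle described above, as an added illustration that is not part of the textbook: the CA signs a digest of the certificate fields with its private key, and a correspondent checks the signature with the CA public key, then the validity window, then the CRL. The RSA key pair is a toy built from fixed small primes and the certificate values are constructed placeholders; a real CA uses a proper cryptographic library and large keys.

```python
import hashlib
import json

# Toy RSA key pair from fixed small primes. Constructed for illustration only;
# it shows the trust model, not a secure parameter choice.
P, Q, E = 1000003, 1000033, 65537
N = P * Q
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)            # CA private exponent (needs Python 3.8+)
CA_PUBLIC_KEY = (N, E)          # what every correspondent holds
CA_PRIVATE_KEY = (N, D)         # what only the CA holds

def digest(fields):
    """Hash the certificate contents; the CA signs this digest, not the raw text."""
    data = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def issue_certificate(fields, private_key):
    """CA side: bind the holder's identity to the public key and sign it."""
    n, d = private_key
    return {"fields": fields, "signature": pow(digest(fields), d, n)}

def verify_certificate(cert, ca_public_key, crl, now):
    """Third-party side: check CA signature, then validity window, then CRL."""
    n, e = ca_public_key
    fields = cert["fields"]
    if pow(cert["signature"], e, n) != digest(fields):
        return "bad signature"    # contents altered or not signed by this CA
    if not fields["not_before"] <= now <= fields["not_after"]:
        return "expired"          # built-in expiration; never listed in the CRL
    if fields["serial"] in crl:
        return "revoked"          # e.g. holder reported the key pair lost
    return "valid"

# Constructed sample certificate carrying the six items listed in the text.
SAMPLE_FIELDS = {
    "holder": {"name": "A. Merchant", "org": "Example Shop", "address": "1 Example St"},
    "ca": "Example CA",
    "public_key": 123456789,                     # holder's key, placeholder value
    "not_before": 1_700_000_000,
    "not_after": 1_700_000_000 + 180 * 86400,    # six-month validity
    "class": 2,
    "serial": 42,                                # certificate identification number
}

if __name__ == "__main__":
    cert = issue_certificate(SAMPLE_FIELDS, CA_PRIVATE_KEY)
    print(verify_certificate(cert, CA_PUBLIC_KEY, crl=set(), now=SAMPLE_FIELDS["not_before"] + 1))
```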
One encryption system is not ideal for all situations, so more than one encryption method can be used together. The table below shows a few of the algorithms used by PGP (Pretty Good Privacy).
Function             Algorithms used   Process
Message encryption   IDEA, RSA         1. Use IDEA with a one-time session key generated by the sender to encrypt the message.
                                       2. Encrypt the session key with RSA using the recipient's public key.
Digital signature    MD5, RSA          1. Generate a hash code of the message with MD5.
                                       2. Encrypt the message digest with RSA using the sender's private key.
LOVELY PROFESSIONAL UNIVERSITY 237