Establish authentication through the use of digital certificates.
Digital Certificates - Establish authentication
In e-commerce, authentication and secure transactions occur in two fundamental ways:
Public key algorithms allow relatively secure data exchange, so that packets sniffed as they cross the Web cannot be read by an attacker.
Digital certificates prove a server's identity to support authentication and establish encryption.
Digital certificate: A way to prove your identity. You can use it to encrypt and decrypt messages from individuals and servers.
In technical terms, it is a public key that has been signed by a certificate authority.
Digital certificates are the primary means of authenticating unknown users.
Creating digital certificates
Creating a digital certificate involves generating a key pair, then getting the public key signed by a certificate authority (CA). There are many different ways to generate keys. IIS 4.0, for example, contains its own key generator. An e-commerce site must get its public key signed by a respected CA.
CAs are to the digital world what notaries public are to the physical world: trusted third parties. A CA's job is to verify the identity of an individual or organization before endorsing a key and creating a certificate. When it is satisfied, the CA digitally signs the key using a hash algorithm and its private key. Then anyone who has the CA's public key can verify the signature. Most browsers already have the public keys of most CAs. If you trust the CA, you can trust that the certificate holder is who he or she claims to be. You should note that this process simply authenticates a user, host, or site to many people. Digital certificates are not the same as digital signatures.
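The signing and verification steps described above, as an added example that is not part of the original lesson. It is a simplified model: the certificate is a plain dictionary rather than X.509, the signature is unpadded textbook RSA (real CAs use padded signatures), and the names "Demo CA", "shop.example" and the keys built from known Mersenne primes are constructed for the demonstration and offer no security.

```python
import hashlib

E = 65537  # widely used RSA public exponent

def make_keypair(p, q):
    """Return (public, private) RSA keys built from two primes."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)

def digest(subject, subject_pub, n):
    """Hash the certificate body (name + public key) to an integer below n."""
    body = f"{subject}|{subject_pub[0]:x}|{subject_pub[1]:x}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def issue(ca_name, ca_priv, subject, subject_pub):
    """CA side: sign the hash of (subject, public key) with the CA private key."""
    n, d = ca_priv
    sig = pow(digest(subject, subject_pub, n), d, n)
    return {"subject": subject, "public_key": subject_pub,
            "issuer": ca_name, "signature": sig}

def verify(cert, trust_store):
    """Client side: check the signature with the issuer's public key, if trusted."""
    ca_pub = trust_store.get(cert["issuer"])
    if ca_pub is None:
        return False  # issuer is not a CA this client trusts
    n, e = ca_pub
    expected = digest(cert["subject"], cert["public_key"], n)
    return pow(cert["signature"], e, n) == expected

# Constructed demo keys from known Mersenne primes: trivially factorable.
CA_PUB, CA_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
SITE_PUB, _SITE_PRIV = make_keypair(2**127 - 1, 2**89 - 1)
_OTHER_PUB, OTHER_PRIV = make_keypair(2**107 - 1, 2**61 - 1)
TRUST_STORE = {"Demo CA": CA_PUB}  # CA public keys shipped with the browser

def demo():
    cert = issue("Demo CA", CA_PRIV, "shop.example", SITE_PUB)
    altered = dict(cert, subject="other.example")  # body changed after signing
    # Same issuer name, but signed with a key that is not the trusted CA's.
    wrong_key = issue("Demo CA", OTHER_PRIV, "shop.example", SITE_PUB)
    unknown_ca = dict(cert, issuer="Unlisted CA")
    return [verify(c, TRUST_STORE) for c in (cert, altered, wrong_key, unknown_ca)]

if __name__ == "__main__":
    print(demo())
```

Only the certificate actually signed with the trusted CA's private key verifies; changing the signed body, signing with a different key, or naming an issuer outside the trust store all fail.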
The most widely accepted CA on the Internet is VeriSign Technology. VeriSign's digital IDs feature strong cryptographic techniques to ensure that they are not tampered with or forged. VeriSign's e-commerce grade certificates use an RSA 1024-bit key for protection.
To ensure the integrity of the IDs issued by VeriSign, its facilities use comprehensive security systems, including multilevel physical access controls, biometric scanners, and sound firewall technology. If VeriSign's master CA key were ever stolen, all certificates issued by VeriSign would be compromised. As you can see, the practice of authentication using digital certificates is highly trust oriented and hierarchical; if one element is compromised, then all other elements are compromised.
Personal and server certificates from VeriSign
Currently, VeriSign offers two types of personal certificates, Level 1 and Level 2. Levels 3 and 4 are proposed. Level 1 certificates use only email recipient verification. Level 2 certificates require additional information, such as driver's license and social security number. VeriSign checks this information for authenticity.
VeriSign issues server certificates on a domain name basis. When a company registers for a server certificate, information about the company is requested. VeriSign performs a Dun & Bradstreet search on the company to verify that the information supplied is true.
One additional benefit of VeriSign is insurance. VeriSign backs its certificates with varying amounts of insurance that guarantee the security of the certificate. If the certificate is forged and is used to damage the individual or organization, the insurance will reimburse up to the limit set for each individual certificate.
In the next lesson, we will introduce the concept of a public key infrastructure (PKI).
Certificate authority (CA): A respected, trusted body that creates and manages certificates. A certificate authority signs other people's certificates and acts as a trusted third party. You can obtain personal, software publisher, server, and certificate authority certificates, depending on your needs.
Trust: A trust relationship is a logical link that combines two domains into a single administrative unit. With appropriate trust relationships in place, users from a trusted domain can access resources in a trusting domain transparently.