Digital Certificates

Public key encryption is more secure than secret key encryption, but implementing it on a large scale is more difficult to manage. If public keys are posted to the Internet without any oversight, someone could provide a public key that purports to be that of another user. Data encrypted with that key, intended for the user whose name was attached to it, could then be intercepted and read by the unauthorized person who posted the key under the fraudulent name.

To verify a user's or computer's identity, we need a mechanism by which a trusted third party confirms that the user or computer advertising the public key is in fact who he, she, or it claims to be.

This is the function of a digital certificate. The way a driver's license or state ID card works is a useful analogy. Persons with whom you do business may require that you prove your identity by providing such a document. Because the document was issued by a trusted third party—in this case, the state government or Department (or Bureau) of Motor Vehicles—the potential business partner accepts it as proof of your identity, just as another computer with which you want to exchange data or make transactions accepts the digital certificate as proof of your identity.

In the case of digital certificates, the trusted third party is a certification authority (CA). The CA verifies that a particular identity is bound to the public key that is included in the certificate.

A digital certificate issued by a Windows 2000 CA is shown in Figure 9.1.

Figure 9.1. Digital certificates contain information about the user and certificate.


The digital certificate contains the following components:

  • The public key

  • Information about the user

  • Certificate information (such as expiration date, issuing authority, and so on)

  • Digital signature(s) of the issuing entity
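The following Go program is an added example, not code from the book, showing how these four components come together and how a relying party uses them. A self-signed root CA issues a certificate binding the name "alice" to a freshly generated public key; `verifyAgainst` then accepts that certificate only if its signature chains to the trusted CA and its subject name is the one expected, so a key published under Alice's name by an untrusted issuer is rejected. The names, validity period, and the `makeCert`/`verifyAgainst` helpers are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a certificate for name; with parent == nil it is a self-signed root CA.
func makeCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the subject's key pair
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed; a real CA tracks serials
		Subject:      pkix.Name{CommonName: name},       // information about the user
		NotBefore:    time.Now().Add(-time.Hour),        // certificate information (validity)
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // no issuer given: this certificate is its own trust anchor
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	// CreateCertificate embeds key.PublicKey and appends the issuer's signature.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyAgainst is the relying party's check: a trusted issuer's signature and the expected name.
func verifyAgainst(cert, trustedCA *x509.Certificate, expectedName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err // unknown authority, expired, or bad signature
	}
	if cert.Subject.CommonName != expectedName {
		return fmt.Errorf("certificate is for %q, not %q", cert.Subject.CommonName, expectedName)
	}
	return nil
}
```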

We discuss digital certificates and CAs in more detail later in the chapter, in the section “Introduction to PKI.”
