
Tuesday, 22 October 2013

certificate, digital

The ability to use public key encryption over the Internet makes it possible to send sensitive information (such as credit card numbers) to a Web site without electronic eavesdroppers being able to decode it and use it for criminal purposes (see encryption and computer crime and security). Any user can send information by using a person or organization's public key, and only the owner of that key pair (the holder of the matching private key) will be able to decode that information.

However, the user still needs assurance that a site actually belongs to the company that it says it does, rather than being an imposter. This assurance can be provided by a trusted third party called a certification authority (CA), such as VeriSign, Inc. The CA verifies the identity of the applicant and then provides the company with a digital certificate, which is actually the company's public key encrypted together with a key used by the CA and a text message. (This is sometimes called a digital signature.) When a user queries the Web site, the user's browser uses the CA's public key to decrypt the certificate holder's public key. That public key is used in turn to decrypt the accompanying message. If the message text matches, this proves that the certificate is valid (unless the CA's private key has somehow been compromised).

The supporting technology for digital certification is included in a standard called Secure Sockets Layer (SSL), which is a protocol for sending encrypted data across the Internet. SSL is supported by leading browsers such as Microsoft Internet Explorer and Netscape. As a result, digital certification is usually transparent to the user, unless the user is notified that a certificate cannot be verified.

Digital certificates are often attached to software such as browser plug-ins so the user can verify before installation that the software actually originates with its manufacturer and has not been tampered with (such as by introduction of a virus).

The use of digital certification is expanding. For example, VeriSign and the federal General Services Administration (GSA) have begun an initiative called ACES (Access Certificates for Electronic Services) that will allow citizens a secure means to send information (such as loan applications) and to view benefits records. The IRS has a pilot program for accepting tax returns that are digitally certified and signed.
