A scribbled signature may have been enough to verify your identity 20 years ago, but today’s online world requires more advanced — and authenticated or encrypted — methods of proving who, or what, you are online or within a digital environment.
Enter digital certificates — an authentication method that has an increasingly widespread role in today’s online world. Found in e-mails, mobile devices, machines, websites, advanced travel documents and more, digital certificates are the behind-the-scenes tool that helps keep identities and information safe.
What are digital certificates?
Developed during the eCommerce boom of the 1990s, digital certificates are electronic files that are used to identify people, devices and resources over networks such as the Internet.
Digital certificates also enable secure, confidential communication between two parties using encryption. When you travel to another country, your passport provides a way to establish your identity and grant you entry. Digital certificates provide similar identification in the electronic world.
Certificates are issued by a certification authority (CA). Much like the role of the passport office, the responsibility of the CA is to validate the certificate holder’s identity and to “sign” the certificate so that it is trusted by relying parties and cannot be tampered with or altered.
Once a CA has signed a certificate, the holders can present their certificate to people, websites and network resources to prove their identity and establish encrypted, confidential communication. A standard certificate typically includes a variety of information pertaining to its owner and to the CA that issued it, such as:
- The name of the holder and other identification information required to identify the holder, such as the URL of the Web server using the certificate, or an individual’s e-mail address
- The holder’s public key, which can be used to encrypt sensitive information for the certificate holder or to verify his or hers digital signature
- The name of the certification authority that issued the certificate
- A serial number
- The validity period (or lifetime) of the certificate (i.e., start and end date)
- The length and algorithm of any keys included.
In creating the certificate, the identity information is digitally signed by the issuing CA. The CA’s signature on the certificate is like a tamper-detection seal on packaging — any tampering with the contents is easily detected.
Digital certificates are based on public-key cryptography, which uses a pair of keys for encryption and decryption. With public-key cryptography, keys work in pairs of matched “public” and “private” keys.
In cryptographic systems, the term key refers to a numerical value used by an algorithm to alter information, making that information secure and visible only to individuals who have the corresponding key to recover the information.
The public key can be freely distributed without compromising the private key, which must be kept secret by its owner. Since these keys only work as a pair, an operation (e.g., encryption) executed with the public key can only be undone or decrypted with the corresponding private key, and vice versa. A digital certificate can securely bind your identity, as verified by a trusted third party, with your public key.
Core to a digital world
At one point, the use of digital certificates was limited to secure sockets layer (SSL) implementations and public key infrastructure (PKI) environments. And while those remain two cornerstones for the technology, their value has been realized and expanded to help secure people, machines, devices and environments alike.
The SSL start
The use of SSL digital certificates to encrypt transmissions between Web browsers and Web servers remains a monumental development of the eCommerce boom. From Internet shopping to online-banking to Web-based stock trading, SSL certificates were the catalyst for innovation that made today’s online world possible.
Based on a publicly trusted certificate, SSL technology was created to help prevent theft, fraud and other criminal activity within the new online frontier. Personal data had to be protected, credit card numbers secured, and transactions safeguarded. And while SSL technology has advanced since, the understanding gained from its development has helped extend digital certificates to secure all aspects of today’s connected world.
In your everyday devices
An electronic document that is embedded into a hardware device and can last as long as the device is used, a device certificate’s purpose is similar to that of a driver’s license or passport: it provides proof of the device’s identity and, by extension, the identity of the device owner.
Popular examples of devices that are secured by certificates include cable-ready TVs, smart meters, mobile smartphone devices, wireless routers, satellite receivers and others. Using device certificates helps protect services from unauthorized access, possibly by cloned devices. Typically, an organization injects certificates into devices that are then distributed across a large user base.
Protecting your identity
A technology that is rarely seen but always relied upon, digital certificates help secure important identity aspects of everyday lives. Specialized digital certificates authenticate identities everywhere from typical office environments to border security checkpoints.
Also, as the backbone of the ePassport trust infrastructure, PKI and digital certificates help secure domestic and international borders by implementing technology that makes it difficult for criminals to duplicate, deceive or circumvent identity documents.
Securing the machines
By issuing certificates to machines, organizations permit authorized machines to access a network by authenticating to other machines, devices or servers — typically in either Microsoft Windows or UNIX environments — using a certificate. This allows authorized machines to access and share confidential data. Many other solutions for securing networks, including firewalls or network isolation (which prevents access to the Intranet/Internet), are either susceptible to attack or are not practical. Using certificate-based authentication for machines is the best way to secure a network.
This approach prevents unauthorized machines from accessing a network; encrypts machine-to-machine communication; and permits machines, both attended and unattended, to authenticate to the network over a wired or wireless network connection. Typical deployment scenarios include hospitals, law enforcement, government and more.
Popular with enterprises, desktop certificates enable secure e-mail, file and folder encryption, secure remote access (VPN) and the secure use of electronic forms and PDFs. As data breaches, identity theft and information loss continue being commonplace occurrences, digital certificates in the enterprise enable organizations to solve security challenges quickly, easily and in a cost-effective manner.
While there are many factors that contribute to the increase of use of digital certificates, one of the most compelling is the widespread presence of mobile devices. From 8-year-olds to retired grandparents, many people have now access to or use mobile devices daily. And many of those devices are embedded with a digital certificate that authenticates its identity and ties it to the owner.
According to a recent Gartner report, global mobile phone end-user sales grew 35 percent in Q3 2010 over Q3 2009, accounting for 417 million devices sold. The report also noted that smartphone growth increased 96 percent in the third quarter compared to 2009. With many of these brands and models either including digital certificates out of the box or providing the option to install them, the increase in digital certificate use is easy to understand.
Of course, the ubiquity of mobile devices isn’t the only catalyst. As digital certificate products and capabilities become available from different vendors, the cost of implementing them decreases.
But this raises an important question: is it all happening too fast? The answer is yes – in some cases. As organizations rely more and more on digital certificates, they can be overwhelmed with the day-to-day management of large certificate pools.
It’s really not an arduous chore if you have only a handful of digital certificates, but many organizations deploy thousands of digital certificates with their products, services and even within the organization itself. Without a proven system in place, it’s easy to lose track of thousands of expiry dates, deployment locations and certificate copies, not to mention errors introduced by the human element.
So, what’s the best approach for mitigating these difficulties? To date, one of the most relied upon methods is to employ a two-pronged strategy — certificate discovery and management.
The most trusted and successful security vendors offer certificate discovery services that use network scans to search for certificates on both internal and external hosts. This solution can typically be configured to scan given IP addresses or IP ranges, looking for certificates, with a goal of exposing potential problems on the network.
Certificate discovery solutions often highlight pending issues such as certificates about to expire or certificates from unauthorized vendors.
Once an organization fully understands its certificate environment, it’s best to employ a proven tool or service to help streamline the day-to-day management of large certificate pools. These services range from simple (and often limited) software products to robust hosted services that provide more functionality, customization and control.
The more advanced services — whether deployed on-site or realized via a cloud-based model — enable organizations to easily circumvent the issues that plague unmanaged certificate environments (e.g. self-signed certificate creation, certificate copies, expiring certificates, etc.).
Cryptography and compliance
Organizations that are subject to regulations typically implement a security policy concerning the use of digital certificates. This often results in certificate-reporting and audit requirements. Typically, organizations provide a list of certificates issued from their known CAs to adhere to these requirements. In most cases, however, these lists are incomplete because some CAs are unknown and certificates have been copied.
That might present a problem. An organization’s policy might require 2048-bit keys, and it’s likely enforced with known CAs. But with unknown CAs, organizations could have weak cryptography deployed and be unaware of the oversight, leaving them vulnerable to a data breach.
The potential presence of unknown CAs or copied certificates also means IT departments cannot provide a complete list of all certificates — leaving an organization non-compliant and at risk during an audit.
Side with a security expert
As digital certificates become a more critical component in our daily lives, security experts are available to help organizations leverage the technology, regardless of their current deployment status.
Proven security companies are available to help organizations understand which certificates are best suited to meet their business objectives. And they also provide the tools and service to manage all certificates — regardless of type, purpose or environment.
If not properly managed from the onset, large certificate pools can quickly become unorganized. This may lead to higher costs, non-compliance and the unnecessary use of workforce bandwidth. And this doesn’t even account for the negative effect that may occur to a brand, product or service in the consumer’s eyes.
And even if an organization didn’t deploy certificates via a management tool or service, it’s not too late to partner with a provider that can help deploy the necessary discovery and management tools to make sense of all digital certificates — no matter how many are deployed.