Digital Certificates & Logic Behind

Digital certificates are electronic credentials that are used to assert the online identities of individuals, computers, and other entities on a network. Digital certificates function similarly to identification cards such as passports and drivers licenses. They are issued by certification authorities (CAs) that must validate the identity of the certificate-holder both before the certificate is issued and when the certificate is used. Common uses include business scenarios requiring authentication, encryption, and digital signing.

Certificate Architecture:
A digital certificate binds a user, computer, or service’s identity to a public key by providing information about the subject of the certificate, the validity of the certificate, and applications and services that can use the certificate. Certificates issued in Windows Server 2003 and earlier PKIs are structured to meet these objectives based on standards established by the Public-Key Infrastructure (X.509) Working Group (PKIX) of the Internet Engineering Tasks Force (IETF). The following figure shows the contents of X.509 version 3

  • Subject. Provides the name of the computer, user, network device, or service that the CA issues the certificate to. The subject name is commonly represented by using an X.500 or Lightweight Directory Access Protocol (LDAP) format.
  • Serial Number. Provides a unique identifier for each certificate that a CA issues.
  • Issuer. Provides a distinguished name for the CA that issued the certificate. The issuer name is commonly represented by using an X.500 or LDAP format.
  • Valid From. Provides the date and time when the certificate becomes valid.
  • Valid To. Provides the date and time when the certificate is no longer considered valid.
    • The date when an application or service evaluates the certificate must fall between the Valid From and Valid To fields of the certificate for the certificate to be considered valid.
  • Public Key. Contains the public key of the key pair that is associated with the certificate.

Basic Cryptographic Operations

A certificate contains information that identifies the certificate’s owner (called the subject) as an entity on the network. A certificate also contains the owner’s public key. Furthermore, a certificate identifies the CA (called the issuer) that issued the certificate.
A CA uses its private key to digitally sign each certificate it issues. To create the digital signature, the CA generates a message digest from the certificate, encrypts the digest with its private key, and includes the digital signature as part of the certificate. Anyone can use the message digest function and the CA’s public key to verify the certificate’s integrity. If a certificate becomes corrupted or someone tampers with it, the message digest for the altered certificate does not match the digest in the CA’s digital signature. The following figure shows how a certificate is signed by the issuing CA.
Digital Signature for a Certificate

Public Key Encryption

In public key encryption, different keys are used to encrypt and decrypt information. The first key is a private key (a key that is known only to its owner), while the second key — called the public key — can be made known and available to other entities on the network.
The two keys are different but complementary in function. For example, a user’s public key can be published in a certificate in a directory so that it is accessible to other people in the organization. The sender retrieves the recipient’s certificate from Active Directory, retrieves the public key from the certificate, and then encrypts their communication by using this public key. Information that is encrypted with the public key can be decrypted only by using the corresponding private key of the set, which remains with its owner. The following figure shows basic encryption and decryption with asymmetric keys.
Encryption and Decryption with Asymmetric Keys

Message Digest Functions

Message digest functions, also called hash functions, are frequently used in conjunction with asymmetric keys to further strengthen public key encryption. Message digests are commonly 128 bits to 160 bits in length and provide a unique digital identifier for each digital file or document. Two copies of a document will have the same message digest, but if even one of the bits for the document changes, the message digest changes. The following figure shows the basic message digest process.
Example of the Message Digest Process
 Message digests are commonly used in conjunction with public key technology to create digital signatures or “digital thumbprints” that are used for authentication, integrity, and nonrepudiation. Message digests also are commonly used with digital signing technology to provide data integrity for electronic files and documents.
If the two message digests do not match, the recipient knows the message was altered or corrupted. The following figure shows a basic integrity check process with a digitally signed message digest.
Example of an Integrity Check with a Digitally Signed Message Digest

Digital Signatures

A common use of public key encryption is to provide digital signatures. Just as handwritten signatures or physical thumbprints are commonly used to uniquely identify people for legal proceedings or transactions, so digital signatures are commonly used to identify electronic entities for online transactions. A digital signature uniquely identifies the originator of digitally signed data and also ensures the integrity of the signed data against tampering or corruption.
One possible method for creating a digital signature is for the originator of data to create the signature by encrypting all of the data with the originator’s private key and enclosing the signature with the original data. Anyone with the originator’s public key can decrypt the signature and compare the decrypted message to the original message. Because only someone with the private key can create the signature, the integrity of the message is verified when the decrypted message matches the original. Even if an intruder intercepts and alters the original message while it is in transit, the intruder cannot create a new valid signature. If an intruder alters the signature during transit, the signature will not be properly verified and therefore will be invalid.

Is it helpful for you? Kindly let me know your comments / Questions.