Digital Certificates

09.06.2024

A digital certificate is a virtual ID, much like a passport, a driver’s license, or any other form of identification. It can be described as a digital credential that contains information identifying an entity, along with other supporting data.

Digital certificates are issued by a Certification Authority. It is the Certification Authority that guarantees the accuracy of data in a certificate and its validity during a given period of time.

A digital certificate solves the problem of finding and validating a user’s public key: it matches a public key to a particular individual, and its authenticity is guaranteed by the Certification Authority. In this sense, digital certificates support public key cryptography as they contain the keys of the entities they are used to identify.

A user can obtain another party’s public key because the digital certificate ties that key to its owner. Since the certificate was issued by a trusted Certification Authority, the user can be sure the key is valid.

When a certificate is issued, the issuing Certification Authority uses its own private key to sign it. When validating the certificate, a user uses the Certification Authority’s public key to check whether the certificate was indeed signed by this Authority.

Structure

To be useful, a digital certificate must have a clear and reliable structure so that the information contained in it can be easily retrieved and understood. The structure has been standardized to make digital certificates easy to understand by anyone, regardless of the issuer.

Generally, digital certificates are structured in accordance with the X.509 standard of the International Telecommunication Union (ITU) and include, but are not limited to, the following fields:

  • Version number: X.509 standard version to which the certificate conforms 
  • Serial number: a unique ID of the certificate issued by the Certification Authority
  • Algorithm ID: the specific public key algorithm used by the Certification Authority to sign the digital certificate
  • Issuer name: the Certification Authority that issued the certificate
  • Validity period: the time during which the digital certificate is valid and the start/end date
  • Subject name: the owner of the digital certificate
  • Subject public key info: the public key associated with the digital certificate owner and the related public key algorithms
  • Issuer unique ID: information used to uniquely identify the issuer of the digital certificate
  • Subject unique ID: information used to uniquely identify the owner of the digital certificate
  • Extensions: additional information related to using and managing the certificate
  • Digital signature of the Certification Authority: the digital signature created with the Certification Authority’s private key using the algorithm specified above.

It should be noted that digital certificates can be used not only on desktop computers, but also on laptops, tablets, and smartphones, since their structure allows any device and application that complies with the standard to understand them.

Digital Certificates and PKI

One of the benefits of public key infrastructure (PKI) is that it simplifies key management by using one key pair instead of multiple symmetric keys. Digital certificates add to this advantage, allowing public keys to be distributed and managed.

PKI offers the means for digital certificates to be used by issuing them and making them accessible via a directory. It also validates them by verifying their authenticity and trustworthiness through Certification Authorities.

For secure messaging, digital certificates provide access to the senders’ and recipients’ public keys, while PKI uses them to simplify key management through a Certification Authority, thus eliminating the need to exchange keys manually.

The issuing Certification Authority guarantees the validity of a digital certificate by signing it with its own private key. Thus, verifying the authenticity of a certificate means verifying the digital signature of the issuing Certification Authority. If it cannot be done, the certificate is deemed not trustworthy.
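The field list in the Structure section and the signature check described above can be tried with the OpenSSL command line. This is an added example, not part of the original article: the names `ca`, `rogue` and `alice@example.test` and the helper functions are constructed, and all keys are throwaway files in a temporary directory.

```shell
#!/bin/sh
# Added example with constructed names; throwaway keys live in a temp directory.
set -eu
D=$(mktemp -d); trap 'rm -rf "$D"' EXIT

# new_ca FILE: self-signed root certificate, signed with the CA's own private key.
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
    -keyout "$D/$1.key" -out "$D/$1.crt" 2>/dev/null
}

# issue NAME CA: key pair and request for NAME, then the CA signs the certificate.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$D/$1.key" -out "$D/$1.csr" 2>/dev/null
  openssl x509 -req -in "$D/$1.csr" -CA "$D/$2.crt" -CAkey "$D/$2.key" \
    -CAcreateserial -days 1 -out "$D/$1.crt" 2>/dev/null
}

# fields CERT: serial number, issuer, subject and validity period of a certificate.
fields() {
  openssl x509 -in "$D/$1.crt" -noout -serial -issuer -subject -dates -nameopt RFC2253
}

# trusted CERT CA: succeeds only if CERT carries a valid signature made by CA
# and is inside its validity period.
trusted() {
  openssl verify -CAfile "$D/$2.crt" "$D/$1.crt" >/dev/null 2>&1
}

new_ca ca        # the CA the verifying user trusts
new_ca rogue     # impostor: same issuer name, different key pair
issue alice@example.test ca

fields alice@example.test
trusted alice@example.test ca    && echo "accepted: signed by the trusted CA"
trusted alice@example.test rogue || echo "rejected: same issuer name, different CA key"
```

The second check fails even though the impostor uses the issuer name printed in the certificate, because only the trusted CA's public key verifies the signature.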

Digital certificates need a functioning infrastructure to manage them in each particular scenario. Another service provided by PKI as a part of the verification process is the revocation of certificates.

PKI and digital certificates are inseparable. PKI’s functions include issuing the certificates, distributing them through a directory, validating and revoking them. PKI ensures that digital certificates are trustworthy, making it indispensable.

Digital Certificates and Digital Signatures

The recipient authenticates and validates the sender’s message by matching the public key to the private key. Digital certificates use public key cryptography to provide a trusted means to distribute and access public keys.

When signing a message, the sender uses their private key (associated with their public key) contained in their digital certificate. When validating a digital signature, the recipient obtains the public key from the sender’s digital certificate to verify it.

The steps of signing a message with a certificate-supported digital signature are shown below: 

  • Write a message.
  • Calculate its hash value.
  • Take the private key from the sender’s digital certificate and use it to encrypt the hash value.
  • Add the encrypted hash value to the message as a digital signature.
  • Send the message.

After receiving the message, the steps of verifying the digital signature using the digital certificate are as follows:

  • Receive a message.
  • Retrieve the encrypted digital signature hash value from the message.
  • Calculate the hash value of the message.
  • Take the public key from the sender’s digital certificate and use it to decrypt the encrypted hash value.
  • Compare the decrypted hash value with the one calculated upon receipt. If they match, the message is valid. 

As evident from these sequences, digital certificates provide access to public keys for verification of digital signatures.

Digital Certificates and Encryption

Just as digital certificates support verification of digital signatures by making public keys available, they also facilitate message encryption by providing public keys to be used for the encryption process.

The sender can access the recipient’s public key and use it to encrypt the message, knowing that only the recipient can decrypt it. In this case, the recipient’s digital certificate is used. As with digital signatures, the public key from the digital certificate makes the operation possible.

The steps of encrypting a message using a digital certificate are shown below:

  • Write a message.
  • Generate a unique symmetric session key.
  • Encrypt the message using the generated symmetric session key.
  • Obtain the public key from the recipient’s digital certificate.
  • Encrypt the session key with the recipient’s public key.
  • Add the encrypted session key to the encrypted message.
  • Send the message.

On the receiving side, the steps of decrypting a message encrypted using a digital certificate are as follows:

  • Receive a message.
  • Retrieve the encrypted session key from the encrypted message.
  • Obtain the recipient’s private key from the recipient’s digital certificate and use it to decrypt the encrypted session key.
  • Decrypt the encrypted message using the decrypted session key and read the message.

Complementarity

Digital certificates complement digital signatures and message encryption. Together, they constitute the fundamental core of secure electronic messaging.

As mentioned above, the sender’s digital certificate is used to sign a message with an electronic signature, while the recipient’s digital certificate is used to encrypt it.

The steps of signing and encrypting a message using digital certificates are shown below:

  • Write a message.
  • Calculate the hash value of the message.
  • Take the private key from the sender’s digital certificate and use it to encrypt the hash value.
  • Add the encrypted hash value to the message as a digital signature.
  • Generate a unique symmetric session key and use it to encrypt the message (already containing the digital signature).
  • Obtain the recipient’s public key from the recipient’s digital certificate and use it to encrypt the generated symmetric session key.
  • Add the encrypted session key to the encrypted message.
  • Send the message.

After receiving the message, the steps of decrypting and verifying the digital signature are as follows:

  • Receive a message.
  • Retrieve the encrypted session key from the encrypted message.
  • Obtain the recipient’s private key from the recipient’s digital certificate and use it to decrypt the encrypted session key.
  • Decrypt the encrypted message using the decrypted session key.
  • Retrieve the message itself and the encrypted digital signature hash value from the message.
  • Calculate the hash value of the message.
  • Take the public key from the sender’s digital certificate and use it to decrypt the encrypted hash value.
  • Compare the decrypted hash value with the one calculated upon receipt. If they match, the message is valid.
  • Read the decrypted message.
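The sign-then-encrypt and decrypt-then-verify sequences above, as an added example that is not part of the original article. It uses OpenSSL's `cms` command, which performs the hashing, session-key generation and key wrapping internally; the names `alice` and `bob`, the sample message and the helper functions are constructed, each private key is a file stored next to its certificate, and self-signed certificates stand in for CA-issued ones, so the recipient trusts the sender's certificate file directly.

```shell
#!/bin/sh
# Added example with constructed data; alice is the sender, bob the recipient.
set -eu
D=$(mktemp -d); trap 'rm -rf "$D"' EXIT
for who in alice bob; do
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$who" \
    -keyout "$D/$who.key" -out "$D/$who.crt" 2>/dev/null
done

# seal IN OUT: the sender's steps.
seal() {
  # Hash the message and sign the hash with the sender's private key.
  openssl cms -sign -binary -nodetach -md sha256 -in "$1" \
    -signer "$D/alice.crt" -inkey "$D/alice.key" -outform DER -out "$D/signed.der"
  # Encrypt message plus signature under a fresh session key and wrap that key
  # with the public key taken from the recipient's certificate.
  openssl cms -encrypt -binary -aes256 -in "$D/signed.der" -outform DER -out "$2" \
    -recip "$D/bob.crt" -keyopt rsa_padding_mode:oaep
}

# unseal IN OUT KEYOWNER TRUSTED: the recipient's steps.
unseal() {
  # Unwrap the session key with KEYOWNER's private key and decrypt.
  openssl cms -decrypt -inform DER -in "$1" -recip "$D/$3.crt" -inkey "$D/$3.key" \
    -out "$D/opened.der" 2>/dev/null || return 1
  # Recompute the hash and check the signature with the signer's certificate,
  # which must chain to the certificate named by TRUSTED.
  openssl cms -verify -binary -inform DER -in "$D/opened.der" \
    -CAfile "$D/$4.crt" -out "$2" 2>/dev/null
}

printf 'Transfer approved: invoice 1042\n' > "$D/msg.txt"
seal "$D/msg.txt" "$D/sealed.der"
unseal "$D/sealed.der" "$D/out.txt" bob alice && cat "$D/out.txt"
```

With CA-issued certificates, the last argument of `unseal` would name the CA certificate instead of the sender's own.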

Currently, digital certificates help us face one of the main challenges of electronic communication: verifying the identities of the parties involved in any operation, both for the user accessing a service and the company providing it.

Digital certificates can offer a degree of reliability and trust when sending information via electronic means by ensuring the integrity of the content and authenticating the sender and the recipient.
