UBM Network Computing
Certificate Authorities: How Valuable Are They?

By Greg Shipley

After completing his most recent quest to uphold the interests of queen and country, our favorite secret agent finds himself at home, surfing the Web for a new Aston Martin to replace the one he drove off a bridge in Istanbul. Discovering one to his liking on the Secret Agent Shopping Network, 007 realizes that if he uses his credit card, he won't be required to leave the bedroom. After verifying that the server supports secure transmissions, he's ready to approve the transfer--poised to send his credit-card number out onto the Internet, secured by an SSLv2-compliant browser. After all, it is secure--isn't it?

Unbeknownst to our intrepid 007, the evil terrorist organization ZIFFWEC (Zealots Into Fraudulent Fantasies With Electronic Commerce) is engaged in typically nefarious activities. ZIFFWEC is determined not only to compromise 007's Internet service provider (ISP), but also to capture as many credit-card numbers as possible to support its mission to import mass quantities of the outlawed Fabio icons. To accomplish this, ZIFFWEC has created a Web site that cleverly impersonates the Secret Agent Shopping Network. Meanwhile, an anxious Q tosses and turns in his sleep, dreaming of the certificate authentication system he wishes he had implemented on the popular spy shopping site.

The world of Certificate Authorities (CAs) and certificate-based authentication is populated by high-level cryptographers, ex-National Security Agency agents, small start-ups headed by young visionaries and private service providers using biometrics-based security systems. Where does corporate America fit into this community, where hardware gets a TEMPEST rating instead of a MHz sticker and key signing units will self-destruct if tampered with? For many, the acceptance--and implementation--of systems based on the International Telecommunication Union (ITU) X.509 certificate standard offers the promise of secure transmissions across the Web. However, to say that certificates are primarily for use on the Web is like saying Bond--James Bond--is just a spy.

We spent some time digging for clues about the commercial status of this technology, searching both for service providers and software that integrates current technology with future-oriented cryptography features. We found that these services slip comfortably into many niches, including electronic commerce, but we didn't need to break any codes to figure out that certificate authentication has not yet hit networking full force.

One of the obstacles to the widespread acceptance and use of certificate authentication may well be its underlying technological complexity: People are reluctant to use what they don't understand. Our mission is to demystify the subject.

Undercover Agents

To understand how certificates are used, we must burrow into the world of cryptography. Certificate authentication relies on public key cryptography, which in turn is based on the use of public and private "key pairs." Each half in this pair works in conjunction with the other half. For example, say User A wishes to send User B an encrypted message. User A first must retrieve User B's public key. With this public key, User A encrypts the data using algorithm X. Only User B's private key--which only User B possesses--can decrypt the data. Although these keys are functional inverses of one another, with large key sizes it becomes very hard--if not impossible--to determine the unknown half of someone's key pair simply by using a known half.

But suppose you're suspicious: Was that really User B's public key that User A obtained? Is User B who he says he is? And how does User B know if User A can be trusted? This is where Certificate Authorities come in. The CA issues an X.509 certificate containing the user's public key, which the CA "stamps" or "signs" as authentic. This stamp of approval is how the CA says, "I stand by this User A with this public key X, and he is who he says he is--I've checked him out." (See "Example of Certificate Application.")
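The two ideas above, a key pair whose halves undo each other and a CA stamp that anyone holding the CA's public key can check, can be seen end to end in a few lines. The following is an added example written for this article, not code from the original piece or from any product it mentions. It uses textbook RSA with constructed, deliberately tiny primes and no padding, so it is for illustration only; the `make_keypair`, `issue_certificate`, `verify_certificate` and `recover_private_key` names are this example's own. It goes a step beyond the text by also showing why key size matters: at toy sizes the "unknown half" of the key pair is recovered by simply factoring the modulus.

```python
# Toy RSA key pairs and a toy certificate authority (educational example).
# Constructed, tiny primes and textbook RSA without padding: never use as-is.
import hashlib
from math import gcd, isqrt


def make_keypair(p, q, e=65537):
    """Build a (public, private) key pair from two primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # private exponent: modular inverse of e
    return (n, e), (n, d)        # public key, private key


def encrypt(public_key, m):
    """User A encrypts integer m with User B's public key."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Only the holder of the matching private key can undo encrypt()."""
    n, d = private_key
    return pow(c, d, n)


def cert_digest(subject, public_key, n_ca):
    """Hash the certificate body (subject + public key) into the CA's modulus."""
    body = f"{subject}|{public_key[0]}|{public_key[1]}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n_ca


def issue_certificate(ca_private_key, subject, public_key):
    """The CA 'stamps' the subject's public key by signing its digest."""
    n_ca, d_ca = ca_private_key
    h = cert_digest(subject, public_key, n_ca)
    return {"subject": subject, "public_key": public_key,
            "signature": pow(h, d_ca, n_ca)}


def verify_certificate(ca_public_key, cert):
    """Anyone holding the CA's public key can check the stamp."""
    n_ca, e_ca = ca_public_key
    h = cert_digest(cert["subject"], cert["public_key"], n_ca)
    return pow(cert["signature"], e_ca, n_ca) == h


def recover_private_key(public_key):
    """Factor the modulus by trial division: feasible only at toy key sizes."""
    n, e = public_key
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return make_keypair(p, n // p, e)[1]
    return None


def demo():
    # Constructed toy primes; real keys are built from primes of 1024+ bits.
    user_b_pub, user_b_priv = make_keypair(104729, 1299709)
    ca_pub, ca_priv = make_keypair(15485863, 32452843)

    # 1. A encrypts to B with B's public key; B's private key decrypts it.
    m = int.from_bytes(b"0007", "big")
    c = encrypt(user_b_pub, m)
    assert decrypt(user_b_priv, c) == m

    # 2. The CA signs B's public key; the stamp checks out with the CA's public key.
    cert = issue_certificate(ca_priv, "User B", user_b_pub)
    assert verify_certificate(ca_pub, cert)

    # 3. If the public key inside the certificate is swapped, the stamp fails.
    other_pub, _ = make_keypair(1000003, 1000033)
    tampered = dict(cert, public_key=other_pub)
    assert not verify_certificate(ca_pub, tampered)

    # 4. Why key size matters: a 37-bit toy modulus is factored in milliseconds.
    assert recover_private_key(user_b_pub) == user_b_priv
    return cert


if __name__ == "__main__":
    print(demo())
```

Step 4 is the whole argument for large keys in one line: with real key sizes the same loop would not finish in the lifetime of the universe, which is what lets User B's public half be published freely. Step 3 is what the CA stamp buys in the ZIFFWEC scenario: a site presenting a certificate whose key does not match the signed body fails the check before any credit-card number is sent.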

An Adobe Acrobat PDF version of "Example of Certificate Application" is available for download.

Updated March 25, 1997
Copyright © 2008  United Business Media LLC  |  Privacy Statement  |  Terms of Service  |  Your California Privacy Rights