
Management Information Systems

Topic: The Governing Dynamics of Digital Certificates
(An evaluation of the adoption of digital certificates in the e-business environment)

Date: December 16, 2004
By Nainil Chheda ([email protected])
Website: http://www.nainil.com
Temple University, Fox School of Business


Contents

• The importance and significance of Authentication and Encryption on the Internet

• Domain of customers “Who needs a Digital Certificate”.

• Life cycle of Digital Security.

• Buyer trends in case of an expiry of a digital certificate.

• Overview of Digital Certificates and their functioning.

• Understanding how SSL works, and distinguishing the SSL encryption strengths used with digital certificates.

• Defining Code Signing and knowing its implications.

• Study Digital Signature and the technology behind it.

• Explore further details on encryption

• Certificate Authority

• The market type Certificate Authorities currently operate in. (Monopolistic, Oligopolistic Markets etc.)

• The issues faced by newly emerging Certificate Authorities keeping in mind the competitive environment.

• Role of resellers in the Digital Certificate market.

• Importance of digital certificates in securing mobile technology over the web.

• Scope of Digital Certificates in the long run.


The Importance and Significance of Authentication and Encryption on the Internet

In the 1990s [1], “the development and delivery of e-commerce initiatives, along with rapid commercial development of the Internet, created a need for new, secure ways of creating and managing digital identities over insecure public networks”.

The challenge of verifying identity when conducting transactions with unknown persons is by no means new. Long before the Internet, such problems needed to be addressed. For example, traveling from country to country requires a passport, and documented paper transactions must often be notarized. In both cases, however, the document is accepted to authenticate the identity of the bearer or signer because it was attested to by a trusted third party. For the passport, the passport agency requires several forms of identification to satisfy its requirement, and before certifying the signature on the document, the notary public must see identification. And, in both cases, the applicant needs to be present.

E-security is evolving from an IT infrastructure concern to a business concern. As with the lack of privacy, integrity or confidentiality, systems slowdowns or downtime can damage businesses. With internal systems, the top security priority has traditionally been to secure the IT infrastructure inside the corporate network. That is where antivirus, strong authentication, firewalls and virtual private networks are useful. Security and


attract customers, security concerns are quickly expanded to include business transaction availability and privacy concerns. When the system is off-line, revenue stops. A lack of confidentiality or the violation of privacy laws can affect an enterprise's image and reputation, generating customer dissatisfaction and business damage.

E-security [2] “needs to be extended to embrace the complete business transaction. Consumers and suppliers can now link to an enterprise and execute e-transactions that previously were impossible”. The difference between insider and outsider is fading away. E-business transactions are executed and can run outside and inside an organization. Users and suppliers are outside, as well as some parts of the transaction's logical and technical architecture. Each transaction has its own risk and security-level requirements.

“For strategic e-business activity [3], all large organizations must 1) address risk from both a business and a technical perspective, considering both internal and external threats, 2) apply security levels to the end-to-end flow of transactions, and 3) control, measure and update security levels in real time 24 hours a day. Organizations failing to implement such processes will be unable to secure transactions, which is what business units expect. Rather, they can provide infrastructure security without aligning to the business risks.”

The need for security arises from front-end consumer transactions, where payment services must be secure, as well as from transactions within the enterprise extranet (that is, transactions with business partners). [4] “Companies are beginning to accept the idea that this type of integration is necessary for more streamlined business processes that, in turn, can bring substantial cost savings”.


In e-business, security issues can be viewed from two perspectives, namely the consumer and the business. Consumers are primarily concerned with the privacy and security of their personal information. For businesses, enterprises are concerned with user identification and protecting business assets against malicious external forces. [5] “The advent of the Internet has seen the emergence of tools and distributed security technologies helping enterprises actively collaborate within their networks to keep the corporate environment secure.”

Standard security software and hardware are only as protective as the processes behind them. Ultimately, information security demands attention, customization, education and oversight. It will also demand a set of procedures, monitoring and a response plan. Security systems today are policy-based because this allows for customization according to individual needs.

Sin Phua [6], in “Is Information Security a Greater Issue Today”, notes that information security relies on a security policy that addresses three challenges:

• Defining an appropriate, applicable security model

• Deriving information control rules based on that model

• Implementing a control mechanism that applies those rules consistently and without fail whenever users from inside or outside the organization want to access information assets.


The prevalence of the Internet, client/server applications, electronic commerce and electronic communications offers tremendous opportunities for business, while simultaneously increasing the opportunity for security breaches that can cost an organization dearly.

“In person-to-person transactions, security is based on physical clues. Consumers have come to accept the risks of using credit cards in places like chain stores because they can see and touch the products and make judgments about the store.

There are various forms of attack that can compromise a website or the data it holds:

Spoofing - the low cost of Website design and ease with which existing pages can be copied makes it all too easy to create illegitimate sites that appear to be published by established organizations. In fact, con artists have illegally obtained credit card numbers by setting up professional-looking storefronts that mimic legitimate businesses.

Unauthorized Action - a competitor or disgruntled customer can alter your Website so that it malfunctions or refuses service to potential clients.

Unauthorized Disclosure - when transaction information is transmitted "in the clear", hackers can intercept the transmissions to obtain sensitive information from your customers.


Data Alteration - the content of a transaction can be intercepted and altered en route, either maliciously or accidentally. User names, credit card numbers and dollar amounts sent "in the clear" are all vulnerable to alteration.”

What is Encryption?

“Encryption is the security technology [7], which protects the privacy of information sent over a network. Encryption changes a data stream of bits from information to something that appears random.” Anyone who intercepts the encrypted data gets a data stream that doesn't represent any information. It is noise, garbage, and worthless data. In a well-designed system, only the intended recipient is able to decrypt the encrypted data stream to recover the information.

Why is Encryption Important?

Web or e-business systems may hold data that you wish to protect, such as business-critical or personal information. Encryption increases the security of data transmissions, reducing the risk of third-party observers reading the content. Encryption can also be used for stored data. Encryption can help protect your website or e-business information assets from unauthorized access.

What is Authentication?

According to NIU.edu, authentication is: “(1) the process of verifying identity, origin, or lack of modification of a subject or object. Authentication of a user is generally based on


file or message which purports to come from a given individual or company actually does. Many authentication systems are now looking towards public key encryption, and the calculation of a check based upon the contents of the file or message as well as a password or key.”

Why Is Authentication Important?

In the age of faceless e-commerce, “Authentication [8] provides crucial online identity. Notions of identity and authentication are fundamental concepts in every marketplace. People and institutions need to get to know one another before conducting business.” In traditional commerce, people rely on physical credentials, such as a business license or letter of credit, to prove their identities and assure the other party of their ability to transact.

Authentication and security technology provide transaction security for e-commerce applications. Authentication is a must in order to achieve the necessary trust.

Information is a critical asset to your business. To ensure the integrity and safety of your information, it is important to identify with whom you are dealing, and that the data you are receiving is trustworthy. Authentication can help establish trust between parties involved in transactions.


Authentication: What You Need to Know

A complete understanding of authentication services demands a full explanation of each of the following areas.

Establishing Identity

A business partner's identity must be established before it can be trusted in conducting trade. At the most basic level, there must be a process which verifies that an organization or individual exists, has a name, and is entitled to use that name. This process may also establish other identification attributes: for example, organizational affiliation ("Jim Smith works for Philips"); industry segment ("Vivendi is in the entertainment industry"); or occupational certification ("John Smith is a board-certified dentist in England"). Trusted third parties or delegated authorities often play a key role in confirming the identity attributes of participants at the time identification takes place.

Credential Management

Once the participant's basic identity and identification attributes are established and verified, it must be issued with a credential that can be used to prove identity. In the "real" world, a credential might be an ID document or a business license. In the digital world, the most robust form of credential is the digital or Server Certificate signed by a trusted Certification Authority.


Domain of customers “Who needs a Digital Certificate”.

A public key and a private key are generated together as a pair. The public key is published (and, in a PKI, certified by an authority) and is used to encrypt data for the key's owner or to verify the owner's signatures; the private key stays with the owner and cannot feasibly be derived from the public key. The risk in this system is that if a party's private key is lost or stolen, everything that depends on that key pair is broken. In practice, public-key operations are combined with symmetric session keys (as SSL does), but the private key remains the secret that must be protected.

NFC (Government Certificate Authority Services) define Digital Certificate [9] as “a digital representation of information which at least (1) identifies the certification authority issuing it, (2) names or identifies its Subscriber, (3) contains the Subscriber's public key, (4) identifies its operational period, and (5) is digitally signed by the certification authority issuing it. A Digital Certificate is a data structure used in a public key system to bind a particular, authenticated individual to a particular public key.”

The number-of-endpoints argument for a public key environment

Secret key (or symmetric) encryption, using shared secret keys, has been used by banks and private networks for some time for point-to-point transactions such as automated teller machines (ATMs). In spite of its speed, symmetric encryption has proven ill suited to distributed networks like the Internet. As the number of endpoints increases, secret key point solutions become too cumbersome to be practical because of the sheer number of secret keys to issue and manage. For example, for 100 companies to communicate secretly with each other using secret keys, 4,950 secret keys (100 × 99 / 2: 99 for the first company, 98 for the second, and so on) would need to be created, managed, and safeguarded. In a public key environment, only 100 key pairs would be required.

Kristen Noakes-Fry [10] in “Certification Authorities and Digital Certificates: Perspective “ argues: “Increasingly, businesses and individuals are discovering the power of conducting a multitude of large and small transactions--from ordering flowers to bidding on a contract--via the Internet. E-business, like the technical advances of the past, brings with it risks as well as rewards”.

The FAQ section [11] at Eliteral.com states: “Anyone who intends to conduct business or wants to provide for secure communications and data transmission through their Web site should have a digital certificate installed on their Web server”.

In the anonymous world of the web, customers and web merchants must deal with a new array of faceless threats:

1. Unauthorized access

2. Data alteration

3. Monitoring

4. Spoofing

5. Service denial


An SSL certificate is required if:

- You are a web site owner whose web site has online ordering facilities.

- You want to assure customers that the data they send to you over an open network is protected in transit.

The wide use of the Internet has attracted an assortment of virus writers, hackers, and impersonators. To create law and order on the frontier of Internet e-commerce, one very promising technology is a public key cryptography scheme called digital certificates.

Within a public key infrastructure (PKI), a certification authority (CA) organization issues digital certificates, which act like a driver's license or passport to authenticate the participants in a transaction. The many security applications of digital certificate technology--often out-of-the-box--include secure VPN, Web, and e-mail.

Many organizations consider digital certificates for securing communications over the Internet because of the wide range of functions they support, such as web site access authentication and credit card verification. Because the CA's signature makes a certificate tamper-evident, digital certificate authentication is used for VPNs, the web, secure e-mail, system access control, electronic credit card transactions, identification to healthcare organizations, digital “shrink-wrapping” of software, customer identification, and more.


Netscape, the browser company, was among the first to bring digital certificates to the web through SSL. On its website it says [12]: “If you're a webmaster with a killer site and a great product or service to sell on it, customers will be eager to buy online. But first, your customers need to know your site is safe.”

There are different market needs that drive the interest in digital certificates:

• Internet commerce support by the business.

• Carrying internal company traffic over the Internet by means of VPNs, which saves the companies money.

• A company's need for security when its internal network connects to the Internet, providing access to customers, sales teams, or partner organizations.

• The need of companies to keep consistent security on their applications throughout the company intranet.

• Security previously relied on passwords, which never provided strong authentication. The need for a reliable replacement for traditional passwords has grown, and digital certificates come to the rescue.


Through an SSL-enabled web server and a CA-issued SSL certificate, a person connecting to a secure website is assured of three things:

1. Authentication.

2. Message privacy.

3. Message integrity.


The Life Cycle of Digital Security

There are process cycles that many businesses follow. In the critical field of IT Security, a Security Life Cycle process can effectively guide and cover the stages leading to a successful secured operations and business. [13]

[Figure: The Security Life Cycle. Source: DIY Assessment, Lee Wan Wai [13]]

Policies, Standards and Guidelines

These are the cores that govern the four stages of the Security Life Cycle. Policies will ensure that various important areas such as controls, legal and information classifications are sufficiently covered. Standards will ensure proper control over configurations of various component and software involved. Guidelines ensure practices and tasks are


1. Assessment

Assessment is the critical event that determines the security bill of health of a system. Activities such as audits, penetration testing and reviews should be conducted periodically or when the need arises, e.g., after major changes. Risk assessments are normally computed from the data gathered.

2. Design

Designing a proper and effective security configuration based on organizational and industry standards is an important stage of the security life cycle. Designing also encompasses activities such as formulating process and improvement over existing design.

3. Deploy

Once the design is developed and ready, it should be deployed. Specialized and skilled personnel are needed for these activities. Deployment is a crucial stage, since it bears the main burden of implementation.

4. Manage

Managing and monitoring is crucial to ensure the system is functional and also serves as a problem detection mechanism.


It is this “manage and support” stage that incorporates digital certificates; it is also where technical support is provided to end users. Often the time spent managing and supporting the system exceeds the time spent developing it.

5. Educate

The most important aspect of any life cycle is the training to the users. Education helps understand security in a much better way.

Every E-commerce website has to go through all these very stages of security life cycle to be fully functional and secure.


Buyer trends in case of an expiry of a digital certificate.

A digital certificate allows a browser and a server to establish secure communications. However, every digital certificate has an expiry date. After that date a browser will display an additional warning dialog when it encounters the certificate. An encrypted connection can usually still be established if the user accepts the warning, but the CA's assurance of the server's identity no longer holds once the certificate is past its expiry date; a practitioner should treat an expired certificate as an operational failure to fix, not as a warning to click through.

In case of the expiry of a digital certificate, two things are possible:

1. The buyer does not purchase the product/service.

2. The buyer purchases the product/service.

There are two trends in the class of buyers: adopters of change and non-adopters.

Adopters of change are those who adapt readily and are ready to buy from a website they trust. Non-adopters are those who do not make purchases from a website because of security concerns.

Case #1 (Buyer does not purchase the product/service.)

In this case, the buyer does not purchase the product/service considering the expiry of the digital certificate to be a security threat.

Possible Outcome:

• No purchases made from the website.


• When returning to the website again for any purchase the buyer would think twice.

• The buyer would not recommend the website to any other person.

• The buyer might lose a good deal by not purchasing from the website for security reasons.

Case #2 (Buyer purchases the product/service.)

In this case, in spite of the expiry of the certificate, the buyer purchases the product/service for two reasons:

1. The buyer has previously purchased a product/service from the website with out any trouble.

2. The buyer has gained trust on the website by means of the goodwill earned by the particular website.

Possible Outcome:

a. Buyer buys from the website

b. Satisfaction is felt when the purchase completes.

c. Goodwill is earned by the website.


Overview & Functionality of Digital Certificates

Digital certificates within the PKI (Public Key Infrastructure) are a widely adopted technology. Digital certificates are similar to virtual credit cards. Both the credit cards and digital certificates contain information about you, such as your name and information of the business group that issued the certificate or the card to you.

Credit card companies usually “Authenticate” you to ensure that you can be trusted to be financially responsible. In terms of Public Key Infrastructure this is known as the registration process which authenticates that you are really yourself, after which the CA (Certificate Authority) would approve a digital certificate to be issued to you. Digital certificates are generated and themselves digitally signed by organizations known as certificate authorities.

Once a credit card or a digital certificate is issued, both should be managed with great care. When a certificate is requested, software on the applicant's side generates a unique key pair (a public key and a private key); only the public key is sent to the CA. The certificate authority (CA) then creates the digital certificate by packaging information about you and your organization together with the public key and signing the result.

Each key pair is unique, so a key identifies its owner. The two keys always work together: what one encrypts, only the other can decrypt. Public keys are distributed freely to anyone who wants to exchange secure information. The private key is never distributed or copied; it stays on the computer or device where it was generated.

“When you install a digital certificate on your computer or server, your computer or web site now has its own private key. Its matching public key is freely available as part of your digital certificate posted on your computer or web site.” [14]

When another computer wishes to exchange information with your server, it retrieves your digital certificate, which carries your public key. Using SSL (Secure Sockets Layer), the other computer uses that public key to confirm that it is talking to the certificate's owner and to establish a session key; the data is then encrypted under that session key. Only the holder of the matching private key can complete this exchange, so the information is protected from interception and tampering while travelling across the Internet.


[Figure: How an SSL request works at the browser-to-server level. Source: http://www.ingeo.com/content.asp?pid=168]


A clearer explanation of the same process is given on the Thawte website, in the article “Securing your Online Data Transfer with SSL”:

How is an SSL session set up?

“During this process, the web browser checks that:

• the CA who signed the certificate is trusted by the web browser

The process is seamless; thus the user does not see the above steps taking place.

The certificate serves as proof that an independent trusted third party, such as a Certificate Authority, has verified that the domain belongs to a real company and can therefore be trusted. A valid certificate gives customers confidence that they are sending personal information securely to the authenticated party.”

More than 60 root certificates come preinstalled with Internet Explorer and the Netscape browser. They come from digital certificate vendors such as Thawte and VeriSign. The browser often uses them to verify sites without the user being aware of it.

There are different types of digital certificates; namely [15]:

“Root or authority certificates. These are self-signed certificates that create the base (or root) of a certification authority, such as Thawte, or CREN.

Institutional certificates. These certificates are also called campus certificates. They are signed by a third party verifying the authenticity of a campus authority. Campuses then use their “authority” to issue client certificates for faculty, staff, and students.

Client certificates. These are also known as end-entity certificates, individual certificates, or personal certificates.

Web server certificates. These certificates are used to secure Web communications to and from servers and are also called server-side certificates.”


[15] Judith V. Boettcher, “Digital Certificates: What Are They, and What Are They Doing in My Browser?”


The Functionality of Digital Certificates

• Restrict access to specified content to certain consumers

• Instantly authenticate a visitor's identity.

• Increase customer satisfaction.

• Increase ad revenue by tracking the personalized information contained in individual digital certificates.

• Enhance the value of your site by delivering a more personalized web experience.

Digital certificates are used with SSL (Secure Sockets Layer), the method Netscape developed and the industry adopted for protecting web communications. The SSL protocol provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. SSL is already built into all major web browsers and web servers; installing a digital certificate on the server is what enables it there.

To make an SSL connection, the SSL protocol requires that the server have a digital certificate installed. SSL provides secure communication by combining two elements:

• Authentication, and

• Encryption.

SSL comes in two strength levels, 40-bit and 128-bit. These refer to the length of the symmetric session key generated for each encrypted session. The longer the key, the more secure the encryption and the harder it is to break by trying every key: a 128-bit key has 2^88 (roughly 3 × 10^26) times as many possible values as a 40-bit key, which vendor literature summarises as “trillions of times stronger”. Global companies that require international transactions over the web can use a global server certificate program to offer strong encryption to their customers.

Another key difference between 128-bit Global Server IDs and 40-bit SSL Certificates is the number of server platforms that support them. Global Server IDs are supported by many major platforms, while SSL Certificates are supported by a much longer, more comprehensive list of platforms.

As an e-commerce business, one must deliver the highest level of trust and security, so that customers can be certain the website is genuine and that the information they send from the browser stays private. Hence 128-bit SSL is of very high importance.

As per DigitalCertificate.US: “The U.S Government determines the categories of companies that can implement the powerful encryption technology included with the Global Site solutions outside the U.S and across the U.S borders”.


Web Browser Compatibility and Strength

Customers or users connecting to the Web server should have a compatible client application to take advantage of the security facilitated by 128-bit Global Server IDs:

• Microsoft Internet Explorer 4.0 or later

• Microsoft Internet Explorer 3.02 (Windows NT 4.0+ only) with a special patch or later

• Netscape Navigator 4.06 or later

• Microsoft Money 98

• Intuit Quicken

Gordon Moore, co-founder of Intel, observed that the number of transistors per square inch on integrated circuits had doubled every year since the integrated circuit was invented. In subsequent years the pace slowed, but data density has doubled approximately every 18 months. The press has dubbed this “Moore’s Law”.

SSL encryption strength, by contrast, has been stagnant: it has moved only from 40-bit to 128-bit session keys. This shows two very important things:

• The need for an increase in the encryption strength has not been encouraged; and/or


[Figure: Moore’s Law. Source: http://www.intel.com/research/silicon/mooreslaw.htm]

Browser issues solved using SGC SuperCerts: [16]

“SGC SuperCerts are SSL certificates that allow international browsers to step-up to 128-bit encryption. In a nutshell - SGC SuperCerts will bump up the encryption level to 128-bits, even when communicating with the latest 40-bit browsers. A SGC SuperCert provides the full 128-bit crypto for compatible browsers and therefore unlocks the full potential of these browsers. It is important to secure your web site with a SGC SuperCert if your customers send highly confidential information such as financial transactions and personal information to your web site. You need a SGC SuperCert if you are a web site owner whose customers mostly use the export versions of browsers that do not by default support the full 128-bit crypto strength. This usually applies to web sites with a significant international customer base.”
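The 40-bit versus 128-bit discussion above, and the SGC step-up that worked around export restrictions, map today onto configuring a TLS client (a browser, or any program acting like one) so that weak cipher suites cannot be negotiated at all, alongside the identity checks described earlier (chain to a trusted CA, hostname match, validity period). The following is an added example written for this page using Python's standard `ssl` module; it is not code from the paper or from any vendor, and the function names are my own.

```python
import ssl

# Added example, not from the paper. Shows, with Python's standard ssl module,
# the policy a careful browser applies to a server certificate and the
# cipher-strength floor that the 40-bit vs 128-bit discussion is really about.
MIN_STRENGTH_BITS = 128


def strong_client_context() -> ssl.SSLContext:
    """A client context that behaves like a careful browser."""
    # create_default_context() gives PROTOCOL_TLS_CLIENT with
    # verify_mode=CERT_REQUIRED (the chain must end at a trusted root),
    # check_hostname=True (the certificate's name must match the host we
    # connect to) and the system root store; OpenSSL checks validity dates.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSL 2/3, TLS 1.0/1.1 refused
    # 'HIGH' keeps only suites with 128-bit or longer keys, so a 40-bit export
    # suite can never be negotiated; the rest drop anonymous (unauthenticated)
    # key exchange and null/RC4/MD5/3DES.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!RC4:!MD5:!3DES")
    return ctx


def weakest_negotiable_bits(ctx: ssl.SSLContext) -> int:
    """Smallest symmetric key length among the suites this context accepts."""
    return min(c["strength_bits"] for c in ctx.get_ciphers())


def identity_checks(ctx: ssl.SSLContext) -> dict:
    """The certificate checks a browser makes, as this context enforces them."""
    return {
        "chain_to_trusted_ca": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_must_match": bool(ctx.check_hostname),
        "legacy_protocols_off": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


def insecure_context() -> ssl.SSLContext:
    """The opposite policy: what 'click through the warning' amounts to in
    code. Any certificate, expired, self-signed or for another host, passes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx
```

Modern OpenSSL builds no longer ship 40-bit export suites at all, so the floor is enforced by the `HIGH` keyword rather than by a special certificate. `insecure_context()` is included as the contrast: a client configured that way encrypts the session but has no idea who is on the other end, which is exactly the position of a user who dismisses an expired-certificate warning.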


Code Signing Digital IDs

“Customers trust software they buy in a store because they can tell who published the product and can see whether the package has been opened or not. The Internet cannot offer the reassurance provided by shrink-wrapped software. When customers download software from the Internet, the most they see is a message warning them about the risks of using downloaded software. They have no clue of the software's integrity. Code Signing is a solution developed for major software vendors like Microsoft and Netscape. Code signing allows a developer to sign his/her application digitally. On the strength of the signature, the browser or operating system then decides whether or not to trust the software.” [17]

Shrink-wrapped software is sold in shops with a manufacturer's seal or wrap. Once the seal is broken, it is easy to see that the package has been tampered with or is not genuine.

Code signing lets developers digitally sign code they have written, whether software or macros, for secure delivery over the Internet. The kinds of code a customer can download from your site include:

1. ActiveX controls

2. Java applets

3. Dynamic link libraries

4. .cab files

5. .jar files

6. HTML content

The customer can then be confident that the code has not been altered or corrupted since it was signed and that it really comes from the named developer.

Features and Benefits of Code-Signing

1. Customer Confidence: Once the code is signed digitally by the developer, the customers feel a sense of confidence that the code has not been tampered and/or altered.

2. Ease of Use: Code signing certificates are easy to use in conjunction with the vendor software tools that the developers use to create products, macros and objects.

3. Authenticity: Once the code is downloaded, the end-user is assured that the code was sent by the developer itself. This preserves the business reputation and intellectual property of the developer.

4. Seamless Integration with Industry-Standard Technology: Most browsers will not accept commands from downloaded code unless it is signed with a certificate issued by a trusted Certificate Authority.


How Code Signing Works with a Certificate Authority

1. First, generate a public/private key pair following the instructions for the software tools you develop with.

2. Then the code-signing enrollment process begins. You enroll with a Certificate Authority by submitting the public key of the pair along with documentation to prove your identity.

3. By checking the documentation, the Certificate Authority verifies your identity. It then issues a Digital ID, which includes your full organization name and your public key.

4. Using tools supplied by the software vendor, sign the code. When these signed objects and code are downloaded, they carry a copy of your certificate so that recipients can identify you as the author.

5. End-users can now purchase these signed programs and downloadable objects from your website. When customers download the applet, code object or macro, their browser verifies the signature on the code.

6. The certificate delivered to the customer with the code confirms the authenticity of the code.

No market survey has yet been conducted to determine the importance and market share of code signing.

(Paraphrased from Verisign Website) http://www.verisign.com/products-services/security-services/code-signing/digital-ids-code-signing/


Digital Signature

A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document. It can also be used to ensure that the original content of the message or document has not been changed in transit. A digital signature is not simply a typed name or an image of a handwritten signature. It is based on public-key encryption and is associated with a digital document. The private key creates the signature and the public key verifies it. Only the owner of the private key can create the signature, so it can be verified who created a message. Generally, only a part of the document is signed.

The US Digital Signature Standard

“The Digital Signature Standard (DSS) is a cryptographic standard promulgated by the National Institute of Standards and Technology (NIST) in 1994. It has been adopted as the federal standard for authenticating electronic documents, much as a written signature verifies the authenticity of a paper document. The DSS was the first cryptographic standard developed under the regime established by the Computer Security Act, which was intended to limit the role of the National Security Agency (NSA) in the development of civilian standards. Documents obtained by EPIC under the Freedom of Information Act have demonstrated that the DSS development process was, in fact, dominated by NSA.” This is explained in more detail by the Electronic Privacy Information Center at http://www.epic.org/crypto/dss/ .


A signature in the broader sense is any mark made on a document with the intention of authenticating it. Signatures serve:

1. Evidence: The signature identifies the signer of a document.

2. Ceremony: The act of signing draws the signer's attention to the legal consequences of the act. An authentic signature provides a means of binding the signer to a legal agreement.

3. Approval: In certain contexts, a signature legally expresses the author's approval.

4. Efficiency and logistics: A signature on a written document makes the document complete, so no further details need to be verified.

Characteristics of a Digital Signature:

1. Signer authentication: The signature should authenticate the signer of the document. It should be practically impossible for anyone else to replicate the signature.

2. Document authentication: Digital documents can be tampered with. A digital signature must take care of this by making any tampering with a signed document detectable.

Use of Digital Signature involves two steps:

1. Digital signature creation: A hash of the message is computed and transformed with the signer's private key, giving a result that is unique to both the private key and the signed message.

2. Digital signature verification: The signature is checked against the original message and the given public key. This determines whether the digital signature is authentic or falsified.


The digital signature can be stored together with its message, or stored separately and sent as a separate data element, as long as it maintains its association with the document.

Challenges and Opportunities

Fully implementing digital signatures brings both challenges and costs:

1. Subscriber and relying party costs: Software is required to sign a document, and the Certificate Authority charges a fee for issuing a digital certificate, which adds to the overhead. Often, special hardware for securing the signing keys is an additional expense.

2. Institutional overhead: There is a cost to using the services of Certificate Authorities and other institutions that maintain the quality and validity of certificates.

Digital signatures, if properly implemented, offer promising solutions to:

1. Open systems: Information sent over open (insecure) systems can be protected with digital signatures.

2. Former legal requirements: Digital signatures can now stand on a par with paper signatures, binding the author and the end-user legally.

3. Message integrity: Any alteration of a signed message is detectable, so message integrity is preserved.


Digital Signature and its Functioning

(Source: http://www.youdzone.com/signature.html)

Here is a fictitious example showing how digital signatures function. “

(Figure: Bob, with Bob's public key and Bob's private key.) Bob has been given two keys. One of Bob's keys is called a Public Key, the other is called a Private Key.

(Figure: Bob's co-workers.) Anyone can get Bob's Public Key, but Bob keeps his Private Key to himself.


Bob's Public key is available to anyone who needs it, but he keeps his Private Key to himself. Keys are used to encrypt information. Encrypting information means "scrambling it up", so that only a person with the appropriate key can make it readable again. Either one of Bob's two keys can encrypt data, and the other key can decrypt that data.

Susan (shown below) can encrypt a message using Bob's Public Key. Bob uses his Private Key to decrypt the message. Any of Bob's coworkers might have access to the message Susan encrypted, but without Bob's Private Key, the data is worthless.

(Figure: Susan's message "Hey Bob, how about lunch at Taco Bell. I hear they have free refills!" is encrypted with Bob's Public Key into unreadable cipher text, and Bob's Private Key decrypts it back to the original message.)


With his private key and the right software, Bob can put digital signatures on documents and other data. A digital signature is a "stamp" Bob places on the data which is unique to Bob, and is very difficult to forge. In addition, the signature assures that any changes made to the data that has been signed can not go undetected.

To sign a document, Bob's software will crunch down the data into just a few lines by a process called "hashing". These few lines are called a message digest. (It is not possible to change a message digest back into the original data from which it was created.)

Bob's software then encrypts the message digest with his private key. The


Finally, Bob's software appends the digital signature to the document. All of the data that was hashed has been signed.

Bob now passes the document on to Pat.

First, Pat's software decrypts the signature (using Bob's public key), changing it back into a message digest. If this worked, then it proves that Bob signed the document, because only Bob has his private key. Pat's software then hashes the document data into


Encryption

Encryption is the method of scrambling or encoding data to prevent unauthorized users from reading or tampering with it. Only users with the key can decrypt the data. It is the transformation of clear data (clear text) into unintelligible data (cipher text) such that the original data either cannot be recovered at all (one-way encryption) or cannot be recovered without applying the inverse decryption process (two-way encryption).

Some glossary terms for encryption:

Algorithm: A specific mathematical formula for encryption and decryption.

Back door: A security weakness known to attackers that lets them bypass normal protection.

Cipher: An encryption system; in its simplest form, each character is substituted for another.

Key: A special piece of data used for encryption and/or decryption.

Codes and ciphers have been used for centuries to keep messages for the eyes of the intended recipient only. In earlier days, the encoding was done on paper; in today's digitized world, encoding and decoding are done by computers. It is well known that the more complex the key, the more data both sides need in order to encrypt and decrypt the same message.

The encryption breakthrough came in 1970 with the invention of public key encryption.

With public key encryption, messages can be communicated securely even if all of the communications are intercepted. The basic idea of key-based cryptography is to take plain text and scramble it into cipher text, so that the original form of the text is hidden beneath the encryption.

Only the sender performing the encryption (scrambling) and the intended recipient of the cipher text can decrypt (unscramble) it, because decryption depends on keys agreed between the owner and the receiver of the cipher text. Keys, however, can be lost, stolen, bought or sold.

In public key encryption, a user has a pair of keys: a public key and a private key. The private key is kept private and is never shared with anyone. The public key is distributed to other users. The public key is used to encrypt a message, while the private key decrypts it. The strength of the encryption system depends on the quality of the algorithm and of the key used to create the cipher.

The more bits in the key, the more secure the encryption. Currently the legal key lengths are 40 bit and 128 bit.

Data Encryption Standard (DES)

DES is a symmetric encryption algorithm; 3DES is a federal standard. Several variants of DES have been standardized. A symmetric system uses the same key to encrypt and decrypt data. Triple DES (3DES) applies three stages of DES to give better protection.


Security for DES

♦ Methods of attack:

– Brute force (about 2^55 key trials on average)

– Linear / differential cryptanalysis (2^43 known / 2^47 chosen plaintexts)

♦ Attacks on DES:

– Challenge II (56 hrs using a supercomputer), 1998

– Challenge III (22 hrs using distributed.net), 1999

– Dedicated hardware ($1 million) can crack it in 1 hr

♦ Attacks on 3DES:

– Theoretical attacks only; impractical at present.

Cryptography is the science of encrypting and decrypting information to keep it secure. There are two basic types:

1. Single key cryptography: The same key is used to encode and decode the messages.

2. Double key cryptography: Two keys are used, one to encrypt the message and the other to decrypt it, so only the holder of the decryption key can read the message.


Certificate Authority (CA)

This organization issues certificates that attest to the authenticity of the parties involved in an exchange or agreement. A system administrator generates a certificate request, which in turn creates a key pair: one private key and one public key. The administrator sends the public key to a trusted organization referred to as a Certificate Authority (CA). The CA is the heart of trust in a public key infrastructure. Fundamental to this trust is the CA's root signing key, which is used to sign the public keys of certificate holders and, more importantly, its own public key. Compromise of a CA's root key, whether through malicious intent, inadvertent error or system failure, can be catastrophic.

“The Certification Authority provides a level of assurance that the public key contained in the certificate does indeed belong to the entity named in the certificate. The digital signature placed on the public key certificate by the CA provides the cryptographic binding between the entity's public key, the entity's name, and other information in the certificate, such as a validity period. For an end user to determine whether a legitimate CA issued the certificate, the end user must verify the issuing CA's signature on the certificate.” [18]

Not just anyone can issue an SSL certificate. If that were the case, SSL certificates could not be used commercially, since there would be no basis for trust. Instead, only Certificate Authorities issue SSL certificates.


CAs generally invest in:

1. Establishing the SSL technology

2. Support and troubleshooting for SSL

3. Legal matters concerning privacy and security

4. Commercial infrastructure to maintain the authenticity of SSL certificates

Fewer than 10 CAs issue commercial SSL certificates. Until recently the SSL market was monopolized by Verisign and Thawte. Recently, players like GeoTrust and Equifax have also joined the digital certificate market, and even small and medium-sized businesses are now starting to become certificate authorities.

Who are the top 2 CAs?

Each month Netcraft (www.netcraft.com) publishes the market share of each CA.

The following chart summarizes the market share of the top 2 enterprise players in the .net market, namely Verisign and GeoTrust. The chart also shows the market share of Thawte (Thawte is a Verisign company).


Certificate Authorities are aiming for:

1. Broad applicability: Email certification, server certification, etc. Diversification of certificate types could lead to cross-certification among Certificate Authorities.

2. International alignment: CAs aim to align the international market for digital certificates so that browsers everywhere accept certificates meeting the 128-bit standard.

3. CA ratings: CAs aim for better ratings among themselves, which will bring better services and security to end-users.


For a fee, a CA issues a public key certificate stating that it has verified that the public key belongs to the person (or organization) named in the certificate. The main concept is that if the user trusts the CA and can authenticate the CA's signature, then he can also verify that a given public key does indeed belong to the person identified in the certificate.

The main obligation of a CA is to verify the identity of an applicant, so that users can trust the certificates and public keys issued by that CA without fear that the holder is an impostor. [19]

In economics, a market is an effective arrangement by which buyers and sellers are brought into close and free contact, directly or indirectly, to effect an exchange between them. In a web-site market, they deal indirectly.

Features of a Certificate Authority Market:

1. A market need not refer to a particular place. It includes the entire area of operation in which digital certificates are bought and sold.

2. A market can be an arrangement that facilitates transactions between buyer and seller indirectly, with no personal meeting required. This is how e-commerce works, and digital certificates aid the security of e-commerce.


Market Models

1. Perfectly competitive market:

Perfect competition is characterized by many buyers and sellers, and many similar products and hence many substitutes. Under perfect competition there are few if any barriers to entry, and prices are determined by supply and demand. Producers in a perfectly competitive market are therefore subject to the prices determined by the market and have no leverage. For example, if one firm in a perfectly competitive market decided to increase the selling price of a good, consumers could simply turn to the nearest competitor for a better price, and the firm that raised its prices would lose market share and profits.

The features of a perfectly competitive market (or perfect competition) are:

i. Large number of buyers and sellers

ii. Homogeneous products/services

iii. Free entry and free exit for firms

iv. Perfect knowledge on the part of buyers and sellers

v. Perfect mobility of the factors of service production

vi. Absence of transport cost

vii. Full and perfect competition

viii. No government intervention

2. Pure competition

ii. Homogeneous products/services

iii. Free entry and free exit for firms

3. Monopoly

Monopoly is a market in which a single seller controls the supply of a service or commodity. He faces no competition, as there is no close substitute for his service or commodity. The features of monopoly are:

i. Existence of a single firm

ii. No close substitute

iii. Barriers to entry

iv. A monopolist can fix either the price or the output sold, but not both

v. Firm and industry are the same

vi. Large number of buyers

vii. Downward-sloping demand curve

4. Monopsony: Similar to a monopoly, but where a large buyer (not seller) controls a large proportion of the market and drives prices down. Sometimes referred to as a buyer's monopoly.

5. Oligopoly: A market controlled by a small group of firms. A monopoly is when only one company exerts control over most of a market; an oligopoly is similar, except that there are at least two firms. The retail gas market is a good example of an oligopoly: a small number of firms control a large majority of the market.


In an oligopoly only a few firms make up an industry. These few firms have control over price and, like a monopoly, an oligopoly has high barriers to entry. The products are almost identical, so the companies, competing for market share, are interdependent through market forces. If, for example, an economy needs only 100 widgets and Company X produces 50 while its competitor, Company Y, produces the other 50, the prices of the two brands will be interdependent and therefore similar. So if Company X starts selling its widgets more cheaply, it will gain market share and force Company Y to sell more cheaply as well.

6. Oligopsony: Similar to an oligopoly, but where a small number of large buyers (not sellers) control a large proportion of the market and drive prices down. A good example of an oligopsony is the tomato market. There might be only a couple of large companies who purchase from growers, so they have the ability to drive prices down. The growers are in a tough position, because if they don't sell at the lower price they risk not selling their tomatoes at all.

7. Cartel: A small group of producers of a good or service who agree to regulate supply in an effort to control or manipulate prices. The best-known example of a cartel is probably the Organization of Petroleum Exporting Countries (OPEC).


In January 2001, Netcraft (http://www.netcraft.com) published the market share of Certificate Authorities on its website. [20]

The following graph and table are restricted to recognized certification authorities.

Note that certificates issued by Verisign are shown here as RSA Data Security, as that is the name it uses to sign the certificates.

The graph below shows that there are a number of Certificate Authorities and that Verisign (RSA Data Security) and Thawte Consulting are the major players, each holding approximately 50% of the market.

Figure 1 Source:


More Certificate Authorities are mentioned in the Netcraft website.

Authority                                           Weighted %    Feb    Mar    Apr    May    Jun    Jul    Aug    Sep    Oct    Nov    Dec    Jan
                                                                  2000   2000   2000   2000   2000   2000   2000   2000   2000   2000   2000   2001
RSA Data Security, Inc.                                  49.38  30665  33244  36745  41178  41800  44285  46161  47925  48812  49212  50907  51054
Thawte Consulting cc                                     42.81  25414  27932  30510  33822  34759  37354  39629  40581  41961  43060  45040  45867
Verisign Trust Network                                    5.25   1237   1629   2043   2507   2910   3451   3973   4623   5173   5904   6428   7049
Equifax Secure Inc                                        1.61    234    262    319    491    667    833   1085   1276   1600   1865   2074   2503
Entrust.net                                               0.38     87    123    167    203    234    259    303    342    381    434    456    500
TC Trust Center for Security in Data Networks GmbH        0.17      0      0      0    121    127    138    137    158    173    190    216    225


The digital certificate market is growing 100 to 200 percent annually. (Source: Entrust targets Verisign on certs; http://news.com.com/2100-1017-226393.html?legacy=cnet ). Verisign has been the most visible issuer of digital certificates and recently acquired Thawte. Verisign, which formerly had a 60% market share, and Thawte, with 35%, now constitute an overwhelming monopoly in the digital certificate marketplace. Verisign reports that it has 4,000,000 active digital certificates, which it estimates to be 90% of the market. (Source: Internetnews; Verisign nCipher Team on Hardware SSL Certs; http://www.internetnews.com/infra/article.php/2177991 ).

As shown earlier, the digital certificate market can be classified into a particular market model, i.e. perfect competition.

1. Large number of buyers and sellers

There are many buyers and sellers of digital certificates. Web hosting companies, resellers, domain name registrars, website designers, individuals and others make up the buyers. The sellers are mainly the resellers of the various service providers, together with the Certificate Authorities themselves.

2. Homogeneous products/services

Homogeneous can be defined as "all of the same kind or nature". The various services, such as digital certificates, code signing and encryption, share the same main purpose of providing security and are therefore homogeneous.


3. Free entry and free exit for firms

All players in the digital certificate market have free entry and exit. No one can deny another entry to, or exit from, the market. For example, ICICI, which was a Certificate Authority, recently ceased to be one.

4. Perfect knowledge on the part of buyers and sellers

Buyers and sellers are free to ask for and give information on the certificates and their security strengths and limitations. There are websites that provide detailed knowledge of digital certificates, and at the time of a transaction buyers and sellers usually know enough to understand and define what a digital certificate is.

5. Perfect mobility of the factors of service production

A digital certificate is a service: it can easily be transferred to another owner or be cancelled by the issuing certificate authority.

6. Absence of transport cost

Being an online service, a digital certificate carries no transport cost.

7. No government intervention

Regulatory bodies have been formed to control the standards for digital certificates. However, the government usually does not intervene in the implementation of digital certificates. The government can set standards for its own use, but it does not have the power to control the various Certificate Authorities.


Since all of the above points apply to the digital certificate market, I conclude that it is a perfectly competitive market.

Newly Emerging Certificate Authorities

Every year a number of new Certificate Authorities emerge. A web browser ships with a limited number of known CA certificates, so each new Certificate Authority's root certificate must be embedded in the next release of the browser software before the certificates it issues to end users are recognized.

Embedding is not a simple process: the CA in question must pass a third-party review and accreditation. In the meantime (i.e. until the next browser release), a new CA can still operate, but users must manually import the new CA's root certificate into their browser. Importing the CA's certificate embeds the CA's public key in the browser so that it can authenticate the certificates issued by that CA.

There are a few issues concerning newly emerging Certificate Authorities:

1. Trust

2. Compatibility

3. Simplicity
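The hash-then-sign flow described earlier for Bob and Pat, the code-signing procedure (the CA vouching for the developer's key, the browser checking the CA's signature first) and the situation of a CA whose root is not yet embedded in the browser, carried through in one added example that is not from the paper or from any vendor. Textbook RSA on Mersenne-prime moduli stands in for a real signature scheme so that only the Python standard library is needed; the company name and sample macro are constructed.

```python
"""Hash-then-sign code signing checked through a toy CA chain.

Added example; not from the paper or any vendor.  Textbook RSA with
Mersenne-prime moduli stands in for a real signature scheme so that only
the standard library is needed.  Real deployments use vetted libraries,
PKCS#1 padding and X.509 certificates; nothing here is secure.
"""
import hashlib
from typing import Dict, List, Tuple

Key = Tuple[int, int]  # (modulus n, exponent)


def toy_keypair(p: int, q: int) -> Tuple[Key, Key]:
    """Textbook RSA key pair from two primes; returns (public, private)."""
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, e), (n, d)


def message_digest(data: bytes) -> int:
    """'Crunch down' the data by hashing; the digest is read as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, private_key: Key) -> int:
    """Signature creation: transform the digest with the private key.

    The result is a separate value, so it can travel attached to the data
    or detached from it, as the paper notes.
    """
    n, d = private_key
    return pow(message_digest(data), d, n)


def verify(data: bytes, signature: int, public_key: Key) -> bool:
    """Signature verification: undo with the public key, re-hash, compare."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(data)


def cert_body(subject: str, public_key: Key) -> bytes:
    """What the CA signs: the holder's name bound to the holder's public key."""
    return f"{subject}|{public_key[0]}|{public_key[1]}".encode()


def issue_certificate(subject: str, public_key: Key, ca_private: Key) -> Dict:
    """CA step: after vetting the applicant, sign name plus public key."""
    return {"subject": subject, "public_key": public_key,
            "signature": sign(cert_body(subject, public_key), ca_private)}


def sign_code(code: bytes, dev_private: Key, certificate: Dict) -> Dict:
    """Developer step: ship the code, its signature and a copy of the cert."""
    return {"code": code, "signature": sign(code, dev_private),
            "certificate": certificate}


def verify_download(package: Dict, trusted_cas: List[Key]) -> Tuple[bool, str]:
    """Browser step: check the CA's signature on the cert, then the code."""
    cert = package["certificate"]
    body = cert_body(cert["subject"], cert["public_key"])
    if not any(verify(body, cert["signature"], ca) for ca in trusted_cas):
        return False, "certificate issuer is not in the browser's trusted list"
    if not verify(package["code"], package["signature"], cert["public_key"]):
        return False, "code altered, or not signed by " + cert["subject"]
    return True, "code signed by " + cert["subject"]


# Constructed keys.  Mersenne primes keep the arithmetic honest (the digest
# must be smaller than n) but would be a hopeless choice for a real key.
CA_PUB, CA_PRIV = toy_keypair((1 << 1279) - 1, (1 << 2203) - 1)
NEW_CA_PUB, NEW_CA_PRIV = toy_keypair((1 << 2281) - 1, (1 << 3217) - 1)
DEV_PUB, DEV_PRIV = toy_keypair((1 << 521) - 1, (1 << 607) - 1)


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the four situations the text describes and return each verdict."""
    subject = "Example Dev LLC (constructed)"
    code = b'MsgBox "Hello from a signed macro"'  # constructed sample macro
    cert = issue_certificate(subject, DEV_PUB, CA_PRIV)
    package = sign_code(code, DEV_PRIV, cert)
    results = {"genuine": verify_download(package, [CA_PUB])}

    # Any change after signing, even one letter, breaks the digest match.
    tampered = dict(package, code=code.replace(b"Hello", b"Hallo"))
    results["tampered"] = verify_download(tampered, [CA_PUB])

    # A newly emerging CA: the chain is valid, but its root is not yet
    # embedded in the browser, so the download is rejected until the user
    # (or the next browser release) adds that root.
    new_cert = issue_certificate(subject, DEV_PUB, NEW_CA_PRIV)
    new_package = sign_code(code, DEV_PRIV, new_cert)
    results["new_ca_unknown"] = verify_download(new_package, [CA_PUB])
    results["new_ca_embedded"] = verify_download(new_package, [CA_PUB, NEW_CA_PUB])
    return results


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:16} {'ACCEPT' if ok else 'REJECT'}  {why}")
```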


Trust: Usually, the end-user will not trust a digital certificate issued by a newly emerging CA. The value of security and authentication comes into play here.

Compatibility: Older web browsers might not be compatible with certificates issued by the new CAs. The browser would then show a popup window saying that the certificate is not valid, which again makes the end-user uncomfortable.

Simplicity: The procedure for installing a newly issued certificate in a web browser should be simple. At present it is complicated and not user friendly.

Price competition: Initially it is very difficult for a new CA to match the pricing of an established competitor.

"Make sure that the site you are dealing with has an SSL certificate" is no longer the whole story. To be more confident, one should not only make sure the site has an SSL certificate but also click on the lock and inspect the certificate to learn who issued it and when it expires.

Previously, to get an SSL certificate, one had to provide documents to prove you are who you say; i.e. articles of Incorporation, business license, DBA, bank statements etc. This is still valid for most of the BIG certificate authorities. However, it is not always true. A


the certificate. Instead, they just make sure that the domain is controlled by you. Such certificates would definitely encrypt the data; but they would void the idea of the legitimacy of whom you are dealing with.

Current versions of the Microsoft and Netscape browsers let users add new certificate authorities, and as older browser versions have been replaced, new certificate authorities such as Equifax and ICICI have had the opportunity to emerge.

The figure below shows the number of sites with matching certificates. Matching certificates are those that are authentic and have not expired. Netcraft used various methodologies to determine this.

To learn more about the methodologies used by Netcraft, see:

http://www.netcraft.com/surveys/analysis/https/2000/Oct/index.html#wrongnames

The curve of matching certificates slopes upward. It indicates that, other things remaining unchanged, the supply of matching certificates expands as awareness of the importance of certificates rises and contracts when knowledge of, or demand for, certificates is lacking.


Number of these Sites with Correctly Matching Certificates for 2001

Figure 2 Source:

http://www.netcraft.com/surveys/analysis/https/2001/Jan/CMatch/certsfrm.html

The graph below shows the issue dates of certificates during the year. It shows a varied movement, indicating that certificate issuance tends to be higher during the first three quarters of the year and gradually declines in the last quarter. However, there was a sharp decrease in the number of certificates issued during March and April 2001.


Certificate Issue Dates in Year to January 2001

Figure 3 Source:

http://www.netcraft.com/surveys/analysis/https/2001/Jan/CMatch/certsfrm.html

Most, though not all, certificates are valid for one year.

7654 of the approximately 12500 sites in total were using certificates that had already expired at the time of the survey. This low number indicates that sites are retaining their confidence in, and commitment to, SSL encryption.

Some certificates listed issuers that were not known to us as Certificate Authorities. The most plausible explanation is that these certificates were actually self-signed, but not in a way that we were able to determine automatically. However, new certificate issuers would also be treated in the same way.


The distribution of certificates that were expired or were signed by implausible certificate authorities is shown in the following chart.

Figure 4 Source:


Role of Resellers in Digital Certificates market

A reseller is an intermediary: he buys goods or services in bulk at a lower rate and sells them at a higher rate, keeping the difference as his profit.

In the digital certificate market, the resellers are usually:

1. Web application developers

2. Domain name sellers

3. Payment gateway processors

4. Web hosting companies

5. Individuals

6. Security experts

Resellers usually have a large network with many clients, so it is easier to find more clients with the same need through a reseller than to market a particular service directly.

Certificate Authorities therefore tend to give resellers extra perks in order to reach more customers through them, which increases the volume of digital certificate sales. The resellers' profits are usually 20% to 30% of their net sales.


Resellers in the Digital certificate market usually enjoy:

1. Recurring income – Future sales and renewals bring recurring income to the reseller.

2. No investment – There is no initial cost to join a reseller program.

3. No work – When a customer purchases a digital certificate, the Certificate Authority does all the work; the reseller typically just brings the customer to the Certificate Authority.

4. No back office maintenance – All billing and technical aspects of a digital certificate can be handled by the Certificate Authority. The reseller simply earns his commission in between.

5. High profits – The profit margins in a digital certificate reseller program are usually very high.

6. No liability – It is the Certificate Authority, not the reseller, who is liable to the end-user. The reseller can draft its Terms of Service (TOS) so that they disclaim liability on its part.


The chart below is provided by Eliteral.com. It lists the prices charged by the Certificate Authorities and the prices offered to their resellers, showing the profit margin earned by resellers on digital certificates. [21]

Verisign Digital Certificates

Certificate                                                             Reseller's cost price   Reseller's selling price
Secure Server Id (new, for US companies) [40 bit]                       US$280                  US$329
Secure Server Id (renewal / additional, for US companies) [40 bit]      US$200                  US$229
Secure Server Id (for non-US companies) [40 bit]                        US$360                  US$409
Secure Server Id (renewal / additional, for non-US companies) [40 bit]  US$280                  US$329
Global Server Id [128 bit]                                              US$640                  US$729

Thawte Digital Certificates

Thawte Digital Certificate SSL
Thawte Digital Certificate Super Cert [128 bit]                         US$427                  US$439

Geo-Cert

Geo-Cert Quick SSL (two days processing time)                           US$119                  US$139

The chart above shows clearly that the main Certificate Authorities charge a lot more than the resellers do. The aggregate demand for digital certificates thus pushes the end-user market towards the resellers.

Aggregate demand is the total amount of money that people are ready to spend on goods and services during a given period. Since expenditure indicates demand, aggregate expenditure indicates aggregate demand.


Importance of Digital Certificates in Securing Mobile Technology

Wireless systems are so obvious a boon to business that they have to be seriously considered in any implementation or upgrade plan. Mobile computing devices such as notebook PCs, PDAs and smart phones have become an indispensable part of the modern enterprise. Unfortunately, the mobility that makes these devices so popular also makes them highly vulnerable. User-controlled authentication and file encryption alone cannot provide sufficient security. Sufficient security is achieved only when there is zero possibility of an attacker getting into the system, or using a back-door entrance to it, without authorization.

Mobile technologies face a series of problems such as:

1. Updating: Mobile devices are usually away from the network. Hence, they are not usually available for regular security patches/updates. This can delay the process of distributing new signatures and activity logs.

2. Compact: Because users prefer smaller devices, mobile devices keep shrinking. Accordingly, implementing additional security tools on them is a major problem.

3. Processor: Processor-intensive operations caused by security updates can reduce the device's battery life.

4. Removable Storage: Removable storage devices must be secured. To prevent the loss of highly important data, digital certificates must be used for authentication.

Since these mobile technologies are widely promoted and have become handy in everyday use, they need a great deal of security. The current situation allows people to perform stock market trades and banking transactions on their PDAs and cell phones. If the security of such vital information is not taken care of, there would not only be a tremendous financial loss but also privacy issues arising from the same data.

The use of digital certificates for transactions over these wireless and mobile devices would be a boon. The browsers on these devices should be capable of, and compatible with, the digital certificates that will be installed. If security is taken care of, the use of mobile devices would be taken to the next level and at a higher volume.
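As an added example (not code from this paper), the following Go program uses the standard library's crypto/x509 package to show how certificate-based authentication of a mobile device behaves in the situations raised above. The back end builds a constructed root CA, issues a short-lived device certificate, and verifies it on a fixed clock: once while the certificate is fresh, once when the device reconnects after staying offline past the certificate's expiry (the "Updating" problem), and once for a certificate issued by a CA the back end does not trust. The CA names, the device id "pda-0001", the serial number, the 90-day lifetime and the 2004 clock are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// check aborts the demo on setup errors (key generation, certificate encoding).
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// NewRootCA creates a constructed, self-signed root valid for ten years from notBefore.
func NewRootCA(name string, notBefore time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ECDSA: cheap on small devices
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// IssueDeviceCert has a CA sign a short-lived client-authentication certificate for one device.
func IssueDeviceCert(deviceID string, serial int64, notBefore time.Time, lifetime time.Duration, caCert *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // in practice this key stays on the device
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &devKey.PublicKey, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// AuthenticateDevice is the back end's check when a device presents a certificate: build a
// chain to a trusted root, valid at time now, that permits client authentication.
func AuthenticateDevice(cert *x509.Certificate, trusted *x509.CertPool, now time.Time) string {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       trusted,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	switch e := err.(type) {
	case nil:
		return "ok"
	case x509.CertificateInvalidError:
		if e.Reason == x509.Expired { // Go also reports "not yet valid" under this reason
			return "expired"
		}
	case x509.UnknownAuthorityError:
		return "untrusted-issuer"
	}
	return "other"
}

// RunScenarios checks, on a fixed clock, a fresh certificate, the same certificate after the
// device stayed offline past expiry, and a certificate from a CA the back end does not trust.
func RunScenarios() map[string]string {
	issued := time.Date(2004, 12, 16, 0, 0, 0, 0, time.UTC)
	corpCert, corpKey := NewRootCA("Example Corp Mobile Root CA", issued)
	rogueCert, rogueKey := NewRootCA("Unknown Root CA", issued)
	trusted := x509.NewCertPool() // the back end trusts only the corporate root
	trusted.AddCert(corpCert)
	good := IssueDeviceCert("pda-0001", 1001, issued, 90*24*time.Hour, corpCert, corpKey)
	forged := IssueDeviceCert("pda-0001", 1001, issued, 90*24*time.Hour, rogueCert, rogueKey)
	return map[string]string{
		"fresh": AuthenticateDevice(good, trusted, issued.AddDate(0, 0, 1)),
		"stale": AuthenticateDevice(good, trusted, issued.AddDate(0, 0, 120)),
		"rogue": AuthenticateDevice(forged, trusted, issued.AddDate(0, 0, 1)),
	}
}

func main() {
	fmt.Println(RunScenarios()) // map[fresh:ok rogue:untrusted-issuer stale:expired]
}
```

Run it with go run. The "stale" result is the practical side of the updating problem: a device that cannot reach the network to renew its certificate is locked out until it does, which is the safe failure mode, and logging the reason lets the back end tell an overdue renewal apart from a certificate that no trusted CA ever issued.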

Scope of Digital Certificates in the long run

“There is a broad range of applications for digital certificates: electronic banking, electronic payment systems, e-mail communication, identification in communication with public authorities (e.g. tax declaration, court documents, electronic passports, public health service, etc.), electronic contracts, elective web access, selective database access, etc.” [22]

There are a number of weak links in the security chain. They can be classified as:

1. Virus programs

2. Trojan Horses

3. Web browser plugins

4. Programming bugs

5. ActiveX controls

6. JavaScripts

7. Trusted users

Attackers can exploit the naivety and gullibility of trusting users to extract information from them. Unless you keep your wits about you, you (the trusted user) are one of the weakest links in your computer security chain.

The only reason that SSL continues to work so well is that it is not yet the weakest link in the security chain. All the research that has been conducted suggests that digital certificates will be very important in the long run.

[Figures omitted. Figure sources: http://www.ingeo.com/content.asp?pid=168 and http://www.intel.com/research/silicon/mooreslaw.htm]
