Hot Topics - Messmer The Brain House
Hot Topics - Messmer The Brain House
Hot Topics - Messmer The Brain House
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Security alert: Do you want to proceed?<br />
BY WAI CHOI AND RICH GUSKI<br />
How would you answer this question when<br />
you go to a Web site and a Security Alert<br />
window pops up telling you that there is<br />
a problem with the site’s certificate – Yes,<br />
No or View Certificate? Or you might hope<br />
there’s a fourth option – I don’t know.<br />
This article helps explain Digital<br />
Certificates in a simple way, starting from<br />
a daily experience—online shopping.<br />
When you click Check Out after you pick<br />
the product you want, do you know what<br />
happens before it displays a page for you to<br />
enter your personal information and your<br />
credit card number?<br />
Actually, quite a bit happens. Your<br />
browser and the host site negotiate what<br />
is called a Secure Socket Layer (SSL)<br />
handshake, a process that goes<br />
like this: the Web site sends its<br />
certificate to your browser<br />
to prove its identity to<br />
ensure you that you are<br />
really dealing with the<br />
Web site that you think<br />
you are. Your browser<br />
then determines<br />
whether it can trust that<br />
certificate. If it can’t<br />
decide, it will ask you to<br />
make a decision. That’s<br />
why the Security Alert<br />
window pops up.<br />
But how does the<br />
browser decide whether<br />
to trust the certificate?<br />
<strong>The</strong> first thing it checks<br />
is whether it knows the<br />
issuer of the certificate<br />
by checking whether a<br />
certificate for the issuer<br />
is in the browser’s trusted certificate store.<br />
Certificates are issued by a Certificate<br />
Authority (CA). <strong>The</strong> CA must have its<br />
own certificate, either issued by another<br />
CA or issued by itself, before it can issue<br />
certificates for other parties. When you<br />
install your browser, there are a number of<br />
well-known CA certificates that are placed<br />
in your browser’s trusted certificate store.<br />
Usually, a Web site applies for a certificate<br />
from a well-known CA, so when a user<br />
visits the site, the certificate it sends is<br />
known by the browser.<br />
Let’s dive a little deeper. How does the<br />
browser know which certificate in the<br />
trusted certificate store is the site’s issuer<br />
certificate? If you look at the certificate,<br />
you find the following:<br />
• Version<br />
• Serial number<br />
• Signature algorithm ID<br />
• Issuer’s name<br />
• Validity period<br />
• Subject’s name<br />
• Subject’s public key<br />
• Extension(s)<br />
• Issuer’s signature.<br />
<strong>The</strong> browser finds the issuer’s name from<br />
the host site’s certificate. It then tries<br />
to find a certificate in the store, whose<br />
subject name is the same as that issuer’s<br />
name. After it finds the issuer’s certificate,<br />
it can verify the signature on that site’s<br />
certificate by using the public key from the<br />
issuer’s certificate.<br />
Public Key cryptography involves<br />
a function in which encryption and<br />
decryption are using associated keys from<br />
a mathematically related key pair. <strong>The</strong><br />
content encrypted with one key can only<br />
be decrypted by the other. One key of the<br />
pair, which is called the public key, is put<br />
in a digital certificate for public use, while<br />
the other key, which is called the private<br />
key, is kept securely by the owner. When<br />
a CA issues a certificate, it vouches for<br />
the binding between the owner’s public<br />
key and the owner’s name by<br />
cryptographically signing the<br />
certificate with its own private<br />
key. Public Key cryptography<br />
is the soul of a digital certificate when<br />
contrasted with Secret Key cryptography<br />
in which only one key is used to encrypt<br />
and decrypt.<br />
Now you can understand why the<br />
verification on the certificate’s signature<br />
is done using the issuer’s public key<br />
– because that signature was generated<br />
using the issuer’s private key. Let’s review<br />
the verification steps involved so far.<br />
<strong>The</strong> browser identifies the issuer of<br />
the incoming certificate from the<br />
issuer’s name in the certificate.<br />
<strong>The</strong> browser then verifies the<br />
certificate by checking<br />
the signature with the<br />
issuer’s public key. <strong>The</strong><br />
public key is located in<br />
the issuer’s certificate,<br />
which is stored<br />
in the trusted<br />
certificate store.<br />
But wait<br />
there’s more!<br />
Validity period<br />
and revocation<br />
status also play a part<br />
in the validation process. If a certificate<br />
has expired or is revoked, it should not<br />
be trusted. While validity period can be<br />
checked directly from the information<br />
within the certificate itself, revocation<br />
status is checked from a Certificate<br />
Revocation List (CRL) which is located<br />
elsewhere, as indicated by the Certificate<br />
Revocation List Distribution Points<br />
extension.<br />
After a certificate is issued, its owner<br />
can use it until it expires. However, if,<br />
during that period, the certificate needs<br />
to be revoked, the CA of that certificate<br />
puts that certificate on the Certificate<br />
February 2006 z/OS HOT TOPICS Newsletter, Issue 14 25