Digital Certificate Operation in a Complex Environment
navigation search
search query:

PKI Primer and Project Background

6. Authentication via digital certificates

6.1. How do we use digital certificates safely?

To everyone's relief, the mathematical arena of cryptography - putting messages and data into virtually unbreakable codes - has come to our rescue. It is possible to send encrypted data over a network and for the encryption to be strong enough to be secure. Therefore, the server - or your correspondent - will be happy that the proof that you show (possibly with your digital certificate) is actually genuine if your code can be decrypted.

6.2. How reliable are they?

After reading a few web pages and going to the right places, anyone can create a digital certificate. However, for that certificate to be trusted, it needs either to have been issued by or endorsed by a trusted, and reliable, authority.

Again, 'trust' is becoming an enormous subject in its own right (see the appendix for more resources about trust). However, trust is a basic element of the use of X.509 digital certificates with a public key infrastructure (PKI). We will talk about public key infrastructure more in the next section, but in short, you can have your certificate endorsed by an authority that most people will trust.

A parallel for this concept was mentioned on the previous page by a person using her driving licence, national passport and gym membership card as means of authentication. Staff at the gym may be happy with the latter, but it is unlikely that staff at the bank will trust this form of authentication, thinking that it could be easier to forge or that it may be easier to 'fool' staff at the gym into giving you a card with someone else's name on it. The authority of the issuer of the document must be trusted. One advantage of using digital certificates within a public key infrastructure is that many bodies can generate certificates but they must gain the approval of a trusted authority and that authority verifies - for the rest of the world - that the certificates are believable.

6.3. Summary of the authentication challenges

So, what we need for this system to work is:

  • an agreed method of encryption and decryption;
  • an agreed format for a digital certificate;
  • a method of generating the certificate;
  • a general set-up whereby we can rely upon and trust the certificate.

The last point is really about 'infrastructure', as are the previous points to a greater or lesser degree, both in terms of human management and machines. All of these points show why 'public key infrastructure' (which we still haven't defined yet) is both a technology and an administration system.

We shall soon investigate what we mean by 'public key infrastructure'. However, the next section raises some common questions that may be bothering you!

Up: Contents Previous: 5. What is authentication? Next: 7. Security and digital certificates

Oxford University Computing Services Mimas Athens access management services Oxfore e-Science Centre Systems and Electronic Resources Service Joint Information Systems Committee