What are Digital Certificates? Explain steps for creating a digital certificate.
A digital certificate is a way to confirm the identity of a public key owner. Normally, a third
party organization, known as CA (certification authority), is responsible for confirming or
binding the identity of a digital certificate owner. It is used to establish secure communication
between two parties who are unknown to each other or have a lack of trust. Digital certificate can
assure that the person who you want to establish communication with is actually the person who
he claims to be.
So, the main reason for using a digital certificate is building trust between two parties who want
to communicate securely. We can verify an unknown person’s identity when a well-known
organization endorses the identity of that person. In the case of a digital certificate, the CA or
certificate authority endorses the identity of the certificate owner, in simple words, a CA offers a
notarization server to give reasonable assurance that the owner of the certificate is authentic.
Steps for Digital Certificate Creation:
● Step-1: Key generation is done by either user or registration authority. The public key
which is generated is sent to the registration authority and the private key is kept secret
by the user.
● Step-2: In the next step the registration authority registers the user.
● Step-3: Next step is verification which is done by registration authority in which the
user’s credentials are being verified by registration authority. It also checks that the user
who sends the public key has a corresponding private key or not.
● Step-4: In this step the details are sent to certificate authority by the registration
authority who creates the digital certificate and gives it to users and also keeps a copy to
itself.
What is the purpose of PKI? Explain the role of PKI?
Public Key Infrastructure (PKI) is a system that allows for secure communication over the
internet by using public key cryptography. The purpose of PKI is to provide a way for people to
securely exchange information, such as sensitive data or confidential documents, without fear of
interception or eavesdropping.
PKI accomplishes this by using digital certificates, which are essentially electronic documents
that serve as proof of identity for a particular user or entity. These certificates are issued by
trusted third-party organizations, called Certificate Authorities (CAs), who verify the identity of
the certificate holder and vouch for their authenticity. By using PKI, users can be confident that
their communications are secure and that they are communicating with the intended recipient.
The role of Public Key Infrastructure (PKI) in cryptography is to provide a framework for
securely transmitting and verifying cryptographic keys. PKI uses public key cryptography to
encrypt and decrypt messages, and it relies on a network of trusted entities to manage and
validate the digital certificates that are used to identify users and devices. Some of the key roles
that PKI plays in cryptography include:
Authentication: PKI provides a way to authenticate the identity of users and devices, which
helps to prevent unauthorized access and ensure the integrity of communications.
Encryption and decryption: PKI allows for secure transmission of messages by using public
key cryptography to encrypt messages and decrypt them with the corresponding private key.
Integrity and non-repudiation: PKI ensures the integrity of messages by providing a digital
signature that verifies that the message has not been tampered with, and it provides
non-repudiation by making it difficult for users to deny that they sent a message.
Key management: PKI provides a framework for managing and distributing cryptographic keys,
which helps to ensure that keys are used securely and that they remain confidential.
Overall, PKI plays a critical role in cryptography by providing a secure and trusted framework
for managing cryptographic keys and protecting communications.
Explain PKIX Model.
● As we know, the X.509 standard defines the digital-certificate structure, format and
fields.
● It also specifies the procedure for distributing the public keys.
● In order to extend such standards and make them universal, the Internet Engineering Task
Force (IETF) formed the Public Key Infrastructure X.509(PKIX) working group.
● This extends the basic philosophy of the X.509 standard, and specifies how the digital
certificates can be deployed in the world of the Internet.
● Services of PKIX : PKIX identifies the primary goals of a PKI infrastructure in the form
of the following broad level services:
Registration -It is the process where an end-entity (subject) makes itself known to a CA.
Usually, this is via an RA.
Initialization– This deals with the basic problems, such as the methodology of verifying
that the end-entity is talking to the right CA.
Certification-In this step, the CA creates a digital certificate for the end-entity and
returns it to the end-entity, maintains a copy for its own records, and also copies it in
public directories, if required.
Key-Pair Recovery Keys– used for encryption may be required to be recovered at a later
date for decrypting some old documents. Key archival and recovery services can be
provided by a CA or by an independent key-recovery system.
Key Generation PKIX specifies that the end-entity should be able to generate
private-and public-key pairs, or the CA/RA should be able to do this for the end-entity
(and then distribute these keys securely to the end-entity).
Key Update
This allows a smooth transition from one expiring key pair to a fresh one, by the
automatic renewal of digital certificates. However, there is a provision for manual digital
certificate renewal request and response.
Cross-certification
Helps in establishing trust models, so that end-entities that are certified by different CAs
can cross-verify each other.
Revocation PKIX provides support for the checking of the certificate status in two
modes: online (using OCSP) or offline (using CRL).
Explain Public Key Cryptography Standards (PKCS).
The PKCS model was initially developed by RSA Laboratories with help from representatives
of the government, industry, and academia.
The main purpose of PKCS is to standardize Public Key Infrastructure (PKI).
The standardization is in many respects, such as formatting, algorithms and APIs.
This would help organizations develop and implement inter-operable PKI solutions, rather than
everyone choosing their own standard.
PKCS standard :
● PKCS#5—Password Based Encryption (PBE) Standard
● PKCS#11—Cryptographic Token Interface Standard
● PKCS#12—Personal Information Exchange Syntax
● PKCS#8—Private Key Information Syntax Standard
● PKCS#10—Certificate Request Syntax Standard
● PKCS#14—Pseudo-Random Number Generation Standard
Important PKCS standard :
PKCS#5—Password Based Encryption (PBE) Standard
● we first encrypt the plain-text message with the symmetric key, and
● then encrypt the symmetric key with a Key Encryption Key (KEK).
● This protects the symmetric key from an unauthorized access
PKCS#11—Cryptographic Token Interface Standard :
● This standard specifies the operations performed using a hardware token, such as
a smart card.
● A smart card is similar to a credit card or an ATM card in terms of its look and
feel. However, a smart card is smart in the sense that it has its own cryptographic
processor and memory on the card itself.
● In simple terms, a smart card is a small microprocessor with its own memory,
inside a plastic cover.
PKCS#12—Personal Information Exchange Syntax :
● The PKCS#The 12 standard was developed to solve the problem of certificate and
private-key storage and transfer.
● More specifically, how does one store/transfer one’s certificate and private key
securely, without worrying about their tampering? This is especially true in the
case of Web-browser users.
PKCS#8—Private Key Information Syntax Standard :
● This standard describes the syntax for storing the private key of a user securely.
● This standard also describes how to store a few other attributes along with the
private key.
● The standard also describes the syntax for encrypting private keys, so that they
cannot be attacked.
● A Password Based Encryption algorithm (using PKCS #5) could be used to
encrypt the private-key information.
PKCS#10—Certificate Request Syntax Standard :
● A certification request consists of three aspects: certification-request information,
signature-algorithm identifier, and a digital signature on the certification-request
information.
● The certification-request information consists of the entity’s distinguished name,
the entity’s public key, and a set of attributes providing other information about
the entity
● The entity requesting for the certificate then signs these values together with
his/her private key and sends the certificate-request information, the signed
request and the signature algorithm used to the CA.
● The CA verifies the signature and other aspects regarding the entity, and if
they are found alright, and issued a certificate.
PKCS#14—Pseudo-Random Number Generation Standard :
● A Random Number Generator (often abbreviated as RNG) is a device that is very
specifically designed to generate a series of numbers or symbols that do not
exhibit any specific pattern. Programming language may be used to generate
random numbers.
Discuss the XML, PKI and Security.
The EXtensible Markup Language (XML) is at the centerstage of the modern world of
technology. XML forms the backbone of the upcoming technologies, such as Web services.
Almost every aspect of Internet programming is concerned with XML. The overall technology
related to XML and security can be summarized as shown in Fig.
XML and security
XML Encryption
The most interesting part about XML encryption is that we can encrypt an entire document, or
its selected portions. This is very difficult to achieve in the non-XML world. We can encrypt one
or all of the following portions of an XML document:
● The entire XML document
● An element and all its sub-elements
● The content portion of an XML document
● A reference to a resource outside of an XML document
The steps involved in XML encryption are quite simple, and are as follows:
1. Select the XML to be encrypted (one of the items listed earlier, i.e. all or part of
an XML document).
2. Convert the data to be encrypted in a canonical form (optional).
3. Encrypt the result using public key encryption.
4. Send the encrypted XML document to the intended recipient.
Figure shows a sample XML document, containing the details of a credit card user.
Sample XML document showing a user’s credit-card details
XML Digital Signature
As we can see, a digital signature is calculated over the complete message. It cannot be
calculated only for specific portions of a message. The simple reason for this is that the first step
in a digital signature creation is the calculation of the message digest over the whole message.
Many practical situations demand that users be able to sign only specific portions of a message.
For instance, in a purchase request, the purchase manager may want to authorize only the
quantity portion, whereas the accounting manager may want to sign only the rate portion. In such
cases, XML digital signatures can be used.
They are also useful from the perspective of new technologies such as XML digital signature.
This technology treats a message or a document as consisting of many elements, and provides for
the signing of one or more such elements. This makes the signature process flexible and more
practical in nature.
Encrypted credit card details
The steps in performing XML digital signatures are as follows.
1. Create a SignedInfo element with Signature Method, Canonicalization Method
and References.
2. Canonicalize the XML document.
3. Calculate the SignatureValue, depending on the algorithms specified in the
SignedInfo element.
4. Create the digital signature (i.e. Signature element), which also includes the
SignedInfo, KeyInfo, and SignatureValue elements.
A simplistic example of an XML digital signature is shown in Fig. 5.47. We shall also explain
the
important aspects of the signature.
XML Digital signature example (simplified)
PKI
Public Key Infrastructure (PKI) is a system that allows for secure communication over the
internet by using public key cryptography. The purpose of PKI is to provide a way for people to
securely exchange information, such as sensitive data or confidential documents, without fear of
interception or eavesdropping.
PKI accomplishes this by using digital certificates, which are essentially electronic documents
that serve as proof of identity for a particular user or entity. These certificates are issued by
trusted third-party organizations, called Certificate Authorities (CAs), who verify the identity of
the certificate holder and vouch for their authenticity. By using PKI, users can be confident that
their communications are secure and that they are communicating with the intended recipient.
The role of Public Key Infrastructure (PKI) in cryptography is to provide a framework for
securely transmitting and verifying cryptographic keys. PKI uses public key cryptography to
encrypt and decrypt messages, and it relies on a network of trusted entities to manage and
validate the digital certificates that are used to identify users and devices. Some of the key roles
that PKI plays in cryptography include:
1. Authentication: PKI provides a way to authenticate the identity of users and devices,
which helps to prevent unauthorized access and ensure the integrity of communications.
2. Encryption and decryption: PKI allows for secure transmission of messages by using
public key cryptography to encrypt messages and decrypt them with the corresponding
private key.
3. Integrity and non-repudiation: PKI ensures the integrity of messages by providing a
digital signature that verifies that the message has not been tampered with, and it provides
non-repudiation by making it difficult for users to deny that they sent a message.
4. Key management: PKI provides a framework for managing and distributing cryptographic
keys, which helps to ensure that keys are used securely and that they remain confidential.
Overall, PKI plays a critical role in cryptography by providing a secure and trusted framework
for managing cryptographic keys and protecting communications.
Security:
Security is a critical aspect of cryptography as it ensures that digital communication is protected
from unauthorized access, interception, modification, or deletion. Cryptography provides several
security measures to safeguard digital communication, including:
1. Confidentiality: Cryptography ensures that data is kept confidential by encrypting it so
that only authorized users can access it.
2. Integrity: Cryptography provides data integrity by using hashing algorithms to ensure that
the data has not been modified during transmission.
3. Authentication: Cryptography provides authentication by using digital signatures to verify
the identity of the sender and receiver of data.
4. Non-repudiation: Cryptography provides non-repudiation by using digital signatures to
ensure that a sender cannot deny having sent a message.
5. Key Management: Cryptography provides secure key management to ensure that
encryption keys are kept secure and are only accessible by authorized users.
Cryptography plays a critical role in ensuring the security of digital communication. It provides
several security measures, including confidentiality, integrity, authentication, non-repudiation,
and secure key management. By using these measures, digital communication can be protected
from unauthorized access, interception, modification, or deletion.
Time-Stamp Protocol
The Time-Stamp Protocol, or TSP is a cryptographic protocol for certifying timestamps using
X.509 certificates and public key infrastructure. The timestamp is the signer's assertion that a
piece of electronic data existed at or before a particular time. The protocol is defined in RFC
3161. One application of the protocol is to show that a digital signature was issued before a point
in time, for example before the corresponding certificate was revoked.
Secure Electronic Transaction or SET
It is a security protocol designed to ensure the security and integrity of electronic transactions
conducted using credit cards. Unlike a payment system, SET operates as a security protocol
applied to those payments. It uses different encryption and hashing techniques to secure
payments over the internet done through credit cards. The SET protocol was supported in
development by major organizations like Visa, Mastercard, and Microsoft which provided its
Secure Transaction Technology (STT), and Netscape which provided the technology of Secure
Socket Layer (SSL).
SET protocol restricts the revealing of credit card details to merchants thus keeping hackers and
thieves at bay. The SET protocol includes Certification Authorities for making use of standard
Digital Certificates like X.509 Certificate.
Before discussing SET further, let’s see a general scenario of electronic transactions, which
includes client, payment gateway, client financial institution, merchant, and merchant financial
institution.
Requirements in SET: The SET protocol has some requirements to meet, some of the important
requirements are:
● It has to provide mutual authentication i.e., customer (or cardholder) authentication
by confirming if the customer is an intended user or not, and merchant authentication.
● It has to keep the PI (Payment Information) and OI (Order Information) confidential
by appropriate encryptions.
● It has to be resistive against message modifications i.e., no changes should be allowed
in the content being transmitted.
● SET also needs to provide interoperability and make use of the best security
mechanisms.
Participants in SET: In the general scenario of online transactions, SET includes similar
participants:
1. Cardholder – customer
2. Issuer – customer financial institution
3. Merchant
4. Acquirer – Merchant financial
5. Certificate authority – Authority that follows certain standards and issues
certificates(like X.509V3) to all other participants.
SET functionalities:
● Provide Authentication
○ Merchant Authentication – To prevent theft, SET allows
customers to check previous relationships between merchants and
financial institutions. Standard X.509V3 certificates are used for
this verification.
○ Customer / Cardholder Authentication – SET checks if the use
of a credit card is done by an authorized user or not using
X.509V3 certificates.
● Provide Message Confidentiality: Confidentiality refers to preventing unintended
people from reading the message being transferred. SET implements confidentiality
by using encryption techniques. Traditionally DES is used for encryption purposes.
● Provide Message Integrity: SET doesn’t allow message modification with the help
of signatures. Messages are protected against unauthorized modification using RSA
digital signatures with SHA-1 and some using HMAC with SHA-1.
What is 3D Secure?
3D Secure is a protocol that allows for two-factor authentication, or 2FA, when making cardless
payments. If your card provider uses 3D Secure, then you’ll be prompted to take an extra step to
confirm your identity when making payments that don’t involve a physical card.
The extra step might be a special PIN that you input in the payment portal, or it could involve
biometric authentication — your thumbprint, for example. The system is designed to make
cardless payments dependent on some element that a criminal is unlikely to have access to, even
if they’ve stolen your card details.
The name is derived from the fact that, during the secure payment process, three domains are
involved — the domain making the payment, the domain receiving it, and the interoperability
domain (essentially, all the systems in between).
How 3D Secure works?
3D Secure works by prompting users to fulfill an extra authentication process when paying for
something online. The specific step required can be different for each card provider, but will
usually involve a PIN or password, or some form of biometric authentication.
For example, imagine that you are purchasing some gig tickets from an online vendor. You input
your card details and click “Pay.” Without 3D Secure, your payment goes through as long as the
details you’ve typed in so far are correct. That would mean that anyone who had access to your
card details could potentially spend your money.
If your card is set up with 3D Secure, an additional step is required to complete the transaction.
You might have to input a random number generated by your banking app (which will require
authentication to open) or engage with the biometric scanners on your device. Whatever the
specific system involves, it will depend on something that a bad actor would not easily be able to
steal or copy.
3D Secure is set up by your card provider so in most cases there’s nothing you need to do from
the consumer side to use it. As long as you’ve gone through all the required steps when acquiring
your card, the authentication process will automatically trigger when you make an online
payment.
Benefits of 3D Secure
The main benefit of 3D Secure for consumers is that it helps to keep their money safe. It’s a lot
harder for criminals to make fraudulent payments from an account that uses 3D Secure than one
without.
Businesses on the other side of the transaction also benefit from 3D Secure, thanks to something
called liability shifting. This is an important feature of 3D Secure — if a fraudulent payment is
made, despite the 3D Secure system, the card provider is responsible for the chargeback
(returning the lost money to the card owner) rather than the vendor.
The 3D Secure protocol also minimizes cybersecurity risks for consumers, because the vendor in
a transaction doesn’t get access to the authentication data. A consumer’s unique PIN or biometric
data can’t be viewed or logged by the domain they’re sending money to. If the vendor suffers a
data breach later, that information doesn’t leak.
In short, 3D Secure protects users from the threats of data leakage, identity theft, and financial
losses, and shields vendors from costly chargebacks.