The increasing use of the Internet for business activities ? whether for sending confidential documents or handling financial transactions ? has meant that security has become a key issue.
In the early days of Internet commerce, ad hoc solutions were acceptable. For example, you could send a message securely to someone by encrypting it with a password. However, the password had to be sent to the recipient beforehand so they could decode the message. This posed the problem of how to send sensitive information to create a safe channel before that safe channel could be used to send the sensitive information.
In practice, the password was usually transmitted in some physical way, such as by courier. But this is now considered impractical because of the scale of electronic transactions envisaged on the Internet.
Fortunately, there is one encryption method that manages to break this vicious circle of password transmission. Called public key encryption, it is the basis of a practical way of making Internet transactions secure.
Public key encryption uses two keys; one is placed in the public domain, while the other ? the private key ? is kept secret. The public key is then used by someone who wants to send a message to the owner of the keys. Even though the public key is known to everyone, it cannot be used to decode a message it has encrypted: only the private key, held securely by the owner of the keys, can do this.
This magic is the result of some fairly complex mathematics from the field of number theory, and is concerned with the problem of factoring large numbers. Basically, it is much easier to multiply two large prime numbers than to split up a large number into a product of primes.
This fact has been cleverly exploited in the public key encryption approach. Although public keys solve the problem of sending encryption keys across an open network, there is still a fundamental difficulty. The user of a public key can indeed be sure that only the holder of the corresponding private key can decode any message encrypted with the public key, but cannot guarantee that this person is who he or she claims to be. For example, a malicious third party might publish a public key and claim to be the person it is whose messages they want to intercept.
So, what is needed is some way of confirming that the public key really does belong to the claimant. This has led to the creation of digital certificates, also called public key certificates or digital IDs.
The idea is to bind or securely associate a public key with the name of its owner in a way that can be checked by third parties.
A certificate is created by an authority that then acts as a guarantor of the relationship between the public key and the person named on it. This guarantee can be of varying trustworthiness. For example, the certificate authority (CA) may require the person claiming a public key to personally appear with a document, such as a passport, to prove their identity, or it may carry out only minimal checks.
To preserve the integrity of the certificate, it is signed with the private key of the CA. This means that a unique number is generated (using what is called a one-way hash function) from the contents of the certificate, and then encrypted using the private key of the CA.
When users want to check a digital certificate, they calculate the same unique number from its contents, and retrieve the encrypted hash function corresponding to this certificate from the CA.
By applying the CA?s public key to the encrypted hash function they can obtain the original number derived from the certificate ? which should be the same as the number they themselves calculated. If it isn?t, this could mean that the certificate has been tampered with, and so should not be trusted.
An official standard for certificates has now been agreed. It is called X.509. In addition to the public key and its owner, further information will be included with the certificate, for example about who issued it and when it expires.
Of course, using the public key of a certificate authority leads to another problem ? establishing that it does indeed belong to that CA. In practice, this will probably result in a hierarchy of CAs, with some overall highly-trusted CA at the top.
Indeed, there are already many organisations jockeying to become one of the main CAs. Leading companies include Verisign (at www.verisign.com/), GTE (www.cybertr-ust.gte.com/), and Cylink (at www.cylin-k.com/).
It is likely that similar public bodies in the UK will become involved with certification, along with established companies such as banks and building societies.
Once this certificate infrastructure has been set up, it can be applied to various types of transaction. For example, in a company, certificates can be used to allow a one-time log-in and establish who is allowed to access what across the corporate network. They can also be used to ensure that email messages have not been forged (using a standard called S/Mime ? see www.rsa.com/rsa/S-Mime/). Clearly, no reference to an external CA is necessary if this remain purely internal to a company.
In the outside world, digital certificates are being used with the Secure Electronic Transaction scheme (SET) for safe credit-card payment. This scheme not only protects credit-card details as they are being sent between purchaser and vendor, but hides personal information from the vendor completely. You can find out more about this at www.visa.com/cgi-bin/vee/ sf/set/faq.html?2+0.
More recently, certificates have been applied to electronic data interchange (EDI) across the Internet (see www.verisi-gn.com/pr/pr_edi.html). The benefits of using an open, public system such as the Internet for EDI are great ? interoperability and far lower costs ? but potentially so are the risks. The use of certificates promises the best of both worlds.
Alongside this infrastructure, there are several products that support certificates. For example, Netscape?s new Communicator browser/groupware suite includes extensive certificate capabilities. Netscape has also launched a Certificate Server for using certificates within an organisation.
Also, what's a USB stick?
Gravitational waves become extremely weak by the time they reach the Earth and require highly sensitive equipment for detection
The reactor topped out at 100 million° C
Cosmic event will not cause any disruption on Earth, say scientists