The Basics of Cryptography and Digital Certificates
If you think about it, it takes a great deal of trust, even courage, to go on the Internet, especially if you're sending credit card information, personal history, medical information and more.
On its own, the network is simply a highway for data—a super highway, as it's always been called. But on its own, it is an unsecured network. Everyone with a connection can hop on and be themselves, or pretend to be themselves.
Some people are out there not simply to receive information, but to steal or obtain it with trickery. That's where security data protection measures like cryptography come into the picture.
One way to keep our data protected is to make it unreadable by anyone for whom it's not intended. A cryptosystem is a process of encrypting data—altering and rearranging it—so that it looks like gibberish to someone who gets it...that is, unless they were the intended recipient.
In that case, as part of the cryptosystem, their computer will have the "key" to turn the unreadable data into its original format and understandable information.
At the heart of a cryptosystem are keys—keys are secret values that computer programs, in conjunction with an algorithm, use to encrypt and decrypt (code and decode) data. An algorithm is simply a complex mathematical formula, which means there's nothing that simple about it.
When a company sending data encrypts it with a key, only someone with the right digital key can unlock it and decrypt the message.
On the Internet, there are two kinds of keys used in encryption:
- Public-key encryption, also known as "asymmetric" cryptography, the one most used on the Internet
- Secret-key encryption
Here's how those work between the sender and receiver of an encrypted transmission:
Two keys are better than one.
Public-key encryption uses two keys, one private and one public, and the sender and receiver must have both keys. The public key is just that: out there and available. The private key, however, is kept secret and hidden on a person's computer.
- The public key can encrypt a message.
- The private key can only decrypt a message the public key encrypted.
If somebody wants to send a coded message intended only for you, they would encrypt it with your public key. But only you with your private key would be able to decrypt the message and read it.
That concept isn't too foreign to most of us. Here's an example that doesn't involve encryption:
We give hundreds of people and companies our public email address but we don't give them a means to access and open our email. Our email account password, which is private, is the key to opening that email.
Digital certificates: secret-key encryption.
The other type of encryption uses a different process. A digital certificate is one example. Digital certificates are issued to individuals by a certificate authority (CA), a private company that charges either the user or the receiver for issuing a certificate. The company DocuSign is an example of an issuer of digital certificates.
Organizations will use digital certificates to verify the identities of people and organizations they do business with...and need to trust. For example, an online retail store, or even an organization accepting a payment for merchandise, wants to make sure that someone sending credit card information is the actual owner of the card and not someone with a stolen credit card number trying to use it from a foreign country.
A digital certificate contains information that helps guarantee a person is not an impostor. You get a digital certificate by request by visiting a CA website and providing information that identifies you.
Your digital certificate will contain:
- your name
- the name of the certificate authority
- a unique certificate serial number, its expiration date, etc.
- a unique private key (to include with messages you send)
- the digital signature of the CA
Once it's issued, the CA will put the certificate on your hard drive, along with a private key. Once that's all in place, you're ready to send certified emails. Oftentimes, an organization will request that you obtain a digital certificate before you can communicate with them digitally, for their own protection.
When you send an email using a digital certificate, it contains only the public information of the user such as ID, name, and public key. The personal component of your signature credentials, the private key, is not included in the certificate.
Compared to a handwritten signature, which few people bother to verify, a digital signature is hard to forge or imitate because of all the safeguards that are in place.