Wednesday, March 3, 2010

Lecture 11: Digital Certificates (Mar 1st)

The lecture of Monday, March 1st covered the description and usage of digital certificates. Dr. Gunes began by explaining what digital certificates are and their relationship with Certificate Authorities (CAs). A CA can verify someone's identity and issue them a unique certificate. However, there are multiple CAs, and an attacker could pose as his own CA. This leads to cross-verification, in which certificates are verified by a generally-trusted CA, or by a CA closer to a root CA.

Certificates can help settle legal disputes since they provide proof of the integrity and origin of data. However, certificates expire, and their keys can be stolen. A certificate whose key is compromised is revoked and placed on a Certificate Revocation List (CRL). This CRL should be checked every time a user uses a public key to verify a message. However, these lists are susceptible to DoS attacks. Short-lived (one-day) certificates expire quickly, which reduces the reliance on CRLs.

Certificates are granted when a subscriber generates a public/private key pair and sends the public key to a CA. The CA verifies the subscriber's identity, then issues and publishes a certificate containing the public key. To use it, the subscriber signs a message with his private key. The receiver verifies the digital signature with the sender's public key and asks the CA repository to confirm the certificate.
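The issuance, verification, expiry and revocation steps from the two paragraphs above, as an added example that is not part of the lecture notes. It models a CA, a subscriber and a receiver with textbook RSA over SHA-256 digests; the fixed Mersenne primes, the names, the day-number validity periods and the identity registry are all constructed for the example (real keys are random, much larger, and never built from published primes).

```python
import hashlib
import json

# Constructed, fixed RSA factors (Mersenne primes) so the example is deterministic
# and runs offline. Real keys are random and far larger.
CA_PRIMES = (2**127 - 1, 2**521 - 1)
SUBSCRIBER_PRIMES = (2**89 - 1, 2**607 - 1)
ROGUE_CA_PRIMES = (2**61 - 1, 2**1279 - 1)


def make_keypair(p, q, e=65537):
    """Subscriber/CA key generation: returns (public, private) as (n, exponent)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, e), (n, d)


def digest(data):
    # SHA-256 of the data as an integer; always smaller than the moduli used here
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data):
    n, d = priv
    return pow(digest(data), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data)


def canonical(tbs):
    # Deterministic encoding of the "to be signed" part of a certificate
    return json.dumps(tbs, sort_keys=True).encode()


class CertificateAuthority:
    def __init__(self, name, primes, known_identities):
        self.name = name
        self.pub, self._priv = make_keypair(*primes)
        self.known_identities = known_identities  # constructed stand-in for identity vetting
        self.repository = {}  # serial -> published certificate
        self.crl = set()      # serials of revoked certificates
        self._next_serial = 1

    def issue(self, subject, subject_pub, not_before, not_after):
        if subject not in self.known_identities:
            raise ValueError(f"identity of {subject!r} could not be verified")
        tbs = {"serial": self._next_serial, "subject": subject, "issuer": self.name,
               "public_key": list(subject_pub),
               "not_before": not_before, "not_after": not_after}
        cert = {"tbs": tbs, "signature": sign(self._priv, canonical(tbs))}
        self.repository[tbs["serial"]] = cert
        self._next_serial += 1
        return cert

    def revoke(self, serial):
        self.crl.add(serial)


def verify_signed_message(cert, message, signature, trusted_ca_pub, crl, today):
    """Receiver-side checks: CA signature, validity period, CRL, then the message."""
    tbs = cert["tbs"]
    if not verify(trusted_ca_pub, canonical(tbs), cert["signature"]):
        return False, "certificate not signed by a trusted CA"
    if not tbs["not_before"] <= today <= tbs["not_after"]:
        return False, "certificate expired or not yet valid"
    if tbs["serial"] in crl:
        return False, "certificate revoked (listed on CRL)"
    if not verify(tuple(tbs["public_key"]), message, signature):
        return False, "message signature does not verify"
    return True, "ok"


def demo():
    """Runs the lifecycle and returns the outcome of each receiver-side check."""
    ca = CertificateAuthority("TrustedRootCA", CA_PRIMES, {"alice@example.edu"})
    alice_pub, alice_priv = make_keypair(*SUBSCRIBER_PRIMES)
    # One-day certificate: valid on day 100 and day 101 only
    cert = ca.issue("alice@example.edu", alice_pub, not_before=100, not_after=101)
    msg = b"Transfer 100 credits to Bob"
    sig = sign(alice_priv, msg)
    results = {}
    results["valid"] = verify_signed_message(cert, msg, sig, ca.pub, ca.crl, today=100)
    results["tampered"] = verify_signed_message(
        cert, b"Transfer 900 credits to Bob", sig, ca.pub, ca.crl, today=100)
    results["expired"] = verify_signed_message(cert, msg, sig, ca.pub, ca.crl, today=102)
    # A CA the receiver does not trust cannot vouch for Alice's key
    rogue = CertificateAuthority("RogueCA", ROGUE_CA_PRIMES, {"alice@example.edu"})
    forged = rogue.issue("alice@example.edu", alice_pub, 100, 101)
    results["rogue_ca"] = verify_signed_message(forged, msg, sig, ca.pub, ca.crl, today=100)
    # Key reported stolen: the CA revokes the certificate and the CRL check rejects it
    ca.revoke(cert["tbs"]["serial"])
    results["revoked"] = verify_signed_message(cert, msg, sig, ca.pub, ca.crl, today=100)
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:9s} -> {ok} ({reason})")
```

The check order matters: the receiver establishes that a trusted CA vouches for the key before spending effort on the validity period, the CRL, or the message signature, and a certificate from an attacker-run CA is rejected at the first step even though its contents look identical.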

The X.500 directory service has the X.509 extension for public key certificates. Message recipients are generally responsible for finding the necessary certificate. X.509 defines a general certificate format that includes at least the signature algorithm, the issuing CA, and the owner of the key. X.500 requires each entry to have a unique name, so general information about the location and organization is used, as well as a student or employee ID number. X.509 version 3 adds extensions that allow a set of extra information to be included in a CA's certificates.

1 comment:

  1. Great! You have provided such a useful detail about digital certificates. I find this article very helpful to me as with the help of it I learn so much about it. Thanks for sharing it.
    electronic signature