I’ve spoken about Certificate Authorities and Certificates already. Remember that Certificates include: a public key, the owner and a digital signature. Well you’ve probably asked “what is a digital signature” and how do you “digitally sign” a certificate?

A digital signature is basically some value, a checksum. It is a data value based on a block of data and a private key. The digital signature associates the data with the owner of a specific private key. You can be confident that the person indicated as the owner of a specific private key is not an imposter. You can safely open the email you received from the “certificated” owner then respond to that person, the owner, without fear or apprehension that the email will go to the wrong person. This also allows you to trust that the contents of the email were written and encrypted by the owner of the private key.

If you decrypt a message successfully with a particular public key – a key that was certified by means of a digitally signed certificate – then you can certain that it could have only been encrypted with the corresponding private key.

You can obtain a digital certificate from a commercial certification authority, such as VeriSign, Inc., or Thawte, or from your internal security administrator or Information Technology (IT) professional. Or, you can create a digital signature yourself using a tool such as Selfcert.exe. SelfCert.exe is installed as part of Office XP and can be found in C:\Program Files\Microsoft Office\Office10

Keep in mind that certificates you create yourself are considered unauthenticated and will generate a warning in the Security Warning box if the security level is set to High or Medium. Microsoft Office will only trust a self-signed certificate on a computer that has the private key for that certificate available which is usually only the computer that actually created the certificate, unless the private key was shared with other computers. Any macro projects that you create and sign by using such certificates are considered to be self-signed projects.

If you wish to use digital certificates that are signed by commercial certification authorities, such as VeriSign, Inc., you or your organization must submit an application to that authority. You can also get a list of Microsoft trusted third-party commercial certificate authorities at http://msdn.microsoft.com/en-us/library/ms995347.aspx.

So I’ve written about different ciphers recently such as: RC4, RC5, RC6, DES, 3DES, IDEA and AES. And I’ve explained the use of public keys and private keys during the encryption/decryption process.

When using public keys the sender can make available their public keys to their intended receivers through various means like email, fax, etc. But how does a receiver know that the public key which they have received is indeed from the purported sender? How can we be really sure that the owner of a public key is who they say they are?

One method is to mutually rely on a trusted third party to verify the true ownership of a public key. Such a trusted third party is called a Certificate Authority (CA).

Certification Authorities are trusted entities that safely distribute public keys and sign public key certificates. A certificate always contains three pieces of information: a name, a public key and a digital signature computed over the name and the public key. The certificate associates a name with a public key. But how do you obtain a certificate?

Let’s suppose that Paul wants to send his public key to Rhonda so that he can later send a secure email to Rhonda which she will decrypt using Paul’s public key. Both Paul and Rhonda must trust a third party which we’ll call Tim, the CA. Paul requests that Tim, the CA, sign Paul’s certificate that contains Paul’s public key. Tim signs the certificate and now Paul can safely send it to Rhonda. Upon receiving the certificate Rhonda will validate it by checking the digital signature with a copy of Tim’s public key.

You’re probably asking “…but how did Rhonda get Tim’s public key?” As it turns out very few public keys are actually exchanged thanks to the existence of Certificate Authorities. It is the public keys of Certificate Authorities that are manually exchanged by email, fax, etc.

Some well known Certificate Authorities include VeriSign and Thawte. Thawte is owned and operated by VeriSign, Inc (Nasdaq: VRSN). Following acquisition in 2000, thawte continues to prosper as a distinct brand within the VeriSign stable.