Security Solutions: The Digital ID System


Given the security risks involved in conducting business online, what does it take to make your Internet transactions and company communications safe? Industry leaders agree that the answer is the SSL certificate. Over 607,000 SSL certificates have been issued as of this writing. Companies using SSL certificates include 92 of the Fortune 100 companies and all of the RelevantKnowledge, Inc. Top 20 Commerce Sites.

What Is a Digital ID?

A digital identification (ID), also known as a digital certificate, is the electronic equivalent of a passport or business license. It is a credential, issued by a trusted authority, that individuals or organizations can present electronically to prove their identity or their right to access information.

When a certificate authority (CA) issues a digital ID, it verifies that the owner is not claiming a false identity. Just as a government officially vouches for the identity of the holder when it issues a passport, a CA that gives your business a digital certificate is putting its name behind your right to use your company name and Web address.

How Do Digital IDs Work?

The solution to problems of identification, authentication, and privacy in computer-based systems lies in the field of cryptography. Because of the nonphysical nature of electronic communication, traditional methods of physically marking transactions with a seal or signature are useless. Rather, some mark must be coded into the information itself in order to identify the source and provide privacy against eavesdroppers.

One widely used tool for privacy protection is what cryptographers call a “secret key.” Logon passwords and cash card PINs are examples of secret keys. Consumers share these secret keys only with the parties they want to communicate with, such as an online subscription service or a bank. Private information is then encrypted with this password, and it can only be decrypted by one of the parties holding that same password.

Despite its widespread use, this secret-key system has some serious limitations. As network communications proliferate, it becomes very cumbersome for users to create and remember different passwords for each situation. Moreover, the sharing of a secret key involves inherent risks. In the process of transmitting a password, it can fall into the wrong hands. Or, one of the sharing parties might use it maliciously and then deny all action.

Digital ID technology addresses these issues because it does not rely on the sharing of secret keys. Rather than using the same key to both encrypt and decrypt data, a digital ID uses a matched pair of keys that are unique complements to one another. In other words, what is done by one key can only be undone by the other key in the pair.

In this type of key-pair system, your “private key” gets installed on your server and can only be accessed by you. Your “public key” gets widely distributed as part of a digital ID. Customers, partners, or employees who want to communicate privately with your server can use the public key in your digital ID to encrypt information, and you are then the only one who can decrypt that information. Because the public key alone does not provide access to communications, you do not need to worry about who gets hold of this key.

Your digital ID tells customers and correspondents that your public key in fact belongs to you. It contains your name and identifying information, your public key, and the issuing CA’s digital signature as certification.

How Do SSL Certificates Work?

Secure server digital IDs allow any server to implement the SSL protocol, which is the standard technology for secure, Web-based communications. SSL capability is built into server hardware, but it requires a digital ID in order to be functional. So, with the latest SSL and a secure server digital ID, your Web site should support the following functions:

  • Mutual authentication

  • Message privacy

  • Message integrity[1]

Mutual Authentication

With mutual authentication, the identity of both the server and the customer can be verified, so that all parties know exactly who is on the other end of the transaction.

Message Privacy

With message privacy, all traffic between the server and the customer is encrypted using a unique “session key.” Each session key is only used with one customer during one connection, and that key is itself encrypted with the server’s public key. These layers of privacy protection guarantee that information cannot be intercepted or viewed by unauthorized parties.

Message Integrity

With message integrity, the contents of all communications between the server and the customer are protected from being altered en route. All those involved in the transaction know that what they’re seeing is exactly what was sent out from the other side.

Figure 18.1 illustrates the process that guarantees protected communications between a server and a client[1]. All exchanges of digital IDs happen within a matter of seconds and appear seamless to the client.

Figure 18.1: Protected communications process.

All of this technology translates to online communications that are safe for you and your customers. End users know exactly who they are dealing with and feel comfortable that the information they send is not falling into unknown hands. You know that your server is receiving accurate transmissions that have not been tampered with or viewed en route.

What Do End Users See?

Both the Netscape Navigator and Microsoft Internet Explorer browsers have built-in security mechanisms to prevent users from unwittingly submitting sensitive information over insecure channels. If a user tries to submit information to an unsecured site, the browsers will, by default, show a warning such as the one shown in Figure 18.2[1].

Figure 18.2: Warning if a user tries to submit information to an unsecured site.

By contrast, if a user attempts to submit information to a site with a valid digital ID and an SSL connection, no such warning is sent. Furthermore, both the Microsoft and Netscape browsers provide users with a positive visual clue that they are at a secure site. In Netscape Navigator 3.0 and earlier, the key icon in the lower-left corner of the browser, which is normally broken, is made whole. In Netscape Navigator 4.0 and later, as well as in Microsoft Internet Explorer, the normally open padlock icon becomes shut, as shown in Figure 18.3[1].

Figure 18.3: A visual cue that you are on a secure site.

For more information, users may visually inspect the site’s digital ID by double-clicking on the security icon. They will then see a display similar to the one shown in Figure 18.4[1].

Figure 18.4: Digital ID certificate information page.

This digital ID display establishes that the site (webtrust.resource-marketing.com) really does belong to Resource Marketing, Inc. of Fort Thomas, Kentucky. It also establishes that VeriSign issued the digital ID and is vouching for the site’s validity.

These positive visual cues only occur if the site has a valid digital certificate, issued by a CA that is trusted by the browser. Technically, this means the CA’s public key must be listed in the browser’s directory of trusted roots. By contrast, if a site has a certificate issued by an untrusted authority, the browser displays a warning such as the one shown in Figure 18.5[1].

Figure 18.5: Warning if a site has a certificate issued by an untrusted authority.

Similarly, if a site is falsifying its claim to a certificate (if www.hacker.com tries to use a certificate for www.bookstore.com), the user will also receive a warning, such as the one shown in Figure 18.6[1]. So, when you install a digital ID on your server and enable SSL, your customers and partners see clearly that they are operating in a secure environment.

Figure 18.6: Warning if a site is falsifying its claim to a certificate.
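
The checks described above (issuer listed among the trusted roots, CA signature valid, site name matching), shown as an added example that is not part of the original text. It is a toy model using textbook RSA rather than real X.509 certificates; the CA names, key material, and result strings are assumptions made for illustration.

```python
import hashlib

# Added toy model: textbook RSA on fixed primes, not real X.509. Never use for real keys.
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))          # (public key, private key)

def digest(subject, public_key, n):
    data = f"{subject}|{public_key[0]}|{public_key[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(ca_name, ca_private, subject, subject_public):
    """The CA signs (name, public key) with its private key: a toy digital ID."""
    n, d = ca_private
    return {"subject": subject, "public_key": subject_public, "issuer": ca_name,
            "signature": pow(digest(subject, subject_public, n), d, n)}

def browser_check(cert, requested_host, trusted_roots):
    """Return 'secure' or the reason a browser would show a warning."""
    ca_public = trusted_roots.get(cert["issuer"])
    if ca_public is None:
        return "untrusted issuer"                # issuer not among trusted roots
    n, e = ca_public
    if pow(cert["signature"], e, n) != digest(cert["subject"], cert["public_key"], n):
        return "bad signature"                   # altered, or not signed by that CA
    if cert["subject"].lower() != requested_host.lower():
        return "name mismatch"                   # certificate belongs to another site
    return "secure"

# Constructed sample data (hypothetical CA names; Mersenne primes as toy key material).
ROOT_PUB, ROOT_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
ROGUE_PUB, ROGUE_PRIV = make_keypair(2**61 - 1, 2**127 - 1)
SITE_PUB, _ = make_keypair(2**61 - 1, 2**89 - 1)
TRUSTED_ROOTS = {"Example Trusted CA": ROOT_PUB}   # the browser's built-in list

GOOD = issue("Example Trusted CA", ROOT_PRIV, "www.bookstore.com", SITE_PUB)
UNKNOWN = issue("Unlisted CA", ROGUE_PRIV, "www.bookstore.com", SITE_PUB)
FORGED = issue("Example Trusted CA", ROGUE_PRIV, "www.bookstore.com", SITE_PUB)

if __name__ == "__main__":
    for cert, host in [(GOOD, "www.bookstore.com"), (GOOD, "www.hacker.com"),
                       (UNKNOWN, "www.bookstore.com"), (FORGED, "www.bookstore.com")]:
        print(cert["issuer"], "->", host, ":", browser_check(cert, host, TRUSTED_ROOTS))
```

The FORGED case shows why the browser needs the CA's public key and not just its name: a certificate that merely claims a trusted issuer fails signature verification.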

[1]“Managed PKI For SSL Certificates,” 2003 VeriSign, Inc. All rights reserved. VeriSign Worldwide Headquarters, 487 East Middlefield Road, Mountain View, CA 94043.




Electronic Commerce (Networking Serie 2003)
Electronic Commerce (Charles River Media Networking/Security)
ISBN: 1584500646
EAN: 2147483647
Year: 2004
Pages: 260
Authors: Pete Loshin
