Digital Certificates Digital certificates are data files used to establish the identity of people and electronic assets on the Internet. They allow for secure, encrypted online communication and are often used to protect online transactions. Digital certificates are issued by a trusted third party known as a certification authority (CA). The CA validates the identity of a certificate holder and “signs” the certificate to attest that it hasn’t been forged or altered in any way. New Uses For Digital Certificates Digital certificates are now being used to provide security and validation for wireless connections, and hardware manufacturers are one of the latest groups to use them. Not long ago, VeriSign Inc. announced its Cable Modem Authentication Services, which allow hardware manufacturers to embed digital certificates into cable modems to help prevent the pirating of broadband services through device cloning. Using VeriSign software, hardware makers can generate cryptographic keys and corresponding digital certificates that manufacturers or cable service providers can use to automatically identify individual modems. This ‘ast-mile’authentication not only protects the value of existing content and services but also positions cable system operators to bring a broad new range of content, applications and value-added services to market. When a certificate is digitally signed by a CA, its owner can use it as an electronic passport to prove his identity. It can be presented to Web sites, networks or individuals that require secure access. Identifying information embedded in the certificate includes the holder’ s name and e-mail address, the name of the CA, a serial number and any activation or expiration data for the certificate. When a user’s identity is verified by the CA, the certificate uses the holder’s public encryption key to protect this data. Public keys are also employed by certificates that a Web server uses to confirm the authenticity of a Web site for a user’s browser. When a user wants to send confidential information to a Web server, such as a credit-card number for an online transaction, the browser will access the public key in the server’s digital certificate to verify its identity. Role of Public-Key Cryptography The public key is one half of a pair of keys used in public-key cryptography, which provides the foundation for digital certificates. Public-key cryptography uses matched public and private keys for encryption and decryption. These keys have a numerical value that’s used by an algorithm to scramble information and make it readable only to users with the corresponding decryption key. A person’s public key is used by others to encrypt information meant only for that person. When he receives the information, he uses his corresponding private key, which is kept secret, to decrypt the data. A person's public key can be distributed without damaging the private key. A Web server using a digital certificate can use its private key to make sure that only it can decrypt confidential information sent to it over the Internet. The Web server’s certificate is validated by a self-signed CA certificate that identifies the issuing CA. CA certificates are preinstalled on most major Web browsers, including Microsoft Internet Explorer and Netscape Navigator. The CA certificate tells users whether they can trust the Web server certificate when it’s presented to the browser. If the validity of the Web server certificate is affirmed, the certificate’s public key is used to secure information for the server using Secure Sockets Layer (SSL) technology. Digital certificates are used by the SSL security protocol to create a secure “pipe” between two parties that seek confidential communication. SSL is used in most major Web browsers and commercial Web servers. 时文选读 数字证书 数字证书是用来在因特网上建立人员和电子资产身份的数据文件，允许它们进行安全的、加密的在线通信。数字证书常常用于保护在线交易。 数字证书由受委托的第三方机构颁发，该机构叫做CA，即证书颁发权威机构。CA确认证书持有者的身份，并为证书“背书”，证明证书没有伪造或者没有任何的改变。 数字证书的新用途 数字证书现在正被用于为无线连接提供安全和确认。不久前，VeriSign公司宣布了有线电视调制解调器认证服务，该项服务允许硬件制造商将数字证书嵌入有线电视调制解调器中，用以帮助避免通过设备克隆而盗用宽带服务。 利用VeriSign软件，硬件制造商可以生成密钥和相应的数字证书，制造商或有线电视服务提供商就能利用它们自动识别各台Modem。 这个“最后一英里”认证方案不仅保护现有内容和服务的价值，而且使有线电视系统运营商能将范围广泛的内容、应用和增值服务带入市场。 当一份证书由CA数字地签署后，该证书的拥有者就能把它当作电子护照来证明他的身份。它可以出示给需要安全接入的网站、网络或个人。 嵌入在证书内的识别信息包括持有人的姓名和电子邮件地址、CA的名称、序列号、以及证书的激活或到期失效的日期数据。当用户的身份得到CA的验证时，证书就使用持有者的公开密钥，保护此数据。 公开密钥也为证书使用，Web服务器利用证书帮助用户的浏览器确认网站的真实性。当用户需要给Web服务器发送保密信息（如为在线交易发送信用卡号）时，浏览器就访问服务器上的数字证书的公开密钥以验证身份。 公开密钥加密术的作用 公开密钥是公开密钥加密术的一对密钥中的一半，它是数字证书的基础。 公开密钥加密术使用一对匹配的公开和私人密钥来加密和解密。这些密钥含有数值，算法使用这些数值将信息打乱（即加密），使之只让拥有相应的解密密钥的用户能读出来。 某人的公开密钥可由其他人使用，意味着只为此人加密信息。当他收到该信息时，他使用相应的私人密钥对数据进行解密，而私人密钥是秘密保存的。某人的公开密钥可以发布出去，不会破坏私人密钥。使用数字证书的Web服务器可以使用其私人密钥，以确保只有它能对从因特网上发送过来的保密信息进行解密。 Web服务器的证书由自行签署的、识别发证CA的CA证书加以验证。多数重要的浏览器（包括微软的Explorer和网景的Navigator）都预装了CA证书。 CA证书告诉用户，当Web服务器证书出示给浏览器时，他们是否能信任它。如果Web服务器的合法性得到确认，证书的公开密钥用来为采用SSL（安全套接层）技术的服务器确保信息安全。 数字证书由SSL安全协议用于在寻求保密通信的两方之间生成安全“管道”。SSL被大多数重要的Web浏览器和商业Web服务器所采用。 （计算机世界报 第50期 C16）

评论