What are the two network types that provide trust in digital certificates?

Introduction to Digital Certificate

The following article provides an outline of digital certificate types. A digital certificate binds a public key to the identity of its holder, so that the parties exchanging data, whether a client and a server, two clients, or a software publisher and its customers, can authenticate each other and detect tampering. It is one of the building blocks that let a sender and a receiver communicate privately over the public internet: the certificate establishes who holds which key, and the protocol that uses that key (TLS, for example) provides the confidentiality and integrity of the traffic. Certificates of every type are issued and managed through one shared mechanism, the Public Key Infrastructure (PKI), and are consumed by the relying party to authenticate its peer and to detect interception or modification of the data in transit. Obtaining and using a certificate is cheap for the relying party; operating a Certificate Authority is not, because the trust a certificate carries comes from the key protection, controls and audits the issuer maintains.

A digital certificate is issued to an entity, which may be an individual, an organisation, an institution or a public company. Issuance is administered by a separate party known as a Certificate Authority (CA). Important attributes of the entity are embedded in the certificate together with the entity's public key: its name (for a server, the domain name), its organisation and location, and for a person possibly an e-mail address. A certificate carries no private key and no secret information; it is meant to be shared. The certificate is presented to the other side of the communication, which validates it (checks the CA's signature, the validity period and that the name matches the party it intended to reach) and is thereby assured that the public key belongs to the right party. Digital certificates close the security gap in communication by combining digital signatures with these authentication and verification steps.

Types of Digital Certificates

There are three major types of Digital Certificates:

  • SSL/TLS Certificate
  • Code Signing Certificate
  • Client Certificate

1. SSL/TLS Certificate

It is a server-side certificate; the server may be a web server, a mail server, an application server, a file server or an LDAP server. It lets a connecting client authenticate the server, and the TLS handshake that uses it then sets up an encrypted and integrity-protected channel between server and client.

a. What is TLS/SSL?

  • TLS stands for Transport Layer Security and SSL for Secure Sockets Layer. Despite the name, TLS is not the transport layer itself: it runs on top of a reliable transport, normally TCP (the fourth layer of the OSI model), and below the application protocol. TCP is what splits the data into segments and reassembles them at the destination; TLS wraps the application data in encrypted, integrity-protected records carried over that connection.
  • It is a security protocol that sets up an encrypted channel between a client and a server over the internet. It authenticates the server's identity before any application data is exchanged (and optionally the client's identity too, see Client Certificate below) and ensures that the packets cannot be read or modified on the way by anybody in between.
  • TLS has replaced its predecessor SSL; all SSL versions and TLS 1.0 and 1.1 are deprecated, and new deployments should offer TLS 1.2 and 1.3 only. HTTPS is simply HTTP carried over TLS, which is how browsers connect securely to the web. TLS is also used for e-mail exchange (SMTP, IMAP), online banking, password-based logins and other critical applications.

b. TLS Certificate

A typical TLS certificate (an X.509 certificate) contains the name of the applicant (the web domain name or server name, today carried in the Subject Alternative Name extension), the name of the organisation to which the server belongs, the name of the issuing Certificate Authority (CA), a unique serial number, the date of issue and expiry, the applicant's public key, extensions stating what the key may be used for, and the digital signature of the issuing authority over all of the above.

c. How it works?

The server sends its TLS certificate (together with any intermediate CA certificates) to the client whenever the client establishes a connection with it.

The client then:

  • Checks that the name in the certificate matches the host it intended to connect to, and that the current date lies within the certificate's validity period.
  • Builds a chain from the server's certificate, through the intermediates, to a root CA certificate stored in the client machine's trust store, and verifies each signature in that chain with the signer's public key (RSA or ECDSA). The server's public key is never compared with a stored copy; what is stored locally is only the set of trusted roots.
  • Checks that the certificate has not been revoked (via CRL or OCSP) and that it is authorised for server authentication.
  • Makes the server prove possession of the matching private key during the handshake, so that a copied certificate alone is of no use to an impersonator.

Only when all of these checks pass can the client trust the server and start communicating with it safely and securely.

d. Lacunae in TLS

Though TLS certificates are considered safe, the trust they carry can be undermined in a few ways:

  • An attacker who gains control of the client machine's trust store can insert a rogue root CA certificate. Any certificate chained to that root, for any domain, is then accepted, so the attacker can impersonate the server, read the data the client sends and relay the server's replies, without the browser showing a warning.
  • A CA can mis-issue a certificate, whether through a validation bug or by being deceived during domain validation; such a certificate lets an attacker impersonate the domain until it is revoked.
  • A CA's own environment can be compromised and fake certificates issued from it. This has happened rarely, and the affected CAs were distrusted and the holes plugged. It is the reason the CA ecosystem, the Public Key Infrastructure (PKI), has multiple checkpoints and an audit framework: certificate transparency logs that make every issued certificate publicly visible, revocation via CRL and OCSP, and regular audits of the CA's operations.

2. Code Signing Certificate

a. What is it?

While a TLS certificate is for establishing a safe connection between servers and clients, a code signing certificate is used when software or specific files are downloaded from their source over the internet. The CA issues the certificate to the developer or publisher, who uses the matching private key to sign the code; the certificate travels with the signed files so that consumers can verify the signature.

b. Purpose

  • The purpose of this certificate is to assure the buyers of the software that it is genuine and was published by that software house and no one else.
  • Publishers distribute their products either directly or through intermediate vendors and download mirrors; the signature lets buyers verify the publisher regardless of where the copy came from. It also ensures that the software files were not tampered with in transit or on the mirror, and provides evidence that the publisher released exactly those bytes.

c. Who issues it?

Certificate Authorities such as IdenTrust and GlobalSign issue this type of certificate after vetting the identity of the developer or publisher. The private key of the developer or publisher is used to sign the code files, and the consumer uses the public key from the publisher's certificate to verify the signature and, through the CA's signature on that certificate, the publisher's identity.

d. Signing

  • The private key matching the certificate is used to sign the code, and the signature is normally accompanied by a timestamp obtained from a Time Stamping Authority (TSA). The timestamp is a countersignature recording when the code signature was applied, before the file is distributed.
  • Verifiers treat the signature as valid if the publisher's certificate was valid at the time recorded in the timestamp. A timestamped signature therefore remains valid after the certificate expires, whereas a signature without a timestamp is rejected once the certificate has expired and the publisher would have to re-sign the release. A timestamp does not rescue signatures made with a key that the CA later declares compromised as of a date before the signing time.
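The signing and timestamp rules described above, as an added example in Go; this is not code from the original article or from any code-signing product. It signs a SHA-256 digest of the artifact with ECDSA from the standard library. Two simplifications are assumptions of the example: the publisher's certificate is represented only by its public key and its validity period (notBefore/notAfter), and the Time Stamping Authority is collapsed into a signing time folded into the signed digest rather than a separate countersignature. The artifact bytes are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Signature is a detached code signature together with the time it was made.
// Real schemes get that time from a Time Stamping Authority that countersigns
// the signature; this example (an assumption, not any vendor's format) folds the
// signing time into the signed digest so that it cannot be altered either.
type Signature struct {
	SignedAt time.Time
	Sig      []byte // ASN.1 DER ECDSA signature over digest(artifact, SignedAt)
}

// digest binds the artifact bytes and the signing time into one hash.
func digest(artifact []byte, signedAt time.Time) []byte {
	h := sha256.New()
	h.Write(artifact)
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(signedAt.Unix()))
	h.Write(ts[:])
	return h.Sum(nil)
}

// Sign is the publisher's release step: sign the digest with the private key
// that belongs to its code-signing certificate.
func Sign(key *ecdsa.PrivateKey, artifact []byte, signedAt time.Time) (Signature, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest(artifact, signedAt))
	if err != nil {
		return Signature{}, err
	}
	return Signature{SignedAt: signedAt, Sig: sig}, nil
}

// Verify is the consumer's install-time check. notBefore/notAfter is the
// validity period of the publisher's certificate and now is the verification
// time. With a trusted timestamp the certificate only has to have been valid
// when the code was signed; without one, all the verifier can use is now.
func Verify(pub *ecdsa.PublicKey, artifact []byte, s Signature, notBefore, notAfter, now time.Time, trustedTimestamp bool) error {
	if !ecdsa.VerifyASN1(pub, digest(artifact, s.SignedAt), s.Sig) {
		return errors.New("bad signature: artifact or timestamp was altered")
	}
	at := now
	if trustedTimestamp {
		at = s.SignedAt
	}
	if at.Before(notBefore) || at.After(notAfter) {
		return errors.New("publisher certificate not valid at " + at.Format(time.RFC3339))
	}
	return nil
}

// Demo signs a constructed artifact and reports four verification outcomes:
// the untouched artifact, a tampered copy, and the same signature checked a
// year after the certificate expired, once with and once without a timestamp.
func Demo() (valid, tampered, expiredWithTS, expiredNoTS error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	notBefore := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	notAfter := notBefore.AddDate(1, 0, 0)   // one-year certificate
	signedAt := notBefore.AddDate(0, 6, 0)   // release signed half-way through it
	afterExpiry := notAfter.AddDate(1, 0, 0) // installed a year after expiry
	artifact := []byte("constructed installer bytes, not a real binary")

	s, err := Sign(key, artifact, signedAt)
	if err != nil {
		panic(err)
	}
	pub := &key.PublicKey
	valid = Verify(pub, artifact, s, notBefore, notAfter, signedAt, true)
	tampered = Verify(pub, append([]byte("x"), artifact...), s, notBefore, notAfter, signedAt, true)
	expiredWithTS = Verify(pub, artifact, s, notBefore, notAfter, afterExpiry, true)
	expiredNoTS = Verify(pub, artifact, s, notBefore, notAfter, afterExpiry, false)
	return
}

func main() {
	valid, tampered, expiredWithTS, expiredNoTS := Demo()
	fmt.Println("untouched artifact:        ", valid)
	fmt.Println("tampered artifact:         ", tampered)
	fmt.Println("after expiry, timestamped: ", expiredWithTS)
	fmt.Println("after expiry, no timestamp:", expiredNoTS)
}
```

The first and third cases print nil; the tampered copy fails the signature check, and the untimestamped signature is refused once the certificate has expired, which is exactly why publishers timestamp releases rather than re-signing old ones.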

3. Client Certificate

  • This certificate enables a client (a user or a device) to prove its identity to the server, usually as part of the TLS handshake (mutual TLS). The private key can be kept in the device's hardware keystore, in which case the certificate is bound to that machine and a user who works from two systems holds a separate certificate on each.
  • Passwords can be phished, guessed and reused, and on their own are no longer a reliable means of authenticating a user. A client certificate instead proves possession of a private key that never leaves the client, and the server verifies it against the CAs it trusts for client authentication.
  • Confidential information can be shared with a user after validating the user and the system credentials. On top of the certificate, multi-factor authentication can be required to limit the damage from a stolen device or key.
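The verification steps of section 1(c) and the server-side check of a client certificate in section 3, as an added example in Go; it is not part of the original article. It builds a throw-away PKI in memory with the standard library's crypto/x509 package: a trusted root CA, a second root the client does not trust, a server certificate for www.example.com, a client certificate for a user, and an expired server certificate. All names, validity periods and the organisation "Example Corp" are constructed for the example. verifyServer runs the client-side checks and verifyClient the server-side ones, and the negative cases show what each check rejects. Revocation checking and proof of private-key possession happen in the TLS handshake and are not modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mintCert issues the certificate described by tmpl, signed with parentKey.
// A nil parent means self-signed, which is how the root CA is created.
func mintCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// certTemplate builds an X.509 v3 template: either a CA that may sign other
// certificates, or a leaf carrying a SAN (dns) and one extended key usage.
func certTemplate(cn, dns string, isCA bool, eku x509.ExtKeyUsage, notBefore, notAfter time.Time, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Example Corp"}},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{dns}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{eku}
	}
	return t
}

// verifyServer is what a TLS client does with the server's certificate: chain it
// to a trusted root, check validity at now, match the SAN against the intended host.
func verifyServer(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// verifyClient is the mirror-image check a server runs on a client certificate.
func verifyClient(leaf *x509.Certificate, clientCAs *x509.CertPool, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: clientCAs, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// Scenario is a constructed PKI: a trusted root, a rogue root the client has
// never heard of, and three leaves issued by the trusted root.
type Scenario struct {
	Now                     time.Time
	Roots, Rogue            *x509.CertPool
	Server, Client, Expired *x509.Certificate
}

func NewScenario() *Scenario {
	now, h := time.Now(), time.Hour
	root, rootKey := mintCert(certTemplate("Example Root CA", "", true, 0, now.Add(-h), now.Add(24*h), 1), nil, nil)
	rogue, _ := mintCert(certTemplate("Rogue CA", "", true, 0, now.Add(-h), now.Add(24*h), 2), nil, nil)
	server, _ := mintCert(certTemplate("www.example.com", "www.example.com", false, x509.ExtKeyUsageServerAuth, now.Add(-h), now.Add(h), 3), root, rootKey)
	client, _ := mintCert(certTemplate("alice", "alice.users.example.com", false, x509.ExtKeyUsageClientAuth, now.Add(-h), now.Add(h), 4), root, rootKey)
	expired, _ := mintCert(certTemplate("www.example.com", "www.example.com", false, x509.ExtKeyUsageServerAuth, now.Add(-48*h), now.Add(-24*h), 5), root, rootKey)
	s := &Scenario{Now: now, Roots: x509.NewCertPool(), Rogue: x509.NewCertPool(), Server: server, Client: client, Expired: expired}
	s.Roots.AddCert(root)
	s.Rogue.AddCert(rogue)
	return s
}

func main() {
	s := NewScenario()
	fmt.Println("trusted root, right host:", verifyServer(s.Server, s.Roots, "www.example.com", s.Now))
	fmt.Println("hostname mismatch:", verifyServer(s.Server, s.Roots, "login.example.com", s.Now))
	fmt.Println("root not in trust store:", verifyServer(s.Server, s.Rogue, "www.example.com", s.Now))
	fmt.Println("expired leaf:", verifyServer(s.Expired, s.Roots, "www.example.com", s.Now))
	fmt.Println("client cert as client:", verifyClient(s.Client, s.Roots, s.Now))
	fmt.Println("server cert offered as client:", verifyClient(s.Server, s.Roots, s.Now))
}
```

Run it with go run; accepted cases print nil and the others print the x509 error. The same leaf.Verify call is what crypto/tls makes on a client's behalf (from RootCAs and ServerName) and on a server's behalf when it is configured with ClientAuth: tls.RequireAndVerifyClientCert and ClientCAs. The last case is why extended key usage matters: a stolen server certificate cannot be replayed as a client credential.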

Conclusion – Digital Certificate Types

Usage of the internet keeps increasing and we rely on it for more of our day-to-day activities. The various types of digital certificates provide an authentication layer for each of these use cases and, together with the protocols that use them, protect our data from attackers.


There are three types of SSL Certificate available today; Extended Validation (EV SSL), Organization Validated (OV SSL) and Domain Validated (DV SSL). The encryption levels are the same for each certificate, what differs is the vetting and verification processes needed to obtain the certificate.

Over the last few years the number of organizations using SSL Certificates has increased dramatically. The applications for which SSL is being used have also expanded. For example:

  • you might need SSL for privacy in communication (to ensure you are not being snooped on),
  • or you might wish to prove you can trust who you are talking to (identity in private communication).

Encryption alone hides the content of communications from an eavesdropper, but it does not stop an attacker from intercepting the connection and posing as your website to steal information from your customers; only verification of the server's identity does that. As people move away from brick and mortar stores and do more of their shopping and banking online, consumers have to be able to trust that they are visiting the true website of the store they are buying from. This is more difficult to prove online.

You can prove your identity by having an external third-party (like GlobalSign) vet your personal and company information. Based on this verification or vetting procedure, SSL Certificates can be broken down into three categories.

Extended Validation (EV SSL) Certificates

With an EV SSL, the Certificate Authority (CA) checks the right of the applicant to use a specific domain name plus, it conducts a thorough vetting of the organization. The issuance process of EV SSL Certificates is strictly defined in the EV Guidelines, as formally ratified by the CA/Browser forum in 2007. All the steps required for a CA before issuing a certificate are specified here including:

  • verifying the legal, physical and operational existence of the entity
  • verifying that the identity of the entity matches official records
  • verifying that the entity has exclusive right to use the domain specified in the EV SSL Certificate
  • and verifying that the entity has properly authorized the issuance of the EV SSL Certificate

The Extended Validation guidelines were, at the time, the most significant advance in SSL since its inception. Browsers of that era (Microsoft Internet Explorer 7+, Opera 9.5+, Firefox 3+, Google Chrome, Apple Safari 3.2+ and iPhone Safari 3.0+) recognised EV certificates and activated browser interface security enhancements such as a green address bar carrying the organisation name. Note that mainstream browsers have since removed these EV-specific indicators, so today an EV certificate documents the stronger vetting without changing what the user sees. For customers who wish to assert the highest level of verified identity, it remains the appropriate choice.

EV SSL Certificates are available for all types of businesses, including government entities and both incorporated and unincorporated businesses. A second set of guidelines, the EV Audit Guidelines, specify the criteria under which a CA needs to be successfully audited before issuing EV SSL Certificates. The audits are repeated yearly to ensure the integrity of the issuance process.

Organization Validated (OV SSL) Certificates

The CA checks the right of the applicant to use a specific domain name PLUS it conducts some vetting of the organization. The additional vetted company information is displayed to customers when they click the Secure Site Seal, giving enhanced visibility into who is behind the site and correspondingly enhanced trust. The organization name also appears in the certificate itself, in the O (organizationName) field of the Subject.

Domain Validated (DV SSL) Certificates

The CA checks the right of the applicant to use a specific domain name. No company identity information is vetted and no information is displayed other than encryption information within the Secure Site Seal. While you can be sure that your information is encrypted, you cannot be sure who is truly at the receiving end of that information.

DV SSL Certificates are fully supported and share the same browser recognition with OV SSL, but come with the advantage of being issued almost immediately and without the need to submit company paperwork. This makes DV SSL ideal for businesses needing a low cost SSL quickly and without the effort of submitting company documents.

With Wildcard and Subject Alternative Name (SAN) certificates you can secure multiple domains and sub-domains on the same server and a single IP address with a single SSL Certificate.