Introduction to Electronic Certificates – Part 1

October 9, 2012 by Adrian Stolarski

As we all know, our e-mail messages can be viewed, modified and censored in thousands of places located between the sender and the receiver, and some of our employers do exactly this. It must be remembered that no longer can a very small amount of knowledge and use of communal software lead to almost complete protection of our e-mails. Hiding a message from unauthorized readers and confirming its authenticity are both provided by even the most basic algorithms used to digitally sign and encrypt virtually any message.

What really is this thing pompously called a digital signature?

A digital signature is usually additional information attached to data in order to confirm its source. You can digitally sign not just any kind of file, but also all your e-mails. A signature mostly contains information such as your name, business data, or e-mail address. A digital signature is usually a function of the message or file. For us, this means that if the signed message is later changed by as little as one bit, the signature will no longer fit. Note that a correctly generated digital signature not only confirms the source of the data, but also ensures that we have received it intact.

Digital signature algorithms use public-key cryptography. A user who wishes to digitally sign a document must have a pair of keys, which is a pair of very large numbers related in a mathematical way. The private key is the secret key and should be well protected from any unwanted people. The second key is the public key, which can be safely provided to all interested persons. The entire message, or rather its digest created by a one-way hash function, together with the data identifying the author and the exact date of creation, is encrypted with the secret key. The complete data block encrypted in this way is called a digital signature.

During verification of the signature, the recipient decrypts it using the sender's public key. After comparing the result with the data from the original message, we can be 100% sure that the signature data is actually correct. As practice shows, forging a digital signature is impossible without intercepting or knowing the private key. So as you can see, our private key must be very well protected and must not be made available to any other person.
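The sign-and-verify cycle described above, as an added example that is not from the original article: it assumes a toy RSA key built from two publicly known Mersenne primes so that only the Python standard library is needed, and the helper names `digest`, `sign`, `verify` and `flip_bit` are hypothetical. It shows that changing one bit of the message, or the claimed signer, makes verification fail.

```python
import hashlib

# Toy RSA key from two public Mersenne primes (constructed for illustration;
# real keys use secret random primes and a padding scheme such as RSA-PSS).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                       # public key: modulus and exponent
D = pow(E, -1, (P - 1) * (Q - 1))         # private key exponent

def digest(message: bytes, signer: str, date: str) -> int:
    """One-way hash over signer identity, signing date and message."""
    h = hashlib.sha256()
    for part in (signer.encode(), date.encode(), message):
        h.update(len(part).to_bytes(8, "big"))   # length prefix keeps fields unambiguous
        h.update(part)
    return int.from_bytes(h.digest(), "big")

def sign(message: bytes, signer: str, date: str) -> int:
    """Signer side: transform the digest with the private key."""
    return pow(digest(message, signer, date), D, N)

def verify(message: bytes, signer: str, date: str, signature: int) -> bool:
    """Recipient side: undo the transform with the public key and compare."""
    return pow(signature, E, N) == digest(message, signer, date)

def flip_bit(data: bytes, bit: int) -> bytes:
    """Return a copy of data with a single bit inverted."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)

if __name__ == "__main__":
    msg = b"Transfer 100 EUR to account 42"        # constructed sample message
    who, when = "alice@example.org", "2012-10-09"  # constructed identity and date
    sig = sign(msg, who, when)
    print("original message:", verify(msg, who, when, sig))
    print("one bit changed: ", verify(flip_bit(msg, 0), who, when, sig))
    print("different signer:", verify(msg, "mallory@example.org", when, sig))
```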

Of course, if everyone generated keys in their own way, it would create huge chaos, with messages that were almost impossible to read and not verifiable. So, to help you digitally sign data and verify signatures, standards have been developed, known as digital certificates. The most important part of a certificate is the public key of the owner; it may also, as I mentioned, contain additional data, among other things: the name of the owner, e-mail address, name of the institution that issued the certificate, and the period of validity after which you cannot use it. A digital certificate can be sent in each message with a digital signature. This is very convenient, especially when dealing with people who did not previously know us, because together with a letter signed by us, they receive all the information that is necessary to verify the signature.

How can we be sure that this is definitely our key?

A digital signature really only proves that the signer is the owner of the corresponding public key. However, this does not mean that the other information about the author is true. Imagine a situation where Mr. A gives us a public key, saying that it really is the key of beautiful, long-legged lady B. If we completely trust the key from Mr. A, he will be able to impersonate Mrs. B and send us messages on her behalf. So we see that the digital signature mechanism alone does not give us full assurance that the person using it has not deliberately falsified their identity.

How can we really be sure that all the information stored in the digital certificate is true? This is not a hard task, nor one beyond our capabilities, especially if you know the sender of the message. The sender can then transmit the details of their public key in printed form or by telephone. To confirm a key, it is usually sufficient to check its fingerprint, generated by a hash function. The fingerprint is usually stored as a string of hexadecimal digits.

However, Internet correspondence with people you did not previously know is a completely different case. Here the user has no trusted channel over which to transfer key information beforehand. But the authors of the digital signature specification came up with a solution to this problem. In practice, there are two ways to verify the public key:

First, the so-called web of trust, which is used in PGP (Pretty Good Privacy). Each participant in the PGP system generates their own key pair using readily available software. Sets of public keys are published on special servers, and the identity of a key's owner is confirmed by the digital signatures of users who know that person personally. It may happen that the public key of a stranger has been signed by a friend in whom we have confidence. Then our friend's signature authenticates that person's key. PGP certificates can be very powerful.

A single certificate, known in computer jargon as a key, may contain a few or a dozen identity records of the owner, which can be used in different situations. They may contain additional comments, or an e-mail address other than the one we know. Interestingly, part of a PGP key can also be a photo in JPG format.

Second, the public key infrastructure, which uses X.509 certificates. In this case, the matter is a little more complicated, because the keys are ours but the certificate as a whole is issued by a certification authority. In effect, the institution confirms that all data contained in the certificate agrees with reality. In addition, the same institution digitally signs the certificate with its own secret key. Amazingly, basic certificates used to encrypt e-mail do not really contain any data except the e-mail address. Before issuing such a certificate, the certification authority verifies that the e-mail address belongs to us by sending a test message to it. However, if we want to put our name on the certificate, we must be verified directly by the authority issuing electronic certificates.

In theory, the same principles apply to issuing the electronic certificates that are designed to identify websites. So, as you can see, the so-called certification authorities matter a great deal: the security and trustworthiness of all Internet connections really depends on them. It follows directly that the private keys of the organizations that issue certificates are very well guarded, and their level of security can be compared to that of military and government networks.

In fact, every e-mail program and Web browser already has a built-in list of several or dozens of trusted CAs issuing electronic certificates. The program does not, of course, know their private keys, only their public keys. Each of these keys carries certain permissions, such as identifying websites, identifying the developers of software we use, or identifying e-mail senders. A good e-mail program or Web browser also needs to let the user delete any of these certificates and add new ones. It should also let you manually change the permissions of any certificate.

Checking and key generation software

Verifying the authenticity of keys will always be the weakest link in network communication. There is really no perfect solution to this problem. Neither the web of trust nor the public key infrastructure is one. In fact, these two systems start from contradictory assumptions. Take, for example, the web of trust. You, the e-mail recipient, must decide whether the key received is really authentic, based on the recommendations of other users. In the case of public key infrastructure, all responsibility falls on certification authorities and we have to accept that each of the keys signed by a CA is a trusted key.

This raises another question: how, then, do we digitally sign e-mails? Two standards are usually used for signing e-mail: PGP and S/MIME. In fact, both pose a problem, because both require special software. The S/MIME standard is a little more widespread on the Internet. It uses X.509 certificates and public key infrastructure. S/MIME is supported by most of the available e-mail programs, such as Microsoft Outlook or Outlook Express. As for PGP, Microsoft apparently did not like it. In the Linux environment and in Thunderbird, handling PGP requires special add-ons such as Enigmail and GnuPG.

Nevertheless, regardless of the standard we use, sending signed messages will always require us to install the certificate in the mail program.

You can generate a PGP certificate yourself, either with Enigmail or directly with a GnuPG command. Be sure to place the certificate on one of the public servers (the software will suggest a list), because a PGP-signed message does not contain the public key and the recipient must retrieve it from the server themselves. PGP keys are identified by a 32-bit number, traditionally written in hex. For example, the article’s key identifier is 0xBE932848.
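The fingerprint check described earlier and the 32-bit key identifier mentioned here, as an added example that is not from the original article. It goes beyond the text by assuming the OpenPGP version 4 fingerprint layout (SHA-1 over the public-key packet), in which the 32-bit identifier is the last 8 hex digits of the fingerprint; the key, timestamp and function names are constructed for illustration.

```python
import hashlib

# Constructed toy RSA public key and creation time (not a real person's key).
N = (2**521 - 1) * (2**607 - 1)
E = 65537
CREATED = 1349740800   # constructed Unix timestamp

def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")

def v4_fingerprint(n: int, e: int, created: int) -> str:
    """SHA-1 over 0x99, a 2-byte length and the version 4 RSA public-key packet body."""
    body = bytes([4]) + created.to_bytes(4, "big") + bytes([1]) + mpi(n) + mpi(e)
    packet = b"\x99" + len(body).to_bytes(2, "big") + body
    return hashlib.sha1(packet).hexdigest().upper()

def normalize(fingerprint: str) -> str:
    """Strip spaces and an optional 0x prefix, and upper-case the digits."""
    text = "".join(fingerprint.split()).upper()
    return text[2:] if text.startswith("0X") else text

def short_key_id(fingerprint: str) -> str:
    """The 32-bit key ID is the last 8 hex digits of the fingerprint."""
    return "0x" + normalize(fingerprint)[-8:]

def same_key(computed: str, received: str) -> bool:
    """Accept only a match on all 160 bits, never on the short ID alone."""
    received = normalize(received)
    return len(received) == 40 and normalize(computed) == received

if __name__ == "__main__":
    fp = v4_fingerprint(N, E, CREATED)
    # Fingerprint as it might be read over the phone: lower case, groups of four.
    spoken = " ".join(fp[i:i + 4] for i in range(0, 40, 4)).lower()
    print("fingerprint:", fp)
    print("short key ID:", short_key_id(fp))
    print("full fingerprint matches:", same_key(fp, spoken))
    print("short ID alone accepted:", same_key(fp, short_key_id(fp)))
```

A short ID is only a lookup handle; the comparison that confirms a key is the one over the whole fingerprint.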

PGP keys can be assigned an expiration date, after which you cannot use them. For practical reasons (all signatures collected in the past expire with the key and you have to collect them again), many users choose to let keys be valid indefinitely. If the secret key is suspected stolen, the PGP certificate can be revoked (voided), but it cannot be removed from the key server.

We receive X.509 certificates from the selected CA – see description below. The procedure to install the certificate and sign mail in Mozilla Thunderbird is described here. X.509 mail certificates are usually valid for a year or two (server certificates often longer) and must be renewed after that date. Expired certificates, however, should not be removed from the e-mail program, especially if the mail archive is stored in encrypted form: after removing the expired private key we will not be able to read the e-mail archive.

Please note that digital signature verification is impossible if the recipient does not have the appropriate software. Digital signatures are useless, for example, for people who read their e-mail through a web interface!

In this case, the recipient will see your message with an attachment containing the electronic signature, but in practice will not be able to use it. The attachment is named smime.p7s for the S/MIME standard or signature.asc for PGP. Some PGP users send mail in the older style, with the signature contained in the body of the message (the so-called “inline” signature). Such a message has no attachment, but a recipient whose software does not support PGP will see specific annotations.


We have slowly come to the end of this article. I hope it was a quick introduction and you all loved it. Cryptography and cryptanalysis are the most difficult of the tasks of science, so, as I said, the very generation of certificates and electronic signatures is extremely difficult and time consuming. In the next part of the article I will show you how to deal with PGP and how it really takes a safe and trusted key. I hope that I can create another article, with which you will be extremely pleased. It really will be worth the wait for the next part of this topic. I wish you good luck and may your data be really safe.


Adrian Stolarski is a freelance security tech blogger, specializing in Java, PHP, and JQuery. In his own words, he does the hard work of training the unemployed. Currently, he handles Evaluation Visualization for real-time systems with XWT and Eclipse RAP. If he sees that something works, he asks how it works and why it works, then sets out to make it work better. A researcher for InfoSec Institute, he currently lives in Poland, but plans to move to London.