Digital Certificate

Previously, in digital signature, we mentioned that it is possible that an attacker may pretend to be someone else, generate the pair of keys, make a fake message, generate a digest using hash function and encrypt the digest with the private key, then send the message with the encrypted digest to the recipient. The recipient can decrypt the digest and think the message is from the one who claims he/she is because the recipient gets the attacker’s public key.
The problem is how to guarantee that the recipient gets the correct public key of the real sender. This is where the digital certificate come in.

Digital Certificate

A digital certificate is an electronic document which proves the ownership of a public key. It is also called public-key certificate. It is issued by a CA (Certificate authority) to the owner. A CA is an entity, an organization or a company, which confirms the identity of the applicant and issues a digital certificate to the applicant. The owner of a digital certificate is called the subject.
The applicant starts with generating the pair of keys and give the public key to a CA. The CA then checks the identity of the applicant carefully and then issues a digital certificate to the applicant. The digital certificate contains the public key of the subject, details about the identity of the subject, a digital signature of the CA, valid date, serial number, hash algorithm etc. The applicant still has to keep its private key safe.

Digital certificate and Digital Signature

A Digital certificate is like a passport or a driver’s license. A passport is an official document given by your government. It proves who you are. A driver’s license is an official document given by your government. It allows you to drive. A digital certificate is an electronic document issued by CA (usually very well-known certificate authority). It proves that the public key belongs to the subject.
A Digital signature is a mathematical scheme used to verify the authenticity of a message or document. It relies on asymmetric cryptography. The essence of asymmetric cryptography is that a pair of keys are generated and if the message or document is encrypted using one of them, the ciphertext can only be decrypted using the other one. In this scheme, private key is used to encrypt the digest, and public key is used to decrypt it. So, the public key indicates the identity of the sender. But this cannot guarantee the identity. Digital certificate then can be used to prove that the public key belongs to the subject, thus the identity of the sender is guaranteed.
The CA issues the certificate which contains the detail information about the subject and the public key. In other words, the CA guarantees the identity of the public key and it issued the certificate to prove that. The CA vouches for the subject.

Process of sending a digitally signed message or document

Now, the sender can send a digitally signed message or document to the recipient and the recipient can be pretty sure that the message or document is sent from a certain sender and the sender cannot deny it. The process is:

1. The sender hashed the message and get the digest
2. The digest is encrypted using the sender’s private key.
3. The sender’s certificate, the message and the encrypted digest are sent to the recipient together.
4. The recipient checks the certificate, if it trusts the certificate issuer, it then uses the public key in the certificate to decrypt the ciphertext of received digest.
5. If the decrypted digest is identical to the hash value from the received message, it havs a very strong reason to believe that the message is from the sender which is the subject in the certificate and that the message is not changed in transit.