What is it that makes the modern web work? If your answer has something to do with the software and hardware that the physical infrastructure of the web is built from, well, you’re partly right. What I’m talking about, however, is trust. Without trust, it’s impossible to do business on the web. We need ways of letting users and website owners on the web trust each other so that they can get on with business.
You’d think the internet would have been designed with this sort of trust system built in. What we tend to forget, however, is that no one who worked on the early internet had any idea that it would be something everyone, and increasingly everything, would use. It was meant to connect universities and government installations: institutions that are already trusted. As the web began to develop as a technology that ran on the internet, the need to build a robust authentication system became a top priority.
It’s from these efforts that we today have digital signatures and certificates. Understanding how they work and what they do is key to understanding internet security.
A digital signature is in principle exactly the same thing as the signature you put on a contract or cheque. It’s a unique signifier that the document really comes from you and that the person receiving it should accept it as authentic.
Of course, signatures can be forged, and an entire industry of fraud exists centering around faking them. When we think of fraud in a digital world, the problem becomes much more complex. Today there are billions and billions of transactions, files and other digital objects flying all over the web. How does one ensure that each of those transactions is verified with little or no fraud taking place?
That’s where digital signatures come into play.
There are a few specific use cases that mandate using a signature. The most obvious one is authenticating the sender of a message. If you get a confidential message from your lawyer, you want to know it comes from your lawyer and not someone impersonating them.
Signatures also include a timestamp, which means you can also use them to determine if any changes have been made to the data after it was signed. If so, then you know not to trust the document.
Digital signatures today have the same legal weight as traditional handwritten signatures. In fact, since they are much harder to fake or deny having been made, they should carry more weight!
At the core of a digital signature is something known as public key cryptography. Here there are two keys used to encrypt information, in this case the signature. The key that encrypts the information is known as the private key. The person in question keeps their private key secret and does not share a copy of it with anyone.
The neat thing is that the other key, the public key, can decrypt the message but can’t be used to impersonate the signer. No other key can decrypt the message, so if the public key provided by the sender successfully unlocks the encryption, it must really be from them.
The private and public key pair don’t make up a digital signature by themselves. Yet another component, known as a “hash”, is used to build the signature. A hash is the product of a hash function. This is a special algorithm that takes any string of data and then turns it into an output of fixed length. The hash itself doesn’t contain any of the data that was run through the function. However, only that exact string of data will produce a particular hash output. So it’s a great way to make sure that the message was not modified in any way.
In a digital signature, a hash of the original content, together with a description of the hash method, is what gets encrypted by the signer. When the message is received on the other end and decrypted, the hash can be used to confirm that no changes have been made since the signature was made.
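The signing flow described above (hash the content, transform the hash and its method label with the private key, check with the public key), as an added example that is not from the original article. It uses textbook RSA without padding over a constructed, trivially factorable toy key; the function names and the `name:digest` encoding are assumptions for illustration, and real systems use a vetted library with a padded scheme such as RSA-PSS.

```python
import hashlib
import hmac

# Constructed toy key: the product of two well-known Mersenne primes.
# Anyone can factor it, so it only illustrates the mechanics.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                   # public key (modulus, exponent)
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent, kept by the signer

ALLOWED_HASHES = {"sha256", "sha384", "sha512"}


def _encode(message: bytes, hash_name: str) -> int:
    """Pack 'hash method description' + ':' + digest into one integer."""
    digest = hashlib.new(hash_name, message).digest()
    return int.from_bytes(hash_name.encode("ascii") + b":" + digest, "big")


def sign(message: bytes, hash_name: str = "sha256", d: int = D, n: int = N) -> int:
    """Signer: transform the labelled hash with the private key."""
    if hash_name not in ALLOWED_HASHES:
        raise ValueError("unsupported hash")
    return pow(_encode(message, hash_name), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Receiver: undo the transform with the public key, then re-hash."""
    if not 0 < signature < n:
        return False
    recovered = pow(signature, e, n)
    blob = recovered.to_bytes((recovered.bit_length() + 7) // 8, "big")
    label, sep, digest = blob.partition(b":")
    try:
        hash_name = label.decode("ascii")
    except UnicodeDecodeError:
        return False
    # Only accept hash methods on the allow-list, never whatever the blob names.
    if not sep or hash_name not in ALLOWED_HASHES:
        return False
    expected = hashlib.new(hash_name, message).digest()
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    msg = b"Pay 100 to Alice"                  # constructed sample message
    sig = sign(msg)
    print(verify(msg, sig))                    # genuine message
    print(verify(b"Pay 900 to Alice", sig))    # altered after signing
```

The allow-list in `verify` is the part worth copying into real designs: a verifier that trusts whichever hash method the signature names can be steered toward a weak one.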
A digital certificate is, as its name suggests, a digital certification that someone is who and what they say they are. A central certificate authority usually issues it. The authority is the one that keeps trust. It verifies that the certificate requester is all the things they say they are and then issues a digital certificate which can be presented to the rest of the world.
This makes it much harder for people to set up fake websites and redirect you to them. If the fake site can’t present the right certificate to your browser, then it won’t accept it, and you’ll get a warning about it. It's also the perfect way to send secure encrypted emails.
Let’s dig a little deeper into digital certificates and see how it is they work.
Although digital certificates come in various formats, the X.509 standard is probably the most used and best known. X.509 defines what information is contained within the certificate and is an integral part of security technologies such as HTTPS and SSL.
Here’s what you should find inside an X.509 certificate:
So private and public keys have a job with certificates too? Well, that brings us to the next important information on how digital certificates work.
Digital certificates are a key component in public key cryptography. The certificate does the job of providing you with the public key so that you can verify the signature. It also means you can decrypt anything else sent to you that was encrypted with the certificate owner’s private key. The digital certificate is, therefore, the vehicle that allows for key exchanges, where public keys are exchanged, and a secure, encrypted channel is created between the two points of the transaction.
Industry-standard encryption is incredibly strong these days. Barring a massive leap in computing power, there is basically no practical way of breaking it. Digital signatures and certificates are a practical application of this encryption technology, which makes the internet safe. At least, much safer than it would be without it. Every time you order an Uber or buy something from Amazon, this ultra-secure set of technologies works in the background to make sure you don't get cheated.