Digital Certificate
Digital Certificate is a modern alternative to the classical personal identificator (personal or medical identification card, passport, bank cards...) with a specific purpose - ensuring secure and legitimate E-commerce. Presented as a computer record, it contains data about the holder (name, e-mail, unique number, ...), his public key, data about the Certification Authority or the issuer of the digital certificate and the validity period of the digital certificate, which is digitally signed with a private key of the issuer of the certificate (SIGOV-CA or SIGEN-CA).
Digital certificates are an integral element of technological solutions, which offer two basic possibilities for privacy in electronic commerce and communication:
- data encryption, which assures confidentiality,
- digital signature, which represents a modern alternative to the autographic classical signature and assures:
- identity of the holder of the digital certificate
- non-repudiation of ownership of sent e-data
- integrity of a message, which means that it is not possible to change any data without the knowledge of the signatory.
The Certification Authority represents an institution that the holders of digital certificates trust. The holders mandate it to manage their digital certificates.
Principle of Confidentiality Among Holders of Digital Certificates Through a Third Person
Similarly, the Certification Authority is an institution that other Certification Authorities or individuals and indirectly also holders of digital certificates, which the Certification Authority issued and verified, trust. In this manner, various Certification Authorities can associate in various fashion, either horizontally, where they certify each other and enable secure and reliable communication among holders of digital certificates of both institutions (e.g., similarly as in mutual recognition of passports among citizens) or vertically, when one Certification Authority mandates another institution for issuing digital certificates in their name, which is necessary in managing a greater number of digital certificates. In addition, with mutual recognition the number of e-services, which are available with individual digital certificates, increases.
The Basic Characteristics of Digital Certificates SIGOV-CA and SIGEN-CA
Digital certificates are designed for internal E-commerce or communication in public administration (SIGOV-CA) and for services, which the public administration offers to citizens and legal persons electronically (SIGEN-CA). Both certification authorities issue two types of certificates : enterprise and web which have different purpose of use. This is made possible by specific technology and specific characteristics of software and infrastructure.
While one pair of keys (public and private) belongs to web digital certificates, two separate pairs of keys belong to enterprise digital certificates - for digital signing or certification and for encryption/decryption. Each pair consists of a private and a public key. The key being public means that it is publicly accessible or published in a so-called public directory of certificates. Privacy means that only the holder of the digital certificate has access to this key.
A pair of keys for encryption/decryption consists of:
- a private key for decryption,
- a public key for encryption.
A pair of keys for signing/verifying consists of:
- a private key for signing
- a public key for verifying a signature.
Procedure of Encryption and Decryption
Person A wishes to send person B an encrypted message. A uses person B's public key for encryption, which can be found in the public directory of certificates. Person A sends an encrypted message to person B. When person B receives the encrypted message, he decrypts it by using his private key. On condition that person A chose person B as the sole recipient of his message, only he can decrypt it.
The Procedure of Digital Signing
Person A digitally signs his message. The digital signature is designed so that it, first of all, according to a special procedure, creates a so-called "fingerprint" of the message - the hash (which assures that it is not possible to change the messages later - for this fingerprint would not be the same), this number is encrypted with the private key of the signer (A). Due to the fact that only person A has access to his private key, this is a guarantee that the signature is really person A's. The digitally signed message, received by person B, is composed of a clear text, encrypted hash, and person A's public key for verifying the signature.
Verifying Digital Signature
Person B, first of all, decrypts the hash with person A's public key. Once again he calculates the fingerprint of the message from the clear text with the same hash algorithm as used by person A. If the two hashes match, this means that the sent message was truly signed by person A.
A signed electronic message can be read by everyone, but the content cannot be changed without the changes being noted. By taking into account that only the signatory (holder of the digital certificate) knows his own private key, we can be sure that the message was indeed signed by him.
Two pairs of keys with enterprise digital certificates give us access and the ability to decrypt encrypted data - also in cases when the digital certificate, used for encrypting data, is not valid, or when normal use of the certificate is not possible due to various reasons. This enables access (readability) of e-data also in unexpected and unwanted cases, e.g., loss of password for access of the private key for decrypting data, damaged smart cards, etc. In such cases, the private key for decrypting data is securely stored under a specific regime inside the infrastructure of the Certification Authority at MJU and is issued only on the request of the holder of the digital certificate, the head of the organization (whether official digital certificates or digital certificates for legal persons), or at the request of the court of competent jurisdiction. The procedure for issuing a private key for decrypting data is defined in SIGOV-CA Policy and SIGEN-CA Policy. Based on the above-mentioned characteristics, enterprise digital certificates are above all designed for official use (for public administration and for legal persons), and web digital certificates for citizens.
The other important difference between enterprise and web digital certificates is validity and regeneration of keys. The validity of keys for enterprise digital certificates for signing, encryption and decryption is 3 years and for verification 5 years, the validity of web digital certificates is 5 years. Enterprise digital certificate keys are renewed automatically prior to expiration of validity, web digital certificates, on the other hand, are not automatically renewed. It is necessary to re-apply for the digital certificate.