How do I use Digital IDs?
When you receive digitally signed messages, you can verify the signature against the signer's Digital ID to determine that no forgery or false representation has occurred.
When you send messages, you can sign them and enclose your Digital ID to assure the recipient that the message was actually sent by you. Multiple Digital IDs can be enclosed with a message, forming a hierarchical chain in which each Digital ID testifies to the authenticity of the one below it, up to a CA the recipient already trusts. If the recipient already holds your Digital ID (or that of your CA), there is less need to enclose the chain.
You can also use a Digital ID to identify yourself to secure servers.
Can using digital signatures help detect altered documents and transmission errors?
A digital signature is superior to a handwritten signature in that it attests to the contents of a message as well as to the identity of the signer. As long as a collision-resistant hash function and a secure signature scheme are used, there is no way to take someone's signature from one document and attach it to another, or to alter the signed message in any way without detection. The slightest change in a signed document, even a single bit, will cause the digital signature verification process to fail.
What applications support Digital IDs?
Client Digital IDs are currently supported by Netscape Navigator 3.0 and by Microsoft Internet Explorer 3.0.
Server Digital IDs are currently used in server products from IBM, Microsoft, Netscape, OpenMarket, Oracle and many more. Sun, CyberCash, Premenos, National Semiconductor and Lotus are planning to implement VeriSign's Digital ID services. VeriSign products are being used internally in many institutions, including branches of the U.S. government, major corporations, national laboratories, and universities.
How do I get a Digital ID?
You can request Digital IDs for yourself or for a secure server at VeriSign's Digital ID Center. Class 1 and Class 2 Digital ID requests are processed on-line and take only a few minutes in most cases. Digital IDs for secure servers and for software publishing require additional processing time. Generating a Digital ID request is part of the initial installation or setup procedure for many applications that are Digital ID enabled.
Who issues Digital IDs and how?
Digital IDs are issued by a Certification Authority (CA), which can be any trusted central administration willing to vouch for the identities of those to whom it issues Digital IDs. A company may issue Digital IDs to its employees, a university to its students, a town to its citizens. In order to prevent forged Digital IDs, the CA's public key must itself be trustworthy: a CA must either publicise its public key or provide a Digital ID from a higher-level CA attesting to the validity of its public key. The latter solution gives rise to hierarchies of CAs.
A person, say Amrita, generates her own key pair and sends the public key to an appropriate CA with some proof of her identity. The CA checks the identification and takes any other steps necessary to assure itself that the request really did come from Amrita, and then sends her a Digital ID attesting to the binding between Amrita and her public key, along with a hierarchy of Digital IDs verifying the CA's public key. Amrita can present this Digital ID chain whenever desired in order to demonstrate the legitimacy of her public key.
Are Certification Authorities susceptible to attack?
One can think of many attacks aimed at the Certification Authority, which must be prepared to defend against them. Consider the following attack. Suppose Ravi wishes to impersonate Amrita. If Ravi can convincingly sign messages as Amrita, he can send a message to Amrita's bank saying "I wish to withdraw $10,000 from my account. Please send me the money." To carry out this attack, Ravi generates a key pair and sends the public key to a Certification Authority saying "I'm Amrita. Here is my public key. Please send me a Digital ID." If the CA is fooled and sends him such a Digital ID, he can then fool the bank, and his attack will succeed. Note that nothing in the signature mathematics detects this: the bank's verification succeeds against the Digital ID Ravi holds; the failure is in the CA's identity check.
In order to prevent such an attack, the CA must verify that a Digital ID request did indeed come from its purported author -- the CA may, for example, require Amrita to appear in person and show a birth certificate.
In another attack, Amrita bribes Ravi, who works for the Certification Authority, to issue to her a Digital ID in the name of Amitabh. Now Amrita can send messages signed in Amitabh's name, and anyone receiving such a message will believe it authentic because a full and verifiable Digital ID chain will accompany the message. This attack can be hindered by requiring the cooperation of two (or more) employees to issue a Digital ID (dual control); the attacker now has to bribe two employees rather than one.
What is a key pair and how is it used?
Rather than using the same key to both encrypt and decrypt the data, public key encryption uses a matched pair of keys. Each key performs a one-way transformation on the data, and each is the inverse of the other: what one does, only the other can undo. The Public Key is made publicly available by its owner, while the Private Key is kept secret. To send a private message, an author scrambles the message with the intended recipient's Public Key. Once so encrypted, the message can only be decoded with the recipient's Private Key.
Inversely, the user can also scramble data using their Private Key; in other words, key pairs work in either direction. This provides the basis for the digital signature, for if the user can unscramble a message with someone's Public Key, the other user must have used their Private Key to scramble it in the first place. Since only the owner can use their own private key, the scrambled message becomes a kind of electronic signature: a document that nobody else can produce. (In practice the private key is applied to a message digest of the document rather than to the whole document.) A Digital ID binds an identity to a public key, assuring the identity of the person or entity who owns the public key and the associated private key.
Who needs a key pair?
Anyone who wants to sign messages or receive encrypted messages must have a key pair. Individuals might have more than one key pair. For example, you might have a key affiliated with your work and a separate key for personal use. Other entities will also have keys, including electronic entities such as modems, workstations, and printers, as well as organizational entities such as a corporate department, a hotel registration desk, or a university registrar's office.
How do I get a key pair?
In most cases, the security-enabled applications that you use will be able to generate a key pair for you in conjunction with generating a request for a Digital ID. For security, key pairs should be generated locally, and private keys should never be transmitted over a network.
Once generated, you must register your public key with a Certification Authority (CA). The CA then sends you a Digital ID attesting to your public key, along with other information. To simplify the bookkeeping associated with a key, most users should not obtain more than one Digital ID for the same key.
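The enrolment and chain-checking steps described above (the applicant generating her own key pair and sending only the public key, the CA checking the request and issuing a Digital ID under its own hierarchy, and a recipient verifying that chain), as an added example that is not code from the original page or from VeriSign's software. It uses Go's standard-library X.509 support; the CA names, serial numbers and the Amrita/Ravi scenario are constructed for illustration. It also shows the case the "Who issues Digital IDs" answer warns about: a certificate naming "Amrita", issued by a self-made CA whose public key the recipient does not trust, is rejected even though its own chain is internally consistent.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must turns setup failures (key generation, certificate encoding) into panics
// so the demonstration stays readable; real enrolment code would return errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue has a CA sign a certificate (a Digital ID) binding subject to pub.
// With parent == nil the certificate is self-signed, i.e. a root CA, and signer
// must then be the private half of pub.
func issue(subject string, pub *rsa.PublicKey, isCA bool, parent *x509.Certificate,
	signer *rsa.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// enrol is the CA's side of enrolment. CheckSignature proves the applicant holds
// the private key matching the public key in the request; it proves nothing about
// who the applicant is, so identity vetting is a separate, out-of-band step.
func enrol(csrDER []byte, ca *x509.Certificate, caKey *rsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("request not signed by the key it carries: %w", err)
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("unsupported key type %T", csr.PublicKey)
	}
	return issue(csr.Subject.CommonName, pub, false, ca, caKey, serial), nil
}

// verifyChain is the recipient's side: does leaf chain, through the enclosed
// intermediates, to a root whose public key the recipient already trusts?
func verifyChain(leaf *x509.Certificate, roots, intermediates []*x509.Certificate) error {
	rp, ip := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rp.AddCert(c)
	}
	for _, c := range intermediates {
		ip.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rp, Intermediates: ip,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// HierarchyDemo builds root -> issuing CA -> Amrita and verifies that chain, then
// shows that a certificate naming "Amrita" from Ravi's self-made CA is rejected.
func HierarchyDemo() (genuineOK, forgedRejected bool, err error) {
	rootKey := must(rsa.GenerateKey(rand.Reader, 2048))
	issuingKey := must(rsa.GenerateKey(rand.Reader, 2048))
	amritaKey := must(rsa.GenerateKey(rand.Reader, 2048))
	raviKey := must(rsa.GenerateKey(rand.Reader, 2048))

	root := issue("Example Root CA", &rootKey.PublicKey, true, nil, rootKey, 1)
	issuing := issue("Example Issuing CA", &issuingKey.PublicKey, true, root, rootKey, 2)

	// Amrita generates her key pair locally and sends only a signed request (CSR).
	csr := must(x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: "Amrita"}}, amritaKey))
	amrita, err := enrol(csr, issuing, issuingKey, 3)
	if err != nil {
		return false, false, err
	}
	genuineOK = verifyChain(amrita, []*x509.Certificate{root}, []*x509.Certificate{issuing}) == nil

	// Ravi's "CA" even reuses the trusted root's name; only the key differs, and
	// that is enough: the chain never reaches a root the recipient trusts.
	raviCA := issue("Example Root CA", &raviKey.PublicKey, true, nil, raviKey, 1)
	forged := issue("Amrita", &raviKey.PublicKey, false, raviCA, raviKey, 2)
	forgedRejected = verifyChain(forged, []*x509.Certificate{root}, []*x509.Certificate{issuing, raviCA}) != nil
	return genuineOK, forgedRejected, nil
}

func main() {
	ok, rejected, err := HierarchyDemo()
	fmt.Println("genuine chain verifies:", ok, "| forged chain rejected:", rejected, "| error:", err)
}
```

The recipient passes Ravi's certificates in as intermediates on purpose: that is exactly what an attacker would enclose with a message, and it still does not help him, because trust is anchored in the root's public key, not in anything carried with the message.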
How do I find someone elses public key?
Suppose you want to find Bob's public key. There are several possible ways. You could call him up and ask him to send you his public key via e-mail; you could request it via e-mail as well. Certification Authorities may provide directory services; if Bob works for company Z, look in the directory kept by Z's Certification Authority. Directories must be secure against unauthorized tampering, so that users can be confident that a public key listed in the directory actually belongs to the person listed. Otherwise, you might send private encrypted information to the wrong person. A key received by e-mail deserves the same care, since e-mail itself is not authenticated: confirm it through Bob's Digital ID, or by comparing its fingerprint with him over a channel you trust.
What is a message digest?
A message digest concisely represents a longer message or document from which it was computed; one can think of a message digest as the digital fingerprint of a larger document. A message digest is used to create a digital signature that's unique to a particular document.
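Hash-then-sign as described in the digital-signature, key-pair and message-digest answers above, as an added example that is not code from the original page. It uses only Go's standard library; the two key pairs are generated fresh on each run and the document text is a constructed sample. It checks the outcomes the text promises: a genuine signature verifies, a one-digit change to the document fails, the signature cannot be transplanted onto another document, and a different key cannot produce a signature that verifies as the owner's. It also runs the key pair in the other direction (public key to seal, private key to open).

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Digest is the message digest: a fixed-size SHA-256 fingerprint of the
// document. The signature is computed over this digest, not over the document.
func Digest(doc []byte) []byte {
	d := sha256.Sum256(doc)
	return d[:]
}

// Sign signs the digest of doc with the signer's private key
// (RSA PKCS#1 v1.5 with SHA-256).
func Sign(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, Digest(doc))
}

// Verify reports whether sig is a valid signature over doc by the holder of
// the private key matching pub. Any change to doc changes the digest and
// therefore fails the check.
func Verify(pub *rsa.PublicKey, doc, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, Digest(doc), sig) == nil
}

// Seal and Open use the key pair in the other direction: anyone can scramble
// with the public key (RSA-OAEP); only the private key unscrambles.
func Seal(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

func Open(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Result records the outcome of each check run by SignatureDemo.
type Result struct {
	GenuineVerifies    bool // Amrita's signature over her own document verifies
	AlteredRejected    bool // changing one digit of the document breaks it
	TransplantRejected bool // her signature does not carry over to another document
	WrongKeyRejected   bool // Ravi's key cannot produce a signature that verifies as Amrita's
	OpensWithOwnKey    bool // mail sealed to Amrita opens with her private key ...
	WrongKeyCannotOpen bool // ... and with nobody else's
}

// SignatureDemo runs the checks above with two freshly generated 2048-bit key
// pairs and a constructed sample document.
func SignatureDemo() (Result, error) {
	var r Result
	amrita, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	ravi, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}

	doc := []byte("Please transfer 1,000 rupees to account 42.") // constructed sample
	sig, err := Sign(amrita, doc)
	if err != nil {
		return r, err
	}
	r.GenuineVerifies = Verify(&amrita.PublicKey, doc, sig)

	altered := bytes.Replace(doc, []byte("1,000"), []byte("9,000"), 1)
	r.AlteredRejected = !Verify(&amrita.PublicKey, altered, sig)

	other := []byte("Please transfer 1,000 rupees to account 43.")
	r.TransplantRejected = !Verify(&amrita.PublicKey, other, sig)

	forged, err := Sign(ravi, doc)
	if err != nil {
		return r, err
	}
	r.WrongKeyRejected = !Verify(&amrita.PublicKey, doc, forged)

	secret := []byte("for Amrita's eyes only")
	ct, err := Seal(&amrita.PublicKey, secret)
	if err != nil {
		return r, err
	}
	pt, err := Open(amrita, ct)
	r.OpensWithOwnKey = err == nil && bytes.Equal(pt, secret)
	_, err = Open(ravi, ct)
	r.WrongKeyCannotOpen = err != nil
	return r, nil
}

func main() {
	doc := []byte("Please transfer 1,000 rupees to account 42.")
	fmt.Printf("digest(original) = %x\n", Digest(doc))
	fmt.Printf("digest(altered)  = %x\n", Digest(bytes.Replace(doc, []byte("1,000"), []byte("9,000"), 1)))
	r, err := SignatureDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Running main prints the two digests first: the altered document differs from the original by one character, yet the two fingerprints share nothing, which is why the signature over the first cannot be reused for the second.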
How do I protect my Digital ID?
Digital IDs make use of a technology called public key cryptography. During the initial enrollment process for obtaining a Digital ID, your computer creates two keys: one public, which is published within your certificate and posted in VeriSign's repository, and one private, which is stored on your computer. VeriSign does not have access to your private key. It is generated locally on your computer and is never transmitted to VeriSign. The integrity of your certificate (your digital identification) depends on your private key being controlled exclusively by you.
Your private key is protected in two ways:
It is stored on your computer's hard drive, so you control access to it.
When you generate your private key, the software you use (such as your browser) will probably ask you for a password. This password protects access to your private key. For Microsoft Internet Explorer users, your private key is protected by your Windows password.
A third party can access your private key only by (i) having access to the file your key is stored in (which is usually part of your system's configuration information) and (ii) knowing the password that protects it.
How should I protect my private key?
Protect your computer from unauthorized access by keeping it physically secure. Use access control products or operating system protection features (such as a system password).
Where do I enter the password that protects my private key?
Netscape refers to your private key password as your Netscape Password; Netscape will prompt you when the browser requires you to enter it. Note: you should *never* enter your Netscape Password in a form retrieved over the Internet. Only enter it in locally generated Netscape dialog boxes.
I use Microsoft Internet Explorer 3.0. Why didn't it ask me for a password when I generated my key?
Microsoft Internet Explorer protects your private key with the Windows logon password, not with a separate password.
No one can help me if I forget my password. That doesn't sound very friendly. Why?
There is a trade-off between security and convenience. If there were some way for another person to recover your private key password for you, then he or she could steal your key. In the future it will be possible to save an unencrypted copy of your private key (so no password is required) on a floppy disk, which you could then put in a safe place such as a safe deposit box; such a copy is protected only by physical custody, so treat it accordingly.