Basic security on any website.
The workflow for this trusting mechanism has minimum 3* layer.
- At top there are organizations trusted by all called Root Certificate Authorities (Root CA). They have their own private key which they securely keep with them. Their public keys will be stored in devices like computers, smart phones etc. Root CAs provide digital certificates to Intermediate Certificate Authorities (ICA) by digitally signing it with Root CA’s private key.
- Then comes the ICAs. As mentioned above, ICAs will get its digital certificate which contains ICAs public key and also Digital signature from Root CA. Along with this they also get a private key which they securely keep with them. ICAs public key is available in its digital certificate.
- ICAs provide digital certificate to website domains after verification of domain ownership. This is SSL(Secure Socket Layer) certificate which will contain public key of domain owner. It is digitally signed by ICAs with ICA’s private key.
Here we can see a chain of certificate ( called chain of trust, marked in red dotted lines in the diagram) from Root CA to the domain owner SSL certificate. The web browsers in the operating system will verify this chain of trust.
To clearly understand the above workflow, we need a subset of fundamentals of cyber security,
- Public key cryptography
- Digital Signature
Public Key Cryptography
This is a type of encrypting and decrypting data using a pair of keys (alphanumeric string of a particular length) so that the data is readable only by people having the keys.
The pair of keys will contain A private key and a public key.
A private key, as the name says it is used in secret, and a public key can be used by anybody. The data encrypted using private key can only be decrypted using public key and vice versa.
There are 2 uses of this type of encryption in this scenario of secure website,
- Data privacy
- Website Identity Validation
Data privacy : The server of the website will have a pair of public and private key. Before any important data transmission from browser side, the website will first return a public key to the browser (as soon as the HTTPS URL, say https://abcd.com is hit). The data sent from the browser will be encrypted using this public key. This can only and only be decrypted using the private key at the server side. So, no other entity in between will be able see the data transmitted. (the actual HTTPS communication is obviously a little more complicated. You can get more details here).
The public key will be a part of Certificate. We also see some more details along with it. The Certificate used here, is actually called as Digital Certificate , is a file containing public key of website owner and some more details like subject, issuer of the certificate etc. In this case the ‘subject’ is the owner of the website. ‘Issuer’ is the authority who has issued the certificate. This gives the base knowledge for the next use of public key cryptography.
Website Identity Validation
From the previous step we are assured that data can be kept private by sending encrypted data. Now the question “how sure are we that the data, which is sent, is actually sent to the trustworthy recipient server?”. Framing the question in another way, how do I trust the website owner? For this, the concept of Digital Signature is used.
Digital signature is an encrypted hash value of a document. Hash is an alphanumeric string generated from a document using a standard algorithm like SHA256. This hash value is a fixed value for a document i.e. Every time when the algorithm is run for the document, given the document is not altered, it generates the same hash value. This hash value is then encrypted with the private key of some authority. This encrypted value is the Digital Signature of the document.
Digital signatures are used for checking the validity of the document, to make sure it is authorized by an Authority and also it is not tampered.
How is that done ? After a document is digitally signed by an authority, the document is sent with its Digital Signature and also the Digital Certificate of the authority which contains public key of the authority . The recipient of the document will generate hash value of the document and then decrypt the Digital Signature using public key of the authority and match the hash value. If hash value is same then it means the document is valid and not tampered.
In our case, the Digital Certificate of the website has to be checked for validity. The certificate contains Digital Signature of the issuer. An issuer is also called as Intermediary Certification Authority(ICA). Browser will also get the ICA’s certificate which contains public key of the ICA. The method mentioned previously is used for validating Digital Signature.
After validating, we are sure that the certificate of the website is the correct one and provided by that ICA. The question that arises next is how do we trust the issuer i.e. ICA? To resolve this there will be a Digital Signature in the ICA’s certificate, signed from the another ICA or root CA. That also can be validated. That means there is a chain of Authorities’ certificates. Browser does all these validations in the chain.
But where does this chain end at the top?
The chain of ICAs will end at root CA on the top. It is called chain of trust. Root CAs are the trusted entities globally. Root CA certificates are pre-downloaded in the devices (computer, smart phone etc.). Root CAs issue certificates to ICAs. And ICAs issue certificates to other ICAs or directly to website domain . This digital certificate provided to a website domain is called SSL certificate . The reason it is named so because it used for providing a layer of security for communication between user and webserver.
There are in fact 3 types of SSL certificates based on validations done,
- Domain validation (DV) — covered in this article. In this certificate domain name is visible in the Subject field. Eg: www.example.com
- Organization validation (OV)— in which strict verification is done at organization level and certificate displays domain name, name of the company, name of the city, state, and country where the company exists.
- Extended Validation (EV) — in which the verification process is very strict, which makes any phishing websites impossible to get this certificate. So this certificate can show highest level of trust. The certificate displays details similar to that in OV along with some more information.
I hope this article helped you to understand some basics about security on a website. To get details in depth you can go through advanced topics like Certificate Revoking, The public key Infrastructure (PKI), X.509 certificate format.
*there can be multiple mid layers of ICAs. Like one ICA can authorize other ICAs by providing digital certificate.