Thursday, January 15, 2009

How can you trust a website?


Authentication + Encryption + Certification Authority = Trust

Conducting financial transactions over the Internet requires an environment in which money and personal data are safe. One of the biggest problems facing Internet business today is the issue of trust and security. Most consumers are concerned about the safety of their credit card and personal details, and many simply don't trust the Web, fearing that their transactions might not be safe.

A critical issue for suppliers is how to win your trust and convince you that it is safe to make online purchases or conduct other financial transactions on the supplier's website. The standard way to achieve this is through authentication and encryption.

Why is authentication important?
In the age of faceless Internet commerce, authentication is what establishes identity online. People and companies need to get to know one another before conducting business. In traditional commerce, people rely on physical credentials, such as a business licence or ID document, to prove their identities and assure the other party of their ability to transact safely.

A business partner's identity must be established before it can be trusted with financial or other transactions. At the most basic level, there must be a process which verifies that an organisation or individual exists, has a name, and is entitled to use that name. This process may also establish other identification attributes. Trusted third parties or delegated authorities often play a key role in confirming the identity attributes of participants at the time identification takes place.

Once the participant's basic identity and identification attributes have been established and verified in the "real" world, the participant must be issued with a credential, such as an ID document or a business licence, that can be used to prove identity. In the digital world, the most robust form of credential is a digital certificate (for a website, a server certificate) signed by a trusted Certification Authority. [note #1]

How authentication works
Authentication allows the receiver of a digital message to be confident of both the identity of the sender and the integrity of the message. When Web visitors connect to a website, the connection is either protected by a server certificate or it is not: the browser indicates a verified, encrypted connection, and it warns when the certificate is missing, has expired, was issued for a different name, or was issued by a CA the browser does not trust. A secure website in this sense is one that has been authenticated and holds a certificate. The certificate tells users that an independent third party has verified that the website belongs to the organisation it claims to belong to. A valid certificate whose name matches the address in the browser means that users can be confident they are sending confidential information to the place they think they are sending it, and not to an impostor in between. Note what the certificate does not say: it vouches for who operates the site, not for whether that operator is honest.

The basic premise is that the Certification Authority (CA) vouches for the link between an entity's identity and its public encryption key. The CA provides a level of assurance that the public key contained in the certificate does indeed belong to the entity named in the certificate. For a Web user to determine whether a legitimate CA issued the certificate, the browser must verify the issuing CA's signature on the certificate, using the CA's public key from the list of trusted CAs built into the browser or operating system.

CAs must be certain that they are issuing certificates to the "correct" company. They must be sure that the company they are certifying owns the Internet domain name they have certified, that it is registered as a business, and that its registered name is the same as that on the certificate the CA is signing. Once the CA has done what is, essentially, a background check on all these elements, it signs the certificate containing the company's public key. The level of assurance a certificate carries depends on how much of this checking the CA actually performed; some certificates confirm only control of the domain name. When a browser connects, the Secure Sockets Layer (SSL) protocol uses that certificate to set up the session. SSL, another critical element of a secure website, encrypts the traffic and ensures that the information sent by a server is identical to what the Web visitor receives, so that no change can take place in transit.

How can you tell if a website/company is authentic?
Before submitting information or purchasing goods, you need to know that the company you are doing business with is who it claims to be. Web shops can buy server certificates from many different companies (CAs), but Internet applications are configured to trust only those certificates that come from a limited set of highly reputable CAs whose root certificates are built into the browser or operating system. So, if someone presents you with a server certificate (either via e-mail or from a website you visit) and it is from a CA that the application does not trust, you will get an alert message asking whether you want to trust the new CA. Treat that prompt with suspicion: accepting an unknown CA removes the very check that authentication depends on.
When you visit a website, the following cues indicate that the connection is encrypted and that the browser has accepted the site's certificate:
  • The URL in the browser window begins with "https:" instead of "http:".
  • In Internet Explorer, a padlock icon appears in the bar at the bottom of the IE window. IE users can inspect a website's certificate and encryption level by following these steps:
    - Go to the website you want to check.
    - Right-click on the website's page and select Properties.
    - Click the Certificates button.
    - Check that the "Issued to" name matches the address shown in the browser's URL bar and that the "Issued by" name is a CA you recognise.
    - In the Fields box, select "Encryption type". The Details box shows you the level of encryption (at the time of writing, 40-bit or 128-bit; 40-bit keys are considered weak and should be avoided).
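The checks described in "How authentication works" and in the untrusted-CA alert above, as an added example that is not part of the original post or the thawte document it is based on: a shell script that uses the openssl command-line tool to stand up a private Certification Authority, have it sign a server certificate for a web shop's hostname, and then verify that certificate the way a browser does (does the signature chain to a CA in the trust store, and was the certificate issued for the hostname being visited?). It also prints the subject, issuer and validity dates that the IE certificate dialog shows. The CA names, the company name and the hostname shop.example.test are invented for the demo, and the script assumes openssl 1.1.0 or later for the -verify_hostname option.

```shell
#!/bin/sh
# Added example, not from the original post or the thawte document.
# Builds a private CA, issues a server certificate, and verifies it like a browser.
# All names (Example Root CA, Rogue CA, Example Shop Ltd, shop.example.test) are made up.

WORK=$(mktemp -d)   # scratch directory for keys and certificates

# Create a self-signed CA certificate. Its public key is what relying parties put in
# their trust store; its private key is what signs (vouches for) server certificates.
# $1 = short name used for the files, $2 = organisation name placed in the certificate
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=$2/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# The web shop generates its own key pair and a signing request naming its domain.
# The CA ($2) binds the domain name ($1) to the shop's public key by signing the request.
# Output: $WORK/<host>.<ca>.pem
issue_server_cert() {
    host=$1; ca=$2
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example Shop Ltd/CN=$host" \
        -keyout "$WORK/$host.$ca.key" -out "$WORK/$host.$ca.csr" 2>/dev/null
    # subjectAltName carries the DNS name that clients compare with the URL's hostname
    printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/$host.$ca.ext"
    openssl x509 -req -days 1 -in "$WORK/$host.$ca.csr" \
        -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" -CAcreateserial \
        -extfile "$WORK/$host.$ca.ext" -out "$WORK/$host.$ca.pem" 2>/dev/null
}

# The browser's check on connect: $1 = certificate presented by the site,
# $2 = trust store (the CA certificates the browser trusts), $3 = hostname from the URL.
# Exit status 0 means "padlock"; non-zero means the browser would show a warning.
verify_site_cert() {
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# What the browser's certificate dialog shows: who the certificate was issued to,
# who vouches for it, and for how long. $1 = certificate file.
show_cert_identity() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Demonstration: one trusted CA, one CA nobody trusts, the same hostname certified by each.
make_ca trusted "Example Root CA"
make_ca rogue   "Rogue CA"
issue_server_cert shop.example.test trusted
issue_server_cert shop.example.test rogue

show_cert_identity "$WORK/shop.example.test.trusted.pem"

report() { if verify_site_cert "$1" "$2" "$3"; then echo "OK      $4"; else echo "WARNING $4"; fi; }
report "$WORK/shop.example.test.trusted.pem" "$WORK/trusted.pem" shop.example.test  "trusted CA, matching name"
report "$WORK/shop.example.test.rogue.pem"   "$WORK/trusted.pem" shop.example.test  "certificate from a CA not in the trust store"
report "$WORK/shop.example.test.trusted.pem" "$WORK/trusted.pem" other.example.test "trusted CA, but issued for a different host"
```

Only the first case passes. The second is the "unknown CA" alert from the section above: the certificate is perfectly well formed and correctly signed, but by a key the trust store does not contain, so the signature proves nothing to this browser. The third shows why the name check matters as much as the signature: a genuine certificate for one site, presented by another, is exactly what an impostor would try.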

[1] Internet applications are configured to trust only those server certificates that chain to a limited set of highly reputable CAs, e.g. thawte, VeriSign, Entrust

[based on the thawte document The Value of Authentication]
