Are digital
certificates secure?
Remaining vulnerabilities should be combined with biometric technology.

Today’s Internet infrastructure can facilitate many new industries—and further consolidate national and international business—with the use of digital certificates.

In its general definition, a digital certificate is an attachment to an electronic communication used for security purposes. The most common use of a digital certificate is to verify that a user sending a message is who he claims to be, and to provide the receiver with the means to encode a reply.

Are we putting too much trust in the maintenance and distribution of these certificates? After all, digital certificates are merely identifying a machine and not the user. One clear way to enhance the effectiveness of digital certificates is to combine them with biometric technology. Biometric technology identifies a person based on physical characteristics. A person’s face, voice and fingerprint patterns cannot be duplicated and used by anyone else. Adding biometric authentication successfully secures the digital certificate wherever it is stored.

DIGITAL CERTIFICATES—VULNERABILITIES

In order to apply for a digital certificate, you must submit personal information to a certificate authority, much like you would when you apply for a credit card. Once issued, this digital identity, which is usually sent to the owner via e-mail, most likely will not contain your name. You need to upgrade this certificate by visiting a notary and having the information verified. The notary fills out the necessary forms and returns them to the certificate authority. Once this is done, you are issued a digital certificate bearing your name. This digital certificate can now be used for electronic transactions, acting as your signature for documents, such as mortgages, sales contracts and insurance policies.

With the introduction of large enterprises doing business on the Web, executing a deal in a reasonable amount of time (Internet time) using in-person methods is difficult. These digital certificates, however, can be used to legally bind someone in an agreement—quickly and electronically.

One problem with a digital certificate is where it resides once it is obtained. The owner’s certificate sits on his computer, and it is the sole responsibility of the owner to protect it. If the owner creates and sends an encrypted e-mail, the recipients to whom the owner’s public key has been sent can decrypt and read the message. They can also use his certificate as a means of trusting his signature, and can hold him liable for all claims in his message. If the owner walks away from his computer, others can gain access to it and use his digital certificate to execute unauthorized business.

The best way to address the vulnerabilities of digital certificates is by combining them with biometric technology. The main advantage of biometric technology with digital certificates is that it confirms the actual identity of the sender, rather than the computer. A digital certificate can be released by some form of bioprint before authorization of an electronic transaction takes place, making use of the certificate by someone else almost impossible.

DOUBLE SAFE WITH BIOMETRICS

Every individual has unique characteristics, such as the pitch of his voice and the different points of his face and fingerprints. Another human being cannot duplicate these identifying characteristics. A person’s stored voice or face data can be compared to a live sample to identify or verify an individual. The incorporation of these capture devices (camera for face, microphone or telephone for voice, and sensors for fingerprints) are all readily available in today’s technology infrastructure.

Before authorization of an electronic money transfer, either from one bank to another or to another account, a digital certificate verified by a form of biometric should be presented. This biometric would effectively secure the digital certificate wherever it is stored.

When an e-mail you are sending needs to contain a confidential attachment, you could use a digital certificate to encrypt the text and prove identity. You should also use a biometric to prove to the receiver that you have authorized the use of that digital certificate. This level of trust will create a confidence in receiving information from trusted parties.

Also, with this further authentication of attachments, e-mail administrators can identify particular attachments containing viruses and easily trace them to the originator who is liable for all damages incurred.

By layering digital certificates with biometric technology, security is enhanced. There is a false sense of security gained when people work strictly with a digital certificate without protection or who might have access to it. A layered approach of digital certificates with biometric technology can offer a more complete solution to making important transactions on the Web.

Hammel is director of product engineering for Keyware Technologies, Woburn, MA.