Specifications

ManualsBrandsMaxxus ManualsExercise BikePRO SPK-23

321

322

323

324

325

326

327

328

329

330

When a signed message is received, it can be checked. The signature is decrypted using the

sender’s public key. A hash value is generated for the message using the same method that the

sender used. If the decrypted hash value matches the hash value you generated, then the mes-

sage is from the sender and has not been altered.

Digital Certificates

It is good to be able to verify that a message has not been altered and that a series of messages

all come from a particular user or machine. For commercial interactions, it would be even bet-

ter to be able to tie that user or server to a real legal entity such as a person or company.

A digital certificate combines a public key and an individual’s or organization’s details in a

signed digital format. Given a certificate, you have the other party’s public key, in case you

want to send an encrypted message, and you have that party’s details, which you know have

not been altered.

The problem here is that the information is only as trustworthy as the person who signed it.

Anybody can generate and sign a certificate claiming to be anybody he likes. For commercial

transactions, it would be useful to have a trusted third party verify the identity of participants

and the details recorded in their certificates.

These third parties are called Certifying Authorities (CAs). Certifying Authorities issue digital

certificates to individuals and companies subject to identity checks. The two best known CAs

are VeriSign (http://www.verisign.com/) and Thawte (http://www.thawte.com/), but there

are a number of other authorities. VeriSign and Thawte are both owned by the same company,

and there is little practical difference between them. Some of the lesser-known authorities, like

Equifax Secure (www.equifaxsecure.com), are significantly cheaper.

The authorities sign a certificate to verify that they have seen proof of the person or company’s

identity. It is worth noting that the certificate is not a reference or statement of credit worthi-

ness. It does not guarantee that you are dealing with somebody reputable. What it does mean is

that if you are ripped off, you have a pretty good chance of having a real physical address and

somebody to sue.

Certificates provide a network of trust. Assuming you choose to trust the CA, you can then

choose to trust the people they choose to trust and then trust the people the certified party

chooses to trust.

Figure 13.6 shows the certificate path that Internet Explorer displays for a particular certificate.

From this, you can see that www.equifaxsecure.com has a certificate issued by Equifax Secure

E-Business Certifying Authority. This CA, in turn, has a certificate issued by Thawte Server

Certifying Authority.

E-commerce Security Issues

HAPTER 13

E-COMMERCE

SECURITY ISSUES

297

17 7842 CH13 3/6/01 3:36 PM Page 297