
Digital Certificate

Public key and Private key

Public and private key encryption involves a pair of mathematically linked keys: a public one known by everybody, and a private one known only by its owner. This is an asymmetric encryption system, in which a message is encrypted and decrypted with the two linked keys, as opposed to a symmetric one, in which encryption and decryption are carried out with a single key that must be known by both sender and receiver.

The main advantage of this dual-key system is that the decryption key does not have to be sent to the addressee, thus preventing third parties from intercepting and making use of it to find out the contents of the communication.

Private keys are known only by the people or entities possessing them, while public keys are managed by intermediaries who act as guarantors and who are known as Certificate Authorities.

The two-key concept is basic to understanding the proposed solution model, which is none other than the one underpinning Public Key Infrastructure (PKI), on which the main web security systems are based.


Digital Signature

A digital signature is the process that guarantees that a message has not been altered during its transmission (integrity), that the sender is really who he/she claims to be (authentication), and that the message has been sent by the sender and not by anybody else (non-repudiation).
The digital signature is based on encrypting a summary of the message with the sender's private key; this encrypted summary accompanies the message, whether the message itself is transmitted encrypted or in the clear.

Senders generate a summary of the message using a known secure hash function. They then encrypt this summary using their private key (so it can only be decrypted with their public key) and send both the message and the encrypted summary to the receiver. When the message arrives, the receiver, in turn, generates another summary from the message using the same hash function. Then the summary that was sent is decrypted with the sender's public key.

It is simply a matter of comparing both summaries, and if they coincide, it can be guaranteed that the contents have not been changed at any time during the transmission (integrity), and that, furthermore, only the sender can possess the private key corresponding to the public key used for decrypting the summary (authentication and non-repudiation).


Digital Certificates or Electronic Certificates

A digital certificate is an electronic credential issued and signed (digitally) by a Certification Authority. The digital certificate contains the public key of a specific person or identity it remains bound to. This bond is “certified” by the Certification Authority that issues the certificate.

The basic elements of a digital certificate are as follows:

  • User identity

  • Type of certificate

  • Certificate serial number

  • Digital signature algorithm or hash

  • Expiry date of the certificate

  • User public key

  • Identity of the Certification Authority issuing the certificate

  • Digital signature of Certification Authority


At “e-puertobilbao” each user will have their own digital certificate, signed by the Certification Authority, which in this case will be the Port Authority of Bilbao. When applying for digital certificates, users must prove their identity before the designated Registration Authority, which will likewise be the Port Authority of Bilbao.


Certification Entity

The challenge faced by Internet security systems based on asymmetric cryptography and on digital certificate use is that of the authenticity of keys, that is, who guarantees that the key of an interlocutor, freely obtained on the platform, is really his or hers? What would happen if somebody sends their public key claiming to be someone they are not?

Basically, the problem of distributing keys in such a way that guarantees they belong to their legitimate owners has still not been solved. And this is where the concept of Certification Authority comes into play, a recognised trusted third party that digitally signs the keys and identities of users and systems.

The security solution for the “e-puertobilbao” platform is a centralised one: a central member of the user community created around “e-puertobilbao”, namely the Port Authority of Bilbao, is designated as the Certification Authority and assumes the functions of generating, issuing and maintaining the certificates. This solution involves the generation of its “own” digital certificates which, although technically complying with X.509 standards, would only be valid for operations within the platform.

In “e-puertobilbao”, each user will have to keep their private key in such a way that only they can use it. The users' public keys (included in their digital certificates) will be known to the other users, since they will be published in the Certification Authority’s lists of certificates.
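
The signature check from the Digital Signature section and the Certification Authority's vouching role described above, combined in one added example (not code from the “e-puertobilbao” platform). It assumes textbook RSA without padding over fixed, publicly known Mersenne primes, chosen only so that it runs with the Python standard library; the function names, the identities alice and mallory and the message are hypothetical, and a real deployment uses a vetted library with padded signatures and X.509 certificates.

```python
import hashlib

E = 65537  # public exponent

def keypair(a, b):
    # Toy key from the Mersenne primes 2**a-1 and 2**b-1 (public values: demo only)
    p, q = 2**a - 1, 2**b - 1
    d = pow(E, -1, (p - 1) * (q - 1))        # private exponent
    return (p * q, E), (p * q, d)            # (public key, private key)

def summary(data, n):
    # The page's "summary": SHA-256 digest as an integer, reduced to fit modulus n
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, private):
    n, d = private
    return pow(summary(data, n), d, n)       # summary "encrypted" with the private key

def verify(data, signature, public):
    n, e = public
    return pow(signature, e, n) == summary(data, n)   # compare the two summaries

def cert_body(identity, public):
    return f"{identity}|{public[0]}|{public[1]}".encode()

def issue_certificate(identity, public, ca_private):
    # The CA binds identity and public key by signing them together
    return {"identity": identity, "public": public,
            "ca_sig": sign(cert_body(identity, public), ca_private)}

def accept(message, signature, cert, ca_public):
    # Receiver: trust the key only if the CA vouches for it, then check the message
    bound = verify(cert_body(cert["identity"], cert["public"]), cert["ca_sig"], ca_public)
    return bound and verify(message, signature, cert["public"])

# Constructed sample data (all names and the message are hypothetical)
ca_pub, ca_priv = keypair(521, 607)
alice_pub, alice_priv = keypair(127, 89)
mallory_pub, mallory_priv = keypair(107, 61)
msg = b"Sample declaration: 3 containers"
sig = sign(msg, alice_priv)
alice_cert = issue_certificate("alice", alice_pub, ca_priv)
# Someone presenting their own key under alice's name, vouched for only by themselves
fake_cert = issue_certificate("alice", mallory_pub, mallory_priv)

if __name__ == "__main__":
    print(accept(msg, sig, alice_cert, ca_pub))                     # genuine
    print(accept(msg + b"0", sig, alice_cert, ca_pub))              # altered message
    print(accept(msg, sign(msg, mallory_priv), fake_cert, ca_pub))  # unvouched key
```

The receiver needs only the Certification Authority's public key in advance; every user key is accepted or rejected through the certificate that carries it.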


Campo Volantín, 37 - 48007 Bilbao - Bizkaia. Phone 94 487 12 60 - Fax 94 487 12 88
Customer service 902 101 614