Certificates can be used for:
- Authentication, which verifies the identity
of someone or something.
- Privacy, which ensures that information is
only available to the intended audience.
- Encryption, which disguises information so
that unauthorized readers are unable to decipher it.
- Digital signatures, which provide
nonrepudiation and message integrity.
These services can be important to the security of your communications. In addition, many applications use certificates, such as e-mail applications and Web browsers.
Authentication is crucial in making communication more secure. Users must be able to prove their identity to those with whom they communicate and must be able to verify the identity of others. Authentication of identity on a network is complex because the communicating parties do not physically meet as they communicate. This can allow an unethical person to intercept messages or to impersonate another person or entity.
Whenever sensitive information is transmitted between computing devices on any type of network, users should generally use some sort of encryption to keep their data private.
Encryption can be thought of as locking something valuable into a strong box with a key. Conversely, decryption can be compared to opening the box and retrieving the valuable item. On computers, sensitive data in the form of e-mail messages, files on a disk, and files being transmitted across the network can be encrypted using a key. Encrypted data and the key used to encrypt data are both unintelligible.
For more information about encryption and certificates, see Resources for Certificates.
A digital signature is a way to ensure the integrity and origin of data. A digital signature provides strong evidence that the data has not been altered since it was signed and it confirms the identity of the person or entity who signed the data. This enables the important security features of integrity and nonrepudiation, which are essential for secure electronic commerce transactions.
Digital signatures are typically used when data is distributed in plaintext, or unencrypted form. In these cases, while the sensitivity of the message itself might not warrant encryption, there could be a compelling reason to ensure that the data is in its original form and has not been sent by an impostor because, in a distributed computing environment, plaintext can conceivably be read or altered by anyone on the network with the proper access, whether authorized or not.