Using PKI

The most common PKI based applications include authentication to and authorization for the use of web resources, signed and secure e-mail messages, and electronic document signatures. Each of these functions is implemented in appropriate software applications.

Using Web Browsers and SSL

PKI is built in to all web browsers that use SSL. Secure Sockets Layer (SSL) is a protocol used to protect data transmitted between a client application and a server. An SSL connection is secured by using the PKI certificate of the web server to share a symmetric key with the web browser which is used to encrypt data exchanged between them. When SSL is being used to communicate with a web server, the "security" functions of the web browser allow the end user to check the validity of and view the associated web server's certificate.

This is currently the most common application of SSL. Since it works with no further user interaction, most people are unaware of the other PKI certificate and security features. Some web browsers also allow you to store and use personal PKI certificates for authentication. The key pair and certificate are used with web servers and sites that require authentication through client side SSL connections. In a client side SSL connection your web browser authenticates you by using your private key to decrypt a message encrypted by your public key. Depending on the features of the browser, you may need to specify which certificate is to be used if you have several. Some browsers will select a certificate that will work based on which other certificates were used to sign it.

Your Private Key

In a PKI based protocol transforming some data using the private key is needed to provide the identity of the person or device participating in the application. This private key is connected to a certificate containing the corresponding public key. Showing that you can use that private key demonstrates the connection to the name of the subject in the certificate. Simply having a PK certificate in your possession proves nothing.

As noted already, a certificate has an associated private key. Use of the private keys is frequently controlled by a password set in the browser. Depending on the features of the browser, you may be asked for the password, whenever the private key is used, the first time it is used or it may be used by any one using the computer on which it is stored.

Web browsers typically have features that let you, examine, import and export certificates and keys. Certificates can be personal or accepted by the users for certain trusted companies or authorities. Once an SSL connection is established, the server certificate in use can usually be examined by looking at the properties of the page transmitted over the SSL connection.

Certificates and keys are most commonly stored on the hard disk of the computer you are using. In addition to providing the password when the private key is used, usually a password is also required to import or export keys and certificates. Some browsers also support key and certificate storage in a secure external device. Again a password is often used to gate access to the key and certificate.

Root Certificates and Certificate Authorities

Certificates issued to web servers and individuals are signed by a Certificate Authority. The signature on a certificate identifies the particular Certificate Authority that issued a certificate. The Certificate Authority in turn has a certificate that binds it's identity to it's public key, so you can verify it's identity. A certificate authority publishes a policy defining it's practices so users of certificates issued by that Authority have a basis from which to make a trust judgement for transactions based on PKI. To enable separate instituitons to establish trust relationships between themselves, Certificate Authorities can have their certificates signed by other authorities which audit their practices. These chains of certificates do finally end with a certificate that is self signed which is known as a "root" certificate. Both Browsers and web servers both start off with a list of known root certificates that they "trust". You can add other root certificates to a browser or web server certificate store for additional certificate authorities that you are willing to trust. Web browsers alert you when you begin a transaction that involves a new certificate authority. To proceed with the transaction, you must accept the new certificate either temporarily or permanently. The alert dialog allows you to view the new certificate so you can make a decision.

Your Password

You will need to set a password for either your Browser certificate store or each private key you have saved. The password controls use of your private key(s) and should be kept secret. You should not share your password with any one. The password used to protect a certificate store is only known on your computer and can't be recovered by your local computer support staff. Encrypting a file and then finding yourself unable to decrypt it is a painful lesson. So it is very important to create a password that you will remember. Give your choice some thought in advance of starting to obtain your key pair and certificate.

A single-word is not recommended as a password since it is very vulnerable to a dictionary attack, which consists of having a computer try all the words in the dictionary until it finds your password. It is widely recommended that you create a password that includes a combination of upper and lowercase alphabetic letters, numbers and punctuation marks. However, unless the password you choose is something that is easily committed to long-term memory, you are unlikely to remember it when needed. Picking a password on the spur of the moment is likely to result in forgetting it entirely. Choose something that is already in your long-term memory.

Some password do's and don'ts: 

       don't 
              use your name, your address, or any similar personal information for your password. 
       don't 
              use any single word or pair of words. 
       don't 
              use a short password. 
       do 
              use a mixture of lower and uppercase, digits and punctuation: ``m1Xed_kZ'' 
       don't 
              use an easy to guess sequence like ``qwerty'' or ``345678'' 
       do 
              use mnemonics to help you remember your password: ``mpiNfy'' - my password is not for you. 
       do 
              change your password regularly 
       don't 
              use any of the passwords listed here

Resetting Your Password

If someone else has previously set a certificate store password for the account or profile you are using, or you have forgotten the certificate store password, you can reset the machine. This procedure will delete the user certificates stored on this machine. Do the following...

Netscape 4.x

Windows: 
       Close Netscape. 
       Go to Start->Find (Search on Win2000)->Files or Folder. 
       Search for files named key3.db and cert7.db. 
       Right-click on each of these files, and select delete. 
       Reopen Netscape and try again to get Certificates. 

Note: These files are generally located in the folder in C:\Program Files\Netscape\Users\username

Macintosh: 
    1.Close Netscape 
    2.Use Sherlock, or Search, to search for the following files: Certificates7 and
       Key Database3 
    3.Drag any copies of either of these files into the Trash. 
    4.Reopen Netscape and try again to get Certificates. 

Note: The files are generally be found in :System Folder:Preferences:Netscape Users:username:Security

Mozilla, Netscape 6.x, 7.x?

Select the edit menu, preferences item, open the Privacy & Security section in the left column. Select the "Master Password" subsection, click the "RESET" button.

Internet Explorer 5.5x and later

Passwords that protect keys on Windows/IE are set when the key is created or imported. Each key can have a separate password. Keys are stored in the registry. There is no explicit feature for changing the password. A password can be changed by exporting the key with the "Certificate Export Wizard" and then reimporting the key, changing the Wizards's options to set a new password. Access the wizard by selecting "Internet Options" on the "Tools" menu. Select the "Content" tab and click the "Certificates" button. Select the certificate and click the "Export" button. To reload the certificate, click the "Import" button.

Secure e-mail (S/MIME)

A number of modern e-mail clients use the MIME standard for encoding data. S/MIME is an extension of MIME that allows PKI signatures and encryption of the mail contents. To use S/MIME you need to have a public/private key pair and associated PK certificate. Using S/MIME features in an e-mail client requires the same use of the private key, public key certificate and certificate store password as described above for using SSL in a web browser.

Signed Documents

A number of applications are available to electronic sign documents using PKI. Using these applications involve the same considerations discussed above. In addition you will need to archive the public key certificates of the document's signers in order to be able to verify the signatures in the future.

Back to PKI Lab Home

Dartmouth College PKI Lab
Last update: 7 January 2004