Security of Internet Communications II: Authentication
To make an analogy with the real world, we can consider the case of card payment in a shop or restaurant. What we saw in the previous article would be the need to hide the data from the card and the code we type from the looks of others and how to do it; on this occasion, we will refer to the need and the way to make the server, shop, etc. Be reliable.
And on the Internet there's also the same problem: when we're shopping in an online store, how do we know that store is what it says and that it's not a thief who has mounted a website with the same look as the real store to get our data? This is the scam of phishing: a website is made very similar to a bank or shop, with a very similar URL, to which users are attracted, usually through an email, where the data of the passwords or cards that we introduce are held by the scammer. There are antivirus that have phishing detectors but they are not 100% safe. It is best to review the URL well looking for suspicious tracks. But it is not always easy to detect fraud. Is there any mechanism of the Internet that guarantees that is what a web says, that is, authentication of the web?
Authentication of websites using HTTPS
This is guaranteed by the HTTPS protocol mentioned in the previous article. As we saw, the HTTPS protocol uses the cryptography with public key, that is, the message is encrypted with the public key of the recipient, but the message cannot be deciphered with that public key that anyone knows, but with the private key that only the recipient knows, ensuring that only the recipient can read our message. This ensures that our data will be encrypted and cannot be captured by third parties. But authentication is guaranteed thanks to another feature of the HTTPS protocol: digital certificates of public key.
Digital certificates are digital documents that guarantee the link between a digital entity and its public key, issued by reliable third parties (certificate issuers). Thus, online stores must previously obtain a certificate of start-up of an HTTPS server with one or more issuers. And when a browser has to start an HTTPS connection, the first thing it does is to connect with issuing certificates and request the digital certificate of that website to ensure that the public key is that of the company that really says it and that the public key is correct.
If everything is correct with the digital certificate, we can see the certificate data by clicking on the lock icon that appears in the address bar. If not, the browser shows us a warning that you will surely have seen on more than one occasion, a police officer with an icon that appears requesting documentation. Whenever this appears, it does not mean that we are in front of a fraudulent website: our browser may not be aware of this issuer of certificates (for example, because it is obsolete), or that the web is exclusive to a small group (for example, the extranet of a company) and that it has not requested certificates; if we are sure that the web is safe, the browser allows us to advance.
Therefore, if we have to enter some private data (password, confidential document, credit card data, etc.) in some web, if we see the padlock corresponding to the HTTPS protocol and the browser does not make any observation, we can do it with tranquility, since we are sure that the recipient is the one who says and no one can be captured.
Authentication of the sender of the mail message
Another way to make fraud is email. On behalf of someone we know you can get an email requesting information or giving instructions, and if you say you can steal data, as it is easy to send an email on behalf of another. Is it possible to authenticate the sender? Yes, through digital signature.
The digital signature is, basically, a special use of cryptography with public key. The sender encrypts a copy of the message with private key and the recipient, for its decryption, will use the public key of the sender obtained from a certificate issuer; if the decryption is equal to the original message, it means that the message is necessarily sent by the alleged sender, since it only has its private key.
Email programs (Outlook, Thunderbird...) have the possibility to digitally sign messages, some of their own and others with the installation of the PGP (Pretty Good Privacy) or GPG (GNU Privacy Guard) program of their free version. About this type of programs we also comment in the previous article saying that they use cryptography with public key to encrypt the message and that only the recipients can decrypt. But it is not the only thing that these types of programs do: they also implement the digital signature to authenticate the sender. However, with the web mail (Gmail, Hotmail, Yahoo...) it is not possible to sign digitally. This would require our private key to pass into the provider's hands, and that can't be done because for public key cryptography to be reliable you just have to save the private key yourself. The only option is to use a browser plugin, which will perform encryption on your computer.
In short, by browsing the websites that use the HTTPS protocol and through the digital signature by PGP, GPG or other way, we can be sure that not only nobody will capture the data, but also that it is our partner.
Zu idazle
Zientzia aldizkaria
