Posted: Sun Mar 28, 2010 1:32 am Post subject: Smart cards and certs
Need some clarity on what's on a smart card vice a PKI cert.
From one source: "Smart cards... have embedded certificates used for authentication." "The certificate holds a user's private key."
When we study PKI, we see that the certificate is used to bind the user to his public key. In fact, one of the several items held on the PKI cert is the public key. The private key is kept elsewhere.
Seems like a conflict. Are we talking about two different certificates? - Mike
Posted: Mon Mar 29, 2010 5:01 pm Post subject: Certificates versus PKI
Hum....
Let's see if I can shed some light.
A certificate is based on the X.509 v3 standard. The certificate contains a series of fields that are mandatory, and there are extensions that can be added as needed as well. In short, it is a container for information that has been signed by a certification authority.
When you apply for a certificate to be issued to you, the certification authority will take the necessary steps to validate your identity and once it is convinced that you are WHO you PRETEND to be it will vouch for your identity by signing the certificate using the CA private key. The certificate will include a copy of the user PUBLIC key and a copy of the CA public key as well.
You make use of the CA PUBLIC key to validate the digital signature applied on the certificate. That would be one of the validation steps to ensure the certificate has not been modified since it was issued by the CA.
People who wish to communicate securely with you will do so using your PUBLIC key to encrypt the data that has to be sent over insecure networks such as the Internet. Only the corresponding PRIVATE key will be able to decrypt whatever has been encrypted with the PUBLIC key.
The PRIVATE key is never ever shared with anyone. It has to be kept totally secret and protected at all times. This is where the smart card could come into play.
SMART CARDS
You can think of a smart card as a VERY secure container.
The card has a processor on board and a fair amount of storage. The card could contain one or more digital certificates.
The smart card is a two-factor authentication mechanism. The card is the first factor (something you have) and the PIN (something you know) used to unlock the card is the second.
Smart cards offer protection for the content stored within the card. They are a good storage location for your PRIVATE key. The PUBLIC key does not need to be protected; it can be put on your website, in your email signature, in a phone book, or anywhere you wish.
The public key of a user is usually kept within his digital certificate. People can download and use your digital certificate to validate who you are and then extract a copy of your PUBLIC key from the certificate to communicate securely with you.
The certificate that you receive never ever contains the private key. However, your smart card would be a great place to secure your private key instead of leaving it on your workstation, where it could be stolen and your passphrase captured using a keystroke recorder.
TRUST
We do need the CA or else the level of trust would be very low.
Anyone can generate key pairs as they wish; however, only by asking the CA to validate the identity would you get some trust. The CA is the one vouching for the user's identity.
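The flow described in the reply above, worked through in code as an added example (this is not code from either poster; it uses only Go's standard library). A CA key pair signs its own root certificate; the user's key pair is generated and kept inside a simulated smart card; the CA is handed only the user's public key and signs the user certificate with the CA private key. The code then shows the checks the reply talks about: the CA signature on the user certificate verifies with the CA public key taken from the CA certificate, a certificate altered by even one byte fails that check, the raw certificate bytes contain the user's public modulus but never the private exponent, and a message encrypted with the public key pulled out of the certificate can only be decrypted by the private-key operation on the card after the PIN check. The names "Example Root CA" and "Mike", the PIN "1234", and the SmartCard type are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// DemoPIN is a constructed PIN for the simulated card: the "something you know" factor.
const DemoPIN = "1234"

// SmartCard stands in for the "very secure container": the card (something you have) holds
// the private key and performs the private-key operation itself, and only after a PIN check.
type SmartCard struct {
	pin string
	key *rsa.PrivateKey // never handed out
}

// Decrypt runs the private-key operation inside the card; the key material never leaves it.
func (c *SmartCard) Decrypt(pin string, ct []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(c.pin)) != 1 {
		return nil, errors.New("wrong PIN: card stays locked")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, c.key, ct, nil)
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mustCert wraps x509.CreateCertificate's (der, err) result and parses the DER back.
func mustCert(der []byte, err error) *x509.Certificate {
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// template builds a minimal X.509 v3 body; the names are constructed for this example.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}

// BuildDemoPKI: CA self-signs its root; the CA, handed only the user's PUBLIC key, signs the user cert.
func BuildDemoPKI() (caCert, userCert *x509.Certificate, card *SmartCard) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	userKey, err := rsa.GenerateKey(rand.Reader, 2048) // on a real card this happens on-card
	must(err)
	caTmpl := template(1, "Example Root CA", true)
	caCert = mustCert(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	userCert = mustCert(x509.CreateCertificate(rand.Reader, template(2, "Mike", false), caCert, &userKey.PublicKey, caKey))
	return caCert, userCert, &SmartCard{pin: DemoPIN, key: userKey}
}

// VerifyChain checks the CA signature on the user cert with the CA PUBLIC key from the CA cert.
func VerifyChain(userCert, caCert *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := userCert.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// TamperedCertVerifies flips one byte of the signed body and rechecks; a correct verifier returns false.
func TamperedCertVerifies(userCert, caCert *x509.Certificate) bool {
	tbs := append([]byte(nil), userCert.RawTBSCertificate...)
	tbs[len(tbs)-1] ^= 0xff
	return caCert.CheckSignature(userCert.SignatureAlgorithm, tbs, userCert.Signature) == nil
}

// KeyExposure scans the raw certificate for the public modulus (found) and private exponent (never).
func KeyExposure(cert *x509.Certificate, card *SmartCard) (hasPublic, hasPrivate bool) {
	return bytes.Contains(cert.Raw, card.key.N.Bytes()), bytes.Contains(cert.Raw, card.key.D.Bytes())
}

// EncryptForCertHolder extracts the PUBLIC key from the certificate and encrypts for its holder.
func EncryptForCertHolder(cert *x509.Certificate, msg []byte) ([]byte, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not carry an RSA public key")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}
```

Call `BuildDemoPKI()` once, then `VerifyChain`, `TamperedCertVerifies`, `KeyExposure` and an `EncryptForCertHolder` followed by `card.Decrypt(DemoPIN, ct)`; a wrong PIN is refused before any private-key operation runs. On a real card the key pair is generated on the card itself and only the public key ever leaves it as part of the certificate request; the simulation generates it in software purely so the example runs stand-alone.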