
1.2. Encryption
To encrypt a file means to scramble a stream of data so that its original contents cannot be read. Restoring the data to its original form is known as decryption. Both encryption and decryption require a key, a digital message, and an encryption algorithm.
There are several types of encryption, all requiring the use of secret information, usually referred to as a key.
In traditional encryption, called secret (symmetric)-key encryption, the sender uses the secret key to scramble (encrypt) the message and the receiver uses the same key to unscramble (decrypt) it. But this method has a problem: the sender and receiver must agree on the secret key without anyone else finding it out. Often, they must trust a courier or a phone system to communicate the secret code. Anyone who overhears or intercepts the key in transit can read, modify or forge encrypted messages.
Therefore, what is more commonly used today is a method called public (asymmetric)-key encryption. Introduced in 1976, this method gives each user a pair of keys: a public key and a private key. Each person's public key is made available in a public directory, while the private key is kept secret.

1.3. SSL
Short form for Secure Sockets Layer, a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that's transferred over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL. Many Web sites use this protocol to obtain confidential user information, such as credit card numbers. By convention, Web pages that require an SSL connection start with https:

1.4. Certification Authority
A trusted third-party organization that issues digital certificates that are used to create digital signatures and public-private key pairs. The role of the CA in this process is to validate that the individual granted the unique certificate is, in fact, who he or she claims to be. CAs are a critical component in data security and electronic commerce because they confirm the identities of parties exchanging information.

1.5. CRL (Certificate Revocation Lists)
Certificates have a specified lifetime, but CAs can reduce this lifetime by the process known as certificate revocation. The CA publishes a certificate revocation list (CRL) that lists certificates it considers no longer valid. The CA may also include in the CRL the reason why the certificate has been revoked. It also includes a date from which this change of status is understood to apply.
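
How the revocation date shortens a certificate's lifetime, as an added example that is not part of the original FAQ and not Comtrust software. It uses a simplified in-memory model rather than a real CRL file; the class names, serial numbers, dates and reason are constructed for illustration.

```python
# Added illustration: a simplified in-memory model of a certificate and a CRL.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

@dataclass(frozen=True)
class Certificate:
    serial: int
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class CrlEntry:
    serial: int
    revocation_date: datetime      # date from which the revoked status applies
    reason: Optional[str] = None   # the CA may or may not state a reason

def effective_lifetime(cert, crl):
    """Return (start, end, entry): revocation can only shorten the lifetime."""
    entry = next((e for e in crl if e.serial == cert.serial), None)
    end = cert.not_after if entry is None else min(cert.not_after, entry.revocation_date)
    return cert.not_before, end, entry

def status_at(cert, crl, when):
    """Status of the certificate at a given moment, e.g. when a message was signed."""
    start, _, entry = effective_lifetime(cert, crl)
    if when < start:
        return "not yet valid"
    if entry is not None and when >= entry.revocation_date:
        return f"revoked ({entry.reason or 'unspecified'})"
    if when > cert.not_after:
        return "expired"
    return "valid"

# Constructed sample data: serial numbers, dates and reason are made up.
USER_CERT = Certificate(0x1A2B, utc(2003, 1, 1), utc(2004, 1, 1))
OTHER_CERT = Certificate(0x3C4D, utc(2003, 1, 1), utc(2004, 1, 1))
CRL = [CrlEntry(0x1A2B, utc(2003, 6, 15), "keyCompromise")]

if __name__ == "__main__":
    for when in (utc(2003, 3, 1), utc(2003, 7, 1), utc(2004, 2, 1)):
        print(when.date(), status_at(USER_CERT, CRL, when), status_at(OTHER_CERT, CRL, when))
```

A signature made on 2003-03-01 falls before the revocation date and is still covered by a valid certificate, while one made on 2003-07-01 is not.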

1.6. PKI
The term public key infrastructure (PKI) is used to describe the policies, standards, and software that regulate or manipulate certificates and public and private keys. In practice, PKI refers to a system of digital certificates, certification authorities (CAs), and other registration authorities that verify and authenticate the validity of each party involved in an electronic transaction.

1.7. Public Key & Private Key
Two keys, a public key and a private key, which are mathematically related, are used in public-key encryption. To contrast it with symmetric-key encryption, public-key encryption is also sometimes called asymmetric-key encryption. In public-key encryption, the public key can be passed freely between the parties or published in a public repository, but the related private key remains private. Data encrypted with the public key can be decrypted only using the private key. Data encrypted with the private key can be decrypted only using the public key.
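
The two directions described above, worked through as an added example that is not part of the original FAQ and not Comtrust code. It uses textbook RSA with tiny constructed primes and no padding, so it shows only how the two keys relate; the function names, the user "Alice" and the sample message are assumptions.

```python
# Added illustration: textbook RSA with tiny constructed primes and no padding.
# It shows how the two keys relate; it is not secure and not a real key size.
from math import gcd

def make_keypair(p, q, e=17):
    """Return (public, private); each key is an (exponent, modulus) pair."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)*(q-1)")
    d = pow(e, -1, phi)  # private exponent = inverse of e modulo phi (Python 3.8+)
    return (e, n), (d, n)

def apply_key(key, values):
    """Apply one key to every byte value: v ** exponent mod modulus."""
    exponent, modulus = key
    return [pow(v, exponent, modulus) for v in values]

def verify(signer_public, message, signature):
    """A signature is valid if the public key turns it back into the message."""
    return apply_key(signer_public, signature) == list(message)

# Constructed sample data (hypothetical user and message).
ALICE_PUBLIC, ALICE_PRIVATE = make_keypair(61, 53)
MESSAGE = b"PAY 100 AED"

def demo():
    ciphertext = apply_key(ALICE_PUBLIC, MESSAGE)   # anyone can encrypt to Alice
    signature = apply_key(ALICE_PRIVATE, MESSAGE)   # only Alice can produce this
    return {
        # Public-key encryption is undone only by the matching private key.
        "private_key_decrypts": bytes(apply_key(ALICE_PRIVATE, ciphertext)) == MESSAGE,
        "public_key_cannot_decrypt": apply_key(ALICE_PUBLIC, ciphertext) != list(MESSAGE),
        # Private-key "encryption" (signing) is undone by the public key.
        "public_key_verifies": verify(ALICE_PUBLIC, MESSAGE, signature),
        "tampering_detected": not verify(ALICE_PUBLIC, b"PAY 900 AED", signature),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Real certificates use much larger keys, padding, and sign a hash of the message rather than each byte.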

2. Comtrust Certification
Comtrust is the only certification authority in the UAE.

2.1 How long does it take to process applications for Digital certificates?
- Demo certificates are processed immediately.
- User certificates are processed from immediately to within 5 days after receipt of documentation.
- Server certificates are processed within 5 business days after receipt of documentation.

2.2. Do I need to come in person to submit the documentation required?
For user certificates and server certificates, the applicant's physical presence may be required.

2.3. While enrolling for the Comtrust user/demo certificate, I am asked to apply a Microsoft Security patch on my machine. Why?
There is a vulnerability in the Microsoft Windows operating systems which could be exploited to delete the digital certificates from the vulnerable system. Microsoft has released a security patch for this: http://support.microsoft.com/default.aspx?scid=kb;en-us;q323172.
Therefore, we request our customers to apply this security patch on their systems before they enroll for digital certificates so that their machines are protected from any malicious attack. If your system already has a newer service pack installed that has removed this vulnerability, you will not be asked to apply this security patch.

2.4. During enrollment, I was asked to choose a cryptographic method, which one to choose?
If you do not have a specific requirement, just leave it at the default selection. The cryptographic provider is simply the set of libraries that are used to generate the key pairs (e.g., you can use the smart card libraries to create your keys on a smart card).

2.5. I completed the enrollment but I did not receive a response?
Depending on the type of certificate you have applied for, the processing time will differ. Please check the duration of processing in the CPS.
In general you should get an email describing the steps that should follow your enrollment. If a reference number is communicated to you, please note it down. You will be able to check the status of your certificate using this reference number.

3. Managing the Certificates
3.1 Installing Certificate
3.1.1. I am facing a problem accessing SSL pages, the browser is just unable to show those pages
Many IE 5.0X users have reported errors when browsing secure SSL pages. We know this problem is not specific to Comtrust Digital Certificates, but lies with IE accessing the pages. Microsoft has released Service Packs and fixes for IE5.x to correct some of those problems.
One of the hot fixes is Q247367.exe, which resolves the incorrect internal key in the Schannel.dll file. You can download this hot fix from:
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/ie/downloads/schannel.asp

3.1.2. How do I know my Digital Certificate is installed and working?
Netscape Navigator users: Follow these steps to make sure your Digital Certificate is properly installed:
- Launch Netscape Navigator 3.0 (or later).
- Click the security button on the NS toolbar.
- Click the “Yours” link.
- Verify that your new Digital Certificate is listed in the personal certificates display.
- To view your Digital Certificate, select it and then click the More Info button.
Microsoft Internet Explorer users: Follow these steps to make sure your Digital ID is properly installed:
- Select Options from the View menu.
- Select the content tab.
- In the Certificates section, click the Personal button.
- Your new Digital ID should appear in the list that appears.
- View your Digital ID by selecting it and then clicking the View Certificate button.

3.1.3. I deleted Microsoft Internet Explorer and installed the latest version, how do I reinstall my Digital Certificate?
If you delete your Web browser you also delete the Digital Certificate. You will need to apply for a new one. If the Microsoft Internet Explorer copies were removed by deleting the application and its directory, the file containing the private key associated with the digital certificates was deleted. Without the private key the Certificate cannot be installed.
In general you should export your certificate (back it up) before upgrading or uninstalling your browser/email client.

3.1.4 I deleted Netscape Navigator and installed the latest version, how do I reinstall my Digital Certificate?
If you delete your Web browser you also delete the Digital Certificate. You will need to apply for a new one. If the Netscape Navigator copies were removed by deleting the application and its directory, the file that contained the private key associated with the Digital Certificate got deleted. Without the private key the Certificate cannot be installed.
In general you should export your certificate (back it up) before upgrading or uninstalling your browser/email client.

3.1.5. Why should I save a back up copy of my Digital Certificate?
It is important to save a back up copy of your Digital Certificate on a floppy disk so that, if your hard drive crashes, you will be able to re-install it.

3.1.6. How do I save a back up copy of my digital certificate?
a. Internet Explorer
- From Internet options menu choose contents
- Choose certificates
- Select certificate to be exported
- Click Next
- Click “Yes, export with private Key”
- Click “Include all certificates in path, if possible”
- Enter & confirm password
- Select drive and file to be exported & Click Next
- Click Finish & then OK
- Remove Certificate from browser
b. Netscape
- Click security from toolbar
- Under certificates click “yours”
- Select certificate to be exported & Click Export
- Enter password for Data Export and click OK
- Confirm password
- Select drive and save certificate
- Delete Certificate from browser

3.1.7. How do I transfer a digital certificate on to my new computer from floppy diskette?
a. Internet Explorer
- From Internet options choose contents
- Click Certificates
- Click Import
- Click Next
- Browse and choose certificate to be imported & Click Next
- Enter password that was given at the time of exporting, click box next to "Mark the key as exportable" and click Next.
- Click Finish
- Click OK
b. Netscape
- Click Security from toolbar
- Click “Yours” under Certificates
- Click Import a Certificate
- Select certificate from floppy
- Enter password that was used to export certificate.
- Click OK and your certificate will be displayed.

3.1.8. Which browsers support Digital Certificates?


3.2. Losing Certificates
3.2.1. I lost my PC. Can I still use my Digital Certificate?
Only if you have backed up the certificate on a diskette. However, to avoid any misuse of your digital certificate, you should ask Comtrust to revoke your Certificate.

3.2.2. I unplugged my PC. Does my certificate still exist?
Yes, it does.

3.2.3. I accidentally deleted my Digital Certificate from my hard drive?
If you have not backed it up on a floppy, then it is lost.

3.2.4. My hard drive crashed, is there any way to recover my Digital Certificate?
If you have not backed it up previously, it will be lost. You will need to apply for a new one.

3.2.5. How do I delete my Digital Certificate?
To remove your Digital ID and key files from your machine, please follow these steps:
a. Netscape Navigator users
- Select Security Preferences from the Options menu.
- Select the Personal Certificates tab.
- Select the Digital Certificate you want to remove, then click the Delete Certificate button.
b. Microsoft Internet Explorer users
- Select Options from the View menu.
- Select the content tab.
- In the Certificates section, click the Personal button.
- Select the Digital Certificate you want to remove, and then click the Delete button.

3.3. Renewal:
3.3.1. Can I renew my Comtrust digital certificate?
Yes. You can renew your Comtrust server, user and business user certificates.
Please click here to renew your Server Certificate.
Please click here to renew your User / Business User certificate.

3.3.2. How will I know when my certificate expires?
You will be notified by e-mail from Comtrust prior to your certificate expiry to apply for a new one. Also you can view the expiry date from your Internet Explorer or Netscape browser.

3.4 Revocation:
3.4.1. How do I revoke my digital certificate?
Please call the Comtrust help desk at 800-6-900 or send a digitally signed e-mail to ra@comtrust.ae.

3.4.2. When can I revoke my digital certificate?
As long as your certificate is valid (not expired or revoked), you can revoke it. You should revoke your certificate immediately if the private key is compromised.

3.4.3. Can someone else revoke my digital certificate without my knowledge?
No.

3.5. Changing the content of the digital certificate:
3.5.1. I have a new e-mail address and I want to use my existing digital certificate with this e-mail, is it possible?
The e-mail address, which you included in your certificate, is bound to the particular private key issued to you. So, if you want to change the email that is shown on your certificate, you will need to apply for a new certificate.

3.5.2. I moved, can I change my details on the certificate?
No, you cannot. You will need to apply for a new one.


4. Using Digital Certificate
4.1. How can I use my digital certificate to sign e-mail messages?
a. Internet Explorer
- From the Tools menu of Outlook Express, go to Options
- Click on Security
- Click on the box related to “Add signatures to all out-going messages”
b. Netscape Communicator

4.2. How can I use my Digital Certificate to encrypt messages?
Before encrypting a message, you will need to have the recipient’s Digital Certificate. The easiest way to obtain the recipient’s Digital Certificate is to have him/her send a digitally signed message.
a) Netscape Communicator
When you receive a digitally signed message, the sender’s Digital Certificate is automatically stored in your address book. You can encrypt messages in the following manner:
- Click on Security button on toolbar
- Click on Messenger from Menu on left part of screen
- Click on option “Encrypt mail messages when it is possible”
b) Internet Explorer
When you receive a digitally signed message, the sender’s Digital Certificate is automatically stored in your address book. You can encrypt messages in the following manner:
Alternately, you can encrypt messages by clicking Encrypt every time you send a message.

4.3. How can I find someone else’s digital certificate?
You can get another person's digital certificate in one of the following ways:
- Have that person send a digitally signed message to you, or alternately
- You can get it from the Comtrust directory.

4.4 How can I read encrypted e-mails I receive?
If the message was properly encrypted and your Certificate is installed properly, you will not need to do anything to decrypt, because the Digital Certificate will recognize it automatically and decrypt it.

4.5 Can I send secure e-mail to someone who does not have a digital certificate?
No. Only secure e-mail addresses can encrypt, decrypt and communicate encrypted messages. However, you will only be able to send signed messages (not encrypted) to people without certificates.

4.6. Can I use my digital ID with more than one e-mail address?
No.