Why digital certificates were such a brilliant idea (and still are)

Claudius van der Meulen|11 April 2019
We’ve been using codes and ciphers for thousands of years to protect secrets. A clay tablet from Mesopotamia (dated 1500 BC), for example, encrypted a craftsman’s recipe for pottery glaze. We can assume this was commercially valuable to him, and so perhaps only his trusty apprentice knew how to translate the code.

However, it’s all very well encrypting information so that it can’t be understood if it’s intercepted, but what if the sender and receiver can’t verify each other’s identity? How do you know that you’re really talking to your bank, and how does your bank know that it’s really you it’s dealing with? This is the gap that a typical man-in-the-middle attack exploits: the attacker impersonates the sender or the receiver in order to intercept or alter the information being sent.

So, for secure and trusted communication, the parties involved need to be able to validate each other before sharing anything confidential. This is where digital certificates come in. Acting as a kind of “digital fingerprint”, a digital certificate is issued by a Certificate Authority (CA), which is responsible for verifying the identity of the certificate holder.

OK, so problem solved, right? Unfortunately not. With the addition of a third player, the CA, both the holder of a certificate and the user of the certificate have to trust the CA. Even if the CA has verified the identity of the other party, what does that actually tell me? How did the CA ensure that the other party is who they say they are? Did they validate that party at all? How? When?

This is an “open-loop CA”, and while it can address the initial challenge of identifying the parties in a communication, it does come at a cost. Validating the identity of the party using the certificate requires effort and introduces a financial risk, which in turn requires some form of insurance. This cost is then reflected in the price of the certificate, which can easily result in an unworkable business model or in (security) corners being cut.

Entersekt recognized the value of using certificates to provide the digital security that today’s financial institutions require, but also understood that a few “tweaks” were needed to make certificate technology really work. What we did was this:

  1. We implemented a closed-loop private PKI (public key infrastructure) solution, the advantage of which is that issuing and validating certificates can be done in a controlled manner.
  2. We implemented our patented emCert extension, which allows us to decouple issuing certificates (so that the connection between the parties is secured even before the user has been identified) from formally identifying the user of the app on the mobile device.

With these changes, Entersekt can support millions of users while providing a state-of-the-art mobile communication channel at low cost and with minimal friction. So, used the right way, certificates give financial institutions the opportunity to build their digital services on a solid foundation, opening up countless new possibilities for their customers.

About the author

Claudius van der Meulen

SVP Europe

Claudius manages Entersekt’s European business from our offices in the Netherlands. He’s a seasoned salesperson with two decades’ experience working in information technology at companies like Sun Microsystems and ACI Worldwide, and has been fundamental to our success in the region.
