Symmetric encryption is great but it requires that the two parties engaging in secure communications should agree on a cipher key in advance before they can start exchanging messages securely.

Public-key cryptography has changed that. Brilliant scientific minds have invented ciphers that involve two keys instead of one: private and public. The two are mathematically related but, for all practical purposes, cannot be deduced one from the other. A message encrypted with the public key can only be decrypted with the corresponding private key, and vice versa. By far the most popular public-key cipher is RSA.

Now, if Alice wants to send a secure message to Bob, all she needs to do is take Bob's public key and encrypt the message with it. No one except Bob can decrypt such a message since only Bob has the corresponding private key. No prior arrangement between Alice and Bob is necessary.

The process can work in reverse as well: if Bob encrypts a document with his private key and sends it to Alice, she can decrypt the document with Bob's public key thus verifying that it did indeed come from Bob and not anyone else, and was not modified during transmission. Thus encryption with one's private key creates a digital signature.

In real life, a message is never encrypted directly with a public or private key for performance reasons -- public-key ciphers are very slow. The message is encrypted with a random symmetric key and it is that key that is encrypted with the public key and sent along with the encrypted message. Likewise, a digital signature is computed from the document's hash value, not from the entire document.

But how can Alice know that the public key she has obtained really belongs to Bob and not someone else? The short answer is: she can't. This is where certificates come in handy.

4.1.2 What's a Certificate?

A certificate is a data package that contains the entity's details (such as its name, email address, organization, etc.) bundled with this entity's public key and is issued (and digitally signed) by an independent trusted third party called a Certification Authority (CA) only after that authority has verified its identity. An entity can be a private individual or organization. A certificate is essentially a vehicle for transporting public keys in a uniform and verifiable fashion.

We deal with digital certificates on a regular basis without even noticing it. Every time we purchase something online with a credit card, the information we submit is protected by Secure Socket Layer (SSL), a protocol based on public-key cryptography. The public key used by your browser to communicate securely with the web server is provided by the server via an SSL certificate. Its details can be viewed by clicking on the little lock icon displayed by the browser every time it operates under SSL.

4.1.3 Get Your Own Certificate!

AspEncrypt represents a certificate store via the CryptoStore object. An instance of this object is created via CryptoManager's OpenStore method, as follows:

VBScript
Set Store = CM.OpenStore( "MY", True )

C#
ICryptoStore objStore = objCM.OpenStore( "MY", true );

The first argument to OpenStore is the name of the store. The valid values are "MY" for the personal store, "AddressBook" for the other people store, "CA" for the intermediary CA store, and "ROOT" for the Root CA store. The 2nd argument specifies whether the store to be opened belongs to the current user (if set to False) or the local machine (if set to True.)

In an ASP/ASP.NET environment, if anonymous access is enabled, an attempt to open a store will probably result in an Access is denied error. To avoid this error, impersonation of an admin account should be used with the method LogonUser, as follows:

VBScript
CM.LogonUser "domain", "account", "password" Set Store = CM.OpenStore( "MY", True )

C#
objCM.LogonUser( "domain", "account", "password", Missing.Value ); ICryptoStore objStore = objCM.OpenStore( "MY", true );

To obtain a list of all certificates residing in a store, the Certificates property of the CryptoStore object should be used. This property returns an instance of CryptoCerts, a collection of CryptoCert objects each representing a certificate in this store. CryptoCert's various properties return the certificate's attributes such as its subject, issuer, issue and expiration dates and other information. The following code snippet displays the subject and issuer information of all certificates residing in the MY store of the current user (the one being impersonated by the LogonUser method:)

VBScript
Set CM = Server.CreateObject("Persits.CryptoManager") CM.LogonUser "domain", "account", "xxxxxx" Set Store = CM.OpenStore( "MY", false ) For Each Cert in Store.Certificates Response.Write Cert.Subject & "---" & Cert.Issuer & "<BR>" Next

C#
ICryptoManager objCM = new CryptoManager(); objCM.LogonUser( "domain", "account", "xxxxxx", Missing.Value ); ICryptoStore objStore = objCM.OpenStore( "MY", false ); foreach( ICryptoCert objCert in objStore.Certificates ) { txtResult.Text += objCert.Subject[Missing.Value] + "---" + objCert.Issuer[Missing.Value]; }

The CryptoCert properties Subject and Issuer deserve special attention. These properties return CryptoName objects containing detailed information about the entity to whom the certificate is issued, and the issuing authority, respectively. The CryptoName object has a default Item property which accepts an optional string index argument. For our personal certificate shown above, the expression Cert.Issuer (VB Script) or Cert.Issuer[Missing.Value] (C#) returns the following CR/LF-separated string:

E=info@persits.com
C=US
S=NY
L=New York
CN=Persits Software Demo CA New York

The expression Cert.Subject returns the string

E=peter@persits.com
CN=Peter

You can see that a certificate's Subject and Issuer properties consist of several tagged components separated by a CR/LF sequence. The most common ones are CN (common name), E (email), O (organization), OU (organizational unit), L (locale), S (state), and C (country).

The CryptoName object allows you to obtain the individual components of a name by specifying the appropriate tag as Item's argument. For example, the expression Cert.Issuer("CN") (VB Script) or Cert.Issuer["CN"] (C#) returns the string

Persits Software Demo CA New York

The CryptoName object also provides the property Name, which looks for the components CN, OU, O, and E in this order and returns the first non-empty value found.

The CryptoStore.Certificates collection allows you to obtain a particular certificate by 1-based index, and also by serial number. A certificate's serial number, as well as all other properties can be viewed on the Details tab of the Certificate dialog in IE:

The serial number can be copied from this dialog box and pasted directly into your script as the index argument to Store.Certificates(...), as follows:

VBScript
Set Cert = Store.Certificates("d5 b9 c8 38 8f fb 41 b0 43 d6 47 2b b9 58 44 5e")

C#
ICryptoCert objCert = objStore.Certificates["d5 b9 c8 38 8f fb 41 b0 43 d6 47 2b b9 58 44 5e"];

The spaces in the index value are ignored, so the expression

Set Cert = Store.Certificates("d5b9c8388ffb41b043d6472bb958445e")

is also valid.

In addition to the Subject and Issuer properties covered above, the CryptoCert object also offers properties corresponding to the certificate property dialog shown above, and several others unrelated to that dialog. These properties are:

BasicConstraints
IssuerCert
KeyUsage
NotAfter
NotBefore
SerialNumber
Sha1Hash
SignatureAlgID
SignatureAlgorithm
StoreName
PrivateKeyContext
PrivateKeyExists
PublicKey
PublicKeyLength
Version