Join Curt Frye for an in-depth discussion in this video, Introducing digital certificates, part of Securing Microsoft Office Files.
Many organizations use digital certificates to enhance security, and in this movie, I will explain what digital certificates are and how they work. As a bit of background, digital certificates rely on a specific form of encryption. Symmetrical encryption schemes use a single key, such as a password, to encrypt and decrypt a file. So if you have password-protected an Excel workbook and re-entered the password to get access to the file, then you have used symmetrical, or symmetric, encryption.
Public key, or asymmetrical, encryption splits a key into two pieces, the secret half and the public half. And then, through some advanced mathematics, those keys can be recombined and allow you to open the file. Or, by virtue of other users' public keys, you can send them files that they can only decrypt using their own secret key. A digital certificate is a computer file that associates an identity with a secret key. And by using a digital certificate to digitally sign a file, you can indicate that you're the author and also indicate that the file has not changed or has changed since the time you signed it.
Knowing the passphrase associated with a secret key is a strong indicator of identity. And that means that combining a digital certificate with a file creates a signature that can be tested against a known set of identities. So, how do you get a digital certificate? I mean, who makes these things? The broad name for organizations that issue digital certificates is Certificate Authorities. They are companies or other organizations that have implemented security practices that encourage users to believe and feel that the certificates are based on rigorous checks and accurately reflect the identities of the people or organizations that have those certificates.
There are various levels of certificates you can get. A level one might just be a basic identity check, such as looking you up in public information records and using a scanned copy of your driver's license to verify who you are. A level three certificate might be a company that submits information that's beyond what's required for a tax return. So the question is, why should we trust these Certificate Authorities? Well, the most reputable publish their security procedures.
That way, you can audit, at least on paper and from a distance, what they say they do and then rely on their reputation. You can also look at which certificates your customers and colleagues accept. Because if they accept them and you have a reasonable expectation that they have performed their due diligence, then that is a vote certainly in favor of that Certificate Authority. And finally, many companies issue their own certificates for internal use. And even if those certificates aren't accepted outside of the company, you can still use them to create a project within your own company.
So now, let's take a look at the process of signing using a certificate. This is a very broad overview. But basically, you start by signing a file using your certificate. So you have the file and you apply your secret key, and you apply your secret key by entering the passphrase associated with that key. And then the file goes into a system. Say you send it to your colleague, and then they can examine the signature on that file. The mechanism for that, and again, these are very, very broad strokes.
The way that happens, and again, this is a very general description, is that the software installed on their system goes to the Certificate Authority site and checks the list of valid certificates. If the certificate matches the signature on the file, then the file is good and can be opened safely. On the other hand, if the certificate is on a certificate revocation list, then you would get an error message or some sort of a warning indicating that the certificate was no longer valid.
And then you might not want to trust the signature or perhaps not even open the file at all. You might have run into similar security if you have security options enabled on your web browser. If you visit a site that has a digital certificate that has expired or perhaps is from an untrusted authority, then you might have seen a warning message like this. Digital certificates, when used properly, add security to the system. You should find out the best practices within your organization and take advantage of them.
- Protecting files with strong passwords
- Restricting edits in Word documents
- Locking Excel worksheet cells
- Setting macro security levels
- Defining trusted publishers, locations, and documents
- Removing sensitive information with the Document Inspector
- Securing files with digital certificates