Protect Your Digital Certificate; Protect Your Private Key

Digital Certificates make use of a technology called public key cryptography. During the initial enrolment process for obtaining a Digital Certificate, your computer creates two keys: one public, which is published within your certificate and posted within TrustWise's repository, and one private, which is stored on your computer. TrustWise does not have access to your private key. It is generated locally on your computer and is never transmitted to TrustWise. The integrity of your certificate (your "digital identification") depends on your private key being controlled exclusively by you. IT IS YOUR RESPONSIBILITY TO PROTECT YOUR PRIVATE KEY. ANYONE WHO OBTAINS YOUR PRIVATE KEY CAN FORGE YOUR DIGITAL SIGNATURE AND TAKE ACTIONS IN YOUR NAME!



How is my private key protected?

Your private key is protected in two ways:

1) It is stored on your computer's hard drive so you can control access to it.

2) When you generate your private key, the software you use (such as your browser) will probably ask you for a password. This password protects access to your private key. For Microsoft Explorer users, your private key is protected by your Windows password.

A third party can access your private key only by (i) having access to the file your key is stored in (which is usually part of your system's configuration information) and (ii) knowing your private key password. Some software lets you choose not to protect your private key with a password. If you use this option, then you are trusting that no one, presently or in the future, will have unauthorised access to your computer.

In general, it is far easier to use a password than to completely safeguard your computer physically. Not using a password is like pre-signing all of the cheques in your chequebook and then leaving it open on your desk.


How should I protect my private key?

Protect your computer from unauthorised access by keeping it physically secure. Use access control products or operating system protection features (such as a system password). Take measures to protect your computer from viruses, because a virus may be able to attack a private key. Always choose to protect your private key with a good password. See http://csrc.nist.gov/publications/nistbul/csl96-08.txt concerning private key security and http://csrc.nist.gov/publications/nistbul/csl90-08.txt concerning computer virus attacks.


What is a "good" password?

A good password is one that is long enough and unusual enough that an exhaustive search (such as by using a dictionary) is not likely to reveal it. A good password is easy for you to remember but difficult for someone else to guess. Use a password of at least eight characters. Do NOT use something obvious or easily traceable to you, such as your telephone number, birth date, or the name of a member of your family. Do NOT use an ordinary English word, a familiar jargon term, or a password that you have previously used. If you write down your password, do not store it in an easily accessible place. See http://csrc.nist.gov/publications/fips112/fip112-1.wp and http://csrc.nist.gov/publications/fips112/fip112-2.wp concerning password usage.


I use Netscape 3.X. Where do I enter the password that protects my private key?

Netscape refers to your private key password as your "Netscape Password." Netscape will prompt you when the browser requires you to enter it. Note: You should *never* enter your Netscape Password in a form retrieved over the Internet. Only enter it in locally generated Netscape dialogue boxes.

I use Microsoft Explorer 3.X. Why didn't it ask me for a password when I generated my key?

Microsoft Explorer protects your private key with the Windows logon password, not with a separate password.


I saw a form on a Web page that asked for my Netscape (private key) password. Why do they need it?

They DON'T. Never provide your private key password to anyone. No legitimate business ever needs to know this information.


Where does my computer store my private key?

Your private key is typically stored in encrypted format in a Preferences or Configuration file that can only be unlocked (decrypted) using your private key password. For example, for Netscape version 3.0 for Macintosh, it is stored in the Security sub-folder of the Netscape folder (in the Mac Preferences folder) in a file named "Key Database." Different programs may store your private key in different places.


I need to use my Digital Certificate at home and at work. Can I safely move my private key and Digital Certificate files from one computer to another?

It is possible to move your key and Digital Certificate files from one computer to another, as long as both computers are running the exact same software. You may need to talk to your software vendor to see if this is possible with the applicable software. It is very important that you use a secure password to protect your private key if you intend to move the key from machine to machine.


Can I change my private key password without getting a new certificate?

Yes. Your private key password encrypts your certificate's private key. You can change this password (thereby re-encrypting your private key) using the program you used to create it. For example, with Netscape you can change your password from the "Passwords" dialogue accessed from the Security Preferences menu. You should immediately change your password if you think someone else may have learned it.
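
The re-encryption described above can be reproduced with the OpenSSL command line instead of a browser dialogue: the private key is decrypted with the old password and written back out under the new one, while the public key (the part your certificate contains) stays the same. This is an added example, not part of the original FAQ; the file names, variable names and passphrases are constructed, and RSA-2048 with AES-256-CBC is an assumed choice.

```sh
#!/bin/sh
# Added example. Passphrases, variable names and file names are constructed.
# Passphrases are passed via env: so they are not on the command line.
umask 077   # key files readable by the owner only

# Create an RSA key encrypted under the passphrase held in variable $2.
new_key() {            # $1 = output file, $2 = name of passphrase variable
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass "env:$2" -out "$1" 2>/dev/null
}

# Succeed only if the passphrase in variable $2 decrypts key file $1.
unlocks() {
    openssl pkey -in "$1" -passin "env:$2" -noout 2>/dev/null
}

# Re-encrypt the same private key under a new passphrase.
change_passphrase() {  # $1 = in, $2 = old variable, $3 = new variable, $4 = out
    openssl pkey -in "$1" -passin "env:$2" \
        -aes-256-cbc -passout "env:$3" -out "$4"
}

# SHA-256 of the public key, the part that a certificate binds to a name.
pub_fingerprint() {    # $1 = key file, $2 = name of passphrase variable
    unlocks "$1" "$2" || return 1
    openssl pkey -in "$1" -passin "env:$2" -pubout -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

demo() {
    dir=$(mktemp -d) || return 1
    OLD_PW='constructed old passphrase'; NEW_PW='constructed new passphrase'
    export OLD_PW NEW_PW
    new_key "$dir/old.pem" OLD_PW || return 1
    change_passphrase "$dir/old.pem" OLD_PW NEW_PW "$dir/new.pem" || return 1
    echo "public key before: $(pub_fingerprint "$dir/old.pem" OLD_PW)"
    echo "public key after:  $(pub_fingerprint "$dir/new.pem" NEW_PW)"
    unlocks "$dir/new.pem" OLD_PW || echo "old passphrase no longer opens new file"
    unlocks "$dir/old.pem" OLD_PW && echo "old file still opens with old passphrase"
    rm -rf "$dir"
}
demo
```

Any copy of the key file made before the change still opens with the old password, so backups of the old file need to be replaced or destroyed as well.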


I forgot my private key password. Can someone change it for me?

No. If you have forgotten your private key password, no one can help you. You will have to generate a new set of keys and obtain a new certificate. Any secure E-mail message (S/MIME) encrypted using your public key will be effectively lost. In some cases you might also have to reinstall your E-mail software and Web browser.


No one can help me if I forgot my password. That doesn't sound very friendly. Why?

There is a trade-off between security and convenience. If there were some way for another person to recover your private key password for you, then he or she could steal it and use it for purposes you might not approve of. Certificates (Digital IDs) are still new, and not all of the features one might like to see are available yet. In the future it will be possible to save an unencrypted copy of your private key (so no password is required) on a floppy disk which you could then put in a safe place, such as a safe deposit box. Both Microsoft and Netscape are working on such a system. You could then use that floppy to recover your certificate's private key if you lose the password that normally encrypts it.


Someone stole my computer. Do they have my certificate's private key now?

If you used a good password to protect your private key, then it is unlikely that the thief will be able to use your private key. However, you should still contact the CA that issued your certificate and request that it revoke your certificate and issue you a new one (with a new public and private key).

Please note that FREE Personal Digital Certificates cannot be revoked.


Someone stole my computer, and I had elected to NOT password-protect my private key. What do I do now?

Immediately notify your CA that your key has been compromised. It will arrange to revoke your certificate and get you a new one. Note: Although relying parties should always check the revocation status of a Digital Certificate, some relying parties might not have done so. It is a good idea to inform anyone who may be affected that your private key has been compromised.

Please note that FREE Personal Digital Certificates cannot be revoked.


I rely on my Digital Certificate for very confidential communications. Is there any way I can further protect my private key?

There are two types of hardware devices available that are more secure than your hard drive for storing your private key. These are known as tokens (typically PCMCIA cards or special floppy disks) and smartcards. Contact your software vendor to see if it supports these devices.

Copyright © British Telecommunications plc 2000