Trustis
www.simplysign.co.uk
Chamber SimplySign - Online Help

Private Key Protection

Digital Certificates are based on Public Key Cryptography, a scheme that uses public and private key pairs.  As part of your application for a Digital Certificate, two related keys are created:

  • one public, which is stored within your certificate and published in the Repository,
  • and one private, which is stored on your computer (or on your personal hardware token or smartcard if you have been issued with one).

No-one but you should have access to your private key.  The integrity of your digital identity depends on your private key being controlled exclusively by you.

IT IS EXTREMELY IMPORTANT THAT YOU PROTECT YOUR PRIVATE KEY.  ANYONE WHO OBTAINS YOUR PRIVATE KEY CAN FORGE YOUR DIGITAL SIGNATURE AND TAKE ACTIONS IN YOUR NAME!

Contents

Where is my private key and how is it protected?
What can I do to help protect my private key?
Can I back up my private key?
I've been asked for my private key password - what should I do?
I've forgotten my private key password - what can I do?
Why can't someone recover my password?
Someone has stolen my computer - can they sign as me?

Where is my private key and how is it protected?

By default, Microsoft products store private keys in an encrypted form in the Registry.  Netscape uses a similar mechanism of encrypting and hiding the key, but does not use the Registry for this purpose.  When you generate your private key, the software you use (such as your browser) will probably ask you for a password.  This password protects access to your private key.  In these cases, someone else can access your private key only by getting at the file in which the key is stored (usually part of your system's configuration information) and knowing your private key password.  Some software lets you choose to have the system remember your password for you, or to leave your private key without password protection.  You are advised not to use these options, since you would be trusting that no one, now or in the future, will ever gain unauthorised access to your computer.

You may have been issued with a hardware token (perhaps a smartcard or another plug-in hardware device).  These are replacements for the default software-based key stores used by commonly available browsers and email products.  They give your private key greater protection by making every access to it depend on "something that you own" (the hardware token) coupled with "something that you know" (a password, passphrase or PIN).

What can I do to help protect my private key?

Protect your computer from unauthorised access:

  • by doing whatever you can to keep it physically secure,
  • by using access control products,
  • by taking advantage of operating system protection features (such as passwords for login accounts, screensavers, key store access, system access and configuration, BIOS setup and BIOS boot-up).

Where passwords are used, always choose good passwords that cannot easily be guessed and that cannot be broken by common attacks such as dictionary attacks.  DON'T WRITE DOWN YOUR PASSWORD!  As a suggestion, one technique that produces good passwords which can still be remembered is as follows:

  • Think of a memorable phrase.  This can be something very personal, such as "i will remember my first real kiss forever".  Try to make the phrase at least eight words long.
  • Take the first letter from each word in the phrase, or use a number instead where there is a clear connection (1 for "first", 2 for "to", "two" or "too", 4 for "fore", "four" or "for", etc.).
  • Using this scheme with the example phrase, your password would be:  iwrm1rkf
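The password scheme above, mechanised as an added example in Go (this is not code from SimplySign's page): it takes the first letter of each word, substitutes a digit for the words the page lists as having a clear numeric connection, and rejects phrases shorter than the eight words the page suggests. The function name and the error messages are assumptions made for the example; the substitution table holds only the page's own examples.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// digitWords holds the page's examples of words with a clear connection to a
// digit: "first" → 1, "to"/"two"/"too" → 2, "fore"/"four"/"for" → 4.
var digitWords = map[string]string{
	"first": "1",
	"to": "2", "two": "2", "too": "2",
	"fore": "4", "four": "4", "for": "4",
}

// minWords follows the page's advice of a phrase at least eight words long.
const minWords = 8

// PasswordFromPhrase applies the scheme: the first letter of each word, with a
// digit substituted where the word clearly stands for a number.
func PasswordFromPhrase(phrase string) (string, error) {
	words := strings.Fields(strings.ToLower(phrase))
	if len(words) < minWords {
		return "", fmt.Errorf("phrase has %d words, use at least %d", len(words), minWords)
	}
	var b strings.Builder
	for _, w := range words {
		// Strip punctuation so "kiss," and "kiss" give the same letter.
		w = strings.TrimFunc(w, func(r rune) bool {
			return !unicode.IsLetter(r) && !unicode.IsDigit(r)
		})
		if w == "" {
			continue
		}
		if d, ok := digitWords[w]; ok {
			b.WriteString(d)
			continue
		}
		b.WriteRune([]rune(w)[0])
	}
	if b.Len() < minWords {
		return "", errors.New("too few usable words in phrase")
	}
	return b.String(), nil
}

func main() {
	pw, err := PasswordFromPhrase("i will remember my first real kiss forever")
	fmt.Println(pw, err) // iwrm1rkf <nil>
}
```

The result here is only eight characters because the example phrase has eight words; a longer phrase gives a correspondingly longer password.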

Take measures to protect your computer from viruses and other malicious software.  Such software may be used to eavesdrop on passwords; to look for, copy and send confidential information (including key stores) to others; to modify important software and data or make them unavailable; and to attempt other forms of attack on private keys.

Can I back up my private key?

You should never back up your private key without protecting it with a password.  If anyone were to get hold of the backup, they could masquerade as you by signing all manner of transactions, communications and documents.  If you should ever lose or damage your private key (e.g. by having your laptop stolen, suffering a hard disk crash, or losing any hardware token you have been issued with), then you should request immediately that the corresponding certificate be revoked and that you be issued with a new one.  Any signatures you made before that time can still be verified by others, but revocation prevents anyone from generating new valid signatures using that key.

If you do intend to make a backup of your private key, make sure that you use the export facilities provided with your browser and that you set good passwords in order to protect the export file.

  • In Netscape there is an option to export your key to a password-protected file in a folder of your choice.  It comes out in a form called PKCS#12 (Public Key Cryptography Standard) in a file with a .p12 filename extension.  To use the export facility in Netscape, you need to either:
    • choose "Communicator - Tools - Security Info" from the menu,
    • or click on the Security icon at the top of the Netscape window (if this is displayed);
    • from there, click on the "Yours" item under "Certificates",
    • then select the certificate you want to export, click on the "export" button and follow the instructions.
  • In Internet Explorer 5, you have a similar option to export your key to a password-protected file of your choice.  In this case, it comes out as a PKCS#12 (Public Key Cryptography Standard) file with a .pfx filename extension.  To use the export facility in Internet Explorer 5, you need to:
    • go through the menus to "View - Internet Options - Content - Certificates - Personal",
    • select the certificate you want to export and then click on the Export button.

The file that you create should be placed on a floppy disk and stored in a secure place.  Remember that this file will be encrypted and that future access to it will require the password you specified when you created the export file, so you may also decide to lodge a copy of this password in a sealed envelope, in a separate secure storage place that only you or a specially authorised trustee can access.
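To show what a password-protected key backup does in principle, here is an added example in Go using only the standard library (it is not SimplySign's code and it does not produce a real PKCS#12 file, whose format is its own): a private key is serialised as PKCS#8, then wrapped with AES-256-GCM under a key derived from the password with PBKDF2. The iteration count, the Backup structure and the function names are assumptions for the example. It also illustrates the point made later on this page about why no one can recover the password for you: the export file holds only a salt, a nonce and ciphertext, so the wrong password simply fails authentication, and the right one restores a key that still verifies a signature made before the backup.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

const kdfIterations = 100_000 // assumed work factor; real products choose their own

// pbkdf2Key derives a 32-byte AES key with PBKDF2-HMAC-SHA256 (RFC 8018), one
// output block, written out here so the example needs only the standard library.
func pbkdf2Key(password string, salt []byte) []byte {
	mac := hmac.New(sha256.New, []byte(password))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < kdfIterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// Backup is the export file: salt, nonce and the AES-256-GCM ciphertext of the
// PKCS#8 DER key. Nothing in it lets anyone recover the password itself.
type Backup struct {
	Salt, Nonce, Ciphertext []byte
}

func gcmForPassword(password string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2Key(password, salt))
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Export wraps the private key under the password: in spirit, what a PKCS#12
// export with a good password does.
func Export(key *ecdsa.PrivateKey, password string) (*Backup, error) {
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil { return nil, err }
	buf := make([]byte, 28) // 16-byte salt followed by 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil { return nil, err }
	b := &Backup{Salt: buf[:16], Nonce: buf[16:]}
	gcm, err := gcmForPassword(password, b.Salt)
	if err != nil { return nil, err }
	b.Ciphertext = gcm.Seal(nil, b.Nonce, der, nil)
	return b, nil
}

// Import reverses Export. A wrong password fails GCM authentication outright;
// the file reveals nothing that would let the password be "recovered".
func Import(b *Backup, password string) (*ecdsa.PrivateKey, error) {
	gcm, err := gcmForPassword(password, b.Salt)
	if err != nil { return nil, err }
	der, err := gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
	if err != nil { return nil, errors.New("wrong password or corrupted backup") }
	parsed, err := x509.ParsePKCS8PrivateKey(der)
	if err != nil { return nil, err }
	if key, ok := parsed.(*ecdsa.PrivateKey); ok {
		return key, nil
	}
	return nil, errors.New("unexpected key type in backup")
}

// RoundTrip generates a key, signs a constructed message, exports the key and
// reports whether the right password restores the same key (still verifying
// the earlier signature) and whether the wrong password is rejected.
func RoundTrip(password, wrongPassword string) (bool, bool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return false, false, err }
	digest := sha256.Sum256([]byte("constructed message signed before the backup"))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil { return false, false, err }
	backup, err := Export(key, password)
	if err != nil { return false, false, err }
	got, err := Import(backup, password)
	if err != nil { return false, false, err }
	restored := got.Equal(key) && ecdsa.VerifyASN1(&got.PublicKey, digest[:], sig)
	_, err = Import(backup, wrongPassword)
	return restored, err != nil, nil
}

func main() {
	fmt.Println(RoundTrip("iwrm1rkf", "password")) // true true <nil>
}
```

Whoever holds the backup file but not the password is in the position of the thief described in this section: the ciphertext is of no use to them, and the strength of the whole arrangement rests on the password chosen at export time.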

I've been asked for my private key password - what should I do?

Netscape refers to this password as the Netscape Password, but whatever it is called, NEVER provide your private key password to anyone!  There is no legitimate reason for anyone ever to need this information.  If you see such a request as a result of browsing someone's website, they are trying to get you to disclose this information so that they can break into your private key store and either decrypt information that is personal to you or attempt to masquerade as you in some transaction.

I've forgotten my private key password - what can I do?

If you have forgotten your private key password, no one can help you (unless you took a backup of the private key, as discussed earlier in this document).  You will be unable to gain access to information that was encrypted using this certificate, and without access to a backup, any secure emails that were encrypted using your public encryption certificate will effectively be lost.  For private signing keys, you will be unable to continue generating signatures with this key.

You will have to generate a new set of keys and obtain a new certificate.  Depending on the software being used, you may also need to reinstall your e-mail software and web browser.

Why can't someone recover my password?

If there was some way for another person to recover your private key password for you, then it would be possible, using the same methods, for someone to steal it and use it for purposes you might not approve of.

Someone has stolen my computer - can they sign as me?

If you used a good password to protect your private key, then it is unlikely that the thief will be able to use it.  However, you must still request that your certificates be revoked and that you be issued with new ones.  People will still be able to verify your signatures on old documents, emails and web transactions, but the thief will not be able to generate new signatures that appear to come from you.

If you had decided not to password-protect your private keys, or had used a particularly bad password, it is much more likely that the thief has your private keys.   To all intents and purposes, if this is the case, the thief can act as if he or she were you.  Under these circumstances, it is imperative that you contact the Registration Authority or the Issuing Authority immediately and inform them that your private keys have been compromised, that these certificates need to be revoked, and that you need to be issued with new certificates.  You should then ensure that this cannot happen again by protecting the new private keys with passwords and by making sure that they are good passwords (see above on "What can I do to help protect my private key").

Copyright © 2004 SimplySign - 4 Westwood House, Westwood Business Park, Coventry CV4 8HS