PKI - Public Key Infrastructure
| What is PKI? |
|---|
|
PKI (Public Key Infrastructure) is an arrangement in cryptography that facilitates third party examination of, and vouching for, user identities.
PKI allows the binding of public keys to users. These public
keys are most frequently stored in certificates. This binding of public
keys to users is usually carried out by software in a central location, in coordination with other associated software components installed in distributed locations.
The term Public Key Infrastructure is sometimes used in a broader
sense to mean both the Certificate Authority (CA) and related
arrangements, and at other times, confusingly or wrongly,
to denote public key algorithms used in electronic communications. In
the latter case, it should be kept in mind that public key algorithms
do not require PKI.
| | Working with PKI |
|---|
|
Public Key Infrastructure arrangements help users to authenticate
each other and to use the information in identity certificates (public
keys of each person) to encrypt and decrypt messages between each other.
Here is the way PKI works: The public key infrastructure architecture consists of client software, server software such as a certificate authority, hardware (e.g., smart cards)
and operational procedures. Using his/her private key, a user may sign
messages digitally, and another person can verify this signature using
the public key embedded in that user's certificate issued by a
certificate authority within the Public Key Infrastructure. This
enables two or more parties to establish confidentiality, message
integrity and user authentication without having to disclose any secret information in advance or during the process.
Most enterprise PKI systems depend upon certificate chains to
establish a party's identity. That is, while the certificate for any
party may be issued by a certificate authority computer, the
legitimacy of that computer must in turn be
certified by a higher certification authority, and so the
chain goes on.
This certification hierarchy, at a minimum, will consist of
many computers, often from more than one organization, and an assortment of
interoperating software packages from different systems across
different sources. This hierarchical structure is in fact inevitable, as
standards are critical to PKI operation. Many of the operating
standards in this area are formulated by the IETF PKIX workgroup.
Enterprise-scale public key infrastructure systems are sometimes tied closely to the enterprise's directory schema
by combining the employee's public key - embedded in a certificate -
with other personal details such as name, designation, and department.
X.509 is the most commonly used certificate format alongside the
directory schema LDAP.
| | PKI Applications |
|---|
|
Public Key Infrastructures, irrespective of the vendors, have many
uses. These include providing public keys and bindings to user
identities which are used for:
- Encryption or authentication of documents. For example, XML signature standards if the document concerned is encoded in XML.
- The same, but for email messages (using S/MIME or OpenPGP).
- Verification and authentication of users to applications, such as in smart card login and client validation using SSL.
- Bootstrapping secure communication protocols such as SSL and Internet Key Exchange (IKE).
PKI Alternatives
Newer techniques for the authentication of public key information
have been introduced and some of them are already in use by various
enterprises. Most popular amongst them include the Web of Trust, Simple
Public Key Infrastructure (SPKI) and Robot Certificate Authorities or
Robot CAs.
| | PKI Authorities |
|---|
|
Three different authorities essentially make up a PKI system. These are the Registration Authority, Certification Authority and Certificate Directory.
Registration Authority
The jobs of the Registration Authority are to process user
requests, confirm their identities, and induct them into the user
database.
Certification Authority
The tasks of a Certification Authority are to issue public key certificates
and to attest that the public key embedded in it indeed belongs to the
particular entity as stated in the certificate. The Certification
Authority also has the right to cancel a certificate if required, and
verify it at any point of time depending on the registration
conditions.
Certificate Directory
The Certificate Directory manages and stores the user's registration information and certificates for future reference.
From the logical structuring of the different
authorities described above, it is quite clear that the success of any public key
infrastructure system depends entirely upon the efficiency,
coordination, and performance of its
authorities.
Alternatives to PKI Authorities
Alternatives to PKI authorities include: Web of Trust, Simple Public Key Infrastructure (SPKI) and Robot Certificate Authorities.
| | PKI Certificate |
|---|
|
A PKI certificate, which stands for Public
Key Infrastructure certificate, allows someone to combine their digital
signature with a public key and something that identifies them, an
example being their real life name. This certificate is used to allow
computer users to show that they do own the public keys they claim to.
In other words, it is a security mechanism for public keys.
As mentioned before, a digital signature
is required for the PKI certificate. This signature can either be made
by an authority figure who assigns the certificates, the person whose
identity is being confirmed, or even endorsers of the public key. As
with credit cards, a digital signature is a way for other parties and
people to verify that a person is in fact the owner of the public key
they claim is their own.
| | Applications of PKI Certificates |
|---|
|
PKI certificates are most commonly used to authenticate
cryptographic public keys. In small networks, giving public keys to
others may be safe. This is often untrue for larger networks, however,
and a solution must be found. This solution is public-key cryptography.
To give an example of why having an unsecured public key may become
troublesome, let us take the example that a person needs to communicate
with another person in order to establish a business relationship. By
publishing his public key, the first person is able to receive and send
messages to his companion through a secure and safe method. A problem
arises, however, in the fact that someone else can pose as the first
person and send messages that person did not want to send. I am sure it
becomes obvious why a person pretending to be another can be a huge
problem during any sort of communication effort.
The PKI certificate is a way to stop this problem. This certificate
allows other people to verify that they are indeed communicating with
the right person and using the right public key. It is a clear answer
to the third-party problems that may arise without it.
Multiple Certificate Authorities
A problem can occur when two different people or parties meet each
other and both are using certification authorities the other does not
recognize. Because they do not recognize the respective authorities,
the certificates may not seem real. To help combat this, many
certificate authorities now keep their own personal public keys in the
certificates to help guide new finders of their services to them. This
public key is signed by yet another certification authority, allowing a
complicated hierarchy of trust to be created. To keep this simple, it
basically means that all certificates are linked together by one source
in an ideal situation and this source is a trustworthy one.
It is important for users who are given PKI certificates to ensure
that their certification authority is indeed a legitimate provider
of that service. It can obviously lead to problems if someone is using
a certificate that really has no use because it was given out by someone
lacking the authority to do so. Use the Certificate Revocation List or the
Online Certificate Status Protocol to check this information.
PKI Certificate Revocation
There are times when a certificate must be revoked by an authority.
A common example of this occurring is if a person's identity
information changes, for instance if they decide to change their name
for some reason or another.
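The chain and revocation checks described above (each issuer up to a trusted root must itself be a legitimate authority, and a CRL can withdraw a certificate), as an added Python example that is not part of the original page. It uses the `cryptography` package; the CA names, `alice.example`, `bob.example` and all helper functions are constructed for illustration.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW, DAY = datetime.datetime.now(datetime.timezone.utc), datetime.timedelta(days=1)
def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(subj_cn, subj_key, issuer_cn, issuer_key, is_ca):  # constructed test CA
    return (x509.CertificateBuilder().subject_name(name(subj_cn)).issuer_name(name(issuer_cn))
            .public_key(subj_key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + 30 * DAY)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def make_crl(issuer_cn, issuer_key, serial):  # constructed CRL revoking one serial number
    entry = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build()
    return (x509.CertificateRevocationListBuilder().issuer_name(name(issuer_cn)).last_update(NOW)
            .next_update(NOW + DAY).add_revoked_certificate(entry).sign(issuer_key, hashes.SHA256()))

def signed_by(obj, issuer_cert):  # obj is a certificate or a CRL
    tbs = obj.tbs_certlist_bytes if hasattr(obj, "tbs_certlist_bytes") else obj.tbs_certificate_bytes
    try:  # verify() returns None on success and raises on a bad signature
        return issuer_cert.public_key().verify(obj.signature, tbs, ec.ECDSA(obj.signature_hash_algorithm)) is None
    except InvalidSignature:
        return False

def validate(chain, trusted_root, crls=()):  # chain is [leaf, intermediate, ...]
    for cert, issuer in zip(chain, chain[1:] + [trusted_root]):
        who = cert.subject.rfc4514_string()
        if not issuer.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            return False, who + ": issuer is not a CA"
        if cert.issuer != issuer.subject or not signed_by(cert, issuer):
            return False, who + ": not signed by its claimed issuer"
        for crl in crls:  # honour a CRL only if this same issuer signed it
            if signed_by(crl, issuer) and crl.get_revoked_certificate_by_serial_number(cert.serial_number):
                return False, who + ": revoked"
    return True, "chain valid"

def demo():
    rk, ik, lk, xk = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    root = issue("Example Root CA", rk, "Example Root CA", rk, True)
    inter = issue("Example Issuing CA", ik, "Example Root CA", rk, True)
    leaf = issue("alice.example", lk, "Example Issuing CA", ik, False)
    bogus = issue("bob.example", xk, "alice.example", lk, False)  # issued by a non-CA key
    crl = make_crl("Example Issuing CA", ik, leaf.serial_number)
    return validate([leaf, inter], root), validate([bogus, leaf, inter], root), validate([leaf, inter], root, [crl])
```

`demo()` returns the results for a good chain, a certificate issued by a key that has no CA authority, and the good chain after its leaf has been revoked. Validity periods, key usage and name constraints are not checked here.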
PKI Certificate Standards
The PKI certificate usually includes personal information such as
name, employment status and company's name, and how long the
certificate is valid. The most popular standard for PKI certificates is
ITU-T X.509.
| | What is a Certificate Authority? |
|---|
|
A Certificate Authority or Certification Authority (CA) is an entity, core to many PKI (Public Key Infrastructure) schemes, whose purpose is to issue digital certificates
for use by other parties. It exemplifies a trusted third party. Some
certification authorities may charge a fee for their service while some
other CAs are free. It is also not uncommon for governments and
institutions to have their own CAs.
| | Issuing a Certificate |
|---|
|
The certification authority issues a Public Key Certificate (PKC), which attests that the public key embedded in it indeed belongs to a particular person, server,
organization or any other entity as stated in the certificate. In such
schemes, the obligation or duty of CAs is to verify the credentials of
the applicants before issuing the certificate so that the users can
trust the information in the CA certificates of a particular entity
without any second thoughts.
But this model is not foolproof, at least from a theoretical point of
view. For example, if a person (say A) could manage to get a
certification authority to issue a false certificate tying another
person (say B) to a wrong public key, whose corresponding private key
is available to A, then this could lead to some serious security
problems. That is, if a third person (say C) eventually obtains and
uses the public key in this certificate, then with the private key, it
is possible for A to break into the security contours of C's
communication. In such a way, on a practical level, C's messages could
be decrypted and the person could be duped into accepting forged signatures.
| | Security |
|---|
|
As mentioned above, while the correctness of a certificate is
taken for granted, it is to be accepted that assuring the correctness
of data presented by companies, persons or programs seeking a
certificate is rather difficult and has glaring loopholes. That is, it
is not an impossible task for an applicant to dupe the certification
authority. In order to plug these chinks in the armor, certification
authorities usually use a combination of authentication
techniques, which include leveraging government bureaus, third-party
databases and services, the payment infrastructure, and custom
heuristics to analyze the trustworthiness of the applicant. In some enterprise systems,
local types of authentication like Kerberos can be used to obtain the
certificate, which in turn can be used by relying third parties.
Notaries may be required in some cases to personally verify the party
whose signature is being notarized.
| | Protocols Supporting X.509 Certificates |
|---|
|