Lec 06 - Components of PKI
Lec 06 - Components of PKI
2
PKI
3
Public Key Cryptography
• Key Distribution is easier with Public Key
Cryptography
• Each Node is responsible for knowing its own
private key and all the public keys can be
accessible in one place.
• But there are problems with Public Keys as well
4
Problems with the Public Key
5
Public Key Distribution Problem
• A bad guy creates a key pair (private/public) and
quickly tells the world that the public key he
published belongs to Alice
6
How to verify a Public Key?
Two approaches:
• Before you use Alice’s public key, call her or
meet her and check that you have the right one
7
PKI Provides the Answer
• Everyone trusts the root Certificate Authority
(Verisign, Thawte, BT etc.)
8
Solution of Public key Problem
• A typical solution for this is to have a trusted node
known as a Certificate Authority (CA) that
generates Certificates
• Certificates are signed message specifying a name
(Alice) and the corresponding Public Key
• All nodes need to pre-configured with CA’s public
key so that they can verify its signatures on
certificates.
9
Public Key Infrastructure
• A Public Key Infrastructure (PKI) consists of the
components necessary to securely distribute public
keys.
• Public Key Infrastructure is a combination of
software, encryption technologies, and services
application that allows users to encrypt and send
information securely over a public network.
• PKI mainly includes message digests, digital
signatures, and encryption services
10
PKI Features
11
Components of PKI
12
Components of PKI
Digital Certificate
Certification Authorities (CAs)
Registration Authorities (RAs)
Certificate Holders
Repository/Directory
Validation Server
13
Digital Certificate
14
Digital Certificates
• Digital certificate is a digital document providing
linkage between the public key and the
identification data of its owner by the digital
signature of a trusted third party
15
Digital Certificates
Certificate
Attributes
Public Key of
Certificate holder
Encrypted hash
of certificate
Certificate
Authority
16
Similarities Between A Passport And A
Digital Signature
Passport Entry Corresponding digital
certificate entry
Full name Subject name
Valid to Same
17
Certification Authority (CA)
18
Certification Authority
A CA can certify the binding between a public key and
the owner.
19
Registration Authority (RA)
20
Registration Authority
21
Difference Between CA and RA
22
Difference between CA and RA
• RA is an intermediate entity between CA and end
user
23
Difference between CA and RA
End User
24
Directory
25
Directory
Directories are databases that stores the copies
of certificates issued by CA to facilitate a
single-point access for certificate management
and distribution (similar to telephone directories)
26
Directory
27
PKI: Used To Support
Identification and Authentication
Non-Repudiation
Integrity
Confidentiality
28
Digital Certificate
Creation Steps
29
Digital Certificate Creation Steps
Key Generation
Registration
Verification
Certificate Creation
30
Step 1: Key Generation
31
KEY Generation
• There are two different approaches for key
generation
– User creates a private and public key pair
using some software. Then user keeps the
private key and sends public key along with
other information to RA
– RA generates a key pair on the behalf of user
( i.e user does not aware of the technicalities
or it there is a requirement of centrally
generated or distributed keys )
32
USER GENERATING ITS OWN KEY PAIR
Key Generation
Subject
33
RA GENERATING A KEY PAIR ON BEHALF
OF THE USER
For user X
Key Generation
Registration Authority
private public
35
Registration
• User sends public key, associated registration
information, evidence ( i.e copy of passport or tax
statement ) about himself to RA.
36
Step 3: Verification
37
Verification
38
Proof Of Possession
40
Certificate Creation
41
Digital Certificate
Certificate Serial Number Hash Function
(SHA, MD5)
Issuer Name
Validity
Subject Name
Issuer Unique Identifier Message Digest
Subject Unique Identifier
CA’s Digital Signature
private
Digital Signature
Algo
42
A message digest of all but the last
Digital Certificate field is created
Certificate Serial Number
Hash Function
Issuer Name
(SHA, MD5)
Validity
Subject Name
Issuer Unique Identifier Message Digest
Issuer Unique Identifier MD1
Is MD1
Digital Signature = MD2
public
45
INTERNET EXPLORER
55
Certificate Hierarchies
• To verify the Digital Certificates, the receiver must
have to know the Issuer CA’s Public Key.
• If the CA of Alice and Bob are same, then this is
not a problem
• But this cannot always be guaranteed
• Alice and Bob may not have obtained their
certificates from the same CA
• How can Alice obtain the public Key of the CA of
Bob?
• To resolve such problems, a Certification
Authority Hierarchy is created.
• This is also called “Chain of Trust”
57
Self Signed Certificate & Cross Certification
• Self signed certificate means that a certification
authority (e.g. root CA) signs its own certificate
• Cross Certification
– Generally every country appoints its own root
certificate.
– In real life, CA s are implemented in
decentralized manner.
– Cross Certification allows CA s and end users
from different PKI domains to interact
58
Certificate Revocation
• If your credit card is lost, or if it gets stolen, you
would normally report the loss to the concerned
bank. The bank would cancel your credit card
• Similarly, the digital certificates can also be
revoked
59
Certificate Revocation
• Most common reasons can be:
– The holder of the digital certificate reports that
the private key corresponding to the public key
specified in the digital signatures is
compromised.
– CA realized that it has made some mistake in
issuing it
– The certificate holder leaves a job and the
certificate was issued specifically while the
person was employed in that job
60