Digital Certificates

&
Public Key Infrastructure(PKI)

BSCS-3rd
 Digital Certificate vs Digital Signature
• Digital certificates and digital signatures are used to help create trust between the
sender and receiver in digital communications.

• Digital Certificate : A digital certificate verifies the authenticity of a device, user, or server.

• Digital Signature : while a digital signature confirms the integrity of a message.

• The Digital Signatures are also used to prove a document originated from valid
sender, but has several weaknesses.

• Only shows that the private key of the sender was used to encrypt the hash value.
• Imposter can post a public key under the sender’s name.
Digital Signature Weakness
 Digital Certificate
• A digital certificate is an electronic document issued by a trusted
third party (Certificate Authority or CA) that uses encryption and
digital signatures to establish the authenticity of an individual,
organization, or device.

• Build trust among the communicating entities and ensures secure

communication over the internet.

• Digitally signed by the trusted third party, Certificate Authority(CA)

• Digital certificates prevents man-in-the-middle attack that impersonate owner of the public
key.
Key Components of a Digital Certificate:

• Certificate Authority (CA):

• The entity responsible for issuing and managing digital certificates.
• Public Key:
• A cryptographic key used to encrypt data and verify digital signatures. It is publicly
accessible.
• Private Key:
• A secret cryptographic key paired with the public key. It is used to decrypt
data and create digital signatures.
• Certificate Holder Information:
• Identifies the person, organization, or device to which the certificate is issued,
including:
• Name or domain
• Organization name
• Email address
Key Components of a Digital Certificate:

• Certificate Serial Number:

• A unique identifier assigned by the CA.
• Validity Period:
• Specifies the start and end dates during which the certificate is valid.
• Signature Algorithm:
• The cryptographic method used to sign the certificate.
• Digital Signature:
• A CA-issued stamp verifying the certificate's authenticity.
 Types of Digital Certificates
• Digital certificates can be broadly classified into the following
categories/types:

• SSL/TLS Certificates (Secure Socket layer/Transport layer Security)

• Code Signing Certificates
• Email Certificates (S/MIME Certificates: Secure/Multipurpose Internet Mail
Extensions)
• Root Certificates
• Document Signing Certificates
• IoT Certificates
 Types of Digital Certificates
• SSL/TLS Certificates (Secure Socket layer/Transport layer Security)
• Used to secure websites and encrypt communication between web browsers and
servers, enabling HTTPS.
• There are several types of SSL/TLS Certificates:

• Domain Validation (DV): Verifies domain ownership.

•Example: Personal blogs or small business websites.
• Organization Validation (OV): Verifies domain ownership and organization details.
• Medium assurance, suitable for businesses.
• Example Use: Corporate websites.
•Extended Validation (EV): Requires extensive verification of the organization.
• High assurance; displays the green address bar in browsers.
• Example Use: Banks and e-commerce websites.
• Wildcard Certificates: Covers a domain and all its subdomains.
• Example Use: *.example.com secures www.example.com, blog.example.com, etc.
Types of Digital Certificates

• Code Signing Certificates: Ensures the authenticity and integrity of

software or applications.

• Developers use these certificates to sign their software, indicating that it has
not been altered since it was signed.

• Example : Windows, macOS, or mobile app distribution platforms.

•

Types of Digital Certificates

• Email (S/MIME) Certificates: Secure/Multipurpose Internet Mail
Extensions)

• Encrypts and digitally signs email communication.

• Ensures email confidentiality.
• Verifies sender identity.

• Example Use: Secure communication in organizations or for individuals handling

sensitive information.
 Types of Digital Certificates
• Document Signing Certificates:
• Used to digitally sign documents to ensure their integrity and authenticity.
• Provides tamper-proof assurance.
• Shows the signer’s verified identity

•Example Use: Contracts, agreements, or government documents.

 Types of Digital Certificates
• IoT Certificates:
• Secures communication between Internet of Things (IoT)
devices.

• Encrypts device-to-device communication.

• Authenticates devices in IoT networks.

• Example Use: Smart home systems or industrial IoT

solutions.
 Types of Digital Certificates
• Root Certificates:
• A certificate authority can issue multiple certificates in the form of a tree
structure.
• A root certificate is the top-most certificate of the tree.
• the private key which is used to "sign" other certificates.
• All certificates signed by the root certificate inherit the trustworthiness of
the root certificate.
• A signature by a root certificate is somewhat analogous to "notarizing" identity in
the physical world.
• Such a certificate is called an intermediate certificate.
• Certificates further down the tree also depend on the trustworthiness of the
intermediates.
 Types of Digital Certificates
• The root certificate is usually made trustworthy by some mechanism
other than a certificate, such as by secure physical distribution.
• For example, some of the best-known root certificates are distributed in
operating systems by their manufacturers.
• Microsoft distributes root certificates belonging to members of the Microsoft
Root Certificate Program to Windows desktops .
• Apple distributes root certificates belonging to members of its own root
program.

•Root Certificates form the basis of PKI ( Public Key Infrastructure)

Types of Digital Certificates

(Certificate Chaining)
 Digital Certificates
• Pinning:
• A technique in which a digital certificate is hard-coded (pinned) within
the app (program) that is using the certificate.
• Pinning is common for securing mobile messaging apps and for
certain web-based services and browsers, OS.
 Public Key Infrastructure (PKI)
• Public key infrastructure (PKI)
• It is the underlying infrastructure for the management of public keys
used in digital certificates.
• PKI is a framework for all the entities involved in digital certificates
for digital certificate management
• including hardware, software, people, policies, and procedures—to create,
store, distribute, and revoke digital certificates.
• In short, PKI is digital certificate management.
 Public Key Infrastructure (PKI)
• Public Key Infrastructure (PKI) is a system of policies, procedures,
technologies, and roles that enable secure communication and the
management of digital identities through the use of cryptographic keys
and digital certificates.

• PKI provides the foundation for secure electronic communication by

ensuring confidentiality, integrity, authenticity, and non-
repudiation of data and users.
 Key Components of PKI

1. Certificate Authority (CA)

2. Registration Authority (RA)
3. Digital Certificates
- Certificate Management action/life Cycle( Create, Store, Distribute and revoke/Expire)
4. Trust Models
5. Public and Private Keys(Keys management)
6. Certificate Revocation List(CRL)/Validation Authority
7. Online Certificate Status Protocol(OCSP)
 Key Components of PKI

1. Certificate Authority (CA):

• A trusted entity responsible for issuing, revoking, and managing digital

certificates.

• Verifies the identity of entities (individuals, organizations, or devices) before

issuing certificates.
 Key Components of PKI

2. Registration Authority (RA):

• Acts as an intermediary between the user and the CA.

• Verifies the user's identity and requests certificate issuance from the CA.
 Key Components of PKI

3. Digital Certificates:
• Electronic documents that bind a public key to the identity of the certificate
holder.

• Typically based on the X.509 standard and include:

• Subject's public key.
• Certificate holder's identity.
• Certificate's validity period.
• Issuing CA's information.
• Digital signature from the CA.
• Certificate Management action/life Cycle( Create, Store, Distribute and revoke/Expire)
Key Components of PKI

4. Trust model :
• A trust model refers to the type of trust relationship that can exist
between individuals or entities.
• Direct trust, a relationship exists between two individuals because one
person knows the other person
• A third-party trust refers to a situation in which two individuals trust
each other because each trusts a third party(i.e. CA).
• PKI trust models use a CA.
• Hierarchical trust model
• Distributed trust model
Key Components of PKI

• Hierarchical Trust Model

• The hierarchical trust model assigns a single hierarchy with one master CA
called the root.
• This root signs all digital certificate authorities with a single key.
• Problem: i) if the CA’s single private key were to be compromised, then all
digital certificates would be worthless. Ii) No load balancing .
Key Components of PKI

• The distributed trust model has multiple CAs that sign digital certificates.
This essentially eliminates the limitations of a hierarchical trust model.
• Overcome the limitations of hierarchal model
• The loss of a CA’s private key would compromise only those digital certificates for
which it had signed, and the workload of verifying and signing digital certificates
can be distributed.
• Commonly used by internet.
Key Components of PKI

5. Public and Private Keys Management

• A cryptographic key pair used for secure communication.

• Public Key: Shared openly and used for encryption or signature verification.
• Private Key: Kept secret by the owner and used for decryption or digital signing.

• PKI plays an important role in key exchange/Session keys.

Key Components of PKI

6. Certificate Revocation List (CRL)

• A list maintained by the CA of certificates that have been revoked and are no
longer valid, also shared with the validation authority.

7. Online Certificate Status Protocol (OCSP)

• A protocol for real-time verification of a certificate's status (valid, expired, or
revoked).
 How PKI works ?
• Following steps are carried out during a secure communication
session :

• Key Pair Generation:

• Certificate Issuance(Request to reg. auth):
• Certificate Distribution:
• Secure Communication:
• Certificate Revocation/Validation
 Working of PKI
• Key Pair Generation:

• Users generate a public and private key pair.

• The public key is sent to the CA as part of the certificate request (to
the registration authority), where the private key stays with the user.
 Working of PKI
• Certificate Issuance:
• The registration authority verifies the user's identity.
• If verified, the CA issues a digital certificate containing the user's
public key and identity details.

• Certificate Distribution:
• The digital certificate is shared with others(validation authority) to
establish trust.
Working of PKI
• Secure Communication:
• Users exchange public keys and use them for:
• Encrypting data for secure transmission.
• Verifying the authenticity of digital signatures.

• Certificate Revocation:
• If a private key is compromised or the certificate is no longer needed,
the CA(validation auth.) revokes the certificate and adds it to the CRL.
Working of PKI
 Advantages of PKI
• Data Confidentiality: Ensures only authorized parties can access the
data.
• Authentication: Verifies the identity of users, devices, or servers.

• Data Integrity: Prevents unauthorized modification of data during

transmission.

• Non-Repudiation: Ensures that actions (like sending a message or

signing a document) cannot be denied.
 Applications of PKI
• Secure Web Browsing: HTTPS relies on PKI to encrypt
communication between browsers and websites.
• Email Security: Ensures the confidentiality and authenticity of email
messages (e.g., S/MIME).
• Code Signing: Verifies the authenticity and integrity of software or
code.
• Document Signing: Provides non-repudiation and authenticity for
digital documents.
• IoT Security: Protects device-to-device communication and
authenticates IoT devices.
Challenges:
• Complexity: Requires expertise to implement and maintain.

• Cost: Setting up and managing PKI can be expensive.

• Key Management: Securely managing private keys is critical and

challenging.

• Trust Model: Relies heavily on the trustworthiness of the CA.