Key Management

and Distribution
Distribution of the Public Keys

• Public announcement
• Publicly available directory
• Public-key authority
• Public-key certificates
 Public Announcement
• Broadcast your public key to the public
• via newsgroups, mailing lists, from personal website, etc.
• major weakness is anyone can create a key claiming to be
someone else and broadcast it
• so attacks are possible
Public Announcement
 Publicly available directory

• A greater degree of security can be achieved by

maintaining a publicly available dynamic directory of
public keys.
• Maintenance and distribution of the public directory
would have to be the responsibility of some trusted entity.
 Publicly available directory

• The authority maintains a directory with a {name, public key}

entry for each
participant.
• Each participant registers a public key with the directory authority.
• A participant may replace the existing key with a new one at any
time.
Publicly available directory
 Public-key authority

• Improve security by tightening control over distribution of

keys from directory
• has properties of directory and requires users to know
public key for the directory
• users interact with directory to obtain any desired public
key securely
● does require real-time access to directory when keys
are needed
 Public-key certificates

• certificates allow key exchange without real-time access to

public-key authority
• a certificate binds identity to public key
• usually with other info such as period of validity, rights of use etc
• with all contents signed by a trusted Public-Key or
Certificate Authority (CA)
• can be verified by anyone who knows the public-key
authorities public-key
Public-key certificates
 X.509 Authentication Service

• X.509 defines a framework for the provision of authentication services

by the X.500 directory to its users.
• A distributed set of servers that maintain a database about users.
• The X.509 public key infrastructure (PKI) standard identifies the
format of public key certificates.
• X.509 is an important standard because the certificate structure and
authentication protocols defined in X.509 are used in a variety of
contexts. For example, the X.509 certificate format is used in S/MIME,
IP Security and SSL/TLS.
• Each certificate contains the public key of a user and is signed with
the private key of a CA.
 X.509 Certificates
• issued by a Certification Authority (CA), containing:
• version (1, 2, or 3)
• serial number (unique within CA) identifying certificate
• signature algorithm identifier
• issuer X.500 name (CA)
• period of validity (from - to dates)
• subject X.500 name (name of owner)
• subject public-key info (algorithm, parameters, key)
• issuer unique identifier (v2+)
• subject unique identifier (v2+)
• extension fields (v3)
• signature (of hash of all fields in certificate)
 Public Key Infrastructure (PKI)

• Public-key infrastructure (PKI) is a set of hardware,

software, people, policies, and procedures needed to
create, manage, distribute, use, store, and revoke
digital certificates.
• The principal objective for developing a PKI is to enable
secure, convenient and efficient acquisition of public
keys.
 PKIX Model
• End entity: A generic term used to denote
end users, devices (e.g., servers, routers), or
any other entity that can be identified in the
subject field of a public-key certificate.

• Certification authority (CA): The issuer of

certificates and (usually) certificate
revocation lists (CRLs).

• Registration authority (RA): The RA is

often associated with the end entity
registration process but can assist in a
number of other areas as well.
 PKIX Model
• CRL issuer: An optional component
that a CA can delegate to publish CRLs.

• Repository: A generic term used to

denote any method for storing
certificates and CRLs so that they can
be retrieved by end entities.