About PKI (Public Key Infrastructure)

Cryptography : PKI

In cryptography, a PKI is an arrangement that binds public keys with their respective user identities by means of a certificate authority (CA). The user identity must be unique within each CA domain. The binding is established through the registration and issuance process, which, depending on the level of assurance the binding has, may be carried out by software at a CA, or under human supervision. The PKI role that assures this binding is called the Registration Authority (RA).

 

 

From Wikipedia :
For each user, the user identity, the public key, their binding, validity conditions and other attributes are made unforgeable in public key certificates issued by the CA.

 


 

1)  Introduction

1.1 What is a PKI ?

PKI stands for “Public Key Infrastructure”. It is the set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.

1.2 Why do we need a PKI ?

A PKI is required to resolve the “user to public key binding” problem.

2) Asymmetric Algorithms reminder

This is a quick reminder about asymmetric key algorithms. It is important to understand them in order to understand why and where a PKI is required.

Main feature of asymmetric algorithms :

  • One key is used for encryption AND a different key is used for decryption

– One of those keys can be made public : if we can securely obtain the “public key”, key management becomes a lot simpler than with symmetric algorithms.

– The question is : when I receive someone’s public key, how do I really know it belongs to that person or entity ? That is the question PKI answers.

 

 

3) Digital Certificate

From Wikipedia :
In typical public key infrastructure (PKI) arrangements, a digital signature from a certificate authority (CA) attests that a particular public key certificate is valid (i.e., contains correct information).

3.1  Definitions

  • What is a digital certificate ?
    A digital certificate is a data structure that binds a user’s identity to a public key; this association is certified by a Certificate Authority (CA).
  • What is a CA ?
    A CA is the company that issues the certificate.
  • What is a self-signed certificate ?
    A self-signed certificate is so called because it is issued and validated (signed) by the same company : the CA (logically this should be a root CA, one of the highest rank). Today’s web browsers include many root certificates, which makes web browsing easier, but it may also lead to security issues (you must trust the source of your web browser installation).

Note : This definition is only valid in a PKI context. In a web of trust context there is no root CA or highest ranked CA; there is, actually, no CA at all!

 

3.2 Contents of a typical digital certificate

X.509 v3 : This is the current standard describing the certificate structure (format). It is already used extensively on the Internet (e.g. on web servers: TLS; web browsers: TLS; email clients: S/MIME; IPsec VPNs: IKE).

From Wikipedia :

  • Serial Number : Used to uniquely identify the certificate.
  • Subject : The person, or entity identified.
  • Signature Algorithm : The algorithm used to create the signature.
  • Issuer : The entity that verified the information and issued the certificate.
  • Valid-From : The date the certificate is first valid from.
  • Valid-To : The expiration date.
  • Key-Usage : Purpose of the public key (e.g. encipherment, signature, certificate signing…).
  • Public Key : the purpose of SSL when used with HTTP is not just to encrypt the traffic, but also to authenticate who the owner of the website is, and that someone’s been willing to invest time and money into proving the authenticity and ownership of their domain.
  • Thumbprint Algorithm : The algorithm used to hash the certificate.
  • Thumbprint : The hash itself to ensure that the certificate has not been tampered with.
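
To see how these fields and the CA signature fit together, here is an added example (not part of the original post, and not a real X.509 implementation) in which a CA signs a set of certificate fields and a relying party verifies them. It assumes textbook RSA over small known primes and a JSON encoding in place of DER and a real padding scheme; all names, dates and keys are constructed sample values.

```python
import hashlib
import json

def toy_keypair(p, q, e=65537):
    """Textbook RSA key pair from two known primes (toy-sized, illustration only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}

def tbs_digest(fields, n):
    """SHA-256 over a canonical encoding of the fields to be signed, reduced mod n."""
    blob = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % n

def issue(fields, priv):
    """CA side: sign the certificate fields with the issuer's private key."""
    sig = pow(tbs_digest(fields, priv["n"]), priv["d"], priv["n"])
    return {"tbs": fields, "signature": sig}

def verify(cert, pub):
    """Relying party: recompute the digest and compare it with the signature."""
    return pow(cert["signature"], pub["e"], pub["n"]) == tbs_digest(cert["tbs"], pub["n"])

def thumbprint(cert):
    """Hash of the whole certificate, signature included."""
    return hashlib.sha256(json.dumps(cert, sort_keys=True).encode()).hexdigest()

def make_fields(serial, subject, issuer, usage, public_key):
    return {"serial": serial, "subject": subject, "issuer": issuer,
            "valid_from": "2024-01-01", "valid_to": "2025-01-01",
            "key_usage": usage, "public_key": public_key}

# Constructed sample data: Mersenne primes as key material, hypothetical names.
ca_pub, ca_priv = toy_keypair(2**127 - 1, 2**89 - 1)
user_pub, _ = toy_keypair(2**107 - 1, 2**61 - 1)
other_pub, _ = toy_keypair(2**61 - 1, 2**31 - 1)

# Root certificate: subject == issuer, signed with its own private key.
root_cert = issue(make_fields(1, "Example Root CA", "Example Root CA",
                              "certificate signing", ca_pub), ca_priv)
# End-entity certificate: the CA binds the user's identity to the user's public key.
user_cert = issue(make_fields(2, "alice@example.test", "Example Root CA",
                              "signature", user_pub), ca_priv)
# Same certificate with the public key replaced after issuance, signature unchanged.
altered = {"tbs": dict(user_cert["tbs"], public_key=other_pub),
           "signature": user_cert["signature"]}

if __name__ == "__main__":
    for name, c in (("root", root_cert), ("user", user_cert), ("altered", altered)):
        print(name, verify(c, ca_pub), thumbprint(c)[:16])
```

The root certificate verifies against the public key it carries, the user certificate verifies against the CA's public key, and the altered copy is rejected because its fields no longer match the signed digest.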

To be finished (sorry pal !)
