Public Key Infrastructure
This material was developed with funding from the
National Science Foundation under Grant # DUE 1601612
Certificate Authority (CA)
A Public Key Infrastructure (PKI) is a system used to distribute, verify, and revoke public keys used for public key encryption. A Digital Certificate, also known as a public key certificate, is a digital file that cryptographically links a public key with its owner. The PKI system uses a trusted third party called a Certificate Authority (CA) to issue, sign, and store the Digital Certificates. PKI enables users and systems to exchange data over the Internet securely.
Public Key Infrastructure and Digital Certificates
Secure Web Server
For example, Alice visits a secure web site by entering https://www.acme.com in her browser. The ACME site will use digital certificates to authenticate the user and encrypt the transaction. Alice will receive a Digital Certificate from the web site that contains a public key. Alice’s browser and application software will validate the Digital Certificate. Then Alice’s system uses the public key in the digital certificate to encrypt all information transmitted to the secure server.
Bob the owner of an e-commerce web site, wants to provide a secure web site for customers. Bob needs to purchase and install a Digital Certificate on his server. Bob generates a private key and a public key. The private key will stay with Bob’s web site domain. The Public Key, along with identifying information is the basis for Bob’s Digital Certificate.
The computed value of an input (i.e., a data string) using a hashing algorithm
To begin the PKI certificate enrollment process, Bob generates a certificate signing request (CSR) that he sends to the certificate authority (CA). The format of the request uses the certification request syntax developed by RSA Security called Public Key Cryptography Standards version 10 (PKCS #10). The CSR contains Bob’s distinguished name, his public key, and a digital signature along with the hashing algorithm used to create the digital signature (the digital signature is the hash of the request encrypted with Bob’s private key).
A cryptographic hash function that converts a data string into a numeric value with a fixed length. Example would be SHA256.
When Bob sends the CSR request to the CA for a new certificate, a check to verify that Bob is allowed to request certificates for that particular domain is done. This check is performed by the Registration Authority (RA). The RA can be a person or an automated process that ensures that Bob is allowed to request certificates for that domain. This process maintains the trustworthiness of the Digital Certificate generation process.
Registration Authority (RA)
Used to identify employees for secure email and web-based transactions
Click each certificate for more information.
Authenticates a visitor’s identity. Used for business to business communications such as inventory management.
There are several different types of Digital Certificates. The Digital Certificate contains various items of information including a version number, serial number, details about the issuer, the validity period, subject details, the public key, and a digital signature.
Proves ownership of a domain name and establishes SSL/TLS encrypted sessions between the website and a visitor
Proves authorship of distributed software programs
Alice and Bob both trust the same CA. Highly trusted CA’s are known as Root CA’s and include VeriSign, GeoTrust, DigiCert, Comodo, Entrust and GlobalSign. The certificates for these Root CA’s are installed by default in web browsers. If Alice wants to view the Digital Certificates, she goes to the browser’s Settings or Options > Advance. She looks for a tab or option to manage or view certificates. The Trusted Root Certification Authorities for Chrome is shown above.
When Alice connects to Bob’s web site, www.acme.com, she receives the Digital Certificate. Alice needs to verify the certificate. If the certificate was issued by an unknown or untrusted CA or if the web site’s certificate does not match any certificates on Alice’s browser list, Alice will get a warning.
Certificate Authorities work with software manufacturers to embed their certificates (called Root Certificates) into the software. Therefore, the process of validating certificates is actually done by the software, Alice’s browser.
A Certificate Revocation List (CRL) is a list of Digital Certificates that an issuing Certificate Authority has revoked before the scheduled expiration date. Each entry in a CRL includes the serial number of the revoked certificate and the revocation date. When a web browser makes a connection to a site, the Web server’s Digital Certificate is checked for problems including a check to make sure that the certificate is not listed in a CRL. The most common reason that a certificate makes the CRL is that the certificate’s private key has been compromised.
The CA attests to the identity of the applicant when it signs the Digital Certificate.
Since a Digital Certificate provides identification, access control can also be achieved. Additionally, only the intended individual can access information within encrypted data.
The PKI process and exchange of Digital Certificates ensure several primary security functions.
Click each item above for more information.
Only the sender has access to the Private Key used to sign the data and that proves the origin of the data.
Data is encrypted with the Public Key within the Digital Certificate and only the intended recipient can decrypt and read it.
The recipient can identify any tampering because the data is digitally signed.