Cryptography - Public Key Infrastructure Flashcards
Public Key Infrastructure (PKI)
Includes systems, software, communication protocols that distribute, manage and control public key cryptography
Can certify that public key is tied to an entity and verify that a public key is valid
X.509 - Framework that PKIs use. Enables authentication between networks and over the internet.
Includes time stamping and certificate revocation
Provides confidentiality, message integrity, authentication, nonrepudiation
Structure includes CAs, certificates, registration authorities, CRLs, cross-certification and Online Certificate Status Protocol (OCSP)
Registration Authority
Verifies requester’s identity, registers them, passes the request to the CA
Certificate Authority (CA)
CA creates and signs the digital certificates
Maintains the certificates
Revokes certificates when needed
Certificate binds the participant to his keys
Public CA
Provides PKI as a paid service to companies
Private CA
Operated by a company so it can control all aspects of the PKI process
Certification path validation
Checking legitimacy of the certificates in the certification path
Online Certificate Status Protocol (OCSP)
Protocol that obtains revocation status of an X.509 digital certificate in real-time
Alternative to the CRL used by many PKIs
Automatically validates and reports back the status by accessing the CRL
Attributes of a certificate
Provides entity with credentials to prove its identity and associates that identity with a public key
Must provide the serial number, issuer, subject (owner) and the public key
Verisign’s 3 digital certificate classes
Class 1 - For individuals, intended for email. These certificates get saved by web browsers
Class 2 - For organizations that must provide proof of identity
Class 3 - For servers and software signing, where independent verification of identity and authority is done by the issuing CA
Certificate Revocation List (CRL)
List of digital certificates that a CA has revoked. Browser must check the CRL or the CA must push out the CRL values to clients.
Revocation Request Grace Period
Maximum time between when a revocation request is received by the CA and when revocation actually occurs
A shorter grace period gives better security but higher implementation cost
Steps for requesting a digital certificate
User requests digital certificate and the Registration Authority (RA) receives the request
RA requests identifying information from requestor
RA forwards certificate request to the CA
CA creates digital certificate for requestor. Requestor's public key and identity information are included as part of the certificate.
User receives certificate
Process for communicating with a PKI
Bob requests Alice’s public key from the Certificate Repository
Repository sends Alice’s certificate to Bob
Bob verifies certificate and extracts Alice’s public key
Bob encrypts session key with Alice’s public key and sends the encrypted session key and his certificate to Alice
Alice receives Bob’s certificate and verifies it with a trusted CA
After this, they can communicate with encryption
Cross-Certification
Establishes trust relationship between CAs
i.e. 2 organizations decide to trust each other's CAs
Key Management
Essential to ensure cryptography provides confidentiality, integrity, authentication
Ensures keys are protected during creation, distribution, transmission and storage
Keys should always be stored in ciphertext when stored on a non-cryptographic device
Key distribution, storage and maintenance should be automated by integrating them into the application
Backup copies of keys should be made and stored securely
Designated individual should have control of backup copies with others designated as emergency backups