Lecture 15: PKI and Certificates Flashcards
What do public key infrastructures imply?
The use of public digital certificates
Digital signatures provide these certificates
What types of certificates are standardised and used in most network security applications?
X.509 certificates
Give NIST’s definition of a public key infrastructure
the key management environment for public key information of a public key cryptographic system
What is key management concerned with?
The lifecycle of cryptographic keys –> generation, distribution, storage and destruction of keys
What legal or business (trusted) entities may be involved in PKI?
1) registration authorities (RAs)
2) validation authorities (VAs)
3) certification authorities (CAs)
What do registration authorities do i.t.o PKIs?
vouching for the identity of a user
What does PKI stand for?
public key infrastructure
What do validation authorities do i.t.o PKIs?
verify that identity
What do certification authorities do i.t.o PKIs?
issuing digital certificates (certifying the public key of the user)
How can we be confident of the correct binding between a public key and its owner?
–> e.g. when using a public key to encrypt a message or to verify a digital signature
achieved through using digital certificates
What do digital certificates contain?
1) public key
2) owner identity
3) signature alg
4) validity period
….
Who signs digital certificates?
certification authority (CA)
–> CA should be trusted by the certificate verifier
What does a CA do?
creates, issues and revokes certificates for subscribers and other CAs
What does CA stand for?
certification authority
What must a CA have?
a certification practice statement (CPS)
What does CPS stand for?
certification practice statement
What issues does a CPS cover?
1) checks performance before certificate issue
2) physical, personnel and procedural security controls for the CA
3) technical and key pair protection and management controls
4) certificate revocation management procedures
5) accreditation info
6) legal and privacy issues and liability limitations
Outline the X.509 standard
Most widely used certificate standard
Originally ITU standard
Now RFC 5280
Current version (3) allows flexible extensions
What are the important fields in X.509 certificates? (8)
1) version number
2) serial number (set by CA)
3) signature algorithm identifier (alg used to digitally sign)
4) issuer name (of the CA)
5) subject name (of the user to which the certificate is issued)
6) public key info
7) validity period
8) digital signature (of the certificate, generated by CA)
Explain the digital certificate example on slide 10 in set 15
See slide 10 in set 15
Explain the digital certificate example on slide 11 in set 15
See slide 11 in set 15
How do you verify a certificate?
1) by checking that the CA’s signature is valid
2) by checking that any conditions set in the certificate are correct
What must be done in order to verify a certificate?
The user of the certificate must have the correct public key of the CA
Does it matter how the user obtains the certificate?
no