PKI Components 6.4 Flashcards
Public Key Infrastructure (PKI)
A way to describe policies, procedures, hardware, software, and people that are used to manage digital certificates. This is the process of creating, distributing, managing, storing, and revoking them.
There is a great deal of planning associated with this. PKI also refers to the binding of a public key to a person or a device.
Key Generation
We decide on the strength of the key (number of bits) and then the cipher the key will be used with. We then generate a certificate to associate the public key with a user or device. The key is then distributed to its owner and stored in a protected area.
Digital Certificates
It’s a public key combined with a digital signature. It may include other important details as well. PKI uses a certificate authority for additional trust; a Web of Trust instead relies on other users signing the key for additional trust. Certificates can be built into the OS. You can create certificates through Windows Domain services, and Linux has third-party options.
What’s in a Digital Certificate?
Certificates follow the X.509 certificate format. A certificate contains:
Serial Number
Issuer
Signature Algorithm
Validity Dates
Subject
Public Key
Extensions
Certificate Extensions
You can add more information to a digital certificate to extend the functionality.
DigitalSignature: The key used to verify a digital signature
KeyEncipherment: The key used to encrypt other keys used for secure key distribution
DataEncipherment: The key used to encrypt data, which cannot be used to encrypt other keys
CRLSign: The key used to verify a CA signature on a revocation list
KeyCertSign: The key used to verify CA signatures on certificates
NonRepudiation: The key used when a non-repudiation service is being provided
Commercial Certificate Authorities
Built into your browser. Web site owners/managers get the CA to sign their digital certificate so that the browser of anyone who connects to the site trusts it. It’s an easy process: you create a public/private key pair, then send the public key to the CA in a Certificate Signing Request (CSR). The CA performs a number of checks to verify you are who you say you are and that you own the site. It then signs the certificate and may provide additional features.
Private Certificate Authorities
You build an in-house CA. All of your devices must be configured to trust your own CA. This is common for medium-to-large orgs: instead of paying for every certificate, you issue them in-house for your own network.
PKI Trust Relationships
Some orgs use a single CA, though it’s not very common. Most orgs use a hierarchical authority: the top-level (root) CA issues certificates to intermediate CAs, forming a CA tree. This allows orgs to distribute the load of certificate creation, or to let different regions create and manage their own CAs. It also helps the revocation process. If someone gains access to the private signing key of an intermediate CA, you only have to revoke that intermediate CA, not the entire org’s certificates.
Key Revocation
This occurs through a Certificate Revocation List (CRL). There are many reasons a certificate might need to be revoked.
</gm_replace>
<gr_replace lines="29" cat="clarify" orig="There is a protocol called">
There is a protocol called the Online Certificate Status Protocol (OCSP) that gives the browser a way to check the status of a certificate. OCSP requests are usually sent via HTTP and are easily supported over existing internet connections. Not all browsers support this, usually older ones. Some browsers do not check this at all.
Getting Revocation Details to the Browser
There is a protocol called the Online Certificate Status Protocol (OCSP) to give the browser a way to check the status of its certificates. These are usually sent via HTTP and is easily supportable over existing internet connections. Not all browser support this, usually older browsers. Some browsers do not check this at all.