Section 23: Public Key Infrastructure Flashcards

1
Q

Public Key Infrastructure (PKI)

A

Public Key Infrastructure (PKI)
o Software, services, and hardware that support the generation of digital certificates and capabilities of public-key encryption

When you go to www.website.com, your web browser reaches out to the Certificate Authority and asks for a copy of that site's public key. It then sends a random number (the key), encrypted with the public key. Once both parties have the same secret key, they can begin using it to send data back and forth.

If all this happens successfully, you will see the padlock in your browser.

2
Q

Certificate Authority (CA)

A

o Issues and guarantees signed digital certificates
o A CA can be either private or public
▪ Provide certificate services to users
▪ Ensure validity of certificates and the identities of those applying for a certificate
▪ Establish trust in the CA from users, government, regulatory authorities, and enterprises
▪ Manage servers and repositories that store and administer the certificates
▪ Perform key and certificate lifecycle management, from generation to revocation

3
Q

Certificate Chaining (Chain of Trust)

A

Validates a certificate by tracing each CA that signs the certificate

4
Q

Registration Authority (RA)

A

o Accepts requests for digital certificates and performs additional steps to validate an authorization

5
Q

Digital Certificate

A

o A digitally signed electronic document that binds a public key to a user's identity

6
Q

Wildcard certificates

A

Wildcard certificates
● Allow all of the subdomains to use the same public key certificate and have it displayed as valid

*.website.com covers mail.website.com, support.website.com, uk.website.com, etc.

7
Q

Single Sided vs Double Sided Certificate

A

▪ Single-sided Certificate
● Does not require the user to have their own digital certificate

▪ Dual-sided Certificate
● Requires the user to also authenticate themselves to the server with their own certificate. Better for security, but more resource-intensive and slower.

8
Q

Digital Signature

A

Created by hashing the file, then encrypting the resulting hash digest with the user's private key from their digital certificate. This is used in code signing.

9
Q

Online Certificate Status Protocol (OCSP)

A

▪ A protocol that allows us to determine the revocation status of a digital certificate using its serial number

10
Q

Certificate pinning

A

Instead of relying solely on the traditional CA-based verification, certificate pinning involves associating a specific cryptographic identity with the server and enforcing that identity during subsequent connections.
In certificate pinning, the client is configured to trust a specific public key or certificate provided by the server rather than trusting any CA-signed certificate. This can be achieved by hardcoding the public key or certificate information within the client application.

11
Q

Certificate Stapling

A

▪ Allows a webserver to perform certificate status checking instead of the browser
▪ This method resolves the issues of certificate pinning by having the webserver obtain a time-stamped OCSP response from the certificate authority

12
Q

HTTP Strict Transport Security (HSTS)

A

▪ The webserver is configured to notify web browsers that are connecting to it that they should only request the website using HTTPS and not HTTP
▪ Prevents on-path (man-in-the-middle) attacks that exploit the plain HTTP website connection
