Section 8.74 Public Key Infrastructure (PKI) Flashcards
Objectives 1.4 Explain the importance of using appropriate cryptographic solutions. Objectives 2.3 Explain various types of vulnerabilities. Objectives 2.4 Given a scenario, you must be able to analyse indicators of malicious activity.
Public Key Infrastructure (PKI)
An entire system involving hardware, software, policies, procedures, and people that is based on asymmetric encrytpion
■ Facilitates secure data transfer, authentication, and encrypted communications
■ Used in HTTPS connections on websites
System that creates asymmetrical key paits that consist of those public and private keys that are used in the encryption and decryption process.
Establishing a Secure Connection
■ User connects to a website via HTTPS
■ Web browser contacts a trusted certificate authority for the web server’s public
key
■ A random shared secret key is generated for symmetric encryption
■ The shared secret is securely transmitted using public key encryption
■ The web server decrypts the shared secret with its private key
■ Both parties use the shared secret for symmetric encryption (e.g AES) to create
a secure tunnel
Confidentiality
● Data is encrypted using a shared secret
Authentication
● The web server’s identity is verified using its private key
■ Visual indicators like a padlock show secure communication
Public Key Infrastructure vs. Public Key Cryptography
Public Key Infrastructure (PKI)
● Encompasses the entire system for managing key pairs, policies, and trust
● Involves generating, validating, and managing public and private key pairs
that are used in the encryption and decryption process
● Ensures the security and trustworthiness of keys
Public Key Cryptography:
● Refers to the encryption and decryption process using public and private
keys
● Only a part of the overall PKI architecture
Key Escrow
Storage of cryptographic keys in a secure, third-party location (escrow) which enables key retrieval in cases of key loss or for legal investigations
Security Concerns:
● Malicious access to escrowed keys could lead to data decryption
● Requires stringent security measures and access controls
■ Relevance in PKI: In PKI, key escrow ensures that encrypted data is not permanently inaccessible
Useful when individuals or organizations lose access to their encryption keys