1. Public Key Infrastructure (PKI)
Two major frameworks exist:
1. X.509
2. PGP (Pretty Good Privacy).
>Certificate management systems: (i) certification, (ii) issuance, (iii) revocation.
>Act as a trusted third party.
<> X.509 is more popular and fits the corporate model well.
//It is like a certificate authority (CA).//
2. Certificate Authority (CA)
Issues digital certificates to users:
It certifies the public keys of users.
It must validate the applicant’s identity before issuing a certificate.
The CA must verify that the applicant holds the matching private key.
Distribution:
<> Digital certificates are not secret.
<> On the contrary, they should be widely advertised.
3. Certificate Authority (CA)…
Certificate Revocation:
A certificate is valid during the dates mentioned on the certificate.
A CA can revoke a certificate prematurely.
//due to various reasons – CA’s or applicant’s private key compromised.//
Revoked certificates cannot be used.
Revoked certificates are placed on a Certificate Revocation List (CRL).
A certificate user must verify the certificate, including checking that it has not been revoked.
4. X.509 Certificate Data Structure
Version: v1, v2, or v3.
Serial #: a unique number.
Signature method: The method used to sign the digital certificate (e.g., RSA).
Issuer name: The entity whose private key signed the certificate.
Valid time period: begin time and end time.
Subject name: The entity whose public key is included in the certificate.
Subject’s public key: public key and public key method.
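As an added example (not part of the original slides), the seven fields above laid out in DER the way an X.509 TBSCertificate actually carries them, then read back by a small parser. The issuer, subject, serial, dates and RSA modulus are constructed sample values; the OIDs for rsaEncryption and sha256WithRSAEncryption are the real ones. The signature over the TBS is not computed here, only the signed data structure.

```python
from datetime import datetime, timezone

OID_RSA = "1.2.840.113549.1.1.1"          # rsaEncryption
OID_SHA256_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption

def der(tag: int, content: bytes) -> bytes:
    """One DER Tag-Length-Value element with a minimal definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_integer(value: int) -> bytes:
    # non-negative INTEGER: two's complement, so a set high bit needs a 0x00 prefix
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = b""
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:   # first two arcs share a byte
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))          # base-128, continuation bit set
        body += bytes(reversed(chunk))
    return der(0x06, body)

def der_seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))

def der_name(common_name: str) -> bytes:
    # Name ::= SEQUENCE OF SET OF { attribute OID, value }; a single CN (2.5.4.3)
    attr = der_seq(der_oid("2.5.4.3"), der(0x13, common_name.encode("ascii")))
    return der_seq(der(0x31, attr))

def der_utctime(dt: datetime) -> bytes:
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def build_tbs(serial, issuer_cn, not_before, not_after, subject_cn, rsa_n, rsa_e) -> bytes:
    """TBSCertificate (the part the CA signs) with the slide's seven fields in order."""
    null = der(0x05, b"")
    rsa_key = der_seq(der_integer(rsa_n), der_integer(rsa_e))
    spki = der_seq(der_seq(der_oid(OID_RSA), null),
                   der(0x03, b"\x00" + rsa_key))               # BIT STRING, 0 unused bits
    return der_seq(
        der(0xA0, der_integer(2)),                            # [0] version: v3 is encoded as 2
        der_integer(serial),                                  # serial number
        der_seq(der_oid(OID_SHA256_RSA), null),               # signature method
        der_name(issuer_cn),                                  # issuer name
        der_seq(der_utctime(not_before), der_utctime(not_after)),  # valid time period
        der_name(subject_cn),                                 # subject name
        spki,                                                 # subject's public key + method
    )

def tlv(buf: bytes, pos: int = 0):
    """Decode one element at pos -> (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        start = pos + 2 + (first & 0x7F)
        length = int.from_bytes(buf[pos + 2:start], "big")
    return tag, buf[start:start + length], start + length

def children(content: bytes):
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = tlv(content, pos)
        out.append((tag, val))
    return out

def oid_to_dotted(body: bytes) -> str:
    arcs, cur = [], 0
    for b in body:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, [arcs[0] // 40, arcs[0] % 40] + arcs[1:]))

def common_name(name_content: bytes) -> str:
    attr_content = children(children(name_content)[0][1])[0][1]
    return children(attr_content)[1][1].decode("ascii")

def parse_tbs(tbs: bytes) -> dict:
    tag, body, _ = tlv(tbs)
    assert tag == 0x30, "TBSCertificate must be a SEQUENCE"
    f = children(body)
    alg, bitstring = children(f[6][1])
    _, rsa_key, _ = tlv(bitstring[1][1:])                    # skip the unused-bits byte
    n, e = (int.from_bytes(v, "big", signed=True) for _, v in children(rsa_key))
    return {
        "version": int.from_bytes(children(f[0][1])[0][1], "big") + 1,
        "serial": int.from_bytes(f[1][1], "big", signed=True),
        "signature_method": oid_to_dotted(children(f[2][1])[0][1]),
        "issuer": common_name(f[3][1]),
        "validity": [v.decode("ascii") for _, v in children(f[4][1])],
        "subject": common_name(f[5][1]),
        "public_key": (n, e),
        "public_key_method": oid_to_dotted(children(alg[1])[0][1]),
    }

def sample_tbs() -> bytes:
    """Constructed sample: issuer 'Example Root CA', subject 'alice', toy RSA modulus."""
    return build_tbs(0x1234, "Example Root CA",
                     datetime(2024, 1, 1, tzinfo=timezone.utc),
                     datetime(2025, 1, 1, tzinfo=timezone.utc),
                     "alice", 1000000007 * 1000000009, 65537)

if __name__ == "__main__":
    for k, v in parse_tbs(sample_tbs()).items():
        print(f"{k:18} {v}")
```

The parser is deliberately strict about tags (a certificate whose outer element is not a SEQUENCE is rejected) and decodes lengths in both short and long form, since the sample TBS is already longer than 127 bytes. A real certificate wraps this TBS in a second SEQUENCE together with the signature algorithm and the signature BIT STRING.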
5. Challenge-Response Protocol
CA must authenticate/verify an applicant before issuing it a digital certificate.
//This involves checking that the applicant has the matching private key.//
1. CA → A : Epub-keyA(FivePM => Class over)
2. A decrypts it with its private key, and
3. A → CA : (Class over => FivePM).
6. Flow of Trust
Root CA:
Each X.509 PKI implementation has a root CA.
There may be a network of CAs (each can issue digital certificates).
Self-signed Certificates:
A certificate that is signed by its own subject (the CA itself).
Can be trusted without any additional verification.
<> A certificate signed by the root CA is trusted by everyone.
7. Why is X.509 Very Popular?
“Easy to bring a new person into the system.”
<> Root CA issues the new person a digital certificate and gives him a copy of the root CA’s certificate (public keys).
<> That is all that is needed to bring a new person in the trusted network.
<> The new person can retrieve any other person’s certificate and get his key.
<> Likewise, any other person can retrieve the new person’s certificate and get his key.
8. Subordinate CAs
“A root CA can outsource registration and distribution of certificates.”
<> A sub CA can distribute certificates issued by the root CA.
<> A sub CA can also be authorized to issue certificates to users.
//signed by the sub-CA’s private key.//
<> The structure of CAs depends upon the organization’s needs and applications.
9. Subordinate CAs…
Chaining trust from root CA:
<> If a sub-CA is issuing a certificate, the receiver (say Bob) of this certificate verifies its validity as follows:
1. Bob obtains the root CA’s public key from its certificate.
2. Bob verifies the sub-CA’s certificate (using the root CA’s public key) and obtains the sub-CA’s public key.
3. Using the sub-CA’s public key, Bob verifies the received certificate and obtains the public key contained in it.
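The three chain-verification steps above, together with the challenge-response step of slide 5 and the CRL check of slide 3, in one constructed Python example (added here, not from the original slides). Textbook RSA on small fixed primes stands in for a real signature scheme, JSON stands in for DER, and the CA names, serials, dates and the `issue`/`bob_verifies` functions are all assumptions of the example.

```python
import hashlib
import json

E = 65537  # public exponent shared by all toy keys

def toy_keypair(p: int, q: int):
    """Textbook RSA on two fixed primes (a stand-in for a real key pair):
    returns (public (n, e), private (n, d))."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def _digest(data: bytes, n: int) -> int:
    # SHA-256 of the signed bytes, reduced mod n so the small modulus can carry it
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

def encode(tbs: dict) -> bytes:
    """Canonical bytes of the to-be-signed fields (JSON here, DER in X.509)."""
    return json.dumps(tbs, sort_keys=True).encode()

# Slide 5: before issuing, the CA checks that the applicant holds the private
# key matching the public key it presents.
def ca_challenge(applicant_pub, nonce: int) -> int:
    n, e = applicant_pub
    return pow(nonce, e, n)            # 1. CA -> A : Epub-keyA(nonce)

def applicant_answer(applicant_priv, ciphertext: int) -> int:
    n, d = applicant_priv
    return pow(ciphertext, d, n)       # 2. A decrypts with its private key

def issue(issuer, issuer_priv, subject, subject_pub, respond, serial,
          valid_from, valid_to, nonce=0x5EC2E7):
    """CA side: run the challenge, then sign the certificate fields."""
    if respond(ca_challenge(subject_pub, nonce)) != nonce:   # 3. A -> CA : nonce
        raise ValueError(f"{subject!r} failed the private-key challenge")
    tbs = {"version": 3, "serial": serial, "issuer": issuer,
           "valid_from": valid_from, "valid_to": valid_to,
           "subject": subject, "public_key": list(subject_pub)}
    return {"tbs": tbs, "signature": sign(issuer_priv, encode(tbs))}

def check_one(cert, issuer, issuer_pub, crl, today):
    """One link: signature by the expected issuer, validity dates, CRL (slide 3)."""
    tbs = cert["tbs"]
    if tbs["issuer"] != issuer:
        return "issuer name mismatch"
    if not verify(issuer_pub, encode(tbs), cert["signature"]):
        return "bad signature"
    if not tbs["valid_from"] <= today <= tbs["valid_to"]:    # ISO dates sort as strings
        return "outside validity period"
    if (tbs["issuer"], tbs["serial"]) in crl:
        return "revoked (listed on CRL)"
    return None

def bob_verifies(cert, sub_ca_cert, root_cert, crl, today):
    """Slide 9: chain trust from the root CA down to the received certificate.
    Returns (subject public key, None) on success or (None, reason)."""
    # 1. Bob takes the root CA's public key from its self-signed certificate
    #    (obtained out of band) and checks that signature with the same key.
    root, root_pub = root_cert["tbs"]["subject"], tuple(root_cert["tbs"]["public_key"])
    if err := check_one(root_cert, root, root_pub, crl, today):
        return None, "root: " + err
    # 2. With the root key Bob verifies the sub-CA certificate and takes its key.
    if err := check_one(sub_ca_cert, root, root_pub, crl, today):
        return None, "sub-CA: " + err
    sub, sub_pub = sub_ca_cert["tbs"]["subject"], tuple(sub_ca_cert["tbs"]["public_key"])
    # 3. With the sub-CA key Bob verifies the received certificate and obtains
    #    the public key it carries.
    if err := check_one(cert, sub, sub_pub, crl, today):
        return None, "leaf: " + err
    return tuple(cert["tbs"]["public_key"]), None

def demo():
    """Constructed scenario: root CA -> sub CA -> alice, checked by Bob."""
    root_pub, root_priv = toy_keypair(1000000007, 1000000009)
    sub_pub, sub_priv = toy_keypair(998244353, 2147483647)
    alice_pub, alice_priv = toy_keypair(2305843009213693951,
                                        170141183460469231731687303715884105727)
    holder = lambda priv: (lambda ct: applicant_answer(priv, ct))   # applicant's side
    root = issue("Root CA", root_priv, "Root CA", root_pub, holder(root_priv), 1, "2024-01-01", "2034-01-01")
    sub = issue("Root CA", root_priv, "Sub CA", sub_pub, holder(sub_priv), 2, "2024-01-01", "2029-01-01")
    alice = issue("Sub CA", sub_priv, "alice", alice_pub, holder(alice_priv), 3, "2024-06-01", "2025-06-01")
    today = "2024-09-01"
    r = {"valid": bob_verifies(alice, sub, root, set(), today),
         "revoked": bob_verifies(alice, sub, root, {("Sub CA", 3)}, today),
         "expired": bob_verifies(alice, sub, root, set(), "2026-01-01"),
         "tampered": bob_verifies({"tbs": dict(alice["tbs"], subject="impostor"),
                                   "signature": alice["signature"]}, sub, root, set(), today)}
    try:   # an applicant presenting alice's public key without her private key
        issue("Sub CA", sub_priv, "not-alice", alice_pub, holder(sub_priv), 4, "2024-01-01", "2025-01-01")
        r["no_private_key"] = "issued"
    except ValueError:
        r["no_private_key"] = "refused"
    return r

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two design points carry over to real verifiers: every link is checked for all four conditions (expected issuer, signature, dates, revocation) before its key is used for the next link, and the CRL is keyed by issuer and serial, since serials are unique only per issuer. A production verifier would use padded RSA or ECDSA over the DER-encoded TBSCertificate and a CRL that is itself signed by the CA.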