The Workings of PKI


In the previous blog post, we learnt about the various pieces of the puzzle called the public key infrastructure. It’s time to learn how these pieces work after fitting together.

The PKI is made up of the following different components.
• Certification authority
• Registration authority
• Certificate repository
• Certificate revocation system
• Key backup and recovery system
• Automatic key update
• Key Management

To help understand the workings of a PKI, let’s try to take a day to day example and then try to learn through it on the workings of the PKI. Let’s say that Oslo wants to get him a passport. He needs this to prove to everyone that he is Oslo when he visits another country. The passport issued by the Government will be his way to enable trust with another country’s systems and people. They may not know him, but they will trust the passport that he is carrying. Now Oslo wants to apply for the passport. So he goes to the registration authority or the passport office and submits his form. The passport office collects all the details along with other documents and sends his request to the government. The government receives (certificate authority) and prints the certificate.  Oslo is elated after receiving the passport. He can now travel where he wants to.

Oslo now wishes to travel to India. He applies for a VISA and asks permission to enter the country for travel purposes. The government of India requests Oslo his passport at the embassy or you can say the document ( certificate) they can trust.

With this example in your mind, consider the following points to understand the workings of a PKI.

Oslo wants to be a part of the PKI. So he requests for a certificate to the RA.

  1. The registration authority requests for documentation from Oslo. He supplies the requested documents.
  2. The RA performs the verification and sends the request to the CA.
  3. The CA creates a digital certificate for Oslo. The public key and private key pair are generated. 
  4. Once Oslo receives the certificate (passport), he can participate in the PKI.
  5. Oslo wishes to transact with Tokyo, a friend of his and hence finds his public key.
  6. The public key is requested from the public directory which supplies him the digital certificate.
  7. Once Oslo verifies the digital certificate of Tokyo, he is convinced and trusts him and agrees to send the information.
  8. In order to send the information, he encrypts a session key with Tokyo’s public key and sends her the message along with his digital certificate. Only Tokyo can decrypt the message ( session key that will be used for communication thereon) and verify Oslo identify through the digital certificate.
  9. Once Tokyo is convinced, the exchange of information begins.

Some of you will definitely wonder that this is the same which we read through the various other cryptographic algorithms. So what is different here in PKI.

The PKI is not just encryption as explained in the previous blog post. It is a complete infrastructure that allows unknown people to trust each other and exchange information without worrying about security.

The key management is one of the most important components of the PKI. What if the keys are lost or breached? Who remembers which pair of keys were issued to whom? What if a digital certificate expires?

Let’s go back to the passport example. What happens if Oslo’s passport is lost? Who keeps the records that how many passports have been issued to Oslo in the past?

A PKI must retain a key history, which keeps track of all the old and current public
keys that have been used by individual users.

In the next blog post, we will learn about the trusted platform module which will help us understand the key storage and its management. 

Comments

You may also like to read...

Access Control Models - DAC, MAC, RBAC , Rule Based & ABAC

Understanding Security Modes - Dedicated , System high, Compartmented , Multilevel

How to Pass the CISSP Exam in First Attempt