What is Public Key Infrastructure (PKI)?


Quite often in the world of cryptography will you hear the term, PKI or Public Key Infrastructure. While people often use this term loosely without understanding ( and even appreciating) the whole gamut which this word entails, it is extremely important for a security professional to understand what PKI represents.

Have you ever visited a store like that of Best Buy or Big Bazaar etc? They provide you with almost everything you can imagine. Public Key Infrastructure, henceforth referred to as PKI in the blog post, is a set of programs, procedures, algorithms, communication protocols, security policies that work together to enable secure transmission of information. PKI is an ISO authentication framework that uses public-key cryptography and the X.509 standard. PKI is not just an encryption standard or a technology, it is a complex assortment of various aspects that work together.

We have learnt about confidentiality, integrity, privacy, non-repudiation and PKI offers all of that. It is a hybrid system of symmetric and asymmetric key algorithms and methods. While you may argue that even public-key cryptography offers a majority of such benefits, it is important to note that public-key cryptography is just a set of algorithms used for encrypting the data. PKI on the other hand offers contains the pieces that will identify users, create and distribute certificates, maintain and revoke certificates, distribute and maintain encryption keys, and enable all technologies to communicate
and work together for the purpose of encrypted communication and authentication.

If you have a puzzle game, public-key cryptography will be just one small piece in the big puzzle game. It is not the complete puzzle itself. PKI is made up of many different parts: certificate  authorities, registration authorities, certificates, keys, and users. A security professional needs to know not only how do all these puzzle pieces fit together, knowledge of how each piece’s workings is also necessary.

Certificate Authorities

Consider CA or certificate authorities just like the government. The government issues you an ID card ( Aadhaar, Passport etc) or perhaps any identity proof and when you showcase that to any person of the law, he/she trusts that you are that person that you are claiming to be. In a similar manner, to enable trust between two or more unknown parties to securely transmit information, a digital certificate is issued to them. The certificate is created and signed (digital signature) by a trusted third party, which is a certificate authority (CA). When the CA signs the certificate, it binds the individual’s identity to the public key, and the CA takes liability for the authenticity of that individual. It is this trusted third party (the CA) that allows people who have never met to authenticate to each other and to communicate in a secure method.

In simple terms, a user will just verify the certificate which is available with the other user. It’s about trust which each user will have in the CA. The big Q here is who is the CA?

A CA is a trusted organization (or server) that maintains and issues digital certificates. When a person requests a certificate, the registration authority (RA) verifies that individual’s identity and passes the certificate request off to the CA. The CA constructs the certificate, signs it, sends it to the requester, and maintains the certificate over its lifetime. When another person wants to communicate with this person, the CA will basically vouch for that person’s identity.

Certificate

The CA issues a certificate to a user who requests for one. The standard for how the CA creates the certificate is X.509, which dictates the different fields used in the certificate and the valid values that can populate those fields. The certificate includes the serial number, version number, identity information, algorithm information, lifetime dates, and the signature of the issuing authority.
To understand this in more detail, let’s take the example of the website - www.mayurpahwa.com. Do you notice a lock button in front of the URL at the top? If you click on this lock button, you will find the details of the certificate that has been issued to this website. In fact, you can check for any website that you visit.

Registration Authority

If you wish to get a passport, you need to register yourself at the passport office for an appointment.  The passport office set up by the government is the registration authority that processes your  registration request. The RA establishes and confirms the identity of an individual, initiates the certification process with a CA on behalf of an end-user, and performs certificate life-cycle management functions. The RA cannot issue certificates but can act as a broker between the user and the CA. When users need new certificates, they make requests to the RA, and the RA verifies all necessary identification information before allowing a request to go to the CA.

In addition to this, keys are one of the last ingredients in the PKI infra. How do all of these come together to form the PKI is what we’ll learn in the next blogpost.

Comments

You may also like to read...

Access Control Models - DAC, MAC, RBAC , Rule Based & ABAC

Understanding Security Modes - Dedicated , System high, Compartmented , Multilevel

How to Pass the CISSP Exam in First Attempt