Friday, April 8, 2016

PKI

What is PKI and its use case?

PKI stands for Public Key Infrastructure. It is a framework of policies, procedures, hardware, software, and standards used to manage, distribute, and validate digital certificates and public-private key pairs. PKI enables secure communication and authentication over untrusted networks, such as the internet, by providing a trusted infrastructure for verifying the identities of users, devices, and services.

Key components of a PKI system include:

1. **Certificate Authority (CA)**: A trusted entity responsible for issuing, revoking, and managing digital certificates. The CA verifies the identity of certificate applicants and signs their public keys to create digital certificates.

2. **Digital Certificates**: Electronic documents that bind a public key to an entity's identity, such as a person, organization, or device. Digital certificates are signed by a CA and used to verify the authenticity of public keys and establish secure communication channels.

3. **Public and Private Keys**: Asymmetric cryptographic keys used for encryption, decryption, and digital signatures. Public keys are freely distributed and used for encryption and verification, while private keys are kept secret and used for decryption and signing.

4. **Certificate Revocation Lists (CRLs)**: Lists maintained by CAs that contain information about revoked or expired digital certificates. CRLs are periodically published and distributed to inform relying parties about invalidated certificates.

5. **Registration Authority (RA)**: An entity responsible for verifying the identity of certificate applicants and forwarding their information to the CA for certificate issuance.

6. **Certificate Repository**: A centralized or distributed repository where digital certificates and CRLs are stored and made accessible to users and applications.

Use cases of PKI include:

1. **Secure Communication**: PKI enables secure communication over untrusted networks by encrypting data transmissions and verifying the identities of communicating parties using digital certificates and public-private key pairs. Use cases include encrypted email communication, secure web browsing (HTTPS), and virtual private networks (VPNs).

2. **Authentication**: PKI is used for user authentication and access control in various applications and services. Digital certificates are used to authenticate users, devices, and services, allowing access to protected resources based on their verified identities.

3. **Data Integrity and Non-Repudiation**: PKI provides mechanisms for ensuring data integrity and non-repudiation in digital transactions. Digital signatures created with private keys are used to verify the authenticity and integrity of electronically signed documents and transactions.

4. **Document and Code Signing**: PKI is used for digitally signing documents, code, and software to verify their authenticity, integrity, and origin. Digital signatures created with private keys provide proof of authorship and protect against tampering and unauthorized modifications.

5. **Secure Remote Access**: PKI is used for secure remote access solutions, such as virtual private networks (VPNs) and remote desktop services. Digital certificates are used to authenticate remote users and devices, establishing secure communication channels over untrusted networks.

Overall, PKI plays a crucial role in establishing trust, confidentiality, integrity, and non-repudiation in digital communications and transactions, making it essential for secure and reliable operations in various domains, including e-commerce, finance, healthcare, and government.



The electronic certificate contains a public key that allows data to be encrypted so that it can only be decrypted using the private key. For example, if you had a certificate from microsoft.com, you could use this certificate to encrypt data so that people at Microsoft could decrypt it.
The next part of an electronic cert is the digital signature. This proves that the certificate is from a trusted source and is not fake. The digital signature also provides a checksum-like function for the digital certificate. That is, it can be used to check whether the certificate has been altered.
The first point to understand with the digital signature is the hash value. The hash value is a value that represents the certificate. The hash is calculated by putting the certificate through a mathematical function to produce a value. A simple hash function would be to add each byte in a file together to obtain a single number; of course, the hash function used in certificates is more complex than this. The hash value is then put through a mathematical function using the private key to generate a digital signature. This digital signature is then added to the certificate. Now that the digital signature is added to the certificate, it can be used later to check that the certificate has not been altered or damaged.

Hash -> private key -> digital signature
Digital Signature -> public key -> Hash


To check the certificate, the digital signature is put through a mathematical function using the public key. The result of this should be the original hash value, which is compared with a hash freshly calculated from the certificate. If this value is not obtained, the person knows the certificate is corrupt or has been tampered with. The hash function is a one-way process, which means you cannot use the hash value to generate the original cert. This essentially means that even though the private key is used in the process, it is not possible to use the digital signature to obtain the private key. So what exactly does the digital signature do?
First, it provides a method for checking identity. For example, if you had a certificate that was issued to cisco.com, the name of the website could be included as a field in the certificate. When the cert is downloaded to a client computer, the client computer checks the name on the cert to see if it matches the website it is trying to access. If it does, the cert will be used.
You can see that if another website also obtained this cert and attempted to use it, the cert would be rejected, as the name in the cert and the website do not match. Remember that a cert is essentially a file with data in it, so it is an easy process to change the name in the cert. If this were to occur and an attempt was made to use the cert, the digital signature comes into play. When a modified cert is used, the digital signature will not match the data in the cert and the cert will be rejected. This is how certificates can be used to prove identity and how they protect themselves from being tampered with.
The next question that arises is: if you were given a digital cert, would you trust it? Certificates work off a trust model. To illustrate this, consider an example that occurs often in the real world. In this example, let's say you have the company Microsoft. Microsoft makes operating systems, as we know, and you want to buy a laptop that works with Windows 8. In order to do this, you find a laptop and see that it has a sticker on it saying "Windows 8 compatible". Even though the laptop is not made by Microsoft, you can be assured that because it has this sticker, Windows 8 will work on this laptop.
So what has happened here? You are trusting that the manufacturer of the laptop has put the sticker on the laptop because their laptop works with Windows 8. You are trusting Microsoft not to allow a sticker like this to be put on a laptop that would not run Windows 8. Thus you can see how one trusts the other, and the person who purchases the laptop must trust both.

So how does this all relate to certs?

Certificates use the same type of trust model. At the top, you have a certificate authority. In this example, I will use the certificate authority Verisign. Verisign has been around for a long time and is well trusted on the internet. A certificate authority's job is to issue certs. These certs could be used for users, computers, devices and web pages. Let's say ciscoTraining wants to get a cert for their web page. To do this, they obtain a cert from Verisign, which would allow a visitor to the cisco training website to use encrypted SSL.
Before Verisign would issue a cert to ciscoTraining, a number of checks are performed. These checks include checking who registered the domain name and a number of checks on the business. This helps prevent certs being issued to individuals who want to use them for illegal activities. For example, if someone attempted to obtain a certificate for M1crosoft.com (notice that the i has been changed to a 1), this would be denied. What this essentially means is that if you use a cert from Verisign, you can be assured that a number of checks have been performed before the cert was issued. It is still possible for a cert to be issued to a company that is doing the wrong thing, but at least you can be assured that some checks have been performed to determine that they are a valid company.

The next question is what happens when a user connects to the cisco training website and obtains the cert. How does the client know it is valid and from Verisign, and why would it trust and thus use this cert? By default, a number of certs are installed on the client computer when the operating system is installed. These include a Verisign cert. Since the cert is installed locally in the OS, the OS will trust any cert issued by Verisign. When the cert is downloaded from cisco training, the digital signature in the cert is used to determine a number of different things: first, that the cert has not been tampered with, and that the website matches the website in the cert. Using the local cert installed in the OS, Windows can check the cert obtained from ciscoTraining to see if it is, in fact, a Verisign cert.

You can start to see how the cert trust model works. The computer must trust the CA that the cert came from, just like you would trust an organization like Harvard University. Certs work the same way: you need to trust who issued the cert in order to start using it. While surfing the internet, if we see the error "problem with website security cert", this means the website is one that Windows does not trust. This essentially means no cert is installed locally on the computer or the site has not been placed in the exception list. From a user's perspective, Windows has not been configured to trust certs from this source. In this case, the user can take the risk, accept the cert and hope for the best, or not open the website.

Although a CA like Verisign is trusted by Windows by default, you may want to use your own CA. Besides giving you complete control over the CA, this avoids the fact that certs from companies like Verisign cost money. If you have your own CA, you can issue as many certs as you wish at no cost besides the costs of the OS and hardware to run it on.

When deploying a certificate infrastructure, this will often be done at a number of different levels. At the top, you will have a root CA. The root CA will issue a cert to each subordinate or 2nd level CA. Often, after the root CA has issued certs to the second level authorities, the root CA will be taken offline. Since the root CA holds the private key that is effectively the key to the entire certificate infrastructure, it should be protected. In some cases, a company will install the root CA on removable media. Once the root CA is not needed anymore, the removable media is placed in a safe until it is needed again. The second level CAs are free to issue certs without the root CA, so the system will work fine even though the root CA is offline. Having the root CA offline helps keep it secure. The 2nd level CAs will often issue certs to users and computers. For example, a cert may be issued to a user so their identity can be checked when using a VPN connection. It is also possible to have additional levels of CA if your organization requires it.

1st level (Root CA)
2nd level  (Users cert) and (computer cert)
3rd level (VPN)  (Email) (web1) and (web2 )

In this example, let us consider what happens when a computer attempts to connect to a web server. The cert for that website will be downloaded to the client, but will the client trust that cert? In order for the cert to be trusted automatically, a cert from the root CA needs to be installed locally on the client computer. Once this cert is installed on the computer, the computer will automatically trust any cert that comes from any CA in this hierarchy. If the root CA is trusted by the client, any of the child CAs will be trusted automatically.
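The checks described above (name match, signature check, and trust in a locally installed root CA cert), as an added example that is not part of the original post. It uses textbook RSA with small fixed primes from the Python standard library purely to show the hash -> private key -> signature flow and is not secure; the CA names, host names and helper functions are assumptions made up for illustration.

```python
import hashlib

E = 65537  # public exponent shared by every toy key

def make_key(p, q):
    """Textbook RSA from two primes: returns (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def cert_hash(cert, n):
    """Hash every field except the signature, reduced to fit the toy modulus."""
    body = "|".join(f"{k}={cert[k]}" for k in sorted(cert) if k != "signature")
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big") % n

def issue(subject, issuer, public_key, ca_n, ca_d):
    cert = {"subject": subject, "issuer": issuer, "public_key": public_key}
    # hash -> private key -> digital signature
    cert["signature"] = pow(cert_hash(cert, ca_n), ca_d, ca_n)
    return cert

def signature_ok(cert, issuer_n):
    # digital signature -> public key -> hash, compared with a fresh hash
    return pow(cert["signature"], E, issuer_n) == cert_hash(cert, issuer_n)

def validate(chain, trust_store, hostname):
    """chain runs leaf first; trust_store maps a root CA name to its public key."""
    if chain[0]["subject"] != hostname:
        return "name mismatch"
    for cert, parent in zip(chain, chain[1:]):
        if cert["issuer"] != parent["subject"] or not signature_ok(cert, parent["public_key"]):
            return "bad signature"
    root_n = trust_store.get(chain[-1]["issuer"])
    if root_n is None:
        return "untrusted issuer"
    return "trusted" if signature_ok(chain[-1], root_n) else "bad signature"

# Constructed sample hierarchy: root CA -> issuing CA -> web server cert.
ROOT_N, ROOT_D = make_key(2**127 - 1, 2**107 - 1)
SUB_N, SUB_D = make_key(2**89 - 1, 2**61 - 1)
sub_cert = issue("Example Issuing CA", "Example Root CA", SUB_N, ROOT_N, ROOT_D)
# 2**61 - 1 is only a placeholder number standing in for the server's public key.
web_cert = issue("web1.example.test", "Example Issuing CA", 2**61 - 1, SUB_N, SUB_D)
TRUST = {"Example Root CA": ROOT_N}  # the root cert installed on the client
forged = dict(web_cert, subject="web2.example.test")  # name edited after signing

if __name__ == "__main__":
    print(validate([web_cert, sub_cert], TRUST, "web1.example.test"))
    print(validate([web_cert, sub_cert], TRUST, "web2.example.test"))
    print(validate([forged, sub_cert], TRUST, "web2.example.test"))
    print(validate([web_cert, sub_cert], {}, "web1.example.test"))
```

Real clients also check validity dates and revocation, which this sketch leaves out.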

A certificate basically contains:
- who issued the cert
- who the cert is issued to
- valid to
- public key
- digital signature

Difference between digital certificates and digital signatures?

Digital certificates and digital signatures are both cryptographic mechanisms used in information security, but they serve different purposes and have distinct characteristics:

1. **Digital Certificate**:
   - A digital certificate is an electronic document that binds a public key to the identity of its owner, such as a person, organization, or device.
   - Digital certificates are issued by a trusted Certificate Authority (CA) after verifying the identity of the certificate applicant.
   - The certificate includes information about the certificate holder (subject), the issuer (CA), the public key, the certificate's validity period, and the digital signature of the CA.
   - Digital certificates are used for authentication, encryption, and establishing secure communication channels over untrusted networks.
   - Example use cases include SSL/TLS certificates for secure web browsing, S/MIME certificates for encrypted email communication, and code signing certificates for verifying the authenticity of software.

2. **Digital Signature**:
   - A digital signature is a cryptographic mechanism used to provide proof of the authenticity, integrity, and origin of a digital message or document.
   - A digital signature is created by applying a mathematical algorithm (such as RSA or ECDSA) to a message or document using the signer's private key.
   - The resulting digital signature is appended to the message or document and can be verified by anyone using the signer's public key.
   - Digital signatures provide non-repudiation, meaning the signer cannot later deny having signed the document, as well as integrity, ensuring that the document has not been altered since it was signed.
   - Digital signatures are used in various applications, including document signing, code signing, electronic transactions, and legal contracts, to provide assurance of authenticity and integrity.

In summary, digital certificates are used to bind public keys to identities and establish trust in the authenticity of communication parties, while digital signatures are used to provide proof of the authenticity and integrity of digital messages or documents. Digital certificates often include digital signatures from trusted Certificate Authorities to verify their authenticity, while digital signatures are applied by individuals or entities to validate the authenticity and integrity of specific documents or messages.
