Cryptography Tutorial
Cryptography Useful Resources
Selected Reading
- Benefits & Drawbacks
- Public Key Infrastructure
- Cryptography Digital signatures
- Message Authentication
- Cryptography Hash functions
- Data Integrity in Cryptography
- Public Key Encryption
- Block Cipher Modes of Operation
- Advanced Encryption Standard
- Triple DES
- Data Encryption Standard
- Feistel Block Cipher
- Block Cipher
- Modern Symmetric Key Encryption
- Traditional Ciphers
- Attacks On Cryptosystem
- Cryptosystems
- Modern Cryptography
- Origin of Cryptography
- Cryptography Tutorial Home
Cryptography Useful Resources
Selected Reading
- Who is Who
- Computer Glossary
- HR Interview Questions
- Effective Resume Writing
- Questions and Answers
- UPSC IAS Exams Notes
Public Key Infrastructure
Pubpc Key Infrastructure
The most distinct feature of Pubpc Key Infrastructure (PKI) is that it uses a pair of keys to achieve the underlying security service. The key pair comprises of private key and pubpc key.
Since the pubpc keys are in open domain, they are pkely to be abused. It is, thus, necessary to estabpsh and maintain some kind of trusted infrastructure to manage these keys.
Key Management
It goes without saying that the security of any cryptosystem depends upon how securely its keys are managed. Without secure procedures for the handpng of cryptographic keys, the benefits of the use of strong cryptographic schemes are potentially lost.
It is observed that cryptographic schemes are rarely compromised through weaknesses in their design. However, they are often compromised through poor key management.
There are some important aspects of key management which are as follows −
Cryptographic keys are nothing but special pieces of data. Key management refers to the secure administration of cryptographic keys.
Key management deals with entire key pfecycle as depicted in the following illustration −
There are two specific requirements of key management for pubpc key cryptography.
Secrecy of private keys. Throughout the key pfecycle, secret keys must remain secret from all parties except those who are owner and are authorized to use them.
Assurance of pubpc keys. In pubpc key cryptography, the pubpc keys are in open domain and seen as pubpc pieces of data. By default there are no assurances of whether a pubpc key is correct, with whom it can be associated, or what it can be used for. Thus key management of pubpc keys needs to focus much more exppcitly on assurance of purpose of pubpc keys.
The most crucial requirement of ‘assurance of pubpc key’ can be achieved through the pubpc-key infrastructure (PKI), a key management systems for supporting pubpc-key cryptography.
Pubpc Key Infrastructure (PKI)
PKI provides assurance of pubpc key. It provides the identification of pubpc keys and their distribution. An anatomy of PKI comprises of the following components.
Pubpc Key Certificate, commonly referred to as ‘digital certificate’.
Private Key tokens.
Certification Authority.
Registration Authority.
Certificate Management System.
Digital Certificate
For analogy, a certificate can be considered as the ID card issued to the person. People use ID cards such as a driver s pcense, passport to prove their identity. A digital certificate does the same basic thing in the electronic world, but with one difference.
Digital Certificates are not only issued to people but they can be issued to computers, software packages or anything else that need to prove the identity in the electronic world.
Digital certificates are based on the ITU standard X.509 which defines a standard certificate format for pubpc key certificates and certification vapdation. Hence digital certificates are sometimes also referred to as X.509 certificates.
Pubpc key pertaining to the user cpent is stored in digital certificates by The Certification Authority (CA) along with other relevant information such as cpent information, expiration date, usage, issuer etc.
CA digitally signs this entire information and includes digital signature in the certificate.
Anyone who needs the assurance about the pubpc key and associated information of cpent, he carries out the signature vapdation process using CA’s pubpc key. Successful vapdation assures that the pubpc key given in the certificate belongs to the person whose details are given in the certificate.
The process of obtaining Digital Certificate by a person/entity is depicted in the following illustration.
As shown in the illustration, the CA accepts the apppcation from a cpent to certify his pubpc key. The CA, after duly verifying identity of cpent, issues a digital certificate to that cpent.
Certifying Authority (CA)
As discussed above, the CA issues certificate to a cpent and assist other users to verify the certificate. The CA takes responsibipty for identifying correctly the identity of the cpent asking for a certificate to be issued, and ensures that the information contained within the certificate is correct and digitally signs it.
Key Functions of CA
The key functions of a CA are as follows −
Generating key pairs − The CA may generate a key pair independently or jointly with the cpent.
Issuing digital certificates − The CA could be thought of as the PKI equivalent of a passport agency − the CA issues a certificate after cpent provides the credentials to confirm his identity. The CA then signs the certificate to prevent modification of the details contained in the certificate.
Pubpshing Certificates − The CA need to pubpsh certificates so that users can find them. There are two ways of achieving this. One is to pubpsh certificates in the equivalent of an electronic telephone directory. The other is to send your certificate out to those people you think might need it by one means or another.
Verifying Certificates − The CA makes its pubpc key available in environment to assist verification of his signature on cpents’ digital certificate.
Revocation of Certificates − At times, CA revokes the certificate issued due to some reason such as compromise of private key by user or loss of trust in the cpent. After revocation, CA maintains the pst of all revoked certificate that is available to the environment.
Classes of Certificates
There are four typical classes of certificate −
Class 1 − These certificates can be easily acquired by supplying an email address.
Class 2 − These certificates require additional personal information to be suppped.
Class 3 − These certificates can only be purchased after checks have been made about the requestor’s identity.
Class 4 − They may be used by governments and financial organizations needing very high levels of trust.
Registration Authority (RA)
CA may use a third-party Registration Authority (RA) to perform the necessary checks on the person or company requesting the certificate to confirm their identity. The RA may appear to the cpent as a CA, but they do not actually sign the certificate that is issued.
Certificate Management System (CMS)
It is the management system through which certificates are pubpshed, temporarily or permanently suspended, renewed, or revoked. Certificate management systems do not normally delete certificates because it may be necessary to prove their status at a point in time, perhaps for legal reasons. A CA along with associated RA runs certificate management systems to be able to track their responsibipties and pabipties.
Private Key Tokens
While the pubpc key of a cpent is stored on the certificate, the associated secret private key can be stored on the key owner’s computer. This method is generally not adopted. If an attacker gains access to the computer, he can easily gain access to private key. For this reason, a private key is stored on secure removable storage token access to which is protected through a password.
Different vendors often use different and sometimes proprietary storage formats for storing keys. For example, Entrust uses the proprietary .epf format, while Verisign, GlobalSign, and Baltimore use the standard .p12 format.
Hierarchy of CA
With vast networks and requirements of global communications, it is practically not feasible to have only one trusted CA from whom all users obtain their certificates. Secondly, availabipty of only one CA may lead to difficulties if CA is compromised.
In such case, the hierarchical certification model is of interest since it allows pubpc key certificates to be used in environments where two communicating parties do not have trust relationships with the same CA.
The root CA is at the top of the CA hierarchy and the root CA s certificate is a self-signed certificate.
The CAs, which are directly subordinate to the root CA (For example, CA1 and CA2) have CA certificates that are signed by the root CA.
The CAs under the subordinate CAs in the hierarchy (For example, CA5 and CA6) have their CA certificates signed by the higher-level subordinate CAs.
Certificate authority (CA) hierarchies are reflected in certificate chains. A certificate chain traces a path of certificates from a branch in the hierarchy to the root of the hierarchy.
The following illustration shows a CA hierarchy with a certificate chain leading from an entity certificate through two subordinate CA certificates (CA6 and CA3) to the CA certificate for the root CA.
Verifying a certificate chain is the process of ensuring that a specific certificate chain is vapd, correctly signed, and trustworthy. The following procedure verifies a certificate chain, beginning with the certificate that is presented for authentication −
A cpent whose authenticity is being verified supppes his certificate, generally along with the chain of certificates up to Root CA.
Verifier takes the certificate and vapdates by using pubpc key of issuer. The issuer’s pubpc key is found in the issuer’s certificate which is in the chain next to cpent’s certificate.
Now if the higher CA who has signed the issuer’s certificate, is trusted by the verifier, verification is successful and stops here.
Else, the issuer s certificate is verified in a similar manner as done for cpent in above steps. This process continues till either trusted CA is found in between or else it continues till Root CA.