Lecture Security+ Certification: Chapter 10 - Athena Center

Chapter 10
Public Key Infrastructure


Objectives in this Chapter

ATHENA

 Explain cryptography strengths and vulnerabilities
 Define public key infrastructure (PKI)
 Manage digital certificates
 Explore key management


Understanding Cryptography Strengths and Vulnerabilities

 Cryptography is the science of “scrambling” data so that it cannot be viewed by unauthorized users, keeping it secure while it is transmitted or stored
 When the recipient receives the encrypted text, or another user wants to access the stored information, it must be decrypted with the cipher and key to produce the original plaintext


Symmetric Cryptography Strengths and Weaknesses

 Identical keys are used to both encrypt and decrypt the message
 Popular symmetric cipher algorithms include Data Encryption Standard (DES), Triple Data Encryption Standard (3DES), Advanced Encryption Standard (AES), Rivest Cipher, International Data Encryption Algorithm (IDEA), and Blowfish
 The disadvantages of symmetric encryption relate to the difficulty of managing the secret key, which must be shared with every party that needs to decrypt


Asymmetric Cryptography Strengths and Vulnerabilities

 With asymmetric encryption, two keys are used instead of one
• The private key decrypts the message
• The public key encrypts the message


Asymmetric Cryptography Strengths and Vulnerabilities (continued)

 Can greatly improve cryptography security, convenience, and flexibility
 Public keys can be distributed freely
 Users cannot deny they have sent a message if they have previously encrypted the message with their private keys
 Primary disadvantage is that it is computing-intensive


Digital Signatures

 Asymmetric encryption allows you to use either the public or private key to encrypt a message; the receiver uses the other key to decrypt the message
 A digital signature helps to prove that:
• The person sending the message with a public key is who they claim to be
• The message was not altered
• It cannot be denied that the message was sent
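The first two properties on this slide can be checked in code. The example below is added here and is not part of the Athena lecture: it signs a constructed message with an ECDSA P-256 private key and shows verification failing both for an altered message and for a signature made with a different key (the `sender`/`other` key pairs, the message text and the helper names are all constructed for this example).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// sign hashes the message with SHA-256 and signs the digest with the sender's private key.
func sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verify re-hashes what was received and checks the signature with the claimed sender's public
// key; it fails if the message was altered or the signature was made with a different private key.
func verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// demo returns the verification result for the genuine message, for a tampered copy, and for
// a signature produced with an unrelated key pair; only the first should be true.
func demo() (genuine, tampered, forged bool) {
	sender := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	other := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // unrelated key pair
	msg := []byte("Pay 100 to account 42")                         // constructed sample message
	sig, forgedSig := must(sign(sender, msg)), must(sign(other, msg))
	return verify(&sender.PublicKey, msg, sig),
		verify(&sender.PublicKey, []byte("Pay 900 to account 42"), sig),
		verify(&sender.PublicKey, msg, forgedSig)
}

func main() {
	genuine, tampered, forged := demo()
	fmt.Println("genuine:", genuine, "tampered:", tampered, "forged:", forged)
}
```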


Digital Certificates

 Digital documents that associate an individual with their specific public key
 Data structure containing a public key, details about the key owner, and other optional information, all digitally signed by a trusted third party


Certification Authority (CA)

 The owner of the public key listed in the digital certificate can be identified to the CA in different ways
• By their e-mail address
• By additional information that describes the digital certificate and limits the scope of its use
 Revoked digital certificates are listed in a Certificate Revocation List (CRL), which can be accessed to check the certificate status of other users


Certification Authority (CA) (continued)

 The CA must publish the certificates and CRLs to a directory immediately after a certificate is issued or revoked, so users can refer to this directory to see changes
 Can provide the information in a publicly accessible directory, called a Certificate Repository (CR)
 Some organizations set up a Registration Authority (RA) to handle some CA tasks, such as processing certificate requests and authenticating users
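An added example (not part of the lecture) of the CRL mechanism just described, using only Go's standard library: the CA publishes a signed, numbered CRL, and a relying party checks the CA's signature on it and that it is not past its NextUpdate before looking a certificate's serial number up. The CA name, serial numbers and helper names are constructed for this example, and it assumes Go 1.21 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"slices"
	"time"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// newCA builds a self-signed CA whose key is permitted to sign CRLs (a constructed example CA).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)))), key
}

// publishCRL is the CA side: a signed, numbered CRL (DER) listing the given serials as revoked.
func publishCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, number int64, revoked ...*big.Int) []byte {
	t := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range revoked {
		t.RevokedCertificateEntries = append(t.RevokedCertificateEntries, x509.RevocationListEntry{SerialNumber: s, RevocationTime: time.Now()})
	}
	return must(x509.CreateRevocationList(rand.Reader, t, ca, key))
}

// isRevoked is the relying-party side: reject a CRL that the CA did not sign or that is past
// its NextUpdate, and only then look the certificate's serial number up in the list.
func isRevoked(crlDER []byte, ca *x509.Certificate, serial *big.Int) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, err
	}
	if time.Now().After(crl.NextUpdate) {
		return false, errors.New("CRL is stale: fetch a fresh one from the certificate repository")
	}
	return slices.ContainsFunc(crl.RevokedCertificateEntries,
		func(e x509.RevocationListEntry) bool { return e.SerialNumber.Cmp(serial) == 0 }), nil
}
```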



Understanding Public Key Infrastructure (PKI)

 Weaknesses associated with asymmetric cryptography led to the development of PKI
 A CA is an important trusted party who can sign and issue certificates for users
 Some of its tasks can also be performed by a subordinate function, the RA
 Updated certificates and CRLs are kept in a CR for users to refer to


The Need for PKI

Description of PKI
 Manages keys and identity information required for asymmetric cryptography, integrating digital certificates, public key cryptography, and CAs
 For a typical enterprise:
• Provides end-user enrollment software
• Integrates corporate certificate directories
• Manages, renews, and revokes certificates
• Provides related network services and security
 Typically consists of one or more CA servers and digital certificates that automate several tasks



PKI Standards and Protocols

 A number of standards have been proposed for PKI
• Public Key Cryptography Standards (PKCS)
• X.509 certificate standards


Public Key Cryptography Standards (PKCS)

 Numbered set of standards that have been defined by the RSA Corporation since 1991
 Composed of 15 standards detailed on pages 318 and 319 of the text


X.509 Digital Certificates

 X.509 is an international standard defined by the International Telecommunication Union (ITU) that specifies the format of the digital certificate
 Most widely used certificate format for PKI
 X.509 is used by Secure Sockets Layer (SSL)/Transport Layer Security (TLS), IP Security (IPSec), and Secure/Multipurpose Internet Mail Extensions (S/MIME)

X.509 Digital Certificates (continued)


Trust Models

 Refers to the type of relationship that can exist between people or organizations
 In direct trust, a personal relationship exists between two individuals
 Third-party trust refers to a situation in which two individuals trust each other only because each individually trusts a third party
 The three different PKI trust models are based on direct and third-party trust


Trust Models (continued)

 The web of trust model is based on direct trust
 Single-point trust model is based on third-party trust
• A CA directly issues and signs certificates
 In a hierarchical trust model, the primary or root certificate authority issues and signs the certificates for CAs below it
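To make the hierarchical model concrete, here is an added example (not from the lecture) that builds a root CA, an issuing CA whose certificate the root signs, and an end-user certificate signed by the issuing CA, then verifies the user certificate the way a relying party does once it has stored only the root CA's certificate in its local trust store. All names, serial numbers and the `issue`/`buildChain`/`chainOK` helpers are constructed for this example; it uses only Go's standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func newKey() *ecdsa.PrivateKey   { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue signs a certificate for pub with key; a nil parent means self-signed (the root CA).
func issue(cn string, serial int64, isCA bool, pub any, parent *x509.Certificate, key *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA { // only a CA's key may sign other certificates
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = t
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, key))))
}

// buildChain models the hierarchical trust model: the root CA signs the issuing CA, which signs the user.
func buildChain() (root, inter, leaf *x509.Certificate) {
	rk, ik, lk := newKey(), newKey(), newKey()
	root = issue("Example Root CA", 1, true, &rk.PublicKey, nil, rk)
	inter = issue("Example Issuing CA", 2, true, &ik.PublicKey, root, rk)
	return root, inter, issue("alice@example.test", 3, false, &lk.PublicKey, inter, ik)
}

// chainOK is the relying party's check: only the root certificate is in its local trust store;
// the issuing CA is merely presented alongside the certificate and must itself chain to that root.
func chainOK(root, inter, leaf *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}) // no hostname or EKU restriction here
	return err == nil
}

func main() { fmt.Println("user certificate chains to the trusted root:", chainOK(buildChain())) }
```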


Managing Digital Certificates

 After a user decides to trust a CA, they can download the digital certificate and public key from the CA and store them on their local computer
 CA certificates are issued by a CA directly to individuals
 Typically used to secure e-mail transmissions through S/MIME and SSL/TLS


Managing Digital Certificates (continued)

 Server certificates can be issued from a Web server, FTP server, or mail server to ensure a secure transmission
 Software publisher certificates are provided by software publishers to verify their programs are secure



Certificate Policy (CP)

 Published set of rules that govern operation of a PKI
 Begins with an opening statement outlining its scope
 Should cover at a minimum the topics listed on page 325 of the text


Certificate Practice Statement (CPS)

 More technical document compared to a CP
 Describes in detail how the CA uses and manages certificates
 Covers topics such as those listed on pages 325 and 326 of the text