Public Key Infrastructure (PKI)
Public-key infrastructure (PKI) is the set of hardware, software, people,
policies, and procedures needed to create, manage, store, distribute, and
revoke digital certificates based on asymmetric cryptography.
Purpose of PKI
The purpose for developing a PKI is to enable secure, convenient, and efficient
acquisition of public keys.
PKIX
Public Key Infrastructure X.509 is known as PKIX. The figure shows the PKIX
architectural model.
Figure: Public Key Infrastructure (PKIX)
PKIX Elements
The figure shows the interrelationship among the key elements of the PKIX
model. These elements are:
End entity: A generic term used to denote end users, devices (e.g., servers,
routers), or any other entity that can be identified in the subject field of a
public key certificate.
Certification authority (CA): The issuer of certificates and (usually)
certificate revocation lists (CRLs). It may also support a variety of
administrative functions, although these are often delegated to one or more
Registration Authorities.
Registration authority (RA): An optional component that can assume a number of
administrative functions from the CA. The RA is often associated with the end
entity registration process but can assist in a number of other areas as well.
CRL issuer: An optional component that a CA can delegate to publish CRLs.
Repository: A generic term used to denote any method for storing certificates
and CRLs so that they can be retrieved by end entities.
PKIX Management Functions
PKIX identifies a number of management functions that potentially need to be
supported by management protocols. These are:
Registration: Registration begins the process of enrolling in a PKI. The user
first makes itself known to a CA (directly or through an RA), prior to that CA
issuing a certificate for that user. Registration usually involves some offline
or online procedure for mutual authentication. Typically, the end entity is
issued one or more shared secret keys used for subsequent authentication.
Initialization: Before a client system can operate securely, it is necessary to
install key materials that have the appropriate relationship with keys stored
elsewhere in the infrastructure. For example, the client needs to be securely
initialized with the public key and other assured information of the trusted
CA(s), to be used in validating certificate paths.
Certification: This is the process in which a CA issues a certificate for a
user’s public key, returns that certificate to the user’s client system, and/or
posts that certificate in a repository.
Key Pair Recovery: Key pairs can be used to support digital signature creation
and verification, encryption and decryption, or both. When a key pair is used
for encryption/decryption, it is important to provide a mechanism to recover
the necessary decryption keys when normal access to the keying material is no
longer possible, otherwise it will not be possible to recover the encrypted
data. Key pair recovery allows end entities to restore their
encryption/decryption key pair from an authorized key backup facility
(typically, the CA that issued the end entity’s certificate).
Key Pair Update: All key pairs need to be updated regularly (i.e., replaced
with a new key pair) and new certificates issued. Update is required when the
certificate lifetime expires and as a result of certificate revocation.
Revocation Request: An authorized person advises a CA of an abnormal situation
requiring certificate revocation. Reasons for revocation include private key
compromise, change in affiliation, and name change.
Cross Certification: Two CAs exchange information used in establishing a
cross-certificate. A cross-certificate is a certificate issued by one CA to
another CA that contains a CA signature key used for issuing certificates.
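The following Python sketch is an added example, not part of the original page: it models Initialization (installing a trust anchor), Certification, Revocation Request and Cross Certification, and validates a certificate path through a cross-certificate against signed CRLs. All class and function names, the toy textbook-RSA signatures over public Mersenne primes, and the constructed scenario (CA-A, CA-B, alice) are assumptions made for illustration; validity periods and certificate extensions are left out.

```python
import hashlib  # illustrative model; every name below is hypothetical

def keygen(p, q, e=65537):  # textbook RSA on public primes: toy signatures only
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def _h(msg, n):
    return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big") % n

def sign(priv, msg):
    return pow(_h(msg, priv[0]), priv[1], priv[0])

def verify(pub, msg, sig):
    return pow(sig, pub[1], pub[0]) == _h(msg, pub[0])

def tbs(c):  # the certificate fields the CA signs
    return "|".join(str(c[k]) for k in ("serial", "issuer", "subject", "pubkey"))

class CA:
    def __init__(self, name, p, q):
        self.name, self.serial, self.revoked = name, 0, set()
        self.pub, self._priv = keygen(p, q)

    def issue(self, subject, pubkey):  # Certification
        self.serial += 1
        c = dict(serial=self.serial, issuer=self.name, subject=subject, pubkey=pubkey)
        return dict(c, sig=sign(self._priv, tbs(c)))

    def crl(self):  # signed list of revoked serial numbers
        return sorted(self.revoked), sign(self._priv, f"{self.name}|{sorted(self.revoked)}")

def validate_path(path, anchors, crls):  # path: end-entity certificate first
    for cert, parent in zip(path, path[1:] + [None]):
        key = parent["pubkey"] if parent else anchors.get(cert["issuer"])
        if key is None or (parent and parent["subject"] != cert["issuer"]):
            return "untrusted issuer"
        serials, crl_sig = crls.get(cert["issuer"], ([], 0))
        if not (verify(key, tbs(cert), cert["sig"])
                and verify(key, f"{cert['issuer']}|{serials}", crl_sig)):
            return "bad signature"  # certificate or CRL not signed by the issuer key
        if cert["serial"] in serials:
            return "revoked"
    return "valid"

def demo():  # constructed: client trusts only CA-A; path = [alice, cross-certificate]
    ca_a, ca_b = CA("CA-A", 2**127 - 1, 2**107 - 1), CA("CA-B", 2**127 - 1, 2**89 - 1)
    path = [ca_b.issue("alice", keygen(2**89 - 1, 2**61 - 1)[0]), ca_a.issue("CA-B", ca_b.pub)]
    check = lambda anchors: validate_path(path, anchors, {c.name: c.crl() for c in (ca_a, ca_b)})
    before, no_anchor = check({"CA-A": ca_a.pub}), check({})
    ca_b.revoked.add(path[0]["serial"])  # CA-B accepts a revocation request
    return before, check({"CA-A": ca_a.pub}), no_anchor
```

Calling demo() returns the path status before revocation, after CA-B revokes alice's certificate, and for a client that was never initialized with CA-A's public key.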
PKI Management Protocols
The PKI working group has defined two alternative management protocols.
RFC 2510 defines the certificate management protocols (CMP).
PKI Services allows a CMP client to communicate with it to request, revoke,
suspend and resume certificates.
RFC 2797 defines certificate management messages over CMS.
Here CMS refers to RFC 2630, Cryptographic Message Syntax (CMS).
CMS can encrypt, decrypt, sign and verify, compress and decompress CMS
documents.
Figure: Working of PKIX