PUBLIC KEY INFRASTRUCTURE

Introduction

Asymmetric encryption involves the use of a public and private key. A cryptographic key is a
long string of bits used to encrypt data. The public key is available to anyone who requests it and
is issued by a trusted certificate authority. This public key verifies and authenticates the sender of
the encrypted message. The second component of a cryptographic key pair used in public key
infrastructure is the private, or secret, key. This key is kept private by the recipient of the
encrypted message and used to decrypt the transmission.

Complex algorithms are used to encrypt and decrypt public/private key pairs. The public key
authenticates the sender of the digital message, while the private key ensures that only the
recipient can open and read it.

1. Definition of Public Key Infrastructure

Public key infrastructure (PKI) is a set of tools and procedures that are used to create, manage,
distribute, use, store and revoke digital certificates and manage public-key encryption. PKI is
important for securing data transfers on the internet and authenticating the identities of people or
devices involved in the communication.

Public-key encryption is a method of encrypting data using two keys: a public key and a private
key. The public key is available to anyone who wants to send a message to the owner of the
private key. The private key is only known by the owner and is used to decrypt the message. The
keys are mathematically related but it is very hard to derive the private key from the public key.

A digital certificate is a document that contains information about the identity of an entity (such
as a person or a device) and its public key. A certificate authority (CA) is an entity that issues
and verifies digital certificates. A CA can also revoke or suspend certificates if they are
compromised or expired. A registration authority (RA) is an entity that assists the CA in
identifying and authenticating certificate applicants.
PKI enables various security services such as:

✓ Confidentiality means that only the intended recipient can read the message.
✓ Integrity means that the message has not been altered in transit.
✓ Access control means that only authorized entities can access certain resources.
✓ Authentication means that the sender and receiver can verify each other's identity.
✓ Non-repudiation means that the sender cannot deny sending the message.

The core of a public key infrastructure is trust. It is important for a recipient entity to know
without a doubt that the sender of the digital certificate is exactly who they claim to be.

Digital certificates are also called PKI certificates. A PKI certificate offers proof of identity to a
requesting entity, which is verified by a third party and works like a digital passport or driver’s
license.

The PKI certificate will contain the following:

• Distinguished name (DN) of the owner

• Owner’s public key
• Date of issuance
• Expiration date

Why is PKI used?

One of the most common uses of PKI is the TLS/SSL (transport layer security/secure socket
layer), which secures encrypted HTTP (hypertext transfer protocol) communications.

Website owners will obtain a digital certificate from a trusted CA. To be issued a CA, the owner
of the website will have to prove that they are indeed the actual owner. Once verified, the
website owner can purchase an SSL certificate to install on the web server. This tells the browser
that it is the legitimate website the browser is trying to access.
The TLS/SSL protocol relies on a chain of trust, where the user has to trust the root-certificate
granting authority. An alternative scheme is the web of trust, which uses self-signed certificates
that are validated by a third party. Web of trust is often used in smaller communities of users,
such as within an organization’s self-contained network.

Additional uses for PKI include the following:

▪ Email encryption and authentication of the sender

▪ Signing documents and software
▪ Using database servers to secure internal communications
▪ Securing web communications, such as e-commerce
▪ Authentication and encryption of documents
▪ Securing local networks and smart card authentication
▪ Encrypting and decrypting files
▪ Restricted access to VPNs and enterprise intranets

PKI have some components:

Certificate Authorities (CA)

Certificate authority is the issuer of certificates.

A certificate authority (CA) is the trusted third party responsible for validating the identity of a
person or organization. Once the identity has been verified a certificate server generates a digital
certificate containing the subject's public key. The digital certificate is then digitally signed with
the CA's private key.

Certificate Authorities are real organizations consisting of people and technologies whose job it is
to validate the identity of those seeking digital certificates.
The key functions of a CA are as follows −

Generating key pairs − The CA may generate a key pair independently or jointly with the
client.

Issuing digital certificates − The CA could be thought of as the PKI equivalent of a passport
agency − the CA issues a certificate after client provides the credentials to confirm his identity.
The CA then signs the certificate to prevent modification of the details contained in the
certificate.

Publishing Certificates − The CA need to publish certificates so that users can find them. There
are two ways of achieving this. One is to publish certificates in the equivalent of an electronic
telephone directory. The other is to send your certificate out to those people you think might
need it by one means or another.

Verifying Certificates − The CA makes its public key available in environment to assist
verification of his signature on clients’ digital certificate.

Revocation of Certificates − At times, CA revokes the certificate issued due to some reason
such as compromise of private key by user or loss of trust in the client. After revocation, CA
maintains the list of all revoked certificate that is available to the environment.

Certificate Management System (CMS)

It is the management system through which certificates are published, temporarily or permanently
suspended, renewed, or revoked. Certificate management systems do not normally delete
certificates because it may be necessary to prove their status at a point in time, perhaps for legal
reasons. A CA along with associated RA runs certificate management systems to be able to track
their responsibilities and liabilities.

Validation authority

It is an entity that provides a service used to verify the validity or revocation status of a digital
certificate per the mechanisms described in the X.509 standard and RFC 5280. It is an entity trusted
by the users of the certification services which provides information about the revocation status of
the certificates issued by the ESCB - PKI Certification Authority.
End user

It is a person or entity that uses a digital certificate to verify their identity in order to access secure
systems or data. The basic idea behind PKI is to have one or more trusted parties electronically
sign a document proving that a particular cryptographic key belongs to a specific user or endpoint.
The system then uses the key as an identity for the user or endpoint in enterprise networks

Registration Authorities (RA)

The registration authority (RA) is the component of a PKI which is responsible for accepting
requests for digital certificates and authenticating the person or organization making the request.

Advantage of PKI

✓ Flexibility
✓ Cost Effective
✓ Government approved
✓ Security

Disadvantage of PKI

✓ Maintenance
✓ Requires dedicated IT
✓ Requires backup.

1.1 Trusted Third Party (TTP)

In cryptography, a trusted third party (TTP) is an entity which facilitates interactions
between two parties who both trust the third party; the Third Party reviews all critical
transaction communications between the parties, based on the ease of creating fraudulent
digital content. In TTP models, the relying parties use this trust to secure their own
interactions. TTPs are common in any number of commercial transactions and in
cryptographic digital transactions as well as cryptographic protocols, for example, a
certificate authority (CA) would issue a digital identity certificate to one of the two parties in
the next example. The CA then becomes the Trusted-Third-Party to that certificate’s
issuance. Likewise, transactions that need a third-party recordation would also need a third-
 party repository service of some kind or another. 'Trusted' means that a system needs to be
trusted to act in your interests, but it has the option (either at will or involuntarily) to act
against your interests. 'Trusted' also means that there is no way to verify if that system is
operating in your interests, hence the need to trust it. Corollary: if a system can be verified to
operate in your interests, it would not need your trust. And if it can be shown to operate
against your interests one would not use it. A trusted third party can also help two parties
generate a shared secret key for secure communication.

Example.

Suppose John and Taye wish to communicate securely – they may choose to use cryptography.
Without ever having met Taye, John may need to obtain a key to use to encrypt messages to him.
In this case, a TTP is a third party who may have previously seen Taye (in person), or is
otherwise willing to vouch for that this key (typically in a public key certificate) belongs to the
person indicated in that certificate, in this case, Taye. Let's call this third person Suleman.
Suleman gives Taye's key to John, who then uses it to send secure messages to Taye. John can
trust this key to be Taye's if he trusts Suleman. In such discussions, it is simply assumed that he
has valid reasons to do so (of course there is the issue of John and Taye being able to properly
identify Suleman as Suleman and not someone impersonating Suleman).

1.2 Certification

A public key certificate is an electronic document used to prove the validity of a public key. It
includes information about the key, information about the identity of its owner (called the
subject), and the digital signature of an entity that has verified the certificate’s contents (called
the issuer). Public key certificates form a part of a public key infrastructure (PKI) system that
uses encryption technology to secure messages and data. A public key certificate uses a pair of
encryption keys, one public and one private. Data encrypted with the public key can only be
decrypted with the private key.

Certificate-based encryption is a system in which a certificate authority uses ID-based

cryptography to produce a certificate.
A PKI certificate is a data file that people use to encrypt information and identify users who
request access to it. Many professionals use PKI certificates to protect information on digital
platforms, such as the internet or a private network server.

PKI certificates operate by verifying the identity of users and devices that try to access
information to keep it secure. They can also allow users to encrypt specific data, such as personal
emails, and safely send data to various sources over the internet.

A PKI certificate uses both private keys and public keys. A public key can encrypt information
that professionals want to protect. By contrast, a private key can decrypt data that someone’s
encrypted, so long as the private key matches the public identification number.

Types of PKI certificates

Personal authentication certificates

A personal authentication certificate helps to verify people's identities and add signatures to
online communications. One of the most common uses for a personal authentication certificate is
to sign emails and S/MIME certificates which allow users to share information with others
online.

Using a personal authentication certificate can make these communications more secure by
adding digital signatures and hashing functionalities to these messages. Many companies also
use personal authentication certificates to authenticate their clients digitally.

Document signing certificates

Document signing certificates allow users to secure the documents they share on digital
platforms, such as on the internet or through email.

These certificates work by using a strict process to verify the identity of whoever signs the
document and ensuring that the company they work for authorizes them as a representative.
Then, they use hashing to secure the information in a document by encrypting it with a password
that users have to input in order to access the document.
Code signing certificates

Code signing certificates primarily work by protecting items that people can download, such as
software and executable files. Due to this function, these certificates are often popular in
industries that use software to download and transmit large batches of data, such as publishing
and software development.

Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates

SSL/TLS certificates typically focus on ensuring that any data that users want to transmit over a
web server remains secure. Because of this, people who purchase SSL/TLS certificates are often
business owners who have their own websites or other website owners.

They can then install these certificates directly onto the server where they run their website.
SSL/TLS certificates can also have a few different functions depending on the specific type of
certificate a person chooses. Here are some of the tasks that an SSL/TLS certificate can
complete:

✓ Domain validation
✓ Extended validation
✓ Organization validation
✓ Securing single domains
✓ Securing multi domains
✓ Securing single-level subdomains

How to get a PKI certificate

Here are some steps you can follow to get a PKI certificate:

1. Request the certificate online

The first step in getting a PKI certificate is typically to request one online. While the
exact process for requesting a PKI certificate can vary depending on the source you want
to receive it from, most have similar requirements.
 For example, you typically need to read through regulations about how to use a PKI
certificate and verify that you accept the organization's terms and conditions. There's also
usually a form to fill out and submit that then provides a control number to help users
when installing the PKI certificate on their devices.

2. Install the PKI certificate

When you receive approval for a PKI certificate, the source usually sends it to you via
email. Then, you can save it to your computer to prepare for installation. Installing a PKI
certificate typically involves using the control number from your application form to
access the certificate and importing it as a file into your computer.

Once the file is on your computer, you can review the general settings and confirm the
installation process.

3. Calibrate the security settings

The final step in getting a PKI certificate and preparing it for use is to choose the security
settings you want to follow. This can involve choosing a security level for the certificate, which
users most often set to high in order to maintain cybersecurity.

Then, you can create a unique password for the PKI certificate that can grant access to users who
have it. For example, if you want to access information that the PKI certificate protects from a
different device, you can enter the password when prompted to view your files.

1.3 Key Distribution

Key distribution is the process of generating, storing, exchanging, and revoking cryptographic
keys in a PKI system. Keys are essential for encrypting and decrypting data, as well as signing
and verifying digital certificates. Key distribution can be done in various ways, depending on the
security level required. For instance, a Certificate Authority (CA) is a trusted third party that
issues and validates digital certificates for entities in a network. Additionally, a Key Exchange
Protocol is a set of rules and algorithms that enable two or more entities to establish a shared
secret key over an insecure channel. Examples of such protocols are Diffie-Hellman, RSA, and
Elliptic Curve Cryptography (ECC). Lastly, a Key Management Service (KMS) is a centralized
or decentralized service that generates, stores, distributes, and rotates keys for entities in a
network. It can also provide access control, auditing, and backup functions.

Advantages of key distribution

Key distribution can provide several benefits for identity management and authentication in a
distributed system, such as enhanced security, scalability, and efficiency. It can ensure that only
authorized entities can access and use the keys, and that the keys are protected from unauthorized
disclosure, modification, or loss. Key distribution also enables the use of different keys for
different purposes and domains, reducing the risk of compromise or misuse. Furthermore, it can
support the growth and evolution of a distributed system by allowing new entities to join and
leave the network, updating and revoking keys as needed. Additionally, key distribution can
improve the performance and reliability of a distributed system by reducing the overhead and
latency of encryption and decryption operations, minimizing network traffic and bandwidth
consumption, as well as optimizing storage and computation resources.

Disadvantages of key distribution

Key distribution can present various challenges and limitations for identity management and
authentication in a distributed system. These include complexity, cost, and trust. Complexity is
increased due to the need for additional components, processes, and policies, which can also
introduce errors and vulnerabilities. Cost-wise, key distribution requires more hardware,
software, and personnel resources, which can affect the profitability of a PKI system. Finally,
trust is dependent on the trustworthiness and availability of entities involved in a PKI system.
Additionally, ethical and legal issues may arise from privacy, confidentiality, and accountability
concerns.
 1.4 PKI Topology

PKI topology refers to the structure of PKI system.

PKIs can form different topologies of trust, such as single-root PKI topology and hierarchical
PKI topology.

A single-root PKI topology centrally manages all the certificate which makes it more vulnerable
to threats and attacks. It also requires greater security measures to protect the root certificate
which can be difficult and expensive to manage.

Figure 1.1 Single-root PKI topology

 1.5 Enrollment and Revocation Procedures

Enrollment and Revocation Procedures are two important processes in PKI.

Enrollment is the process of obtaining a digital certificate from certificate authority (CA). The
purpose of a PKI is to manage the public keys used by the network for public key encryption,
identity management, certificate distribution, certificate revocation, and certificate management.
Once enabled, users who enroll for a certificate are identified for later authentication or
certificate revocation.

Revocation is the process of invalidating a certificate before it expires. The enrollment process
involves submitting a certificate request to the CA. The CA certifies the identity of the requester
and issues a digital certificate. Revocation can be done by either the certificate holder or the CA.
The certificate holder can revoke their own certificates if they suspect that their private key has
been compromised. CAs can revoke certificates if they are no longer valid or if the key has been
compromised. Revocation is an important part of a Public Key Infrastructure (PKI) and is
performed by the issuing certificate authority. A certificate revocation list (CRL) is a list of
digital certificates that have been revoked. It is an important component of a PKI system
designed to identify and authenticate users to a shared resource like a Wi-Fi network. In any
large-scale PKI, there will be users whose private keys will be compromised. In order to mitigate
the damage that a key compromise can cause, any certificates associated with a compromised
key should be revoked.