
Public Key Infrastructure

Updated: Apr 8, 2021

NIST SP 800-53 defines PKI as the framework and services that provide for the generation, production, distribution, control, accounting, and destruction of public-key certificates. Components include the personnel, policies, processes, server platforms, software, and workstations used for the purpose of administering certificates and public-private key pairs, including the ability to issue, maintain, recover, and revoke public key certificates.


PKI is a framework built on the X.509 certificate standard (ITU-T X.509, also published as ISO/IEC 9594-8) for binding public keys to identities. It supports several security goals: authentication, confidentiality, non-repudiation, and integrity of the messages exchanged. Note that it is a hybrid system: asymmetric algorithms sign certificates, authenticate the parties, and establish session keys, while symmetric algorithms protect the bulk data. The core function of PKI is to let a relying party positively identify the holder of a public key through a digital certificate.

PKI Core Components

It has three core components:

  1. Registration Authority

  2. Certification Authority

  3. Validation Authority

Registration Authority


A Registration Authority (RA) is a function for certificate enrollment used in Public Key Infrastructures. It is responsible for receiving certificate signing requests – for the initial enrollment or renewals – from people, servers, things, or other applications.

Think of it as the intermediary you contact when you need a digital certificate (for example an SSL/TLS server certificate): it checks that the requester actually controls the private key and is entitled to the name being requested before the CA signs anything.


Certification Authority


In cryptography, a certification authority (CA) is an entity that issues digital certificates. A CA acts as a trusted third party, trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 standard.

A digital certificate is like a passport, and the certification authority is like the passport office.

A passport states who you are and where you are from; a digital certificate does the same job for a server or user on the internet.

On its own, a third-party website cannot be trusted, but when a CA has issued it a certificate, a relying party at least knows which domain (and, for some certificate types, which organisation) it is talking to. Do not take that as more than it is: the certificate identifies where the website comes from, not what the website serves. A malicious site can hold a perfectly valid certificate for its own domain.

The same goes for people: a passport says who the person is, not what they have done.


Validation Authority


A Validation Authority (VA) checks that a certificate is genuine and still valid: that it chains to a trusted CA, that the current time falls inside its validity period, and that it has not been revoked (via a CRL or OCSP).

In public key infrastructure, a validation authority (VA) is an entity that provides a service used to verify the validity of a digital certificate per the mechanisms described in the X.509 standard and RFC 5280 (section 5.3.1, p. 69, for CRL reason codes).
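The three roles above, as an added example that is not part of the original post: a toy PKI written with the Python `cryptography` library, in which the RA vets a CSR against a constructed allow-list, the CA issues a certificate and publishes a CRL carrying an RFC 5280 reason code, and the VA runs the checks a validator must make (issuer, signature, validity period, name binding, revocation). All names, the allow-list policy and the result strings are assumptions made up for the example.

```python
"""Toy PKI: RA vets a CSR, CA issues and revokes, VA validates.
Added example using the `cryptography` library; names and policy are constructed."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc
RA_ALLOWED_DOMAINS = {"www.example.test"}  # constructed RA policy


def _now():
    return datetime.datetime.now(UTC)


def make_ca(common_name="Example Root CA"):
    """CA role: key pair plus self-signed CA certificate (CA:TRUE, keyCertSign, cRLSign)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name).public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(minutes=5))
        .not_valid_after(_now() + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=False, content_commitment=False, key_encipherment=False,
            data_encipherment=False, key_agreement=False, key_cert_sign=True,
            crl_sign=True, encipher_only=False, decipher_only=False), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_csr(domain):
    """Subject role: generate a key pair and a CSR asking for `domain`."""
    key = ec.generate_private_key(ec.SECP256R1())
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, domain)]))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(domain)]), critical=False)
        .sign(key, hashes.SHA256())
    )
    return key, csr


def ra_vet(csr):
    """RA role: proof of key possession (CSR self-signature) plus naming policy."""
    if not csr.is_signature_valid:
        return "rejected: bad CSR signature"
    try:
        san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return "rejected: no SAN"
    names = set(san.get_values_for_type(x509.DNSName))
    if not names or not names <= RA_ALLOWED_DOMAINS:
        return "rejected: name not authorised"
    return "approved"


def ca_issue(ca_key, ca_cert, csr, days=90):
    """CA role: sign an end-entity certificate; only the RA-approved SAN is copied over."""
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return (
        x509.CertificateBuilder()
        .subject_name(csr.subject).issuer_name(ca_cert.subject).public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(minutes=5))
        .not_valid_after(_now() + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(san, critical=False)
        .sign(ca_key, hashes.SHA256())
    )


def ca_revoke(ca_key, ca_cert, serials):
    """CA role: publish a CRL; reason code keyCompromise as in RFC 5280 section 5.3.1."""
    now = _now()
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(now).next_update(now + datetime.timedelta(days=1)))
    for serial in serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now)
            .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False)
            .build())
    return builder.sign(ca_key, hashes.SHA256())


def _validity_window(cert):
    # Older `cryptography` releases only expose naive-UTC not_valid_before/after.
    nvb, nva = getattr(cert, "not_valid_before_utc", None), getattr(cert, "not_valid_after_utc", None)
    if nvb is None:
        nvb = cert.not_valid_before.replace(tzinfo=UTC)
        nva = cert.not_valid_after.replace(tzinfo=UTC)
    return nvb, nva


def va_check(cert, ca_cert, crl, hostname):
    """VA role: issuer, signature, validity period, name binding, then revocation."""
    if cert.issuer != ca_cert.subject:
        return "invalid: wrong issuer"
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "invalid: signature"
    nvb, nva = _validity_window(cert)
    if not nvb <= _now() <= nva:
        return "invalid: outside validity period"
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    if hostname not in san.get_values_for_type(x509.DNSName):
        return "invalid: name mismatch"
    if not crl.is_signature_valid(ca_cert.public_key()):  # never trust an unsigned CRL
        return "invalid: untrusted CRL"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"


def demo():
    """Run the whole enrolment, issuance, validation and revocation flow once."""
    ca_key, ca_cert = make_ca()
    _, bad_csr = make_csr("evil.example.test")
    _, csr = make_csr("www.example.test")
    results = {"ra_bad": ra_vet(bad_csr), "ra_good": ra_vet(csr)}
    cert = ca_issue(ca_key, ca_cert, csr)
    empty_crl = ca_revoke(ca_key, ca_cert, [])
    results["before"] = va_check(cert, ca_cert, empty_crl, "www.example.test")
    results["wrong_host"] = va_check(cert, ca_cert, empty_crl, "mail.example.test")
    crl = ca_revoke(ca_key, ca_cert, [cert.serial_number])
    results["after"] = va_check(cert, ca_cert, crl, "www.example.test")
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The VA checks are ordered so that the cheapest, most decisive failures come first; a second CA with the same subject name but a different key passes the issuer check and then fails on signature, which is the case the signature verification exists for.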





Illustration copied from Wikipedia


Resources


https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

https://tools.ietf.org/html/rfc5280#section-5.3.1


