Public Key Infrastructure

A Public Key Infrastructure (PKI) is a comprehensive system that manages digital certificates through hardware, software, and policies, enabling secure communication via asymmetric key pairs. Certificates, primarily based on the X.509 standard, bind public keys to user identities and are issued by Certificate Authorities (CAs), which verify user identities and facilitate secure connections. PKIX outlines essential PKI services, including registration, certification, key management, and revocation, ensuring the integrity and trustworthiness of digital communications.

Uploaded by

maheshlondhe873

Public Key Infrastructure:

A public key infrastructure (PKI) is an entire system of hardware and software, policies and procedures, and people. It is used to create, distribute, manage, store, and revoke digital certificates. The PKI is all-encompassing: it includes users, client computers, servers, services, and, most of all, encryption. PKI creates asymmetric key pairs, a public key and a private key: the private key is kept secret, whereas the public key can be distributed.

If the key pair is generated at a server, it is considered centralized, and the public key is distributed as needed. If the key pair is generated at a local computer, it is considered decentralized, and the keys are not distributed; instead, they are used by that local system.

An example of public key usage would be a certificate obtained by a web browser during an encrypted session with an e-commerce website. An example of private key usage would be when a user needs to encrypt the digital signature of a private e-mail. The difference is the level of confidentiality: the public key certificate obtained by the web browser is public and might be obtained by thousands of individuals, whereas the private key used to encrypt the e-mail is not to be shared with anyone.

Certificates:

Certificates are digitally signed electronic documents that bind a public key to a user identity. The identity information might include a person's name and organization, or other details relevant to the user to whom the certificate is to be issued.

Most certificates are based on the X.509 standard, which is a common PKI standard developed by the ITU-T that often incorporates the single sign-on authentication method. This way, a recipient of a single X.509 certificate has access to multiple resources, possibly in multiple locations.

Components of an X.509 certificate include the following:
• Owner (user) information, including their public key
• Certificate authority information, including its name, digital signature, serial number, issue and expiration dates, and version

Certificate Authorities:

A certificate authority (CA) is the entity (usually a server) that issues certificates to users. In a PKI system that uses a CA, the CA is known as a trusted third party. Most PKI systems use a CA. The CA is also responsible for verifying the identity of the recipient of the certificate.

The user and the website are the two parties attempting to communicate. The CA is a third party that negotiates the security of the connection between the user and the website.

For a user to obtain a certificate from a CA, the user must present two items of information: the first is proof of the user's identity; the second is a public key. This public key is then matched to the CA's private key, and, if successful, the certificate is granted to the user.

X.509/PKIX Certificate:

X.509 certificates are used to authenticate clients and servers. The most common use case is for web servers using HTTPS. The Internet Engineering Task Force (IETF) formed the Public Key Infrastructure X.509 (PKIX) working group. This extends the basic philosophy of the X.509 standard and specifies how digital certificates can be deployed on the Internet.

PKIX Services

PKIX identifies the primary goals of a PKI infrastructure in the form of the following broad-level services:
• Registration: The process by which an end-entity (subject) makes itself known to a CA. Usually, this is via an RA.
• Initialization: This deals with basic problems, such as how the end-entity can be sure that it is talking to the right CA. We have seen how this can be tackled.
• Certification: In this step, the CA creates a digital certificate for the end-entity and returns it to the end-entity, maintains a copy for its own records, and also copies it to public directories, if required.
• Key pair recovery: Keys used for encryption may need to be recovered at a later date for decrypting old documents. Key archival and recovery services can be provided by a CA or by an independent key recovery system.
• Key Generation: PKIX specifies that the end-entity should be able to generate private and public key pairs, or the CA/RA should be able to do this for the end-entity (and then distribute these keys securely to the end-entity).
• Key Update: This allows a smooth transition from one expiring key pair to a fresh one, by the automatic renewal of digital certificates. However, there is also provision for a manual digital certificate renewal request and response.
• Cross-Certification: Helps establish trust models, so that end-entities certified by different CAs can cross-verify each other.
• Revocation: PKIX provides support for checking certificate status in two modes: online (using OCSP) or offline (using CRL).
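The issuance flow described under Certificate Authorities and the registration, certification, and key-generation services listed above, as an added Go example using only the standard library (this is not code from the original notes): the CA's self-signed trust anchor, issuance of a server certificate for a public key whose private half stays with the subject, and the relying party's chain and host-name check. The names Example Root CA and www.example.com are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must keeps the example short: any failure in this demo is fatal.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewCA is the trusted third party: a key pair plus a self-signed certificate
// that relying parties install as their trust anchor (CA name is constructed).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject:   pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:      true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// Issue is certification: having checked the subject's identity out of band, the
// CA binds it to the presented public key with its own signature; it never sees the private key.
func Issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, pub *ecdsa.PublicKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:   pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(12 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey))
	return must(x509.ParseCertificate(der))
}

// Trusted is the relying party's check: the leaf must chain to the trust
// anchor and be valid for this host name right now.
func Trusted(ca, leaf *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```

A certificate for the wrong host name, or one signed by a CA that is not in the relying party's root pool, fails the Trusted check even though it is a perfectly well-formed X.509 certificate.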
