Public Key Infrastructure

Updated Jan 30, 2024 ·

Trust Models

Trust models define how trust is established and managed in a system or network. They provide a framework for determining the authenticity and integrity of entities, such as users, devices, or services.

Centralized Trust Model

In a centralized trust model, trust is placed in a central authority, such as a Certificate Authority (CA) in a Public Key Infrastructure (PKI).

The CA issues digital certificates that bind public keys to identities.
Entities trust the CA to verify the authenticity of certificates.

Public Key Infrastructure (PKI)

Centralized trust model used to establish and manage trust in a networked environment.
Trusted CA issue digital certificates that bind public keys to identities.
Validates authenticity and integrity of digital certificates during secure communications.
Hierarchical structure; Root CA at the top and subordinate CAs under the root CA's authority.
Widely used in securing network communications, such as HTTPS.

Decentralized Trust Model

In a decentralized trust model, trust is distributed among multiple entities without relying on a central authority.

Often used in peer-to-peer networks or blockchain systems.
Trust is established through consensus mechanisms or cryptographic algorithms.
Example: Blockchain technology, distributed ledger systems.

Web of Trust

It simply isn't possible to personally meet everyone that you want to exchange messages with.
A specific implementation of the decentralized trust model.
Used in PGP (Pretty Good Privacy) encryption software and similar systems.
Users vouch for each other's public keys by signing them with their own private keys.
Trust is based on the network of trust relationships between users, rather than a centralized authority.
Trust is transitive; If user A trusts user B and user B trusts user C, then user A can also trust user C.

Public Key Infrastructure (PKI)

Public Key Infrastructure or PKI is a combination of software, encryption technologies, processes, and services that enables an organization to secure its communications and business transactions.

Based on Asymmetric Encryption
A system that creates the asymmetrical key pairs used in encryption and decryption process.
Provide confidentiality, integrity, access control, authentication, and non-repudiation.

As a recap:

Requirement	Description	PKI Solution
Confidentiality	The secure transmission of information over networks ensuring that it is not accessed by unauthorised individuals	Data encryption
Integrity	To validate that all the outputs are equivalent to the inputs. Any alter of the data can be immediately detected and prevented.	Digital signatures
Authenticity	Both the sender and recipient should be able to validate each other's identities.	Hash algorithms, message digests, digital signatures
Non-repudiation	To ensure that the sender or receiver of a message cannot deny either sending or receiving such a message in future.	Digital signatures, audit logs
Availability	Information should be consistently and readily accessible for authorized parties. Involves properly maintaining hardware and technical infrastructure and systems that hold and display the information.	Redundancy

Components

Certificate Authority (CA)

Primary component of a PKI. The CA server is used for issuing certificates for users, applications, and other CAs as well. In the CA server, the following are configured:

Policies
Rules
Conditions fo the certificates
Hierarchy of the CAs:
- Root CA
- Subordinate CA)
Subordinate CA is also known as Issuing CA

Hierarchical Structure:

How it works:

Root CA is precious, usually taken offline.
Intermediate CAs do all the hardwork.
User requests presents the digital certificates to the intermediate CAs.
The intermediate CAs performs the confirmations themselves.

Registration Authority (RA)

A Registration Authority (RA) is an entity responsible for authenticating and verifying the identities of individuals or organizations before they are issued digital certificates by a Certificate Authority (CA).

Verifies identity of certificate applicants through interviews, or background checks.
Collects and processes documentation from certificate applicants to establish their identity.
Receives certificate requests from users and validates the information provided.
Approved requests are forwarded to the CA for certificate issuance.
Maintains records of requests and approvals for auditing and accountability purposes.

Key Escrow

Refers to the process where the user's private keys are stored in a secure, third-party location, which is effectively an "escrow".

Key escrows can be set up using key escrow agents.
In case of any investigation, keys can be retrieved from the escrow.
Ensures encrypted data is always accessible.
Access is strongly regulated.
At least two administrators are required when taking out the key from the escrow.

Key Recovery Agent

Key recovery agents are specialized type of software that allows the restoration of a lost or corrupted keys.

Useful in case of major incidents or disasters

Digital Certificates

Digital certificates are digitally signed electronic document that binds a public key with a user's identity.

Purchased from the CA
Electronic documents binding identity to public key
Provide authentication, encryption, integrity
Commonly uses X.509 protocol standard.

This certificates contains:

User's info like name and organization
Digital signature
Serial number for the certificate
Issue and expiration date
Version of the certificate
Public key
Information about the CA

As an example, we can see the digital certificates for both Goole and Apple's websites below:

We can see that Google uses ECC certificates while Apple uses RSA public certificates.

Google is heavily focused on mobile devices.
Mobile devices have less processing power.
ECC has smaller 256-bits key size, while RSA has 2048-bits key size.
ECC public certificates are favored for mobile and low favor devices.
RSA public certificates are favored for desktops.

Certificate Signing Requests (CSRs)

A Certificate Signing Request (CSR) is a message sent from an applicant to a Certificate Authority (CA) to apply for a digital certificate. CSRs are typically generated by the entity requesting the digital certificate, such as a website owner or an organization's IT department.

Public Key: Key that will be included in the digital certificate.
Identity Information: Common name (CN), organization name, country.
Key Information: Cryptographic algorithm and key size to be used in the digital certificate.
Signature: Signed by the private key corresponding to the public key.

Once the CSR is submitted to the CA:

The CA verifies the information provided.
The information is used to generate the digital certificate.
The digital certificate is issued and returned to the entity.
Issued certs can be installed on the entity's server for secure communications.

Certificate Templates

Certificate templates are predefined formats or structures that specify the key attributes and parameters for creating digital certificates.

Streamline the certificate issuance process.
Specify key usage, validity, attributes
Allow customization to meet specific organizational needs
Ensure consistency and compliance.
Example is EFS - Encrypted File System

Certificate Revocation Standards

Certificate revocation is the process of invalidating a previously issued digital certificate before its expiration date. Several standards and protocols facilitate the certificate revocation process in a Public Key Infrastructure (PKI) environment:

Certificate Revocation List (CRL)
Online Certificate Status Protocol (OCSP)
Delta CRL
OCSP Stapling

Resources

Public Key Infrastructure (PKI) and other Concepts in Cryptography for CISSP Exam

Trust Models​

Centralized Trust Model​

Decentralized Trust Model​

Public Key Infrastructure (PKI)​

Components​

Certificate Authority (CA)​

Registration Authority (RA)​

Key Escrow​

Key Recovery Agent​

Digital Certificates​

Certificate Signing Requests (CSRs)​

Certificate Templates​

Certificate Revocation Standards​

Resources​