Public Key Infrastructure
Trust Models
Trust models define how trust is established and managed in a system or network. They provide a framework for determining the authenticity and integrity of entities, such as users, devices, or services.
Centralized Trust Model
In a centralized trust model, trust is placed in a central authority, such as a Certificate Authority (CA) in a Public Key Infrastructure (PKI).
- Trust is placed in a central authority
- CA issues digital certificates linking public keys to identities
- Entities rely on the CA to validate authenticity
Public Key Infrastructure (PKI)
- Uses a centralized trust model to manage secure communications
- Trusted CAs issue certificates to confirm identities
- Ensures authenticity and integrity of certificates during exchanges
- Structured hierarchically: Root CA at the top, subordinate CAs below
- Commonly used in securing networks, including HTTPS connections
The centralized model simplifies trust management by relying on a single authority, but the security of the system depends entirely on that authority’s reliability.
Decentralized Trust Model
A decentralized trust model spreads trust across multiple participants instead of relying on a central authority.
- Common in peer-to-peer networks and blockchain systems
- Trust is built using consensus mechanisms or cryptographic proofs
- Example: blockchain and distributed ledger technologies
Web of Trust
- Uses decentralized trust where users validate each other’s keys
- Used in PGP (Pretty Good Privacy) and similar encryption tools
- Users sign each other’s public keys, creating a network of trust
- Trust is transitive: if A trusts B and B trusts C, A can also trust C
This model removes dependence on a single authority, making trust more distributed and resilient.
Public Key Infrastructure (PKI)
Public Key Infrastructure or PKI is a combination of software, encryption technologies, processes, and services that enables an organization to secure its communications and business transactions.
- Uses asymmetric encryption with public and private key pairs
- Generates and manages keys for encryption and decryption
- Ensures confidentiality, integrity, authentication, access control, and non-repudiation
As a recap:
| Requirement | Description | PKI Solution |
|---|---|---|
| Confidentiality | The secure transmission of information over networks ensuring that it is not accessed by unauthorised individuals | Data encryption |
| Integrity | To validate that all the outputs are equivalent to the inputs. Any alter of the data can be immediately detected and prevented. | Digital signatures |
| Authenticity | Both the sender and recipient should be able to validate each other's identities. | Hash algorithms, message digests, digital signatures |
| Non-repudiation | To ensure that the sender or receiver of a message cannot deny either sending or receiving such a message in future. | Digital signatures, audit logs |
| Availability | Information should be consistently and readily accessible for authorized parties. Involves properly maintaining hardware and technical infrastructure and systems that hold and display the information. | Redundancy |
Components
Certificate Authority (CA)
Primary component of a PKI. The CA server is used for issuing certificates for users, applications, and other CAs as well. In the CA server, the following are configured:
- Policies
- Rules
- Conditions fo the certificates
- Hierarchy of the CAs:
- Root CA
- Subordinate CA)
- Subordinate CA is also known as Issuing CA
Hierarchical Structure:
How it works:
- Root CA is precious, usually taken offline.
- Intermediate CAs do all the hardwork.
- User requests presents the digital certificates to the intermediate CAs.
- The intermediate CAs performs the confirmations themselves.
Certificate chains in PKI establish trust by linking a website's certificate to a trusted root CA through one or more intermediate CAs. A missing intermediate CA breaks the chain, preventing the browser from verifying the website's certificate.
Registration Authority (RA)
A Registration Authority (RA) is an entity responsible for authenticating and verifying the identities of individuals or organizations before they are issued digital certificates by a Certificate Authority (CA).
- Verifies identity of certificate applicants through interviews, or background checks.
- Collects and processes documentation from certificate applicants to establish their identity.
- Receives certificate requests from users and validates the information provided.
- Approved requests are forwarded to the CA for certificate issuance.
- Maintains records of requests and approvals for auditing and accountability purposes.
Key Escrow
Refers to the process where the user's private keys are stored in a secure, third-party location, which is effectively an "escrow".
- Key escrows can be set up using key escrow agents.
- In case of any investigation, keys can be retrieved from the escrow.
- Ensures encrypted data is always accessible.
- Access is strongly regulated.
- At least two administrators are required when taking out the key from the escrow.
Key Recovery Agent
Key recovery agents are specialized type of software that allows the restoration of a lost or corrupted keys.
- Useful in case of major incidents or disasters
Digital Certificates
Digital certificates are digitally signed electronic document that binds a public key with a user's identity.
- Purchased from the CA
- Electronic documents binding identity to public key
- Provide authentication, encryption, integrity
- Commonly uses X.509 protocol standard.
This certificates contains:
- User's info like name and organization
- Digital signature
- Serial number for the certificate
- Issue and expiration date
- Version of the certificate
- Public key
- Information about the CA
As an example, we can see the digital certificates for both Goole and Apple's websites below:
We can see that Google uses ECC certificates while Apple uses RSA public certificates.
- Google is heavily focused on mobile devices.
- Mobile devices have less processing power.
- ECC has smaller 256-bits key size, while RSA has 2048-bits key size.
- ECC public certificates are favored for mobile and low favor devices.
- RSA public certificates are favored for desktops.
Certificate Signing Requests (CSRs)
A Certificate Signing Request (CSR) is a message sent from an applicant to a Certificate Authority (CA) to apply for a digital certificate. CSRs are typically generated by the entity requesting the digital certificate, such as a website owner or an organization's IT department.
-
Public Key: Key that will be included in the digital certificate.
-
Identity Information: Common name (CN), organization name, country.
-
Key Information: Cryptographic algorithm and key size to be used in the digital certificate.
-
Signature: Signed by the private key corresponding to the public key.
Once the CSR is submitted to the CA:
- The CA verifies the information provided.
- The information is used to generate the digital certificate.
- The digital certificate is issued and returned to the entity.
- Issued certs can be installed on the entity's server for secure communications.
Certificate Templates
Certificate templates are predefined formats or structures that specify the key attributes and parameters for creating digital certificates.
- Streamline the certificate issuance process.
- Specify key usage, validity, attributes
- Allow customization to meet specific organizational needs
- Ensure consistency and compliance.
- Example is EFS - Encrypted File System
Certificate Revocation Standards
Certificate revocation is the process of invalidating a previously issued digital certificate before its expiration date. Several standards and protocols facilitate the certificate revocation process in a Public Key Infrastructure (PKI) environment:
- Certificate Revocation List (CRL)
- Online Certificate Status Protocol (OCSP)
- Delta CRL
- OCSP Stapling