Public Key Infrastructure

Public key infrastructure (PKI) is a framework that consists of hardware, software, and policies that exist to manage, create, store, and distribute keys and digital certificates. Although PKI is not needed for small groups, exchanging keys becomes difficult as the groups become bigger. To respond to this need, PKI was developed. The components of the PKI framework include the following:

• The Certificate Authority (CA) A function maintained by a person or group that is used to issue certificates to authorized users. The CA creates and signs the certificate. The CA is the one that guarantees the authenticity of the certificate.
• The Certificate Revocation List (CRL) The CA maintains the CRL list. The list is signed to verify its accuracy, and the list is used to report problems with certificates. When requesting a digital certificate, anyone can check the CRL to verify the certificates integrity. A compromised certificate or one that has been revoked before its expiration data will be reported through by the CRL
• The Registration Authority (RA) Reduces the load on the CA. The RA cannot generate a certificate, but it can accept requests, verify an owner's identity, and pass along the information to the CA for certificate generation.
• Certificate Server The certificate server maintains the database of stored certificates.
• X.509 Standard The accepted standard for digital certificates. An X.509 certificate includes the following elements:

  Version

  Serial Number

  Algorithm ID

  Issuer

  Validity

  • Not Before
  • Not After

  Subject

  Subject Public Key Info

  • Public Key Algorithm
  • Subject Public Key

  Issuer Unique Identifier (Optional)

  Subject Unique Identifier (Optional)

  Extensions (Optional)

Trust Models

Trust isn't a problem in small organizations, but when you need to communicate within large organizations, with external clients, and third parties, it's important to develop a working trust model. Organizations typically follow one of several well-known trust models. Three of the most common include

• Single-authority trust
• Hierarchical trust
• Web of trust

Single Authority

A single authority trust model uses a single third-party central agency. This agency provides the trust, the authority, and any keys issued by that authority. An example of this is shown in Figure 12.9.

Figure 12.9. Single trust model.

Hierarchical Trust

The hierarchical trust is actually a rather common model. It is based on the principle that people know one common entity in which they truly trust. This top layer of trust is known as the root CA. The root CA can issue certificates to intermediate CAs. Intermediate CAs issue certificates to leaf CAs. Leaf CAs issue certificates to users. An example of this is shown in Figure 12.10.

Figure 12.10. Hierarchical trust model.

Web of Trust

A web of trust consists of many supporters that sign each other's certificates. Users are validated on the knowledge of other users. PGP is an example of an application that uses the web of trust model. A vulnerability of the web of trust is that a malicious user can sign bad or bogus keys and endanger the entire group. An example of the web of trust can be seen in Figure 12.11.

Figure 12.11. Web of trust model.