Chapter 14 Notes
Asymmetric Encryption Algorithms:
• Digital Signature Algorithm (DSA)
• Diffie-Hellman (DH)
• Elliptic Curve Cryptography (ECC)
• The sender creates a hash to identify the message
• The sender then encrypts the hash with his private key and appends it to the message
• The recipient decrypts the hash with the sender’s public key and re-computes that value to verify the integrity of the message.
• Certificate Authority (CA): Trusted third party that signs the public keys in the PKI system.
• Certificate: Issued by the CA to bind a user or device to a public key.
Components of PKI:
• CA to provide management of keys
• PKI users and/or devices
• Storage and protocols
• Supporting organizational framework and user authentication through Local Registration Authorities (LRA).
• Supporting legal framework
• Single Root CA: centrally administered, single point of failure, and difficult to scale
• Hierarchical CA: delegation and distribution of trust, certification paths
• Cross-Certified CAs: horizontal trust relationship
PKI Keys: Users are given two pairs of keys. One is used for encryption and the other is used for signing. Two certificates validate each of the two public keys from the two key pairs.
Usage of PKI Keys:
• Signing keys may be used less and therefore can have a longer lifetime
• In a key recovery scheme, the option exists for only the encryption private key to be backed up
• Different key lengths and algorithms can be used for different key pairs in order to fulfill legal requirements.
RA Offloading: In order to secure the CA, as well as to reduce CA overload, many key management tasks can be offloaded to RAs. RAs can handle:
• Enrollment and authentication of users
• Key generation for users who do not have generation capabilities
• Distribution of certificates after enrollment
X.509v3 Usage and Applications: X.509v3 is an IETF industry standard for basic PKI including certificate and certificate revocation list (CRL) formats. It is widely used in many applications including:
• SSL web authentication
• S/MIME encrypted email
• IPSec VPNs
• Client certificates
• PKCS #7: Defines the syntax of cryptographic protected messages, specifically, it is widely used in S/MIME email.
• PKCS #10: Defines certification request syntax.
Simple Certificate Enrollment Protocol (SCEP):
• Client creates certificate request according to PKCS #10
• The request is enveloped in PKCS #7 and sent to the officiating RA or CA
• When received by the RA or CA, it is either automatically or manually accepted or rejected.
Identity Management: In PKI, identity management is gained through the CA acting as a trusted third party and the X.509 standard which describes how to store an authentication key. The CA certificate contains the following:
• The CA’s identify
• The CA’s public key
• The signature encrypted with the CA’s private key
• Parameters including serial numbers, algorithms used, and validation fields
PKI Unique Authentication Characteristics:
• Authentication begins with each party obtaining the CA’s certificate as well as their own certificates.
• True non-repudiation is provided through public/private key pairs.
Caveats of Using PKI:
• A user’s certificate is compromised (private key is stolen): A CRL must be kept, and users must be informed of CRL parameters
• The CA’s root certificate is compromised: An Authority Revocation List is needed and the entire PKI system must be updated.
• The CA administrator must follow strict rules for the certification enrollment process and must use additional out of band authentication procedures.