1. Public Key Infrastructure (PKI)
Two major frameworks exist:
1. X.509
2. PGP (Pretty Good Privacy).
>Certificate management systems:
(i) certification, (ii) issuance, (iii) revocation.
>Act as a trusted third party.
<> X.509 is more popular and
<> it fits the corporate model well.
//It is like a certificate authority (CA).//
2. Certificate Authority (CA)
Issues a digital certificate to users:
It certifies the public keys of users.
It must validate the applicant's identity before issuing a certificate.
The CA must verify that the applicant has the matching private key.
Distribution:
<> Digital certificates are not secret.
<> On the contrary, they should be widely advertised.
3. Certificate Authority (CA)
Certificate Revocation:
A certificate is valid during the dates mentioned on the certificate.
A CA can revoke a certificate prematurely.
//for various reasons, e.g., the CA's or the applicant's private key was compromised.//
Revoked certificates cannot be used.
Revoked certificates are placed on a Certificate Revocation List (CRL).
A certificate user must verify the certificate before relying on it.
4. X.509 Certificate Data Structure
Version: v1, v2, or v3.
Serial #: a unique number.
Signature method: The method used to sign the digital certificate (e.g., RSA).
Issuer name: The entity whose private key signed the certificate.
Valid time period: begin time and end time.
Subject name: The entity whose public key is included in the certificate.
Subject's public key: the public key and the public key method.
5. Challenge-Response Protocol
The CA must authenticate/verify an applicant before issuing it a digital certificate.
//involves checking whether the applicant has the matching private key.//
1. CA -> A : Epub-keyA(FivePM => Class over)
2. A decrypts it with its private key, and
3. A -> CA : (Class over => FivePM).
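The three steps above, written out as an added example (not code from the original slides) in Go, whose standard library carries the RSA primitives needed. The CA encrypts a challenge under the public key the applicant claims, the applicant decrypts it with the private key, and the CA checks the answer. The slide's toy message "FivePM => Class over" is replaced here by a fresh random nonce, so that a recorded answer cannot be replayed against the CA later; the OAEP label string, the type names and the 2048-bit key size are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// oaepLabel binds ciphertexts to this protocol so a challenge cannot be
// confused with other RSA-OAEP traffic under the same key (constructed constant).
var oaepLabel = []byte("ca-proof-of-possession")

// Applicant is the party asking the CA to certify its public key.
type Applicant struct{ priv *rsa.PrivateKey }

func NewApplicant(bits int) (*Applicant, error) {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &Applicant{priv: k}, nil
}

// PublicKey is what the applicant submits to the CA for certification.
func (a *Applicant) PublicKey() *rsa.PublicKey { return &a.priv.PublicKey }

// Respond is step 2: only the matching private key can recover the plaintext.
func (a *Applicant) Respond(challenge []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, a.priv, challenge, oaepLabel)
}

// Challenge is step 1: the CA encrypts a fresh random nonce under the public key
// the applicant claims to own. Freshness is what makes a recorded answer useless.
func Challenge(pub *rsa.PublicKey) (nonce, ciphertext []byte, err error) {
	nonce = make([]byte, 32)
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	ciphertext, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, nonce, oaepLabel)
	return nonce, ciphertext, err
}

// Check is step 3: compare the applicant's answer with the nonce in constant time.
func Check(nonce, answer []byte) bool {
	return subtle.ConstantTimeCompare(nonce, answer) == 1
}

// ProveKeyPossession runs the whole exchange from the CA's point of view;
// the CA issues a certificate for pub only when this returns true.
func ProveKeyPossession(pub *rsa.PublicKey, respond func([]byte) ([]byte, error)) (bool, error) {
	nonce, ct, err := Challenge(pub)
	if err != nil {
		return false, err
	}
	answer, err := respond(ct)
	if err != nil {
		// OAEP decryption under the wrong private key fails: the applicant does not hold the key.
		return false, nil
	}
	return Check(nonce, answer), nil
}

func main() {
	alice, _ := NewApplicant(2048)
	mallory, _ := NewApplicant(2048)
	ok, _ := ProveKeyPossession(alice.PublicKey(), alice.Respond)
	fmt.Println("alice proves possession of her own key:", ok)
	ok, _ = ProveKeyPossession(alice.PublicKey(), mallory.Respond)
	fmt.Println("mallory claiming alice's public key:", ok)
}
```

The second run in main shows the failure mode the slide is guarding against: someone who submits another party's public key cannot decrypt the challenge, so the CA never certifies a key whose private half the applicant does not hold.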
6. Flow of Trust
Root CA:
Each X.509 PKI implementation has a root CA.
There may be a network of CAs (each can issue a digital certificate).
Self-signed Certificates:
A certificate that is signed by the entity it certifies (the root CA signs its own certificate).
Can be trusted without any additional verification.
<> A certificate signed by the root CA is trusted by everyone.
7. Why is X.509 Very Popular?
Easy to bring a new person into the system.
<> The root CA issues the new person a digital certificate and gives him a copy of the root CA's certificate (public key).
<> That is all that is needed to bring a new person into the trusted network.
<> The new person can retrieve any other person's certificate and get his key.
<> Likewise, any other person can retrieve the new person's certificate and get his key.
8. Subordinate CAs
A root CA can outsource registration and distribution of certificates.
<> A sub-CA can distribute certificates issued by the root CA.
<> A sub-CA can also be authorized to issue certificates to users.
//signed by the sub-CA's private key.//
<> The structure of CAs depends upon the organization's needs and applications.
9. Subordinate CAs
Chaining trust from the root CA:
<> If a sub-CA is issuing a certificate, the receiver (say Bob) of this certificate verifies its validity as follows:
1. Bob obtains the root CA's public key from its certificate.
2. Bob verifies the sub-CA's certificate and obtains its public key (using the root CA's public key).
3. Using the sub-CA's public key, Bob verifies the received certificate and obtains the public key contained in it.
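Bob's three steps, together with the validity-period and revocation checks from slides 3 and 4, as an added example (not code from the original slides) in Go, whose standard library implements X.509 certificates and CRLs. The example builds a constructed hierarchy of a self-signed root CA, a sub-CA certified by the root, and a user certificate for "alice" issued by the sub-CA, then verifies the user certificate starting from nothing but the root's certificate. The names, serial numbers, validity periods and the P-256 key choice are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed three-level hierarchy: self-signed root, sub-CA signed
// by the root, and a user certificate for "alice" signed by the sub-CA.
type PKI struct {
	Root, Sub, Leaf *x509.Certificate
	subKey          *ecdsa.PrivateKey // kept so the sub-CA can later sign a CRL
	CRL             []byte            // DER CRL issued by the sub-CA; nil until Revoke is called
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign creates a certificate from tmpl, signed by signer under parent
// (parent == tmpl yields a self-signed certificate).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// caTemplate fills the slide-4 fields for a CA certificate (serial, subject, validity).
func caTemplate(serial int64, cn string, now time.Time, years int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now,
		NotAfter:              now.AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func BuildPKI(now time.Time) *PKI {
	rootKey, subKey, aliceKey := newKey(), newKey(), newKey()
	rootTmpl := caTemplate(1, "Example Root CA", now, 10)
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed root
	sub := sign(caTemplate(2, "Example Sub CA", now, 5), root, &subKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "alice"},
		NotBefore:    now,
		NotAfter:     now.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leaf := sign(leafTmpl, sub, &aliceKey.PublicKey, subKey) // issued by the sub-CA
	return &PKI{Root: root, Sub: sub, Leaf: leaf, subKey: subKey}
}

// Revoke has the sub-CA publish a CRL listing Alice's serial number.
func (p *PKI) Revoke(now time.Time) {
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now,
		NextUpdate: now.AddDate(0, 0, 7),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: p.Leaf.SerialNumber, RevocationTime: now},
		},
	}, p.Sub, p.subKey)
	if err != nil {
		panic(err)
	}
	p.CRL = der
}

// VerifyAsBob follows the slide's three steps: trust only the root, verify the
// sub-CA certificate with the root's public key, verify the user certificate
// with the sub-CA's public key, then check the validity dates and the CRL.
// It returns the public key Bob may now use for Alice.
func VerifyAsBob(p *PKI, at time.Time) (*ecdsa.PublicKey, error) {
	// Steps 1-2: the only key Bob trusts a priori is the root's, taken from p.Root.
	if err := p.Sub.CheckSignatureFrom(p.Root); err != nil {
		return nil, fmt.Errorf("sub-CA certificate not signed by root: %w", err)
	}
	// Step 3: the (now verified) sub-CA key must have signed Alice's certificate.
	if err := p.Leaf.CheckSignatureFrom(p.Sub); err != nil {
		return nil, fmt.Errorf("user certificate not signed by sub-CA: %w", err)
	}
	// Slide 3: a certificate is valid only between its begin and end times.
	for _, c := range []*x509.Certificate{p.Root, p.Sub, p.Leaf} {
		if at.Before(c.NotBefore) || at.After(c.NotAfter) {
			return nil, fmt.Errorf("%s not valid at %s", c.Subject.CommonName, at.Format(time.RFC3339))
		}
	}
	// Slide 3: a certificate on the issuer's CRL must not be used.
	if p.CRL != nil {
		crl, err := x509.ParseRevocationList(p.CRL)
		if err != nil {
			return nil, err
		}
		if err := crl.CheckSignatureFrom(p.Sub); err != nil {
			return nil, fmt.Errorf("CRL not signed by sub-CA: %w", err)
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(p.Leaf.SerialNumber) == 0 {
				return nil, fmt.Errorf("certificate serial %s is revoked", rc.SerialNumber)
			}
		}
	}
	return p.Leaf.PublicKey.(*ecdsa.PublicKey), nil
}
```

The explicit CheckSignatureFrom calls mirror the slide's numbering; in production code the same steps 1 to 3 plus the date check are done in one call to the leaf's Verify method with x509.VerifyOptions holding the root in Roots and the sub-CA in Intermediates, but revocation still has to be checked separately, as above, because the library does not consult CRLs for you.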