Digital Certificates and PKI


  • A smart card is programmed with:
    • an encryption key pair
    • and a digital certificate
      • issued by the authenticating domain
  • digital certificate is used to authenticate machines when using TLS
    • certificate can be installed on a web server or email server to
      • validate its identity
      • establish a secure transmission channel
  • digital certificates depend on public key cryptography
    • aka asymmetric encryption
    • solves the problem of distributing encryption keys when you want to
      • communicate securely with others
      • authenticate a message that you send to others
      • or authenticate yourself to an access control system
    • generates a key pair
      • private key remains a secret that only you know
        • cannot be derived from the public key
      • public key can be transmitted to other subjects
      • used for:
        • want others to send you confidential messages
          • give them your public key to use to encrypt the message
          • can then only be decrypted by your private key
          • public key cannot be used to decrypt a message
        • want to authenticate yourself to others
          • create a signature using your private key
          • give others your public key to use to verify the signature
          • as only you know the private key, everyone can be sure that only you could have created the signature

Info

  • encryption using a public key is slow
    • rather than encrypting the whole message, typically encrypt a symmetric key
      • for use in a single session
        • called a session key
      • exchange it securely (the session key is what gets encrypted with the public key)
      • the symmetric key is then used to encrypt the message itself
  • the basic problem with public key cryptography lies in proving the identity of the owner of a public key
    • the system is vulnerable to attacks where a threat actor is able to substitute their own public key for yours
  • Public key infrastructure (PKI) aims to prove that the owners of public keys are who they say they are

Public Key Infrastructure (PKI)

Public key infrastructure (PKI) is a framework of certificate authorities, digital certificates, software, services, and other cryptographic components deployed for the purpose of validating subject identities.

  • anyone distributing public keys should obtain a digital certificate

    • validity of the certificate is guaranteed by a certificate authority (CA)
    • is essentially a wrapper for a subject’s (or end entity’s) public key
    • contains
      • public key
      • information about the subject
      • info about the certificate’s issuer or guarantor
    • digitally signed to prove that it was issued to the subject by a particular CA

  • sometimes, using PKI can be too difficult or expensive to manage

    • Any machine, web server, or program code can be deployed with a self-signed certificate
      • A digital certificate that has been signed by the entity that issued it, rather than by a CA
      • e.g., web administrative interfaces of SOHO routers are often protected by a self-signed certificate
      • can also be useful in development and test environments
      • OS or browser will mark self-signed certificates as untrusted
        • a user can choose to override this
      • because no third party vouches for the key, a self-signed certificate cannot be validated beyond trusting it directly
      • should not be used to protect critical hosts and applications
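The trust relationship described in the last two sections (a CA-signed certificate as a wrapper for a public key, versus a self-signed one that nothing vouches for), worked through in Go as an added example that is not part of these notes. The CA name "Example Root CA" and the host name "www.example.test" are constructed; a relying party whose root store holds only the private CA accepts the CA-issued certificate and rejects the self-signed one, which is the condition behind the browser's "untrusted" warning.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert signs tmpl on behalf of parent with signer's key; parent == tmpl yields a self-signed certificate.
func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced above is well-formed
	return cert
}

// TrustDemo builds a constructed private root CA, one server certificate issued by it and one
// self-signed server certificate (same key, same subject), then verifies both against a trust
// store holding only the CA. Returns (issuedOK, selfSignedOK).
func TrustDemo() (issuedOK, selfSignedOK bool) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caCert := newCert(caTmpl, caTmpl, &caKey.PublicKey, caKey) // a root CA is self-signed by design
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.example.test"},
		DNSNames: []string{"www.example.test"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	issued := newCert(srvTmpl, caCert, &srvKey.PublicKey, caKey)       // wrapper for srvKey's public key, signed by the CA
	selfSigned := newCert(srvTmpl, srvTmpl, &srvKey.PublicKey, srvKey) // same public key, signed by itself
	roots := x509.NewCertPool() // the relying party's root store: it trusts the CA and nothing else
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, DNSName: "www.example.test"}
	_, errIssued := issued.Verify(opts)   // chain: server cert -> Example Root CA
	_, errSelf := selfSigned.Verify(opts) // no path to a trusted root: x509.UnknownAuthorityError
	return errIssued == nil, errSelf == nil
}

func main() {
	fmt.Println(TrustDemo()) // true false
}
```

Overriding the warning in a browser is equivalent to adding the self-signed certificate to the root store by hand, which is why the notes restrict that to development and test environments.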