Public Key Infrastructure (PKI)

---

Public key infrastructure (PKI) is a framework of certificate authorities, digital certificates, software, services, and other cryptographic components deployed for the purpose of validating subject identities.

• basic problem with public key cryptography is verifying identity of key holders
  • PKI aims to solve this
• provides the mechanisms required to confidently identify the owners of public keys
• anyone issuing a public key should publish it in a digital certificate
• certificate’s validity is guaranteed by a certificate authority (CA)
  • Trusted CAs are pre-established by recording their information within operating system certificate stores, within browsers, and by using special hardware storage components
• 2 main components
  • certificate authorities
    • issue and verify certificates
  • registration authorities
    • verify the identity of the individual associated with the certificate
• PKI can revoke certificates if:
  • expired
  • compromised
  • or other reasons
• Revoked certificates are added to a revocation list
  • a public list that holds all an organization’s revoked certificates for a time

How PKI Works

Components

• Certificate Authority (CA)
  • issues, renews, revokes, and distributes digital certificates
• Registration Authority (RA)
  • verifies the identity of a digital certificate applicant
  • certificate applicant sends a certificate signing request (CSR) to an RA
    • contains the applicants public key, name, organization, department, physical address, and email
  • RA validates the applicant’s identity and approves or rejects the CSR
  • if approved, RA forwards CSR to the CA for issuing of the applicant’s digital certificate
• Certificate Repository (CR)
  • aka central directory
  • stores the digital certificates issued by a CA
  • contains the certificate revocation list (CSR)
    • list of certificates the CA has revoked prior to its expiration
• Certificate Policy (CP)
  • defines the structure of a PKI, describes the PKI’s entities and roles, and specifies a PKI’s procedures and operational requirements
• Certificate Practice Statement (CSP)
  • describes how a CA issues, renews, revokes, and distributes certificates
  • helps a certificate user to decide whether or not to trust a PKI’s certificates

Certificate Lifecycle

1. Issuance
   • certificate is issued by a CA after a certificate applicant’s identity is validated by an RA
   • issued certificate is stored in a CR
2. Revocation
   • certificate is revoked by a CA before the end of the certificate’s validity period
     • added to the CRL
3. Suspension
   • certificate’s validity is temporarily suspended by the CA
   • validity may be re-established or may be fully revoked
4. Expiration
   • certificate is expired when the end of the validity period is reached
   • CP defines the process of applying for a new certificate after expiration

PKI Trust Model

• PKI Trust Model
• Root of Trust

Key Concepts

• Digital Certificate
• Certificate Authority (CA)
• Key Management
• Cryptoprocessors
• Key Escrow