
                     Frequently Asked Questions


Public Key Infrastructure FAQs

  • What are the processes in a PKI?

    Processes in a PKI:

    Certificate Issuance

    Certificates are issued by the CA to end-users and end-entities according to policies defined by the CA. The certificate issued by the CA legally binds the certified public key to the user, which also implies binding of the private key. The information contained in the certificate, which is signed by the CA, should be correct, since an independent third party may verify that the CA issued the certificate. The certificate is usually issued for a short period depending on the purpose.

    Certificate Revocation

    Whenever a private key associated with a certificate is exposed, or is suspected to have been exposed, the owner of the certificate notifies the CA. The CA then revokes the certificate. Revoked certificates are placed on a list called the Certificate Revocation List (CRL), which is signed by the CA. The CRL is published to an easily accessible point on a regular basis. With a certificate revocation, the association between the owner and the certificate expires, which implies that the relying party should not accept the certificate for authentication.

    Authentication / Verification

    The parties involved in a transaction may be authenticated by a challenge/response mechanism, in which one party poses a challenge that requires a response from the other. The end-user who has been challenged provides evidence of ownership of the certificate by returning a response that is encrypted with his private key. The challenging party then decrypts the response using the public key contained in the certificate assumed to be that of the other party. The challenged party is considered authenticated if the decrypted response is verified to match the challenge. This authentication is done from both sides, i.e. from the client side as well as the server side. The important requirement in this entire process is that both sides must trust the public key corresponding to the private key used by the CA while issuing the certificates. The CA plays a very important role in that it becomes the trust provider in the transaction: the user trusts the certificate if it trusts the CA issuing the certificate.

    Non-repudiation / Verification

    Non-repudiation services are used in mail signing, signing crucial agreements, business transactions, etc. If the private key used for the signature is protected, then the digital signature is impossible to copy. The certificate provides the non-repudiation service. Any party can verify that a noted CA issued the certificate. Non-repudiation is made possible through the use of a digital signature. The digital signature is created by encrypting given data with the private key. The receiving party verifies it by using the certified public key to match the expected values. This procedure ensures non-repudiation at the time of action, since the receiving party should be able to check for certificate validity and revocation status.
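The issuance, revocation and challenge/response steps described above, seen from the relying party's side, as an added example that is not part of the original FAQ. It uses textbook RSA (no padding) over constructed keys built from small Mersenne primes, so it is for illustration only; the certificate fields, the function names and the CRL held as a set of serial numbers (its CA signature assumed to be already verified) are assumptions.

```python
import hashlib, secrets

E = 65537  # public exponent shared by both constructed key pairs

def make_key(p, q):
    """Textbook RSA key from two primes: returns (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)      # private-key operation

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)   # public-key operation

# Constructed demo keys (far too small for real use).
CA_N, CA_D = make_key(2**127 - 1, 2**107 - 1)
USER_N, USER_D = make_key(2**89 - 1, 2**61 - 1)

def tbs(cert):
    """Bytes the CA signs: serial, subject, public key and validity window."""
    fields = ("serial", "subject", "n", "not_before", "not_after")
    return "|".join(str(cert[k]) for k in fields).encode()

def issue(serial, subject, n, not_before, not_after):
    cert = dict(serial=serial, subject=subject, n=n,
                not_before=not_before, not_after=not_after)
    cert["ca_sig"] = sign(tbs(cert), CA_N, CA_D)
    return cert

def authenticate(cert, respond, crl, now):
    """Relying-party checks in order; returns 'ok' or the reason for refusal."""
    if not verify(tbs(cert), cert["ca_sig"], CA_N):
        return "untrusted issuer"
    if not cert["not_before"] <= now <= cert["not_after"]:
        return "outside validity period"
    if cert["serial"] in crl:
        return "revoked"
    challenge = secrets.token_bytes(16)    # fresh nonce so old responses cannot be replayed
    if not verify(challenge, respond(challenge), cert["n"]):
        return "bad response"
    return "ok"

cert = issue(1001, "alice", USER_N, 100, 200)   # constructed sample certificate
alice = lambda c: sign(c, USER_N, USER_D)        # party holding the private key
```

The order of checks matters: the challenge is only issued once the certificate itself has been found to be CA-signed, within its validity period and absent from the CRL.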

  • What is Cryptography?

    Cryptography is the science of enabling secure communications between a sender and one or more recipients. This is achieved by the sender scrambling a message (with a computer program and a secret key) and leaving the recipient to unscramble the message (with the same computer program and a key, which may or may not be the same as the sender's key). There are two types of cryptography: Secret/Symmetric Key Cryptography and Public/Asymmetric Key Cryptography.

    The emphasis of cryptography is on data confidentiality, data integrity, sender authentication, and non-repudiation of origin/data accountability.

  • What is a key?

    Physical keys are used for locking and unlocking. In cryptography, the equivalent functions are encryption and decryption. A key in this case is an algorithmic pattern or rule(s) to render the message unreadable.

  • What is encryption?

    Encryption is the transformation of information from readable form into some unreadable form.

  • What is decryption?

    Decryption is the reverse of encryption; it's the transformation of encrypted data back into some intelligible form.


 Copyright © 2003, Mahanagar Telephone Nigam Limited. All Rights Reserved.
