Sunday, August 1, 2021

Public Key Infrastructure (PKI) | Purpose of PKI | PKIX Elements | PKIX Management Functions


Public Key Infrastructure (PKI)

Public-key infrastructure (PKI) is the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates based on asymmetric cryptography.

Purpose of PKI

The purpose for developing a PKI is to enable secure, convenient, and efficient obtain public keys.


Public key infrastructure X.509 is called as PKIX. Figure shows the PKIX Architectural Model.

Figure : Public Key Infrastructure (PKIX)  

PKIX Elements

Figure shows the interrelationship among the key elements of the PKIX model. These elements are,

End entity: A generic term used to denote end users, devices (e.g., servers, routers), or any other entity that can be identified in the subject field of a public key certificate.

Certification authority (CA): The issuer of certificates and (usually) certificate revocation lists (CRLs). It may also support a variety of administrative functions, although these are often delegated to one or more Registration Authorities.

Registration authority (RA): An optional component that can assume a number of administrative functions from the CA. The RA is often associated with the end entity registration process but can assist in a number of other areas as well.

CRL issuer: An optional component that a CA can delegate to publish CRLs.

Repository: A generic term used to denote any method for storing certificates and CRLs so that they can be retrieved by end entities.


PKIX Management Functions

PKIX identifies a number of management functions that potentially need to be supported by management protocols which are:

Registration: Registration begins the process of enrolling in a PKI. User first makes itself known to a CA (directly or through an RA), prior to that CA issuing a certificate for that user. Registration usually involves some offline or online procedure for mutual authentication. Typically, the end entity is issued one or more shared secret keys used for subsequent authentication.

Initialization: Before a client system can operate securely, it is necessary to install key materials that have the appropriate relationship with keys stored elsewhere in the infrastructure. For example, the client needs to be securely initialized with the public key and other assured information of the trusted CA(s), to be used in validating certificate paths.

Certification: This is the process in which a CA issues a certificate for a user’s public key, returns that certificate to the user’s client system, and/or posts that certificate in a repository.

Key Pair Recovery: Key pairs can be used to support digital signature creation and verification, encryption and decryption, or both. When a key pair is used for encryption/decryption, it is important to provide a mechanism to recover the necessary decryption keys when normal access to the keying material is no longer possible, otherwise it will not be possible to recover the encrypted data. Key pair recovery allows end entities to restore their encryption/decryption key pair from an authorized key backup facility (typically, the CA that issued the end entity’s certificate).

Key Pair Update: All key pairs need to be updated regularly (i.e., replaced with a new key pair) and new certificates issued. Update is required when the certificate lifetime expires and as a result of certificate revocation.

Revocation Request: An authorized person advises a CA of an abnormal situation requiring certificate revocation. Reasons for revocation include private key compromise, change in affiliation, and name change.

Cross Certification: Two CAs exchange information used in establishing a cross-certificate. A cross-certificate is a certificate issued by one CA to another CA that contains a CA signature key used for issuing certificates.


PKI Management Protocols

The PKI working group has defines two alternative management protocols.

RFC 2510 defines the certificate management protocols (CMP).

PKI Services allows a CMP client to communicate with it to request, revoke, suspend and resume certificates.

RFC 2797 defines certificate management messages over CMS.

Where CMS refers to RFC 2630, and cryptographic message syntax (CMS).

CMS can encrypt, decrypt, sign and verify, compress and decompress CMS documents.

Figure : Working of PKIX

        To learn more about Obtaining & Revocation of Certificate, watch below video

Video : Public Key Infrastructure (PKIX)

Watch more videos click here.

No comments:

Post a Comment