Public Key Certificate
A data structure that binds a public key to a named subject using a digital signature by a Certificate Authority (CA)
What is the role of a Certification Authority?
To digitally sign public key certificates, asserting that a specific public key belongs to the named subject
Relying Party
Any party that relies on the certificate; it places its trust in the issuing CA in order to verify the CA's signature
What is the purpose of the CA’s signature on a certificate?
To protect the integrity of all certificate fields by signing the hash of all fields
What type of certificate is most commonly used in practice?
X.509v3 certificates
What certificate fields are of type Name?
Subject and Issuer
What is a Distinguished Name (DN) in a certificate?
A unique identifier for the subject or issuer, composed of attribute pairs <Attribute name, Value> like Country, Organization, Organizational Unit, and Common Name
Certificate Fields
Public Key, Subject, and Issuer along with other attribute fields that allow proper identification and safe use of the public key
Basic fields and Extension fields
What is a CA vouching for when issuing a certificate?
The association between an entity’s name and its public key, not the character or integrity of the entity
What are 3 checks a CA should perform before issuing a certificate?
Proof of private key knowledge (e.g., challenge-response test)
Control of claimed computer-addressable identity (e.g., email, domain)
Verification of real-world identity (for high-quality certifications)
Why is it preferred that an end entity generate its own key pair?
To avoid trusting the CA with the private key, preventing potential misuse
Acquiring a Certificate
End entity sends the CA a certification request including a DN, public key, and optional additional attributes
Public Key Infrastructure (PKI)
A collection of technologies and processes for managing public keys, private keys, and their use by applications
What is the primary goal of PKI?
To authenticate entities and establish authenticated session keys, supporting encryption, digital signatures and integrity
What are 4 core components of PKI?
Data structures
Cryptographic toolkits
Architectural components
Procedures/protocols for key/certificate lifecycle management
What does a Registration Authority (RA) do in PKI?
Acts on behalf of a CA to verify identities and facilitate certificate requests
What makes lifecycle management of long-term private keys challenging?
If encrypted under weak passwords, they’re vulnerable to offline guessing attacks.
Managing non-repudiable signatures adds the complexity of reconstructing time-relevant revocation information
What are the benefits of PKI over symmetric-key infrastructures?
Better automation, scalability, security, and convenience. No need for manual key sharing or hard-coding secrets