Public Key Infrastructure (PKI)
Public Key Infrastructure (PKI) is a system that validates a user’s digital identity over a public or private network. It does so by associating a pair of public and private keys with the individual’s identity credentials. These keys are created with a cryptographic algorithm and shared by a certificate authority (CA) that links them to the user’s unique identity. The CA stores this information in a database and issues digital certificates, which include the public key or information about the public keys, in order to verify the user’s identity.
A PKI consists of:
1. A certificate authority (CA)
It stores, issues and signs the digital certificates. It acts as the root of trust and provides services that authenticate the identity of individuals, computers and other entities. A Certificate Authority (CA) is a computer (or group of computers) on a network that signs and issues public keys, in certificate form, for transaction and message encryption. As part of a public key infrastructure, a CA checks with a Registration Authority (RA) to verify the information provided by the requester of a digital certificate. If the RA verifies the requester’s information, the CA can then issue a certificate.
Key Functions of CA
The key functions of a CA are as follows:
- Generating key pairs: The CA may generate a key pair independently or jointly with the client.
- Issuing digital certificates: The CA could be thought of as the PKI equivalent of a passport agency; the CA issues a certificate after the client provides the credentials that confirm its identity. The CA then signs the certificate to prevent modification of the details contained in it.
- Publishing certificates: The CA needs to publish certificates so that users can find them. There are two ways of achieving this. One is to publish certificates in the equivalent of an electronic telephone directory. The other is to send your certificate out, by one means or another, to those people you think might need it.
- Verifying certificates: The CA makes its public key available in the environment so that relying parties can verify its signature on clients’ digital certificates.
- Revocation of certificates: At times the CA revokes a certificate it has issued, for reasons such as compromise of the user’s private key or loss of trust in the client. After revocation, the CA maintains a list of all revoked certificates that is available to the environment.
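The five functions above can be walked through end to end with the openssl command-line tool. The script below is an added example, not part of the original article: it builds a throw-away root CA, has a client generate its own key pair and certificate request, lets the CA issue and sign the certificate, verifies that certificate against the CA's public certificate (the relying party's check), then revokes it, publishes a CRL and shows that verification now fails. It assumes openssl 1.1.1 or later is on PATH; every name (Demo Root CA, alice), path and config value is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes openssl >= 1.1.1.
# All names and paths below are constructed for this demonstration.
set -eu

# Directory layout that `openssl ca` expects: a database of issued
# certificates (index.txt) plus counters for serial numbers and CRL numbers.
setup_ca_dir() {
  mkdir -p ca/newcerts
  : > ca/index.txt
  echo 1000 > ca/serial
  echo 1000 > ca/crlnumber
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = client_ext

# Issuance policy: a request is only accepted if it supplies a commonName.
[ demo_policy ]
commonName = supplied

# Extensions for issued end-entity certificates (never sub-CAs).
[ client_ext ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid

# Used by `openssl req` for the self-signed root and for client CSRs.
[ req ]
distinguished_name = req_dn
x509_extensions    = root_ext
prompt             = no

[ req_dn ]
CN = Demo Root CA

[ root_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Generating key pairs: the CA's own key and self-signed root certificate.
make_root_ca() {
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Demo Root CA" -keyout ca/ca.key -out ca/ca.crt >/dev/null 2>&1
}

# The client generates its own key pair and a request carrying its identity.
make_client_request() {
  openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=alice" -keyout alice.key -out alice.csr >/dev/null 2>&1
}

# Issuing: the CA signs the request and records it in its database.
issue_client_cert() {
  openssl ca -batch -config ca.cnf -notext -in alice.csr -out alice.crt >/dev/null 2>&1
}

# Verifying: a relying party checks the chain with the CA's public certificate,
# and with the CRL when one is given. Prints OK, REVOKED or INVALID.
check_cert() {  # $1 = certificate file, $2 = optional CRL file
  if [ -n "${2:-}" ]; then
    out=$(openssl verify -crl_check -CAfile ca/ca.crt -CRLfile "$2" "$1" 2>&1) && { echo OK; return 0; }
  else
    out=$(openssl verify -CAfile ca/ca.crt "$1" 2>&1) && { echo OK; return 0; }
  fi
  case "$out" in *"certificate revoked"*) echo REVOKED ;; *) echo INVALID ;; esac
}

# Revocation: mark the certificate revoked in the database and publish a CRL.
revoke_client_cert() {
  openssl ca -batch -config ca.cnf -revoke alice.crt -crl_reason keyCompromise >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
}

# Runs the whole lifecycle in a temporary directory and prints two words:
# the verification result before revocation and the result after it.
pki_lifecycle() {
  work=$(mktemp -d)
  ( cd "$work" && setup_ca_dir && make_root_ca && make_client_request && issue_client_cert
    before=$(check_cert alice.crt)
    revoke_client_cert
    after=$(check_cert alice.crt crl.pem)
    echo "$before $after" )
  rm -rf "$work"
}

pki_lifecycle   # prints: OK REVOKED
```

Two details worth noticing when running it: the CRL only changes the outcome if the relying party actually fetches and applies it (drop the `-crl_check` flag and the revoked certificate still verifies as OK), and after revocation the entry in `ca/index.txt` is not deleted but marked `R`, which is the record the CA keeps of what it issued and when it withdrew it.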
2. A registration authority
It verifies the identity of entities requesting digital certificates that will be stored at the CA. A Registration Authority (RA) is simply a trusted computer that runs services to verify the validity of certificates being issued by a Certificate Authority. Most private networks combine their own CA with a Registration Authority as the central repository, but for internet transactions there are recognized providers that most businesses use. Enterprise networks that only want certificates issued to specifically identified and authenticated individuals achieve this goal by running their own RA.
3. A central directory
A central directory is implemented as part of a PKI, as a place to store and look up digital certificates, along with other relevant information.
4. A certificate management system
It is the management system through which certificates are published, temporarily or permanently suspended, renewed, or revoked. Certificate management systems do not normally delete certificates, because it may be necessary to prove their status at a point in time, perhaps for legal reasons. A CA, along with its associated RA, runs a certificate management system to be able to track its responsibilities and liabilities.
5. A certificate policy
A certificate policy (CP) is a document that states who the different actors of a public key infrastructure (PKI) are, along with their roles and their duties. This document is published in the PKI perimeter.