Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Standard view
Full view
of .
Look up keyword
Like this
0 of .
Results for:
No results containing your search query
P. 1


Ratings: (0)|Views: 202|Likes:
Published by BARNALI GUPTA
It is a white paper on Public Key Infrastructure
It is a white paper on Public Key Infrastructure

More info:

Published by: BARNALI GUPTA on Apr 06, 2009
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less





Public Key Infrastructure
Jim Hurst
Public Key Infrastructure
Secure communications is an essential requirement for any modern organization. Inpractical terms, this often means sending encrypted information across the Internet—through electronic mails, file transfers, secure web transactions, or telephony. Public keyinfrastructure, or PKI, addresses the problem of managing encryption and decryptionkeys for groups of users to assure the confidentiality of information. PKI also providesfor the use of digital signatures, which allows for verification of the integrity of digitalinformation. A final benefit of PKI is non-repudiation, which verifies that a particularauthor sent a given message.PKI is based upon three principle technologies: public key cryptography, digitalsignatures, and digital certificates. These key components are discussed in the nextsections. This is followed by an explanation of how PKI is implemented in the enterprise,and the problems that it must address.
Public Key Cryptography 
Any discussion of public key infrastructure must begin with public key cryptography.Public key cryptography, also known as asymmetric cryptography, allows users tocommunicate secretly without having a shared secret key. The trick is that each user hasboth a public and a private key. Anyone can access the public key, but only the user hasaccess to the private key. The true magic of public key systems is that when a particularpublic key is used to encrypt information, only the corresponding private key can decryptit (because the keys are mathematically related). To send you a secret message, I use yourpublic key to encrypt my message. I can then send you the message via public means,because no one can read the message without your private key.Mathematicians Whitfield Diffie and Martin Hellman developed the first publishedpractical application of public key cryptography in 1976 (although classified systemswere probably already in use at this time). Their method of jointly establishing a secretkey is now known as Diffie-Hellman key exchange.In 1978, the team of Rivest, Shapiro, and Adelman published a method of using two largeprimes for encryption and decryption that combined public key encryption and digitalsignatures. The method, still used today, is known as RSA, and it is based on thecomputational difficulty of factoring large prime integers. Other well known public keyalgorithms include El Gamal, which is based on discrete logarithms, and ECC (ellipticcurve cryptography), which is based on the algebraic structure of elliptic curves overfinite fields.
Digital Signatures 
A second crucial application of public key cryptography is digital signing. A digitalsignature allows verification that a given private key signed a particular message, whichprovides the benefits of integrity and non-repudiation. An author can sign a document by
creating an electronic fingerprint of the document (a hash), and then encrypting the hashwith the author’s private key. The recipient of the document decrypts the hash with theauthor’s public key and tests it against a current hash of the document. Because theauthor’s private key is required to generate the original hash, the author must havegenerated the signed document. If the two hashes do not match, the document has beenmodified since the original hash was made. If the two hashes match, this verifies that thedocument has not been modified. Therefore, it was signed with the author’s private key,which makes the author responsible for the document. This ability to verify that a givensender did indeed send a particular message is known as non-repudiation.
Digital Certificate
Current implementations of PKI depend on digital certificates, also known as public keycertificates or identity certificates. This is a certificate that uses a digital signature to binda user identity to a public key. The user identity can include arbitrary fields, usuallyincluding name, organization, and address. A certificate authority (CA) creates andmaintains the digital signatures. Certificate authorities function as trusted third parties,validating the identities of all user certificates they create. Governments and largeorganizations can have their own CAs. There are numerous commercial CAs, and acertificate authority and the tools to use it are integral parts of any PKI.The most common digital certificate standard is the ITU-T X.509. X.509 providesstandard formats for certificates and a set of procedures to determine is a given certificateis valid. An X.509 certificate has a start date and an expiration date defined when it iscreated. The CA might also have revoked the certificate. X.509 certificates use aCertificate Revocation List to keep track of certificates that have been voided.A common use of X.509 certificates is for one CA (the root CA or root authority) toendorse a second tier CA, which then generates user certificates. Validating the usercertificates means validating the parent CA that issued them, which in turn requiresvalidating the root CA that endorsed the issuing CA. The most common application of digital certificates is the secure sockets layer (SSL) used in web commerce. SSL is not atrue PKI system, because the server is validated, although the client is not.
Consider a simple example of a PKI system at work. Alice, an employee of AtlasAmalgamated, needs to send a secret bid to Bob at Better Business. Alice uses her normalemail client, but flags the message as encrypted. The corporate PKI system mustauthenticate Alice’s identity, then contact Bob’s CA, retrieve his public key, and use thiskey to encrypt the message. It also digitally signs the email with Alice’s private key, andthen sends it to Bob across the Internet. When Bob receives the message, his PKI systemauthenticates his identity, notes that the email is signed, and contacts Alice’s certificateauthority to retrieve her public key. The system uses Alice’s public key to decrypt thehash. It then generates a new hash to verify that Alice sent the message and it has notbeen modified. The PKI next decrypts the message using Bob’s private key and deliversthe plaintext into Bob’s inbox.

Activity (7)

You've already reviewed this. Edit your review.
1 thousand reads
1 hundred reads
AndrewConsulting liked this
jfscrbd liked this
Mihai Chitu liked this
DCDoe liked this
ksi12345 liked this

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->