What is PKI, and why is it being used?

By Security Lit Limited. Published in CodeX, Nov 9, 2022.

Ever wondered how you can validate the authenticity of a website, and whether the data you send to it is really safe?

You probably won't have to worry about it for years to come, but it is a good exercise if you want to expand your knowledge base and prepare yourself for an interview.

For the sake of argument, let's say your friend Bob built a website and wants to communicate with you through it. So the first thing you do is fire up your favourite web browser, type the name of his website in the address bar and click on the website that looks similar to the one he described.

Let's consider a case here. What if the site doesn't belong to Bob and the message you are sending is being delivered to someone else? You can easily verify it by calling Bob. But is that possible for all the websites in the world? Would you call their owners every time you wish to verify that a site is legitimate?

Do you think that it is practically possible? Probably not. It can certainly be a good exercise if you want to network with some people, but not feasible. So, what can be done?

The answer is Digital Certificates. These are certificates issued by a trusted third party, which you and Bob can both trust. These certificates are issued at Bob's request, exclusively for Bob, and are used by browsers to check that the website is authentic and belongs to Bob. The third party, in this case, is referred to as the Certificate Authority (CA) and is a part of the Public Key Infrastructure (PKI).

A PKI is the set of policies, software, hardware, etc. required to store, generate, maintain, distribute and revoke digital certificates and public keys.

Components of PKI:

The following are the components of PKI:

1. Certificate Authority

2. Registration Authority

3. Public Key Cryptography

4. Digital Certificates

1. Certificate Authority

Probably the main entity in a PKI is the Certificate Authority. There are a lot of certificate authorities, such as GlobalSign. It is the party your good friend Bob would have to contact to get a digital certificate for his website. But can a CA generate a digital certificate for any person? What if the person is fraudulent and wants to set up a phishing website in Bob's name? The answer is no. No one but Bob can get a certificate issued in Bob's name.

Let's look at the types of certificate a CA issues.

Type of Certificates that CA issues:

While CAs focus mainly on TLS certificates, they also issue a variety of digital certificates, including:

  • Code signing certificates — The code is verified to come from its developers and not to have been altered, allowing the programme to be trusted. These certificates are used to sign software releases and to validate software from the vendor or developer, ensuring that the code is genuine.
  • Email certificates — Emails can be protected and validated using the S/MIME protocol, allowing the sender to prove authorship and avoid tampering.
  • Document signing certificates — In order to ensure that documents are unmodified and trustworthy, they should be signed using Adobe, Microsoft, and other software programmes. When you see a digital signature on your document it is almost always signed with this certificate.

But how? The answer is the Registration Authority.

2. Registration Authority

There are millions of websites that can be accessed with a single click of a button. Every day, a couple hundred of those are launched. How can a certificate authority (CA) issue certificates while also validating the identity of every applicant? It just cannot be done. As a result, a distinct institution known as the Registration Authority, or RA, is used to verify the identity of the user who requests the certificate. The RA verifies the identity of the user, and the certificate authority then creates a certificate for the website that can be trusted. So, to answer the earlier question: no, an anonymous user cannot obtain a certificate on Bob's behalf and use it on a website of their own, because they cannot prove to the RA that they are Bob.

3. Public Key Cryptography

Digital certificates are unique: no two websites will have the same certificate. This is ensured by the use of asymmetric, or public key, cryptography.

Let's first look at public key cryptography in brief. There are two types of cryptography, asymmetric and symmetric. In symmetric key cryptography, the key used to encrypt is the same as the one used to decrypt. Consider it like a door lock. There is just one key that can lock and unlock the door.

Asymmetric key cryptography, on the other hand, is a bit different. The key used to encrypt is different from the one used to decrypt. There are 2 keys involved. One is called the public key and the other is called the private key. As is evident from the names, the public key should be publicly available and the private key should only be accessible to the owner.

Now if Bob wants a digital certificate for his website, he'll first have to generate a private and public key pair. He'll then send the public key to the CA, once he's been verified by the RA. The CA will take his public key and other details and sign them with its own private key (that is, a hash of the data is encrypted with the private key of the CA). Once this has been done, the certificate is sent back to Bob. Whenever you open Bob's site, the certificate will automatically be downloaded, and the browser will use it to verify that the site indeed belongs to Bob.

4. Digital Certificate

This is the certificate that is generated by a certificate authority (CA). It is not just any certificate: it is compliant with the X.509 standard and contains the key-value pairs listed below.

Different types of digital certificates:

There are also different types of TLS certificates available:

  • DV — Domain Validated certificates are issued once the applicant demonstrates that he has control over the domain name being registered. However, because DV certificates do not contain any information that can be used to identify an entity, they are not recommended for commercial use.
  • OV — Organisation Validated certificates are authenticated by the CA against company register databases that are maintained by governments. CAs may request specific documents and contact information from OV certificate applicants in order to validate that the information contained in the certificates is legitimate business information. When it comes to commercial or public-facing websites, this is the most common type of certificate required.
  • EV — When it comes to protecting brands and consumers, Extended Validation certificates provide the greatest level of authenticity available.

These are the attributes used in digital certificates:

a. Version: It indicates the version of the certificate.

b. Certificate Serial Number: The serial number of the certificate, a unique number that the issuer assigns at issuance.

c. Issuer Name: This defines the name of the CA that issued the certificate.

d. Subject Name: The entity a certificate belongs to, this might be a machine, an individual, or an organisation.

e. Validity: This defines the validity period of the SSL certificate.

Not before: The earliest time and date at which the certificate is valid. In order to avoid difficulties with clock skew, this is usually set to a few hours or days before the moment the certificate was issued.

Not after: The time and date after which the certificate is no longer valid.

f. Subject Public Key: A public key belonging to the certificate subject.

g. Signature algorithm: This names both a hashing algorithm and an encryption algorithm. For example, “sha256RSA” means that sha256 is used as the hashing algorithm and RSA is used as the encryption mechanism.

h. Signature: The body of the certificate is hashed (using the hashing algorithm in the “Signature Algorithm” field) and then the hash is encrypted (using the encryption algorithm in the “Signature Algorithm” field) with the issuer’s private key.

During the course of the write-up, did you wonder how a certificate can be revoked, or how the private-public key pair can be changed? Explicitly for this purpose, the CA maintains a list of the serial numbers of certificates that have been discarded, or revoked. This list is called the Certificate Revocation List, or CRL.
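The signing step and the checks a browser makes against the fields above, as an added example that is not part of the original article: the CA hashes the certificate body and applies its private key, and the client checks the signature, the validity period and the CRL. It assumes a toy unpadded RSA key built from two Mersenne primes and a plain-text body encoding (real certificates are DER-encoded X.509 with padded signatures); "Example CA", "bob.example" and serial 1001 are constructed values.

```python
import hashlib
from datetime import datetime, timezone

# Toy CA key (constructed): two Mersenne primes give a quickly built RSA modulus.
# Never use such primes or unpadded RSA for real keys.
P, Q = 2**521 - 1, 2**607 - 1
CA_N, CA_E = P * Q, 65537                    # CA public key, known to the browser
CA_D = pow(CA_E, -1, (P - 1) * (Q - 1))      # CA private key, known only to the CA

FIELDS = ("version", "serial", "issuer", "subject",
          "not_before", "not_after", "subject_public_key")

def body_hash(cert):
    """SHA-256 over the certificate body, i.e. every field except the signature."""
    body = "\n".join(f"{k}={cert[k]}" for k in FIELDS)
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big")

def ca_sign(cert):
    """CA side: hash the body, then apply the CA private key to the hash."""
    return dict(cert, signature_algorithm="sha256RSA",
                signature=pow(body_hash(cert), CA_D, CA_N))

def check(cert, now, crl):
    """Browser side: return 'ok' or the first reason for rejecting the certificate."""
    if pow(cert["signature"], CA_E, CA_N) != body_hash(cert):
        return "bad signature"
    if not cert["not_before"] <= now <= cert["not_after"]:
        return "outside validity period"
    if cert["serial"] in crl:
        return "revoked"
    return "ok"

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample certificate for Bob's site.
BOB = ca_sign({"version": 3, "serial": 1001, "issuer": "Example CA",
               "subject": "bob.example", "not_before": utc(2022, 11, 1),
               "not_after": utc(2023, 11, 1),
               "subject_public_key": "bob-public-key-placeholder"})

if __name__ == "__main__":
    now = utc(2022, 11, 9)
    print(check(BOB, now, crl=set()))                                # genuine certificate
    print(check(dict(BOB, subject="evil.example"), now, crl=set()))  # subject altered after signing
    print(check(BOB, utc(2024, 1, 1), crl=set()))                    # past "Not after"
    print(check(BOB, now, crl={1001}))                               # serial listed on the CRL
```

Changing any body field after signing changes the hash, so the value recovered with the CA public key no longer matches and the certificate is rejected before the other checks run.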
