PKI: Public Key Infrastructure
We have previously seen how public key cryptography works and that it is widely used in modern day cryptography. Recall that we have public and secret keys that allow us to achieve security: here the secret keys are private to the party concerned and the public keys are in open domain, that is anyone can access them. Therefore, we must be careful how we manage these keys.
This week, we will look at how this is achieved in real life through Public Key Infrastructure and, in particular, the assurance of public keys. Public key cryptosystems can be compromised; rarely are they compromised because of poor design decision, more often public key cryptosystems are compromised due to implementation and key management.
So, what does the assurance of public keys mean and what is the problem?
Well, we know each party has a public key associated with it and these keys are in the public domain. However, there are no assurances that each of these keys are correct. In other words, knowing exactly which party the key is associated to; a party may say it is associated with a particular public key, but this may not be true.
How do we overcome this problem?
The problem of public key assurance is dealt with using what we call public key infrastructure (PKI). Let’s look at two main aspects of PKI: what a Digital Certificate is and what role a Certification Authority plays.
Digital Certificate:
Digital certificates act like a form of ID or a passport. In this context, a digital certificate is given to a communicating party, so usually the computer or device that is doing the communication. Most importantly the certificate contains the public key. A record of these certificates are then stored by the Certification Authority (CA). If someone wants to check whether public key is valid for a particular party, they can carry out what is known as a ‘signature validation process’ with he CA, which means they can be assured that the public key given in the certificate is the public key that belongs to the certificate — therefore, it belongs to the party concerned.
Certification Authority:
The CA is the entity that issues certificates to parties involved in the public key cryptosystem. It is the CA’s job to make sure the information contained in the certificate is correct. In particular, they certify that the public key contained in the certificate is correct for the party who holds the certificate.
There are four classes of certificate, class 1 to class 4. Class 1 certificates are used for low level uses of public key cryptography and can be gained by providing only an email address. Class 4 certificates are the ones used by governments and financial organisations, where the levels of security required are much higher and higher levels of trust are required by the CA.
Further reading:
In this tutorial, you have seen the outline of how PKIs work. Conduct your own research into the process, you should be able to see what we have discussed and go into more detail about other parts of the process too.
This article was written by David Butler, one of the course creators and teachers at Oxbridge Inspire. David is studying for a PhD at the Alan Turing Institute in London.
Oxbridge Inspire delivers innovative STEM education and provides guidance and inspiration to young people wishing to pursue STEM subjects at University and beyond. To find out more about Oxbridge Inspire and the courses and activities we offer, visit our website.
