Join Lisa Bock for an in-depth discussion in this video, Building a PKI/certificate services infrastructure, part of Foundations of IT Security: Core Concepts.
- Public Key Encryption uses two keys: a public key and a private key. A public key is public, and anyone can share the public key and claim ownership. While this seems like a great concept, we must be able to trust that the public key belongs to the entity that shared that public key. Public Key Infrastructure, or PKI, is not a protocol but a framework that is used to ensure trust. Public Key Infrastructure uses a trusted third party, or certificate authority, to authenticate entities by using a digital certificate for each entity.
A certificate authority is responsible for issuing, revoking, and distributing certificates, and includes VeriSign, GoDaddy, and Thawte. They most likely will use an X.509 certificate, which is a widely used standard for defining digital certificates. Companies can also create their own certificates. Let's take a look at how this works. Up at the top we see the certificate authority, which is the trusted third party.
We see Alice and we see Bob. All three entities have generated a public and a private key. Alice and Bob both send up their public key. And now the certificate authority is going to verify them. First of all, the certificate authority takes the unsigned certificate containing the user's ID and user's public key, and generates a hash of that certificate. Now this small stump of data is going to be encrypted using the certifying authority's private key to form a signature.
This small stump of data that has been encrypted is now attached to the certificate and distributed to those who ask for it. As you can see now, Alice has obtained Bob's public key from the certificate authority. Now, what happens is Alice takes that signed certificate and generates a hash of the certificate. Then, on the bottom, that small stump of data is pulled off for comparison. But first it has to be decrypted with the certifying authority's public key.
The two are then compared, and if they were equal, then we know that Bob's public key can be trusted. So now Bob has Alice's public key, Alice has Bob's public key, and the two can communicate securely. I'm in Mozilla, and I can see the https, which represents Google.com and a secure connection. The little lock will tell us that the certificate is available, and I'm going to go to Connection, and here I'm going to go to Certificate Information, where now I can see the information about the certificate itself.
So Public Key Infrastructure is a framework used to ensure trust using certificates.
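The issue-and-verify steps described in the video, written out as an added Go example (not the course's own code): a CA hashes a stand-in certificate body, signs the hash with its private key, and a relying party re-hashes the body and checks the signature with the CA's public key. The simplified `Cert` type, the name bob@example.com and the impostor scenario are constructed for illustration; real X.509 certificates carry more fields and use DER, not JSON.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"fmt"
)
// Cert is a constructed stand-in for an X.509 certificate: the unsigned body (subject ID and public key) plus the CA's signature over a hash of that body.
type Cert struct {
	SubjectID string `json:"subject_id"`
	PublicKey []byte `json:"public_key"` // DER (PKIX) encoding of the subject's key
	Signature []byte `json:"-"`          // excluded from the hashed body
}
// hashBody is the "generate a hash of the certificate" step; the CA and the relying party must compute it over exactly the same encoding.
func hashBody(c Cert) []byte {
	enc, _ := json.Marshal(c) // Signature is tagged "-", so only the body is encoded
	sum := sha256.Sum256(enc)
	return sum[:]
}
// Issue is the CA step: hash the body, then sign the hash with the CA's private key (PKCS#1 v1.5 pads the hash before the private-key operation).
func Issue(caKey *rsa.PrivateKey, subjectID string, subjectPub *rsa.PublicKey) (Cert, error) {
	der, err := x509.MarshalPKIXPublicKey(subjectPub)
	if err != nil { return Cert{}, err }
	c := Cert{SubjectID: subjectID, PublicKey: der}
	c.Signature, err = rsa.SignPKCS1v15(rand.Reader, caKey, crypto.SHA256, hashBody(c))
	return c, err
}
// Verify is the relying party's step: re-hash the body and check the signature with the CA's public key; any change to the ID or the key makes this fail.
func Verify(caPub *rsa.PublicKey, c Cert) bool {
	return rsa.VerifyPKCS1v15(caPub, crypto.SHA256, hashBody(c), c.Signature) == nil
}
// Demo issues Bob's certificate and checks it, then swaps an impostor's public key in under Bob's name and checks again; returns (genuineTrusted, tamperedTrusted).
func Demo() (bool, bool) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	bobKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	impostorKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	cert, err := Issue(caKey, "bob@example.com", &bobKey.PublicKey)
	if err != nil { panic(err) }
	genuine := Verify(&caKey.PublicKey, cert)
	cert.PublicKey, _ = x509.MarshalPKIXPublicKey(&impostorKey.PublicKey) // forged body: impostor's key under Bob's ID
	return genuine, Verify(&caKey.PublicKey, cert)
}
func main() {
	g, t := Demo()
	fmt.Printf("genuine certificate trusted: %v, tampered certificate trusted: %v\n", g, t)
}
```

Because only the CA holds the signing key, the impostor cannot produce a valid signature for the altered body, which is the check that lets Alice trust that the key really belongs to Bob.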
Note: This course maps to a number of the exam topics on the Microsoft Technology Associate (MTA) Security Fundamentals 98-367 certification exam and is recommended test prep viewing.
- Evaluating risks, threats, and vulnerabilities
- Minimizing the attack surface
- Avoiding worms and viruses
- Protecting your system from spyware
- Making web browsers more secure
- Securing wireless transmissions
- Encrypting files, folders, and drives
- Using virtual private networks