Public key infrastructure
1 / 25

Public Key Infrastructure - PowerPoint PPT Presentation

  • Uploaded on

Public Key Infrastructure. July 2011. Topics. The need of PKI Trust Model PKI Structures CA types PGP. Public Key Distribution issue. Public Key cryptography solves the problem of Confidentiality, Integrity Authenticity Non-repudiation But how to ensure the public key is not faked?

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' Public Key Infrastructure' - dolan-watkins

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript


  • The need of PKI

  • Trust Model

  • PKI Structures

  • CA types

  • PGP

Public key distribution issue
Public Key Distribution issue

  • Public Key cryptography solves the problem of

    • Confidentiality,

    • Integrity

    • Authenticity

    • Non-repudiation

  • But how to ensure the public key is not faked?

  • Eve creates a pair of keys (private/public) and tells everyone that the public key he generated belongs to Alice

    • People send confidential stuff to Alice

    • Alice cannot read (missing of the private key)

    • Eve reads Alice’s messages

Public key infrastructure

  • PKI is a group of solutions for key distribution problems and other issues:

    • Key generation

    • Certificate generation, revocation, validation

    • Managing trust

  • Using Certificates

How to verify a public key
How to Verify a Public Key?

  • Two approaches:

    • Before using anyone public key:

      • Meet to get the right one

      • Have the public key sent in storage device using registered mail (if you trust registered mail)

      • You can use the telephone (if you trust the telephone)

    • Contact someone already trust to certify that the key really belongs to real owner

      • By checking for a trusted digital signature on the key

      • That’s were certificates play a role


  • The need of PKI

  • Trust Model

  • PKI Structures

  • CA types

  • PGP

Trust models
Trust Models

  • Web-of-Trust

    • P2P model for key certification based on friends and friends of friends

    • Individuals digitally sign each other keys

    • You trust implicitly keys signed by some of your friends

    • Used by “Pretty Good Privacy” (PGP)

  • Trusted Authority + Path of Trust (CAs)

    • A trusted agent who certifies public keys for general use

    • Everyone trusts the root Certificate Authority (Verisign, Thawte, BT etc.)

    • CA digitally signs keys of anyone having checked their credentials by traditional methods

    • CA may even nominate others to be CAs

Ca model trust model
CA model (Trust model)

Root Certificate

CA Certificate

CA Certificate

Server Cert.

Server Cert.

Server Cert.

Server Cert.

Web of trust model







Web of Trust model

Trust models issues
Trust Models Issues

  • Web-of-trust

    • Time-consuming, requires lots of work

    • Works well in small or high connected worlds

    • How to verify a public key from someone who don’t know before

  • Certification authorities

    • “big brothers” that everyone must trust

    • Simpler model to deploy

A fully functional pki
A Fully Functional PKI

  • Certification authority

  • Certificate repository

  • Certificate revocation

  • Key backup and recovery

  • Automatic key update

  • Key history management

  • Cross-certification

  • Support for non-repudiation

  • Time stamping

  • Client software


  • The need of PKI

  • Trust Model

  • PKI Structures

  • CA types

  • PGP

Pki major parts
PKI Major Parts

  • PKI is a system that uses public-key encryption and digital certificates to achieve secure Internet services.

  • There are 4 major parts in PKI.

    • Certification Authority (CA)

    • A directory Service

    • Services, Web servers

    • Business Users

Pki structure
PKI Structure

Certification Authority

Directory services

Public/Private Keys




Storing certificates and keys
Storing Certificates and Keys

  • Certificates need to be stored so that interested users can obtain them

    • This is not an issue. Certificates are “public”

  • Keys need to be stored for data recovery purposes

    • This weakens the system, but is a necessity

  • This is a function of most certificate servers offer

    • Those servers are also responsible for issuing, revoking, signing etc. of certs

  • But this requires the certificate server to generate the key pairs

Example wrong





Certification Server





Example (wrong)

Public key is submitted to CA for certification

User generatesa key pair

Certificate is sent to the user

Example good

This model allows key recovery

User request a certificate to CA






Certification Server





Example (Good)

CA generatesa key pair

CA generatescertificate

Private Key and Certificate are sent to the user

Ssl with pki
SSL with PKI

  • Server authentication is necessary for a web client to identify the web site it is communicating with

  • To use SSL, a special type of digital certificate – “Server certificate” is used

  • Get a server certificate from a CA

  • Install a server certificate at the Web server

  • Enable SSL on the Web site


  • The need of PKI

  • Trust Model

  • PKI Structures

  • CA types

  • PGP

Single ca
Single CA

  • A CA that issues certificates to users and systems, but not to other CAs

    – Easy to build

    – Easy to maintain

    – All users trust this CA

    – Paths have one certificate and one CRL

    – Doesn’t scale particularly well

Hierarchical pki
Hierarchical PKI

  • CAs have a hierarchical relationship (as in a tree)

  • All CAs trust the root CA

    • Root’s is self-signed

  • Root CA certifies its child CAs, and they in turn certify their child CAs, and so on.

  • Easy to establish/verify trust relationship between any two CAs

  • X509 pki approach to trust
    X509 PKI – Approach to Trust

    • Why should I trust a CA?

      • Cross-certification


    • The need of PKI

    • Trust Model

    • PKI Structures

    • CA types

    • PGP

    Pretty good privacy pgp
    Pretty Good Privacy (PGP)

    • Release in June 1991 by Philip Zimmerman (PRZ)

    • PGP is a hybrid cryptosystem that allows user to encrypt and decrypt

    • Use session key “a random generated number from the mouse movement or keystrokes”

    Pgp public key
    PGP Public Key

    • Philip R Zimmermann's Public Keys

    • Current DSS/Diffie-Hellman Key:

    • Key fingerprint: 055F C78F 1121 9349 2C4F 37AF C746 3639 B2D7 795E


    • Version: PGP 7.0.3

    • mQGiBDpU6CcRBADCT/tGpBu0EHpjd3G11QtkTWYnihZDBdenjYV2EvotgRZAj5h4ewprq1u/zqzGBYpiYL/9j+5XDFcoWF24bzsUmHXsbDSiv+XEyQND1GUdx4wVcEY5rNjkArX06XuZzObvXFXOvqRj6LskePtw3xLf5uj8jPN0Nf6YKnhfGIHRWQCg/0UAr3hMK6zcA/egvWRGsm9dJecD/18XWekzt5JJeK3febJO/3Mwe43O6VNOxmMpGWOYTrhivyOb/ZLgLedqX+MeXHGdGroARZ+kxYq/a9y5jNcivD+EyN+IiNDPD64rl00FNZksx7dijD89PbIULDCtUpps2J0gk5inR+yzinf+jDyFnn5UEHI2rPFLUbXWHJXJcp0UBACBkzDdesPjEVXZdTRTLk0sfiWEdcBM/5GpNswMlK4A7A6iqJoSNJ4pO5Qq6PYOwDFqGir19WEfoTyHW0kxipnVbvq4q2vAhSIKOqNEJGxg4DTEKecf3xCdJ0kW8dVSogHDH/c+Q4+RFQq/31aev3HDy20YayxAE94BWIsKkhaMyokAYQQfEQIAIQUCOlTwWwIHABcMgBE/xzIEHSPp6mbdtQCcnbwh33TcYQAKCRDHRjY5std5Xle4AKCh1dqtFxD/BiZMqdP1eZYG8AZgTACfU7VX8NpIaGmdyzVdrSDUo49AJae0IlBoaWxpcCBSLiBaaW1tZXJtYW5uIDxwcnpAbWl0LmVkdT6JAFUEEBECABUFAjpU6CcFCwkIBwMCGQEFGwMAAAAACgkQx0Y2ObLXeV5WUQCfWWfTDHzSezrDawgN2Z4Qb7dHKooAoJyVnm61utdRsdLr2e6QnV5Z0yjjiQBGBBARAgAGBQI6VOkSAAoJEGPLaR3669X8JPcAnim4+Hc0oteQZrNUeuMSuirNVUr7AKC1WXJI7gwMq0Agz07hQs++POJBMokARgQQEQIABgUCOlcobQAKCRDXjLzlZqdLMVBtAKDa5VPcb6NVH6tVeEDJUv+tBjp6oACeLoNtfbs2rvJkgKDHWEIDmJdgy2GJAD8DBRA6WP4Y8CBzV/QUlSsRAkmdAKC3TfkSSeh+poPFnMfW+/Y/+AAEEpGSUYAAQEAAAEAAQAA/9sAQwAKBwcIBwYKCAgICwoKCw4YEA4NDQ4dFRYRGCMfJSQiHyIhJis3LyYpNCkhIjBBMTQ5Oz4+PiUuRElDPEg3PT47///EALUQAAIBAwMCBAMFB

    • …………………………………………………………………..

    • QQEAAABfQECAwAEEQUSITFBBhNRYQcicRQygZk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2drh4uPk5ebn6Onq8fLz9PX29/j5+v/EAB8BAAMBAQEBAQEBAQEAAAAAAAABAgMEBQYHCAkKC//EALURAAIBAgQEAwQHBQQEAAECdwABAgMRBAUhMQYSQVEHYXETIjKBCBRCkaGxwQkjM1LwFWJy0QoWJDThJfEXGBkaJicoKSo1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoKDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uLj5OXm5+jp6vLz9PX29/j5+v/aAAwDAQACEQMRAD8A9mooooAKKKKACsjW/Eum6FGTdS7pcfLEv3j/AIfjWV428XHQrf7HY4e/lHXIxEvqfevH7y8lupXmmuJppWOZJC+AD9aly7GkIX1Z3OpfE3Up3K2EUVumcdN7fy/pWLL4415wPM1GWPJyNpK/0Fc5btG/Pktkfx7yTVhYAGLsAxbryf5c5rNvzNlG3Q6yz8ZaxEyudQkcZ+7JtYH867PRfG9nfIsd7/o8p/iI+U/4V5EI/IGV+XUGfnHy9iUsiGSa6q6Jew1XpTDJvAAICDACNUV4K2PS6h574Z3NaBsIQe5jkVO48MSohjC6s29CjPhlU79cQIYWmBpuNfwroZ6zltyz6Y2Fm65V0IfvVicR7zvFFCOhahMuk1cr+Qp936OMEq9sLZGxTjClgwrHGS7YpMSZrEC7bpOmERjo4F/n5YmCHJCH8QzCOc9+80gjVEsHiJVABrC8yykjKL5x1V/PSArE4QtMLbkBPGmQYOw8bx6jCHoO43QjUzbqRfBMHZqWVJyoIIZCp+n13XM4+NO/cDVsZ8bjch0LIOyMrT85n24yfXRlP0s7BFjLm59Jjhf4djuJWikJawWETlypAy86OYRRuwCbIyNauBeTKy+avZvF2oLvpwH4UnudpC06/O0jkj2lQpn9EEUw11RwO6sq9zYTwAUyKerN00cbCfyiZl01CIo0btcTO6hQK3c67PaloJ9lVH8/mH7LuqkMLDH5ugkpzmed/8SorfqVkakne6b4mRySFCBXaVZoKmDHzcH2oSSMhM9exyh6dzi1bGu6JAEwEGBECAAwFAjpU6CcFGwwAAAAACgkQx0Y2ObLXeV7lbQCg+N+fI3bzqF9+fB50J5sFHVHM7hYAn0+9AfDl5ncnr4D7 ReMDlYoIZwRR =Bgy+

    • -----END PGP PUBLIC KEY BLOCK-----