Public Key Infrastructure - How PKI works
PKI (Public Key Infrastructure)
PKI is a set of standards, procedures, software, and people for implementing authentication using public key cryptography. PKI is used to request, install, configure, manage and revoke digital certificates. PKI offers authentication via digital certificates, and these digital certificates are signed and provided by certificate authorities.
PKI uses public key cryptography and works with X.509 standard certificates. It also covers authenticating users and producing, distributing, maintaining, managing and revoking certificates. PKI is an infrastructure in which many things happen, not a process or algorithm in itself, so it consists of a number of components that together make the infrastructure work. As well as authentication, PKI also enables integrity, non-repudiation and encryption.
If a company wanted a public key to be trusted, it would require a digital certificate. It would have to request this certificate from a certificate authority (CA) or a registration authority (RA). The CA is a centralised authority that everyone should be able to trust for managing and maintaining certificates. The CA requires the company to fill in a number of details and validates the request before handing out a certificate. The certificate is proof that the company is who it says it is in the digital world (like a passport in the real world). An RA is simply an organisation that processes requests on behalf of a CA.
PKI combines well with Diffie-Hellman for secure key exchange, since Diffie-Hellman on its own provides no authentication. PKI is used in various protocols such as PGP and SSL.
Two main PKI models
The single CA model is used for small to medium sized companies or a flat network design. A single authority issues all of the certificates.
The hierarchical model is used in medium to large organisations. There is a root CA, which may be an in-house solution such as Microsoft's, or a publicly trusted company such as Verisign. Below it, separate subordinate CAs issue digital certificates for separate security domains. Hierarchical PKI is a multi-tiered approach suited to enterprise networks; the subordinate CAs hand out certificates to employees and other entities (systems and individual users).
A company requests a digital certificate.
The CA requires some information back from the company: usually some proof that they are who they claim to be, together with their registration information.
Once the CA is satisfied with the company's request, it issues a certificate containing the company's public key with the identity information attached. The public key and its related private key can be generated either by the CA or by the system on which the company will install the certificate. If the company generates them, the public and private key pair is created on the device and the public key is sent to the CA to be signed, while the private key stays on the device.
The CA signs and issues the company's digital certificate, which becomes their identification proving they are who they claim to be.
The company can now use this information to participate in the PKI system.
How two companies or two users establish a secure channel with each other using public keys.
Joe wants to communicate with Carl and so sends his certificate to Carl. Carl checks the CA signature on this certificate against the CA he trusts, Verisign for example: he uses Verisign's CA public key to verify that the CA signature on the certificate is genuine. If the certificate is valid then Carl can assume Joe is who he says he is, and the connection would be accepted. Then Joe checks Carl's certificate, and if that certificate is also fine and valid, the VPN process can proceed.
The process works by the two peers exchanging their public keys. Joe sends his public key to Carl and Carl sends his public key to Joe. Joe then uses the public key received from Carl together with his own private key to generate a symmetric key using the Diffie-Hellman algorithm. Carl follows the same process and produces exactly the same symmetric key as Joe, thus enabling them to communicate securely over the insecure internet. Both peers can now encrypt, transmit and decrypt data using their symmetric keys.
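The issuance steps above and Carl's check of Joe's certificate, as an added example written for this page (not code from the original) in Go using only the standard library: a constructed root CA issues Joe a certificate, and Carl verifies the CA signature against the root he trusts. The CA and subject names are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh P-256 key pair for subject and returns its certificate and private key.
// With parent == nil the certificate is self-signed (a root CA); otherwise the parent CA signs it.
func issue(subject string, usage x509.KeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // private key never leaves this side
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo serial; real CAs use random serials
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              usage,
		BasicConstraintsValid: true,
		IsCA:                  usage&x509.KeyUsageCertSign != 0,
	}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root
	// Only the public key goes into the certificate; the CA signs it with its own private key.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// verifyPeer is Carl's check: the CA signature on Joe's certificate must chain to a root
// Carl already trusts, and the validity period must cover the current time.
func verifyPeer(peer, trustedRoot *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := peer.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

func main() {
	ca, caKey := issue("Example Root CA (constructed)", x509.KeyUsageCertSign, nil, nil)
	joe, _ := issue("Joe", x509.KeyUsageDigitalSignature, ca, caKey)
	fmt.Println("Carl verifies Joe's certificate:", verifyPeer(joe, ca)) // prints <nil> on success
}
```

A certificate for "Joe" issued by a CA that is not in Carl's trust store fails verifyPeer with an unknown-authority error, which is exactly the case the CA signature check exists to catch.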
How a secure key is agreed upon by two peers
Wikipedia's guide to Public Key Infrastructure