Chapter 25: PKI Management

  

Introduction

The previous chapter defined the format of the X.509 digital certificate. The format is a guide to understanding the benefits and limitations of the Public Key Infrastructure (PKI). PKI provides the ability to create, store, distribute, manage, and revoke public keys with the use of the X.509 digital certificate format. Very few certificates are actually created by a user, except for testing purposes, because for subjects and issuers that are not inside the same organization, a path of trust must be established to certify that the message was encrypted by the sender's private key.

As a user, you cannot trust everyone who handles a certificate as it is being sent across the Internet, so PKI allows the receiver and sender of the secure message to only be concerned with trust points, commonly known as Trust Anchors (TA). The sender and receiver of the message are commonly known as the end entities. The TA is the point that an end entity will trust. A TA is normally a Certificate Authority (CA). The CA is a third-party company that is responsible for establishing a TA and a certificate path. The certificate path is the path that a certificate will take to transfer from one end entity to the other. Figure 25-1 gives an example.

Figure 25-1: Basic certificate path

Here is a description of Figure 25-1:

  • The purpose of the public key is to decrypt the message from user B. Because B encrypted the message with her private key, the message can only be decrypted with B's public key.

  • If the public key can be guaranteed to come from user B, it follows that the message came from user B.

  • If the public key from user B can decrypt the message, only the private key from user B can encrypt the message.

  • To decrypt the message, user A needs to get a public key from user B. If user A already has a trusted public key from B, there is no need to get the key.

  • If B has sent a message to A, PKI is the means to retrieve the key from user B. When retrieving the key, user A need only trust one entry point in this scenario, the CA. The CA is the Trust Anchor to both entities in the scenario.

  • User A needs to retrieve B's public key but doesn't know how to reach B. User A need only know about the common CA, the one that issues certificates to user A. The only public key user A holds is that of the Trust Anchor (TA): the TA is the public key that the user receives when registering his organization with the CA.

  • User A need only check its TA's certificate. The path to user B depends on user B's TA. User B also needs to know whom to trust. Because user A trusts the CA and the CA trusts user B, user A can trust user B.

  • User A can then receive user B's certificate and can trust the public key of the certificate. User A can then decrypt the message and know for sure that it came from user B.

Note  

The path of certificates is also known as the certificate chain, which is the chain of certificates needed to get from A to B.
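
The trust decision walked through for Figure 25-1, as an added example that is not from the book: user A accepts a message only if the sender's certificate chains to A's single trust anchor and the signature verifies under the public key in that certificate. It is written in Go rather than Java so the certificates can be generated inline with the standard library. The names Demo CA, Rogue CA and User B, the helpers `issue` and `accept`, and the use of Ed25519 keys are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue (demo helper) makes a key pair and certificate for cn; a nil parent yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // trust anchor: signs itself and is allowed to sign others
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// accept is user A's check: the sender's certificate must chain to A's one trust
// anchor; only then is its public key used to verify the signed message.
func accept(anchor, sender *x509.Certificate, msg, sig []byte) bool {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	_, err := sender.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil && sender.CheckSignature(x509.PureEd25519, msg, sig) == nil
}

func main() {
	ca, caKey := issue("Demo CA", nil, nil)
	rogue, rogueKey := issue("Rogue CA", nil, nil) // not in A's trust store
	b, bKey := issue("User B", ca, caKey)
	fake, fakeKey := issue("User B", rogue, rogueKey) // same name, untrusted issuer
	msg := []byte("hello A")                          // constructed sample message
	fmt.Println(accept(ca, b, msg, ed25519.Sign(bKey, msg)), accept(ca, fake, msg, ed25519.Sign(fakeKey, msg)))
}
```

Run stand-alone it prints `true false`: the second certificate also names User B, but it was issued by a CA that user A does not hold as a trust anchor.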

  


Java Security Solutions
ISBN: 0764549286
EAN: 2147483647
Year: 2001
Pages: 222
