Dealing with brick-and-mortar businesses gives us plenty of opportunity to develop trust with a vendor. We can see the store, talk to the employees, and get a good look at how they do business. Internet transactions are far less transparent. We can't see who we are dealing with, don't know what type of operation they really run, and might not be sure we can trust them. The public key infrastructure (PKI) was made to address these concerns and bring trust, integrity, and security to electronic transactions.
PKI is a framework that consists of hardware, software, and policies that exist to manage, create, store, and distribute keys and digital certificates. The components of this framework include the following:
Certificate Authority (CA)
The best analogy of a CA is that of the Department of Motor Vehicles (DMV). This is the state entity that is responsible for issuing a driver's license, the gold standard for physical identification. If you cash a check, go to a night club, or catch a plane, your driver's license will be the one document universally accepted at all these locations to prove your identity. CAs are like DMVs: They vouch for your identity in a digital world. VeriSign, Thawte, and Entrust are some of the companies that perform CA services.
Now, a CA doesn't have to be an external third party; many companies decide to tackle these responsibilities by themselves. Regardless of who performs the services, the following steps must be performed:
1. The CA verifies the request for certificate with the help of the RA.
2. The individual's identification is validated.
3. A certificate is created by the CA, which verifies that the person matches the public key that is being offered.
Registration Authority (RA)
The RA is like a middle man: It's positioned between the client and the CA. Although the RA cannot generate a certificate, it can accept requests, verify a person's identity, and pass along the information to the CA for certificate generation.
RAs play a key role when certificate services are expanded to cover large geographic areas. One central CA can delegate its responsibilities to regional RAs, such as having one RA in the United States, Canada, Mexico, and Brazil.
Expect to see exam questions that deal with the workings of PKI. It's important to understand that the RA cannot issue certificates.
Certificate Revocation List (CRL)
Just as with driver's licenses, digital certificates might not always remain valid. Individuals might leave the company, information might change, or someone's private key might become compromised. For these reasons, the CRL must be maintained.
The CRL is maintained by the CA, which signs the list to maintain its accuracy. Whenever problems are reported with digital certificates, they are considered invalid and the CA has the serial number added to the CRL. Anyone requesting a digital certificate can check the CRL to verify the certificate's integrity.
Digital Certificates
Digital certificates are at the heart of the PKI system. The digital certificate serves two roles. First, it ensures the integrity of the public key and makes sure that the key remains unchanged and in a valid form. Second, it validates that the public key is tied to the stated owner and that all associated information is true and correct. The information needed to accomplish these goals is added into the digital certificate. Digital certificates are formatted to the X.509 standard. The most current version of X.509 is version 3. One of the key developments in version 3 was the addition of extensions. Version 3 includes the flexibility to support other topologies, such as bridges and meshes. It can operate as a web of trust, much like PGP. An X.509 certificate includes the following elements:
The Client's Role in PKI
Now, it might seem that, up to this point, all the work falls on the shoulders of the CAs, but this is not entirely true. Clients are responsible for requesting digital certificates and for maintaining the security of their private key. Loss or compromise of the private key would mean that communications would no longer be secure. Loss of the private key would be devastating. If you are dealing with credit card numbers or other pieces of user identity, this type of loss of security could lead to identity theft.
Protecting the private key is an important issue because it's easier for an attacker to target the key than to try to crack the certificate service. Organizations should concern themselves with seven key management issues: