6.3 Explain the core concepts of public key infrastructure
Three basic types of distributed trust models are:
Hierarchical trust model: One root CA and one or more subordinate CAs are present. The subordinate CAs provide redundancy and load balancing. The root CA is usually offline. Even if a subordinate CA is compromised, the root CA can revoke the subordinate CA, thus providing redundancy.
Web of Trust: This is also called the cross-certification model. Here CAs form a peer-to-peer relationship. This model becomes difficult to manage as the number of CAs grows. This kind of trust relationship may arise when different divisions of a company have different CAs and need to work together. Here CAs must trust one another.
Bridge CA architecture: A Bridge CA overcomes the complexity of the Web of Trust model. Here the Bridge CA acts as the central coordination point. All other CAs (known as principals) must trust only the Bridge CA.
If the CA's private key is compromised, certificates issued by that CA are affected. This will lead to issuance of new certificates to all users, and registration. These problems can be overcome by use of a distributed trust model, in which multiple CAs are involved.
Certificate Revocation List (CRL): A certificate revocation list (CRL) is a list of certificates that have been revoked and are no longer valid.
A digital certificate is a credential issued by a trusted authority that binds you (an individual or an organization) to an identity that can be recognized and verified electronically by other agencies. Locally issued digital certificates are valid only within an organization's network (like an intranet). Therefore, any secure pages or digital signatures containing local registration will not work on the Internet.
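The hierarchical trust model and the CRL described above can be seen working together in the following added example, which is not part of the original notes. It is a constructed model: the CA names, serial numbers and the `validate` helper are assumptions for illustration, and signature and validity-period checks are left out so that only revocation along the chain is shown.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass
class CA:
    """Constructed model of a CA: its issuer and the serials it has revoked."""
    name: str
    serial: int
    issuer: Optional["CA"] = None            # None marks the self-signed root
    crl: set = field(default_factory=set)    # this CA's revocation list

    def revoke(self, serial: int) -> None:
        self.crl.add(serial)

@dataclass
class Cert:
    subject: str
    serial: int
    issuer: CA

def validate(cert: Cert, trust_anchor: CA) -> Tuple[bool, str]:
    """Walk from the end-entity cert up to the trust anchor, checking each
    issuer's CRL. Assumption: signatures and expiry are verified elsewhere."""
    subject, serial, issuer = cert.subject, cert.serial, cert.issuer
    while issuer is not None:
        if serial in issuer.crl:
            return False, f"{subject} revoked by {issuer.name}"
        if issuer is trust_anchor:
            return True, "chain ok"
        # Move one level up: the issuer's own certificate is checked next.
        subject, serial, issuer = issuer.name, issuer.serial, issuer.issuer
    return False, "chain does not reach the trust anchor"

def demo():
    root = CA("Root CA", 1)
    sub_a = CA("Sub CA A", 2, issuer=root)
    sub_b = CA("Sub CA B", 3, issuer=root)
    alice, carol = Cert("alice", 100, sub_a), Cert("carol", 101, sub_a)
    bob = Cert("bob", 200, sub_b)
    sub_a.revoke(carol.serial)       # ordinary revocation of one certificate
    before = validate(alice, root)
    root.revoke(sub_a.serial)        # Sub CA A compromised: root revokes it
    return before, validate(alice, root), validate(bob, root), validate(carol, root)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Once the root lists the subordinate CA on its CRL, every certificate issued under that subordinate fails validation, while certificates issued by the other subordinate CA are unaffected.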
6.4 Implement PKI, certificate management and associated components
Public Key Infrastructure (PKI): It is a framework for all of the entities involved in digital certificates, including hardware, software, people, policies, and procedures, to create, store, distribute, and revoke digital certificates. PKI is essentially digital certificate management.
A key is required to encode/decode a message, and the security of a message depends on the security of the key.
A ciphertext is the encoded message.
A certificate is a document digitally signed by a trusted authority.
Recovery agent: It is responsible for recovering lost or damaged digital certificates.
Key escrow: Key escrow refers to a process in which keys are managed by a third party, such as a trusted CA. In key escrow, the private key is split and each half is encrypted. The two halves are sent to the third party, which stores each half in a separate location. A user can then retrieve the two halves, combine them, and use this new copy of the private key for decryption. Key escrow relieves the end user from the worry of losing her private key. The drawback to this system is that after the user has retrieved the two halves of the key and combined them to create a copy of the key, that copy of the key can be vulnerable to attacks.
Copyright © Anand Software and Training Private Limited.