CertiGuide to Security+  9  Chapter 4:  Basics of Cryptography (Domain 4.0; 15%)

4.5.10.1  Multiple Key Pairs (Single, Dual) 1 2 3 4 5 6 4.7  Success Questions

PKI (Public Key Infrastructure)

You explored PKI (Public Key Infrastructure), which is the combination of software, encryption technologies and services allowing organizations to protect the security of their communications and data. PKI’s are generally implemented with public/private key systems, and use digital certificates issued and validated by certificate authorities for authentication.

You discovered important elements of a PKI including:

• Digital Certificates, a digital ID card binding a public key to the individual or item such as a server identified by the certificate; most certificates are based on the X.509 certificate standard and include information like the X.509 version, expiration date, serial number, name of issuing certificate authority, name of individual to whom certificate belongs and their public key; versions in common use include X.509v2 and X.509v3 which adds custom extensions to X.509v2.
  
  
• Certificate Authority, or CA, the digital equivalent of a notary public, which is a trusted third party that can verify the legitimacy of a public/private key pair as belonging to the individual in question; they create key pairs, publish public keys in directories, provide services such as revocation and expiration for keys, verify certificate status in response to queries, etc.
  
  
• Certificate Policy, the set of rules issued by a CA indicating the applicability of a certificate to a class of applications with common security requirements; describes rules for the issuance, management and use of certificates issued by that CA.
  
  
• Certificate Practice Statement, or CPS, a more detailed statement of the procedures and policies used by the CA in managing the certificates it issues; includes operational procedures and a description of the organization’s certificate management system; tends to be much more detailed than a Certificate Policy.
  
  
• Certificate Revocation List, or CRL, a list of all revoked, expired or suspended certificates which is a time-stamped list digitally signed with the CA’s private key; one problem with CRL’s is that they are typically updated once a day or so, rather than in real time, so there can be a delay between the time revocation is requested and the time a certificate appears in the CRL.

In taking a more in-depth look at certificates, you learned that certificate authorities may be arranged in various ways; there may be a single certificate authority, or a combination of several, used in managing a PKI. “Trust” is the confident reliance on an entity or organization; in the PKI world it often describes the relationship between the certificate holder and the issuing CA, or viewer of a certificate and the issuing CA. “Trust models” are used to describe the “chain of trust”, that indicates how trust in an entity affects trust in other entities, similar to the way trusts work in Windows 2000 domain environments. Some common CA trust models include:

• Web of Trust, no central authority; each user creates and signs certificates for people they know; PGP uses this model.
  
  
• Single CA, each entity is issued a public key, over a secure channel, which is generally issued by a single CA; there is a single point of contact to check certificate status and to request certificate actions such as revocation.
  
  
• Hierarchical, a tree-structured model involving multiple CA’s with a Root CA at the top, using lower-level CA’s whose certificates are signed by the Root CA, for improved scalability; better for large hierarchical organizations like the military than for distributed, non-centralized peer-to-peer uses.
  
  
• Browser Trust List, or CA list, in which each user has a list of public keys for all the CA’s the user trusts.

4.5.10.1  Multiple Key Pairs (Single, Dual) 1 2 3 4 5 6 4.7  Success Questions