Before reading this article, you may find useful to have a look at the preliminary post about encryption concepts for IT, that explains step-by-step the needs for a Public Key Infraestructure.
What is a Public Key Infrastructure (PKI)?
When establishing a communication between a sender and a receiver through a network, they may see convenient to have a trusted third party that is in charge of distributing the public keys to the agents involved in communication. These public keys would be digitally signed by the trusted third party.
In order to distribute public keys, this third party forges a digital certificate by appending the signed subscriber’s public key with details of the subscriber’s identity.
The organizational structure to distribute digital certificates through a third party is called Public Key Infrastructure (PKI).
The goal of using a third party, PKI and digital certificates is to achieve authentication during the communication, and removing vulnerabilities to man-in-the-middle (MITM) attacks.
A PKI is composed of:
- Subscriber
- Certification authorities (CA)
- Registration authorities (RA)
- Certification Revocation List (CRL)
- Certificate Practice Statement (CPS)
A subscriber or end entity is an entity that is participating in a PKI and is the subject of a certificate.
Certification Authority (CA) is how the trusted third party in charge of distributing certificates is called in PKI.
CA maintains a Certification Revocation List (CRL), that contains all compromised certificates, it means, certificates that have been leaked, lost, etc.
Certificates usually contains a Certificate Practice Statement (CPS), that provides information about how the CA issue certificates.
A CA can delegate some specific functions to a Registration Authority (RA). It is not mandatory to have a RA different to CA. Functions of RA are not fixed, but it is mainly to verify the identity of the subscriber.
You might also be interested in…
External References
- Mike Malone; “Everything you should know about certificates and PKI but are too afraid to ask‘; smallstep
- ISACA; “CISA Review Manual 26th Edition“, Chapter 5 “Protection of Information Assets”, section 5.4.5. “Encryption”, pp. 375-376
- EC-Council; Certified Ethical Hacker v10