A Brief Guide To PKI

Security can be a very complex subject because of all the different algorithms and mechanisms that can be employed in order to secure data. This guide looks primarily at public/private key pairs and certificates. These are the building blocks of a Public Key Infrastructure (PKI). This is essentially what we are building with our free certificate authority (CA).

First of all we should probably examine exactly what a CA is. It's simply an organisation (like us) that creates and makes available certificates. Anybody could create their own certificates, but how would we know genuine ones from fake ones? This is where the CA comes in. It's the CA's responsibility to validate that the owners of certificates are who they say they are. Certificates issued by a CA are signed by the CA to verify this fact. If you trust the CA then you can implicitly trust the certificates signed by them.

Next we should clarify what a certificate actually is. A certificate is often called a public key certificate. A certificate is simply a file that contains information about someone, a server or an organisation. A public key certificate also contains the public key for the subject of the certificate. Certificates and keys are heavily intertwined so we'll take a look at keys before exploring the uses of certificates any further.

There are different types of keys in cryptography but we are concerned with a subset called asymmetric keys, or public/private key pairs. As the name suggests, this is a pair of keys: a private one and a public one. The private key is usually derived from a password or pass phrase and should never, ever be divulged to anyone (unless you REALLY trust them). The public key is created to work with the private key to create an asymmetric key pair. The public key can be distributed freely as people will use this to validate your digital signature or to encrypt data for you.

In normal encryption some data is encrypted with a password. The encrypted data can then be decrypted using the same password. This mechanism is known as symmetric encryption. However, we are concerned with asymmetric encryption. So what's the difference? Whenever you encrypt data using your public key it can only be decrypted using your private key; and vice versa, when data is encrypted using your private key it can only be decrypted using your public key. Hence the term asymmetric: the same key can't be used to both encrypt and decrypt data.

At this point I should clarify that a key is simply a binary string that is used in cryptographic algorithms.

Given what we know about keys so far we can work through an example. Assume that Alan and Michelle have both registered and created their own keys and certificates. Alan now wants to send some encrypted information to Michelle. Michelle's public key is publicly available, so Alan can install Michelle's public key certificate and use that to encrypt a message for Michelle. Remember the asymmetric nature of the keys: the encrypted data can be decrypted ONLY by Michelle's private key. Given that Michelle is the only person to know the private key, Alan has successfully created a secret message that only Michelle can decrypt and view. What Alan should not do is use his own private key to encrypt the message, because the encrypted message could then be decrypted with Alan's public key, which of course is publicly available to everyone, so the message would not be very secure.

However, what Alan can do with his private key is to sign documents. This involves another cryptography staple called hashing. A hash is like a fingerprint of data - a small amount of data that is generated by applying an algorithm to the data being signed. This hash is then encrypted using Alan's private key. This can only be decrypted using Alan's public key, which is readily available. In order to validate that the document hasn't been tampered with, readers of the document can create a hash of the document. By decrypting the signature with Alan's public key they can compare the hashes to see if they match. If they don't match, it's possible that the document has been altered.
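The Alan and Michelle exchange and the signing steps described above, as an added example that is not part of the original guide. It uses textbook RSA with toy keys constructed from well-known Mersenne primes so that it runs with only the Python standard library; the function and variable names are assumptions made for this illustration, and real systems add padding (PSS for signatures, OAEP for encryption) and use randomly generated keys from a maintained library.

```python
import hashlib

E = 65537  # widely used public exponent

def make_keypair(k1, k2):
    """Toy RSA key pair built from two Mersenne primes 2**k - 1 (constructed demo keys)."""
    p, q = 2**k1 - 1, 2**k2 - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))   # private exponent (Python 3.8+)
    return (n, E), (n, d)                # (public key, private key)

def digest(document: bytes) -> int:
    """The document's SHA-256 'fingerprint' as an integer."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")

def sign(document: bytes, private_key) -> int:
    """Transform the hash with the signer's private key."""
    n, d = private_key
    return pow(digest(document), d, n)

def verify(document: bytes, signature: int, public_key) -> bool:
    """Recover the signed hash with the public key and compare with a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == digest(document)

def encrypt(message: bytes, public_key) -> int:
    """Encrypt for the key's owner; only the matching private key reverses it."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key")
    return pow(m, e, n)

def decrypt(ciphertext: int, private_key) -> bytes:
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

# Constructed demo keys: never use fixed, publicly known primes for real keys.
ALAN_PUB, ALAN_PRIV = make_keypair(521, 607)
MICHELLE_PUB, MICHELLE_PRIV = make_keypair(1279, 2203)

if __name__ == "__main__":
    doc = b"Alan agrees to the terms."               # constructed sample document
    sig = sign(doc, ALAN_PRIV)
    print("genuine document :", verify(doc, sig, ALAN_PUB))
    print("altered document :", verify(doc + b" (edited)", sig, ALAN_PUB))
    secret = encrypt(b"meet at noon", MICHELLE_PUB)  # Alan uses Michelle's public key
    print("Michelle reads   :", decrypt(secret, MICHELLE_PRIV))
```
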

Certificates are also used for securing websites, validating visitors to websites, securing Internet communications etc. Anywhere that security is needed, certificates are appropriate. If you want to get your own certificate, register today.