3.9 Public Key Infrastructure

Public Key Infrastructure

Lifecycle: key generation, certificate generation, distribution, storage, revocation, expiration

Digital certificates = binds a public key with a digital signature - digital signature adds a trust - PKI uses CA for additional trust

PKI trust relationship Single CA = everyone receives certificate from one authority Hierarchical = single CA issues certificates to intermediate CA, then intermediate assigns certificate to leaf CA

Registration Authority (RA) = entity requesting the certificate needs to be verified, RA identifies and authenticates the requester

Certificates

Domain Validated (DV) = owner of the certificate that has some sort of control over the DNS domain

Extended Validated Certificate (EV) = additional checks for the certificate owner's identity

Subject alternative name (SAN) = ability to add many different DNS domain names under a single certificate

Organization Validated (OV) = authenticated with nine validation checks and are considered a mid-level business certificate

Certificate Formats

X.509

Distinguished encoding rules (DER) = format designed to transfer syntax for data structures - binary encoding for X.509 certificates and private keys

Privacy-enhanced mail (PEM) = type of Public Key Infrastructure (PKI) file used for keys and certificates

PKCS#12 = or .pfx file is a file which contains both private key and X.509 certificate

CER = certificate of your server. It is usually received by the certificate authority for the domain - usually contains public key

Certificate Concepts

OCSP (online certificate status protocol) = real-time status checks on security certificates. used to check the revocation status of digital certificates

OCSP stapling = verification technique for the status revocation of X.509 certificates, where the server sends periodical status requests to the CA and passes on the CA’s response to the client browser

Pinning = adding the certificate to the application/server you are running, if the expected certificate doesn't match with the one pinned to the application, the app can decide what to do - associating a host with their expected X.509 certificate or public key

Key escrow = third party holds the decryption key, third party can release the keys under certain circumstances, such as a court order - a method of storing important cryptographic keys. Each key stored in an escrow system is tied to the original user and subsequently encrypted for security purposes Key Components: - Escrow Agent: A trusted third party responsible for securely storing the cryptographic keys. - Escrow Agreement: A legal agreement that outlines the terms under which the keys can be released. - Keys: The actual cryptographic keys used for encryption/decryption, which are stored securely by the escrow agent.