PKI Basics - A technical perspective

1 The electronic information systems today are as complex as the business relationshipsthey need to serve. The words Information Security are now familiar at the highest levelsof corporate structures. The security consultant is taking his place as an advisor alongwith the legal and accounting experts that are essential to conducting business security, when approached from a corporate perspective , is an enabler oftraditional business goals in an electronic environment. Improved revenue through ac-cess to new markets, reduced costs through the efficiencies of extranet and internet deliv-ery of information, compliance with government and industry regulations regarding theprivacy of personal information, and reduced risk of liability are only a few examples ofthe business objectives that can be enabled by having a cogent security policy and securitydelivery infrastructure.

2 The question today is not whether to build a security infrastruc-ture but rather which one to build. [ROI]One of the most crucial questions in any business transaction is the identity of the entitywith which the transaction is being conducted. Historically, personal relationships, face-to-face contract signings, notaries, and third party counsel are used to help establish trustin this most important aspect of conducting our business. As the reliance on paper shiftsto electronic transactions and documents, so must the reliance on traditional trust fac-tors shift to electronic security measures to authenticate our electronic business partners,customers, and suppliers before engaging in the exchange of information, goods, andservices.

3 Similarly, the need for confidentiality and confidence in the integrity of ex-changed information is critical. Extending this list of security services, there may befurther need to establish the non-repudiation of agreements, and to digitally notarize andsecurely timestamp transactions. [BUS] PKI Basics - A TechnicalPerspective is a deliverablefrom the PKI Forum s BusinessWorking Group (BWG). Severalmember organizations andindividuals have contributed byproviding content, editorialassistance and editorial :Shashi KiranNortelPatricia LareauPKI ForumSteve LloydPKI ForumAcknowledgementsThis paper is the companion piece to the paper PKI Basics : a Business Perspec-tive in the Forum s PKI Notes Series.

4 Together the two papers provide a concise,vendor neutral introduction to the PKI technology from business and technicalperspectives. The audience for this technical perspective includes both thebusinessperson looking for a high level description of the technology and the ITprofessional who is unfamiliar with PKI concepts. Our goal is to familiarize thereader with the terminology of PKI, the architectural components and how theyinteract, and the certificate life-cycle management 2002 IntroductionPKI Basics - A technical PerspectiveIntroduction1 The Cryptographic BuildingBlocks2 PKI Defined4 The PKIX ArchitectureModel4 End Entities6 Certification Authority (CA)6 Registration Authority (RA)

5 7 Repositories7 Certificate Revocation List Issuers 8 PKIX Management Functions 8 Registration8 Initialization8 Certification9 Key Pair Recovery9 Key Pair Update9 Revocation Request10 Cross-Certification10 Additional Management Functions 10 PKIX Management Protocols11 PKIX Certificate Discovery andValidation Protocols11 References13 Table of ContentsPKI Forum: PKI Basics - a technical perspective : November 20022 Introduction continuedWhy Sign?In electronic commerce , theestablishment of trust is only must we trust theidentity of the business partnerbut we must also have utmostconfidence in the transactionitself.

6 Digitally signing atransaction can achieve both ofthese trust objectives. PublicKey is a well-vetted, well-understood technology. Thetrust is built into theInfrastructure by design. Noother signing solution canprovide the pre-conditions forlegal validity as consistently orcomprehensively as a signatures alonecannot address all the realworld issues associated withsignatures, but PKI digitalsignatures can mitigate thoserisks introduced by theelectronic the world of commerce becomes increasingly dependent on the electronic storage,accessibility, and delivery of valuable information, the question of maintaining a level oftrust in all those business processes.

7 Which is commensurate with the levels well estab-lished in the brick and mortar world, becomes critical. All of the security services men-tioned above must be utilized to maximize the advantages of electronic commerce . PKIprovides a well-conceived infrastructure to efficiently deliver these services in a cohesivemanner. PKI is a long-term solution, as any infrastructure should be considered. Itsreturn is through the ongoing progression of business applications it enables to conductbusiness From the cryptographic underpinnings and building blocksthrough the architecture, certificate life cycle management, and deployment topics, thisnote is meant to give a vendor-neutral introductory explanation of the PKI technology Cryptographic Building BlocksTo facilitate the architectural discussions that follow, this section describes, at a high level.

8 The cryptographic underpinnings of the technology and why it provides such valuableelements with which to build a security infrastructure. Cryptography is fundamentallybased on the use of keys that are used to encrypt and decrypt data1. There are two typesof cryptography: 1) secret key or symmetric and 2) public key or asymmetric. Secret keycryptography is characterized by the fact that the same key used to encrypt the data isused to decrypt the data. Clearly, this key must be kept secret among the communicatingparties; otherwise the communication can be intercepted and decrypted by the mid 1970 s, symmetric cryptography was the only form of cryptography avail-able, so the same secret had to be known by all individuals participating in any applica-tion that provided a security service.

9 Although this form of cryptography wascomputationally efficient, it suffered from the fact that it could not support certainsecurity services, and it presented a difficult key management problem since the secretkeys had to be distributed securely to the communicating parties. However, this all changedwhen Whitfield Diffie and Martin Hellman introduced the notion of public key cryptog-raphy with the publication of their New Directions in Cryptography paper [DH] in1976. This represented a significant breakthrough in cryptography because it enabledservices that could not previously have been entertained as well as making traditionalsecurity services more key cryptography is based on the use of key pairs.

10 When using a key pair, only oneof the keys, referred to as the private key, must be kept secret and (usually) under thecontrol of the owner. The other key, referred to as the public key, can be disseminatedfreely for use by any person who wishes to participate in security services with the personholding the private key. This is possible because the keys in the pair are mathematicallyrelated but it remains computationally infeasible to derive the private key from knowl-edge of the public key. In theory, any individual can send the holder of a private key amessage encrypted using the corresponding public key and ONLY the holder of theprivate key can read the secure message ( can decrypt it).