Cryptography Reference
In-Depth Information
6.2
Public-Key Infrastructure (PKI)
Who says that fictions only and false hair
Become a verse? Is there in truth no beauty?
Is all good structure in a winding stair?
George Herbert
(1593-1633), English Poet and Clergyman
A
public-key infrastructure
, or PKI, consists of a set of protocols and stan-
dards, which support and enable the secure and transparent use of public-key
cryptography. PKI is particularly important in
applications
requiring the use
of public-key cryptography. For instance, in Section 6.3, we will look at one
such application to a secure e-commerce scheme developed for credit card pay-
ments over the Internet, which will use the concepts we develop herein. As we
shall see, PKI may be used as a tool for authentication, key distribution, and
nonrepudiation. Section 6.1 dealt with several issues surrounding authenticity,
and key distribution. We discussed nonrepudiation briefly on page 162 when
we were comparing SKCs and PKCs; and on page 182 when we looked at the
DSS. In this section, we will formalize the notions surrounding PKI so we can
use it as a framework for such discussions as that surrounding the credit card
payment scheme in the next section.
PKI provides protocols for certification of public keys and verification of
certificates. The reason is that if Alice wants to be sure she is communicating
with Bob and not Eve, say, then she must have assurance that Bob's public key
actually belongs to Bob. This is where the role of a certificate comes into play.
We now discuss PKI with the role of providing key management through the
use of a
certification authority
(CA) and a
registration authority
(RA).
Role of the CA
The CA is an entity responsible for issuing
public-key certificates
, which
are tamperproof data blocks. A certificate contains (at least) the following:
entity identification; CA identifier; and a public key. These are used to bind the
individual name to the corresponding public key. The CA accomplishes this by
a7xing its private key as a digital signature, thereby performing
key registration
via the issuing of a certificate. Think of the certificate as being the analogue of
a driver's license.
Role of the RA
The RA typically plays the role of assisting the CA by establishing and
verifying the identity of entities, called
end users
, who wish to register on a
network, for instance. Other functions of the RA may include:
(1) Key predistribution for later online verification.
(2) Initiation of the certification process with the CA for end-users.
(3) Performance of certificate-management functions such as
certificate revo-
cation
(meaning the cancellation of a previously issued certificate).
Search WWH ::
Custom Search