Cryptography Reference
In-Depth Information
(4) Key generation (in the absence of a CA to do so).
PKI Services
1. Certificate creation, distribution, management, and revocation.
2. PKI-enabled services, that are
not
part of the PKI, can be built upon the
core PKI, and these include secure communications and timestamping.
3. A PKI, in itself, may
not
involve any cryptographic operations with the keys
that it is managing. A common feature of all PKIs is a set of certification
and validation protocols, since the fundamental core predicate of PKI is
the secure management of public keys, as well as nonrepudiation.
Certificates
By a
certificate
we will mean the ISO/ITU-T X.509 Version 3 public-key
certificate format. The ITU is the International Telecommunication Union,
which was established on May 17, 1865 (as the International Telegraph Union)
to manage the first international telegraph networks. The name change came
in 1906 to properly reflect the new scope of the Union's mandate. The ITU-T
is the ITU Telecommunication Standardization Section, one of three sections
of ITU, established on March 1, 1993. In conjunction, ISO (see page 218) and
ITU-T form world standards such as the X.509, which is a public-key certificate.
Version 3 (as specified in [128]) was developed to correct deficiencies in earlier
versions, and has become the accepted standard so that often the term
certificate
is used to mean this version of X.509. Version 3, denoted by X.509V3, contains
each of the following fields: (1) version number; (2) certificate serial number;
(3) signature-algorithm identifier; (4) issuer name; (5) validity period; (6) entity
name; (7) entity public-key information; (8) issuer unique identifier; (9) entity
unique identifier; (10) extensions; (11) signature; (12) In addition, the extensions
field can contain numerous types such as authority key identifier, extended key
usage, and private-key usage period.
PKI Trust Models
In PKIs, the
trust models
are used to describe the relationships of CAs with
end users and others. We describe only two of them.
1.
User-Centric Trust
. In this model, each user makes the decision as to
which certificates to accept or reject. There is an implementation, used by
Pretty Good Privacy
(PGP), about which we will learn in Chapter 8, when
we discuss e-mail security. In this implementation, a user, such as Alice,
exchanges certificates which are public keys of those other users with whom
she wants to communicate. She protects her certificate from alteration by
signing it with her private key. Upon receipt of Bob's certificate, say, Alice
acts as a CA by assigning it one of the following levels:
(1)
Complete trust
, meaning that she trusts Boband anyone whose cer-
tificate is signed with Bob's key.
Search WWH ::
Custom Search