Cryptography Reference
Figure 4.5. CA + RA Model (diagram labels: Certificate Authority, Registration Authority)
same time. Furthermore, the domination of a single organization responsible for
distributing certificates might lead to a monopoly by one organization in this technology,
resulting in excessive fees for distributing certificates. Hence, it is recommended that
we have a hierarchical CA architecture instead of a single CA model (Figure 4.5). This
recommendation could lead to multiple root CAs instead of a single CA.
A subset of the single CA model might include multiple Registration Authorities
spread across different domains. Each Registration Authority (RA) is responsible for
verifying the mapping between an end user's name and his public key. Upon
authenticating each end user, the intermediate RAs send a signed message to the CA with the
request to grant the public key certificate.
Although this model reduces the burden of having all work done by the CA, it is
still a single CA model and inherits most of the drawbacks associated with the single
CA model.
4.2.2 A Hierarchy of Certificate Authorities
In this model (Figure 4.6), each domain has a CA that is responsible for
authenticating the mapping between an end user's identity and the public key. Furthermore, each
domain can be subdivided into multiple CAs and RAs. A separate entity may take the
role of an RA, or it can be combined with the CA.
Hence, this model fosters healthy competition among the organizations that own the
root CAs. However, it increases the security risk: if the private key of any one
root CA is compromised, the result is a complete failure of the system. In practice,
a simple social engineering attack could trick less tech-savvy people into accepting
certificates and adding them to their trusted list of CAs.
However, in the world of wireless security networks, sensors can be preprogrammed not
to accept any new certificates from a non-trusted source.
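The preprogrammed trust list described above can be shown with a small path validator for a root CA, a domain CA and an end user. This is an added example, not taken from the original text: it substitutes toy textbook RSA over Mersenne primes (insecure, used only so it runs with the standard library), and the names `Root CA`, `Domain CA`, `Rogue Root` and `alice` are constructed.

```python
import hashlib
from types import MappingProxyType

E = 65537  # public exponent shared by every toy key below

def keypair(a, b):
    """Toy textbook-RSA key from Mersenne primes 2**a-1, 2**b-1. Not secure."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (public modulus, private exponent)

def tbs_digest(subject, subject_n, issuer, issuer_n):
    """Hash of the name-to-key binding, reduced into the issuer's modulus."""
    data = f"{subject}|{subject_n}|{issuer}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % issuer_n

def issue(subject, subject_n, issuer, issuer_n, issuer_d):
    """CA step: sign the binding between a subject name and its public key."""
    sig = pow(tbs_digest(subject, subject_n, issuer, issuer_n), issuer_d, issuer_n)
    return {"subject": subject, "n": subject_n, "issuer": issuer, "sig": sig}

def validate(chain, anchors):
    """Check a leaf-first chain. `anchors` (root name -> modulus) is the only
    source of trust; nothing presented in the chain can add to it."""
    for i, cert in enumerate(chain):
        parent = chain[i + 1] if i + 1 < len(chain) else None
        if parent and parent["subject"] != cert["issuer"]:
            return False  # chain is not linked issuer-to-subject
        # Top cert must be signed by a pinned root; others by the next cert up.
        issuer_n = parent["n"] if parent else anchors.get(cert["issuer"])
        if issuer_n is None:
            return False  # issuer is not in the preprogrammed list
        expected = tbs_digest(cert["subject"], cert["n"], cert["issuer"], issuer_n)
        if pow(cert["sig"], E, issuer_n) != expected:
            return False  # signature does not verify under the issuer's key
    return bool(chain)    # an empty chain proves nothing

def demo():
    """Constructed names and keys: one pinned root, one domain CA, one rogue root."""
    root_n, root_d = keypair(89, 107)
    dom_n, dom_d = keypair(61, 127)
    rogue_n, rogue_d = keypair(31, 521)
    user_n = keypair(17, 19)[0]
    anchors = MappingProxyType({"Root CA": root_n})  # read-only, like a preprogrammed sensor
    dom = issue("Domain CA", dom_n, "Root CA", root_n, root_d)
    good = [issue("alice", user_n, "Domain CA", dom_n, dom_d), dom]
    unknown = [issue("alice", user_n, "Rogue Root", rogue_n, rogue_d)]  # unpinned root
    spoofed = [issue("alice", user_n, "Root CA", rogue_n, rogue_d)]     # pinned name, wrong key
    return [validate(c, anchors) for c in (good, unknown, spoofed)]
```

`demo()` accepts only the chain that ends at the pinned root. Production path validation also checks validity periods, CA constraints and revocation, which this sketch leaves out.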