Cryptography Reference
In-Depth Information
Figure 4.7 portrays the basic PKI model that is used in many enterprises.
1. In this example, Alice must first enroll or register with the RA in order to par-
ticipate in the PKI. Alice generates a private/public key pair and sends the public
key along with the related identity information to the nearest RA.
2. The RA validates Alice's information and forwards the related information to its
CA (CA1). In an enterprise environment, this process is tightly controlled and
the entity that plays the role of an RA is assumed to be trusted.
3. The main objective of CA is to bind the identity information along with the
credentials supplied by RA with Alice's public key. The binding is established
when the CA digitally signs the public key certificate that is sent back to Alice.
4. If Bob is interested in communicating securely with Alice, he will need Alice's
public key certificate. Hence, he sends a request to Alice to procure the public
key certificate.
5. Alice responds to the request by sending her digital certificate.
6. Upon receiving the digital certificate, Bob needs to validate the certificate and
sends this certificate to CA1.
7. The concerned CA (CA1) checks with the repository that stores the Certificate
Revocation List (CRL) to see if the certificate has expired. In addition, Bob
verifies the CA's digital signature by using his CA's public key embedded in the
other root CA (CA1's certificate). If CA1's certificate is not already stored in
Bob's cache, he needs to send a request to CA1 in setup 6.
8. Upon successfully verifying Alice's certificate, Bob can send an encrypted mes-
sage to Alice.
4.2.3 Pros and Cons of PKI
Although PKI has existed for more than two decades, and has revolutionized security
for online business models (e-commerce), it is by no means a panacea that facilitates
seamless end-to-end security and allows the business world to accept it with utter con-
fidence. Even though PKI provides a robust user authentication mechanism in the
enterprise domain, major problems have been encountered in leveraging digital cer-
tificates in encryption. In the enterprise world, the preenrollment problem persists in
PKI, where senders need to ensure that receivers have their certificates (usually stored
in a repository) before sending an encrypted message to their receivers. First, the intro-
duction of third parties maintaining public key certificates introduces problems such
as trust. A receiver who is in the process of verifying the sender's digital signature will
trust the root CA of that sender's domain. Second, the possibility of information leak-
age exists, and third, whether the binding between the certificate and binding was
legitimate at the time of issuance may also be a concern.
In the context of WSN, the direct application of PKI presented in Figure 4.7 is not
practical, as it would introduce extra communication overhead in a resource-constrained
system. The lack of a trusted infrastructure in an ad-hoc, decentralized environment
makes it difficult to apply the concept of certificate authority directly. Second, it is not
Search WWH ::




Custom Search