Monday, May 1, 2017

PKI

PKI (Public Key Infrastructure) is a structured standards-based technology that is utilized by corporate intranets are well as internet-based eBusiness applications.

PKI is to authenticate users or machines and to encrypt data transmission between two entities.

The component of PKI:
* Certificate Authority(CA)
* Public/Private Key Pair
* Digital Certificate
* Certificate Trust Chain/Certificate Hierarchy
* Key Management

A CA is the trusted authority that issues digital certificates to individuals or to servers or websites to allow them to prove and attest to their identity.

Data encrypted with the public key can only be decrypted by the private key, and data signed by the private key can only be validated using the public key.

Digital Certificate is the electronic commerce worlds version of a password or driver's license.
The most widely accepted format for Digital Certificates is defined by the X.509 international standard. Basic attributes of the X.509 standard are the owner's name and public key, expiration date of the public key, issuing Certificate Authority's name and its digital signature and the serial and version number of the Digital Certificate.

Alice                        

Sign email using private key
Encrypt email using Bob's public key

Bob
Encrypt email using Private key
Validate signature using Alice's public key

Certificate Trust chain:
Root CA
Intermediate/Subordinate CA
Issuing CA

Key Management: Private keys must be securely generated and stored.

Certificate Encoding Formats

Base64
PEM (privacy enhanced mail) format is the most common format that Certificate Authorities certificates in. PEM certificates usually have extensions such as .pem , .crt, .cer and .key. PEM format is Base64 ASCII format.
DER (Distinguished Encoding Rules) format supports storage of a single certificate. The DER format is a binary form of a certificate.

SSL
Secure Socket Layer technology is the global standard security technology for establishing an encrypted link for secure data exchange between clients and web servers.
SSL 3.0 served  as the basis for TLS 1.0.
The Internet Engineering Task Force (IETF) created TLS (Transport Layer Security) as the successor to SSL.

SSL/TLS communication:
1 Client visits secure web site https:// (ClientHello)
2 Server asserts its site identity by sending back its own SSL certificate's public key to the client's browser. (Server Hello)
3 Client verifies the server's identity. Performs certificate chain validation. (trusted CA, not expired, not revoked)
4 Server sends a request to the client to send its client certificate.
5 Client selects and sends an appropriate certificate to the server
6 Server verifies client authenticity
7 Client : When mutual authentication is complete and both client and server are assured, the client then generates a key called "session key" or "pre-master key", encrypts it using the server's public key, send the pre-master key to the server.
8 Server uses its private key to decrypt the pre-master key and generate master key for data exchange.
9 Client and server use the negotiated master key to encrypt and decrypt the data.

Use private key size of 2048 to ensure strong authentication.
Comply with Payment Card Industry (PCI DSS) standards.



No comments:

Post a Comment