Share this
What Is Public Key Infrastructure and How Important Is It?
by PivIT Global on Oct 6, 2022 7:05:00 AM
One of the biggest challenges when using asymmetric encryption algorithms and digital certificates is providing secure distribution of public keys between the parties. In other words, how does the receiver know they have received a public key of the real system instead of the public key of an attacker pretending to be the real system?
The solution to this challenge comes from a framework consisting of processes, technologies, and policies that allow you to encrypt and sign data. This service framework is called Public Key Infrastructure (PKI). It supports scalable solutions that require the management of system and user identities. Moreover, it plays a vital role in HTTPS communications and VPN technologies.
In this article, we provide the following:
- an overview of the PKI,
- the terminology and components involved,
- the benefits it offers to modern security requirements, and
- review graphical examples to understand how the whole concept works.
View some of our other popular topics:
- The Best Wireless LAN Option: Aruba Wireless vs. Cisco Meraki Wireless
- Must-Have Port Security: Simple but Efficient Layer 2 Protection
- Telnet Versus SSH: How SSH Works and Why It's Better
PKI Overview and Its Components
The main idea behind using PKI is the third-party that guarantees that the identification presented by the remote peer can be trusted. Once that trust is established, any two entities can validate their identities and securely exchange data.
The PKI consists of two key terms: Certificate Authority (CA) and a certificate. The CA is the trusted third party responsible for signing the public keys of the entities in the form of an identity certificate. The certificate is a document that uniquely identifies an entity by binding together the personal information of the entity and its public key.
The goal is for entities to enroll with a PKI and download identity certificates that a CA of your choice signs. An identity certificate contains the entity's public key, and its legitimacy is proven by the CA's digital signature included on the certificate.
Once validated as legitimate, the certificate is accepted, and the public key is used by the peer later on in the process of establishing a session (symmetric encryption) key needed for protecting the data to be exchanged between the two entities.
Trusted Third-Party Example
Here's an analogy to understand the PKI third-party process better:
Let's say you apply for an ID card, which is the identity certificate in terms of PKI. You submit the requested information, and once the application is approved, the ID card is issued by the government agency, which represents the CA in terms of PKI.
Later on, when you withdraw money from the bank, you must show your ID card so they know who you are. Because the bank trusts the issuer of the ID card (the CA in our case), they allow the request to be processed.
Authenticating the CA
For an entity to verify a signature in an identity certificate presented by the peer entity, the user or entity must have the public key of the CA that issued that certificate in the first place.
This is done by requesting the CA's identity certificate, also known as the root certificate. This CA root certificate is self-signed and must be accepted by anyone that needs to verify the signatures in the identity certificates issued by that CA. The root certificates are free for download and, by default, pre-installed in mainstream web browsers.
As shown in the image above, the process can be broken down into two steps:
- Step 1: User A requests the root certificate of the CA.
- Step 2: Once downloaded, User A has the public key of the CA and can validate any identity certificate issued by that CA. Many vendors offer CA services, such as GoDaddy, VeriSign, Thawte, Comodo, and Verisign.
____________________
Still unsure of how all of this works? PivIT's EXTEND offering can step in to augment your team and remote in to configure your gear with expert-level engineers (SmartHands | EXTEND). If you need someone on-site, we have field services ready at a moment's notice.
____________________
PKI Enrollment: Issuing an Identity Certificate
PKI enrollment is the process where the entity gets an identity certificate from a CA.
As shown in the image above, the process can be broken down into five steps:
- Step 1: User A generates private and public keys.
- Step 2: The public key and other personal information are submitted to the CA of choice.
- Step 3: Once the CA verifies the enrolling user's identity and public key, the CA uses its private key to digitally sign (encrypt) the hashed version of the request.
- Step 4: After that, the signature is appended to the identity certificate (also called signing).
- Step 5: The identity certificate is sent to User A. From then on, User A can identify themselves to others by presenting this certificate until it expires or is revoked.
Keep in mind that certificates are not secret or encrypted because that is not needed in the PKI concept. The only protection involved is the digital signature, which proves authenticity and integrity.
Validating an Identity Certificate
Once the entities get their identity certificates and the CA's public key (root certificate), they can establish point-to-point relationships independently of the CA.
As shown in the image above, the process can be broken down into two steps:
- Step 1: Users A and B exchange their identity certificates.
- Step 2: The signatures are verified by using the public key from the root certificate of the CA. After being validated, the public keys from the identity certificates are considered trusted and can be used for other services required by both users.
X.509 Standard
X.509 is a well-known ITU-T standard that defines basic PKI data formats, such as the identity certificate format and the certificate validation algorithms. Currently, digital identity certificates use the X.509 version 3, which consists of numerous fields representing data such as the certificate serial number, expiration date, and signature. It also includes the issuer and subject public key.
Certificates play a considerable role in many different services used daily by enterprises, such as TLS connections, email protection, IPsec VPNs, etc. The image above is an example of what one identity certificate (in our case, it is from Google) looks like, what information might be included, and how it is structured.
____________________
OneCall's Sparing Integrity Program provides transparency by giving you the serial number, part ID, and location of your spare so you know it will be ready to deploy when needed.
____________________
Certificate Revocation Solutions
Like with any other technology, the PKI also has some setbacks. The biggest potential problem with PKI is the possibility for a key (private or public) to become compromised. In such a case, all CA clients must be alerted not to trust those keys (certificates) anymore. This process is called certificate revocation.
Two certificate revocation solutions can be applied:
- Cyclic Revocation List (CRL): A list containing all certificates no longer valid. It is stored on an HTTP server and is updated at regular intervals. It is the responsibility of the users to check the received identity certificate against the CRL. This is a manual method and often delays the newest information.
- Online Certificate Status Protocol (OCSP): A protocol for real-time verification of identity certificates against a database of revoked certificates. This approach eliminates the weakness of the CRL but heavily depends on highly available OSCP server infrastructure. OSCP is the recommended option.
Protect Your Legacy Hardware
Now that you are familiar with the PKI concept, you can quickly start implementing the PKI framework in your network and take advantage of its benefits. This will make things internally flawless and provide additional flexibility and broader support for other services.
Do you have legacy hardware that is coming up on its end-of-sale date? Roll those right onto PivIT's OneCall maintenance strategy, where you get dedicated spares so you can protect your critical infrastructure.
Share this
- Configuration Guides (47)
- Cisco Routers (29)
- Switches (27)
- Network Security (23)
- Cisco Switches (21)
- Routing Protocols (21)
- Routers (20)
- Cisco (19)
- Product Comparisons (19)
- Firewall (18)
- Cisco Security (17)
- Cisco Technical Information (17)
- IT Hardware Solutions (17)
- Network Protocols (17)
- Wireless (17)
- Security (15)
- OneCall (13)
- Servers (12)
- cisco asa (12)
- Cisco Wireless (11)
- Router Protocols (11)
- Cisco Catalyst (9)
- Cisco UCS (9)
- Upgrading Network (9)
- Cisco Servers (8)
- Product Highlight (8)
- Access Control Lists (7)
- Fortinet (7)
- Server Comparisons (7)
- Access Points (6)
- Arista Networks (6)
- OSPF (6)
- Wireless APs (6)
- Cisco ASR (5)
- Cloud Solutions (5)
- HPE-Aruba Wireless (5)
- Juniper Mist (5)
- Network Management (5)
- SD-WAN (5)
- Storage (5)
- Switch Comparison (5)
- Back To Basics (4)
- Cybersecurity (4)
- EIGRP (4)
- Firewall Architecture (4)
- HSRP (4)
- Juniper Networks (4)
- Network Automation (4)
- Network Servers (4)
- OEM Comparison (4)
- Aruba Central (3)
- Cisco Telephony (3)
- DHCP (3)
- DHCP Snooping (3)
- Dell EMC PowerEdge (3)
- Internet (3)
- Maintenance (3)
- Maintenance Renewal (3)
- Network Accessories (3)
- TPM (3)
- Telephony (3)
- aruba (3)
- Cisco NX-OS (2)
- Cisco Nexus (2)
- Dell Servers (2)
- Fortinet NGFWs (2)
- IT Trends (2)
- LAN Networks (2)
- Network Time Protocol (2)
- Palo Alto NGFWs (2)
- Rapid PVST+ (2)
- Remote Configuration (2)
- Software Defined Networking (2)
- WLAN (2)
- Ways to Save (2)
- fortigate (2)
- Asset Management (1)
- CPU Usage (1)
- Cisco AIR-CT (1)
- Cisco Aironet (1)
- Cisco DNA (1)
- Cisco ISR (1)
- Cisco Supervisor Engines (1)
- Cisco UCS Manager (1)
- Cognitive Campus (1)
- Cost of Downtime (1)
- Dell EMC Data Domain (1)
- Edge Switches (1)
- Fabric Extenders (1)
- GRE Tunnel (1)
- HPE BL (1)
- Juniper SRX (1)
- Nexus Switches (1)
- Nutanix (1)
- Optics (1)
- PowerEdge R740xd (1)
- STP Extension (1)
- Sparing Integrity Program (1)
- Switched Virtual Interface (1)
- TCP (1)
- UCS Fabric Interconnects (1)
- hyperconverge (1)
- April 2024 (2)
- March 2024 (1)
- February 2024 (2)
- January 2024 (1)
- December 2023 (1)
- November 2023 (2)
- October 2023 (1)
- September 2023 (3)
- August 2023 (5)
- July 2023 (2)
- June 2023 (4)
- May 2023 (5)
- April 2023 (8)
- March 2023 (7)
- February 2023 (5)
- January 2023 (2)
- December 2022 (3)
- November 2022 (3)
- October 2022 (8)
- September 2022 (9)
- August 2022 (9)
- July 2022 (8)
- June 2022 (9)
- May 2022 (5)
- April 2022 (3)
- March 2022 (1)
- February 2022 (2)
- November 2021 (2)
- October 2021 (1)
- September 2021 (2)
- August 2021 (2)
- July 2021 (3)
- June 2021 (2)
- May 2021 (4)
- April 2021 (4)
- March 2021 (2)
- February 2021 (1)
- January 2021 (2)
- December 2020 (2)
- November 2020 (2)
- October 2020 (2)
- September 2020 (2)
- August 2020 (4)
- July 2020 (5)
- June 2020 (4)
- May 2020 (6)
- April 2020 (2)
- March 2020 (1)
- February 2020 (2)
- January 2020 (2)
- December 2019 (1)
- May 2019 (2)
- April 2019 (5)
- February 2019 (1)
- January 2019 (3)
- December 2018 (1)
No Comments Yet
Let us know what you think