
PUBLIC KEY INFRASTRUCTURE

AGENDA

• Concept of Certificate Authority (CA)
• Project PRAMAAN: Deployment and Scope of Work

Public Key Infrastructure
• Purpose of PKI: secure communication over a computer network
• Security is ensured through Digital Certificates & Digital Signatures
• Framework for managing Digital Certificates and Digital Signatures
• PKI policies and standards for “TRUST”
• TRUST: reliance on another person or entity
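• Direct Trust:
[Diagram: A and B, linked by "Trust"]
• Third Party Trust: a common trusted entity
[Diagram: A and B, each linked by "Trust" to a common third party, and by "Trust" to each other]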
• PKI: trust from a third party
• Third party: Certificate Authority or CA
• CA issues Digital Certificates
• Charge for services
• GlobalSign, VeriSign, CCA (Govt. of India)
• Hierarchical Trust Model
[Diagram: Root CA at the top, with three Digital Certificates (DC) below it]

Root CA
• Signs all certificates
• Publishes a self-signed certificate
• The self-signed certificate is created with the Root CA's own private key to verify its own identity
• Maintains the list of valid certificates issued by the CA
• Maintains the Certificate Revocation List (CRL)
• Limitation: if the private key is compromised, all DCs become worthless

Distributed Trust Model
[Diagram: Root CA at the top, two Intermediate CAs below it, and two groups of three DCs below them]

Distributed Trust Model
• Multiple CAs sign Digital Certificates
• These CAs are called Intermediate CAs
• Loss of a CA’s private key would compromise only those DCs that it had signed
• Establishes a chain of trust
• Basis of most digital certificates used on the internet

Digital Signature
• Electronic verification of the sender
• It serves three purposes:
  • Authentication
  • Non-Repudiation
  • Integrity

Digital Signature
[Diagram: signing and verification flow with the labels Digest, Private Key, DS, Public Key and recipient B]

Digital Certificate
• Weakness of Digital Signature: lack of authentication
[Diagram: A and B exchanging a DS, with the labels Private Key and Public Key, and the Public Key held at a Common Place]

Digital Certificate
• On receipt of a digitally signed message from A, B gets the public key of A from the central place to verify A’s DS
• On verification, B believes that the message was created by A and not altered in transit

Digital Certificate
• MAN-IN-THE-MIDDLE
[Diagram: man-in-the-middle C between A and B, with the labels DS, Private Key, X, and Public Key at the Common Place]

Digital Certificate
• C generates his own key pair and puts the public key at the central place
• C creates a new message, digitally signs it with his private key, sends it to B and tells B that he is A
• On receipt, B verifies the DS with the public key of C
• B has no idea about the true identity of the sender because anyone can pretend to be A

Digital Certificate
• A Digital Signature by itself does not verify the identity of the sender and his public key
• Solution: Digital Certificate
• Digital Certificates are electronic credentials issued by a trusted third party, i.e. a CA
• Information contained in a DC (X.509):
  • Certificate owner’s name
  • Owner’s public key and validity period
  • CA’s name
  • Digital signature of the CA
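
Added example (not part of the original slides): a Python sketch of the two situations above, B taking A's key from an unauthenticated common place versus B accepting only a key bound to the name "A" by the CA's signature. The RSA here is a toy (textbook RSA on fixed Mersenne primes, no padding), the certificate is a simplified stand-in for X.509 without validity period or CRL check, and all function and variable names are assumptions made for illustration.

```python
import hashlib

# Toy textbook RSA on fixed Mersenne primes, no padding: illustration only.
def make_key(p_bits, q_bits, e=65537):
    p, q = 2**p_bits - 1, 2**q_bits - 1
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(digest(data, priv["n"]), priv["d"], priv["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == digest(data, pub["n"])

# Situation 1: B looks the sender's key up in an unauthenticated common place.
def accept_from_directory(directory, claimed, msg, sig):
    return verify(directory[claimed], msg, sig)

# Situation 2: the key arrives inside a certificate signed by the CA.
def tbs(owner, pub, issuer):
    # The fields the CA signs: owner name, owner public key, CA name.
    return f"{owner}|{pub['n']}|{pub['e']}|{issuer}".encode()

def issue_cert(signer_priv, issuer, owner, pub):
    return {"owner": owner, "pub": pub, "issuer": issuer,
            "sig": sign(signer_priv, tbs(owner, pub, issuer))}

def accept_with_cert(ca_pub, claimed, cert, msg, sig):
    # B trusts only the CA's public key; everything else must chain to it.
    bound = verify(ca_pub, tbs(cert["owner"], cert["pub"], cert["issuer"]), cert["sig"])
    return bound and cert["owner"] == claimed and verify(cert["pub"], msg, sig)

ca_pub, ca_priv = make_key(607, 521)
a_pub, a_priv = make_key(127, 107)
c_pub, c_priv = make_key(89, 61)

msg_a = b"constructed message really from A"
msg_c = b"constructed message from C posing as A"
sig_a, sig_c = sign(a_priv, msg_a), sign(c_priv, msg_c)

directory = {"A": c_pub}                            # C placed its key under A's name
cert_a = issue_cert(ca_priv, "CA", "A", a_pub)      # CA vouches for A's key
cert_fake = issue_cert(c_priv, "CA", "A", c_pub)    # C can only sign with its own key

if __name__ == "__main__":
    print(accept_from_directory(directory, "A", msg_c, sig_c))     # B is fooled
    print(accept_with_cert(ca_pub, "A", cert_fake, msg_c, sig_c))  # forged cert rejected
    print(accept_with_cert(ca_pub, "A", cert_a, msg_a, sig_a))     # genuine cert accepted
```
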

Secure Socket Layer
• Browser requests a secure web page from the Web Server
• Web Server sends its own public key with an SSL Certificate signed by a CA
• Browser trusts the public key of the Web Server by verifying the Digital Signature using the known public key of the CA
• Browser generates a symmetric key
• Browser encrypts its own “symmetric key” with the public key of the Web Server and sends it to the Web Server

Secure Socket Layer
• Web Server decrypts the symmetric key with its own private key
• Subsequent communications happen with encryption using the symmetric key of the browser
