PKI Part II: Certification Authorities

In Part I of this series, I described public-key cryptography and why it is useful. In this installment, I will discuss what makes PKI an infrastructure. We discovered last time that while public-key cryptography is an excellent solution for signing and encrypting data, it is worthless if you can’t be certain of where the public key came from. The missing ingredient is the trusted third party.

The role of trusted third party in a PKI is normally performed by a certification authority (CA). The CA issues digital certificates that bind identifying information about end entities (e.g. people, servers) to a public key. When the certificate is prepared, it is digitally signed by the CA so that anyone who trusts the CA can be sure they are communicating with the entity described by the certificate.

In order to sign certificates, a CA must have its own public/private key pair. That means that a CA also needs a certificate which may be issued to it by another CA or itself. A CA that signs its own certificate is called a trust root. A trust root must be absolutely trusted. If it is not, then every certificate it signs, the certificates signed using those certificates, and so on can not be trusted. Fortunately, there are far fewer trust roots than end entities making it a much more manageable task to decide who you can trust.

Another job of the CA is to revoke certificates. A certificate may be revoked for a number of reasons. The associated private key may have come under someone else’s control or the owner of the private key may no longer be a part of the organization. All of these revoked certificates are added to the Certificate Revocation List (CRL) which is issued and digitally signed by the CA. The CRL is updated periodically with the latest revocations and made readily available so that the revoked certificates may not be abused.

Now that there is a way to bind an entity to a public key, you can be sure that your communications using public-key cryptography are trustworthy. In the third part of the series, I will introduce some final details.

Each Thursday, Security Musings features a security-related technology or tool.  Featured items do not imply a recommendation by Gemini Security Solutions.  For more information about how Gemini Security Solutions can help you solve your security issues, contact us!