INTRODUCTIONIf BOB wants to send message to ALICE, Bob needs only Alice public key .Public key is freely available to every oneAny one can have access to anybody’s key.In public key Cryptography , every one shields private key and advertise public key.In other words, every one has access to everyone’s public key; public keys are available to public.
Public AnnouncementBy this approach announcement of public key is made publicly.BOB can put public key on website or announce it on local newspaper.When ALICE needs to communicate with BOB then Alice needs to obtain BOBs key from site/newspaper or send message to ask for key.
Drawback of AnnouncementThis approach is not secure, it is subject to forgery.Example- Eve could make such public announcement and before Bob can react, Eve would hack Bob’s file.Eve can fool Alice into sending her message that is intended for BobEve could sign a document with a corresponding forged private key and make every one believe that it was signed by Bob.Approach is vulnerable when Alice directly requests Bob’s public key, Eve can intercept Bob’s response and substitute his own forged public key instead of Bob’s.
Use of Trusted Center In this approach, there is trusted center that retains directory of public keys. Directory like telephone system, is dynamically updated. Each user can select a private and public . . . . key, keep private key and deliver the public Alice Ka key for insertion into the directory. . . . . BOb Kb The center have condition that each user . . register in the center and proves his/her . . identity. The directory can publicly advertise by the trusted center. The center can also respond to any inquiry about public key.
Controlled Trusted CenterA higher level of security can be achieved if there are added controls on the distribution of public key.The public key announcement includes timestamp and be signed by authority to prevent interception and modifications of response.Example-Alice need Bobs public key, she requests to center including bobs name and timestamp. Center respond with Bobs public key and timestamp signed with private key of center. Alice use public key of center, known by all, to verify timestamp. If timestamp is verified , Alice extract bobs public key.
Controlled Trusted Center . . . . Directory Alice Ka . . . . Bob KbAlice . . . . Trusted center Bobs public key T: timestamp Needs Bob’s key, Needs Bobs key, T
Drawback of controlled trusted centerControlled trusted center approach create heavy load on the center if number of requests are large.To over come this – creation of certificates was done(public key certificates).
Certificate Authority (CA) Bob wants two things- he wants people to know his public key and wants no one to accept a forged key as his. Bob would go to certificate authority/ federal/state organisation that binds public key and issue an certificate. The CA has well known public key itself that cannot be forged. The CA checks Bobs identification(proof), then ask for public key and write it on the certificate. To prevent certificate for being forged , the CA signs the certificate with its private key. Now Bob can upload the signed certificate and anyone can download the cerifiacte and use the centers public key to extract Bobs public key.
Certificate Authority (CA) . . . . Alice KaDirectory . . . . <---- --------- BOb Kb Recording . . . . Bob’s ----- CA Applying Bobs public key Issuing Bob’s Certificate Signed with CA’s Distributing to public Private key
Drawback of certificate Authority Although the use of CA has solved the problem of public key fraud, it has created a side effect . Each certificate may have different format. If Alice wants to use a program to automatically download different certificates and digest belonging to different people, tha program may not be able to do this. One certificate may have the public key in one format and other in different format. The public key may be on the first line or third line on different certificate. Anything that needs to be used universally must have a universal format. To remove this side effect , ITU designed X.59. Accepted by the internet changes and use protocol called ASN.1(abstract syntax notation 1) X.509 is a way to describe the certificate in a structured way.
X.509 certificate formatVersion numberSerial NumberSignatureAlgorithm IDIssuer name Hash Signature SignedValidity period Digest algorithm Algorithm DigestSubject name Signed with CA’sSubject public private keykeyIssuer uniqueidentifierExtensions Hash algorithm ID+ Cipher ID + ParametersSignature
Certificate Renewal and RevocationEach Certificate has a period of validity. If there is no problem with the certificate, the CA issues a new certificate before the old one expires. The process like the renewal of credit cards by a credit card company.Revocation means deleting & remaking. The user private key might have been comprised. The CA is no longer willing to certify the user. CA private key, which can verify certificates, may have been compromised. Such cases CA revokes all certificates. Revocation is done periodically issuing a certificate revocation list(CRL). List is checked when certificate is
Certificate Renewal andRevocation Signature Algorithm ID Issuer name This Update Date Next Update Date Hash Signature Signed Algorithm Digest Revoked Algorithm Digest Certificate Signed with CA’s private key : : Revoked Certificate Hash algorithm ID+ Cipher ID + Parameters Signature
Public key infrastructuresIt is model for creating, distributing and revoking certificates based on X.509