Fundamentals of PKI Tidbit

I want to touch on some of the fundamentals and standards involved with PKI to give an overview of what the terms mean. To start, let's cover the standards. You have probably seen or heard the term PKCS (Public Key Cryptography Standards). There are several; below are a few:

  • PKCS#1 = RSA cryptography standard

  • PKCS#3 = Diffie-Hellman key exchange

  • PKCS#7 = format that a CA can use in its response to a PKCS#10 request

  • PKCS#10 = format of a certificate request sent to a CA by a host that wishes to obtain an identity certificate. Includes the public key.

  • PKCS#12 = format for storing both public & private keys.

X.509v3 = a widely accepted standard for certificates.


Understanding some important items that are included with certificates:

  • Serial number = always issued and tracked from the CA.

  • Issuer = informs you what CA issued the certificate and informs who should be trusted.

  • Validity dates = provides the time window when the certificate is considered valid.

  • Subject of certificate = includes valuable information such as organizational unit (OU), country (C), and other important information.

  • Public key = within the certificate you can see the length of the key & contents. This is used during decryption.

  • Thumbprint = this is the hash for the certificate which is used for verification.

  • Key Usage = functions for which the public key in the certificate will/may be used.

  • CRL location = a URL that hosts can check to determine validity.

  • Signature = digital signature from the CA, which hosts use to verify authenticity of a certificate issued by that CA.

Understanding CRL & OCSP:

A Certificate Revocation List (CRL) is something that hosts can reference to ensure client certificates are valid. The list identifies, by serial number, the certificates that the issuing CA has revoked for any of several reasons. Think of a CRL as the naughty list. CRLs can be very long.

Online Certificate Status Protocol (OCSP) is an alternative to relying on CRLs only. It allows clients to send a request via HTTP to obtain the status of a certificate without needing to obtain a possibly long CRL.


Now that we have a better understanding let's demo a brief interaction between two hosts (HostA & HostB) using certificates:

HostA and HostB exchange their identity certificates so they can authenticate each other. Now HostA has a file that it wants to send to HostB. HostA will take the file, generate a hash, & encrypt it with its own private key. The encrypted hash is then sent to HostB. This encrypted hash is technically known as the digital signature of HostA. HostB receives the packet (file) and decrypts the encrypted hash with HostA's public key. At this point, HostA is authenticated, since only HostA has the private key needed to create a proper digital signature.
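The HostA/HostB exchange above as runnable code (an added example, not from the original post): textbook RSA over a SHA-256 hash using only the Python standard library, including the comparison HostB makes against its own hash of the received file. The Mersenne-prime keys, the payload and all function names are constructed for illustration; real signatures use a padded scheme (PKCS#1 v1.5 or PSS) from a vetted library.

```python
import hashlib

# Constructed demo keys built from Mersenne primes so the block runs with the
# standard library only. They are NOT secure keys; never use them elsewhere.
def make_key(p, q, e=65537):
    """Return ((e, n), (d, n)): the public and private halves of a key pair."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent, Python 3.8+
    return (e, n), (d, n)

HOSTA_PUB, HOSTA_PRIV = make_key(2**521 - 1, 2**607 - 1)
OTHER_PUB, OTHER_PRIV = make_key(2**127 - 1, 2**521 - 1)   # some other host

def file_hash(data: bytes) -> int:
    """SHA-256 of the file as an integer (always smaller than either modulus)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, private_key) -> int:
    """HostA: hash the file, then apply the private key to the hash."""
    d, n = private_key
    return pow(file_hash(data), d, n)

def verify(data: bytes, signature: int, public_key) -> bool:
    """HostB: recover the hash with the sender's public key and compare it
    with a hash computed locally over the file that actually arrived."""
    e, n = public_key
    return pow(signature, e, n) == file_hash(data)

if __name__ == "__main__":
    payload = b"running-config backup (constructed sample payload)"
    sig = sign(payload, HOSTA_PRIV)
    print("file as sent:        ", verify(payload, sig, HOSTA_PUB))          # True
    print("file altered in path:", verify(payload + b"!", sig, HOSTA_PUB))   # False
    print("signed by other key: ",
          verify(payload, sign(payload, OTHER_PRIV), HOSTA_PUB))             # False
```

The same check gives HostB both authentication and data integrity: a changed file or a signature from any other private key makes the two hashes differ.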


Lastly for this tidbit, I want to provide an overview of fundamental encryption components:

  • Symmetrical encryption: Same key is used for encryption/decryption; (AES, DES, 3DES)

  • Asymmetrical encryption: two keys (private/public key); one key to encrypt, one key to decrypt (RSA, Diffie-Hellman)

  • Digital Signature: Encryption of hash using private key; decryption of hash using sender's public key (RSA signatures)

  • Diffie-Hellman Exchange: uses a public/private keypair, but also generates the final shared keys used via symmetrical algorithms (IPsec)

  • Confidentiality: encryption algorithms accomplish this via converting clear-text into cipher text

  • Data Integrity: data is validated via comparing hash values (MD5, SHA-1, SHA-2, SHA-3)

  • Authentication: verifies the peer's identity (RSA Signatures, PSKs)

Take a peek at some of my lab demo posts to see PKI in action. Cheers!


© 2023 by Train of Thoughts. Proudly created with Wix.com