I want to touch on some of the fundamentals and standards involved with PKI to give an overview of what the terms mean. To start, let's cover the standards. You have probably seen or heard the term PKCS (Public Key Cryptography Standards). There are several; below are a few:
PKCS#1 = RSA cryptography standard
PKCS#3 = Diffie-Hellman key exchange
PKCS#7 = format that a CA can use in its response to a PKCS#10 request
PKCS#10 = format of a certificate request sent to a CA by a party that wishes to obtain an identity certificate. Includes the public key.
PKCS#12 = format for storing both public and private keys.
X.509v3 = a widely accepted standard for certificates.
Understanding some important items that are included with certificates:
Serial number = always issued and tracked from the CA.
Issuer = identifies the CA that issued the certificate, and so who should be trusted.
Validity dates = provides the time window when the certificate is considered valid.
Subject of certificate = includes valuable information such as organizational unit (OU), country (C), and other important information.
Public key = within the certificate you can see the length of the key & contents. This is used during decryption.
Thumbprint = this is the hash for the certificate which is used for verification.
Key Usage = functions for which the public key in the certificate will/may be used.
CRL location = a URL that hosts can check to determine validity.
Signature = digital signature from the CA, which hosts use to verify authenticity of a certificate issued by that CA.
Understanding CRL & OCSP:
A Certificate Revocation List (CRL) is something that hosts can reference to ensure client certificates are valid. The list contains the certificates, identified by serial number, that the issuing CA has revoked for any of several reasons. Think of a CRL as the naughty list. CRLs can be very long.
Online Certificate Status Protocol (OCSP) is an alternative to relying on CRLs only. It allows clients to send a request via HTTP to obtain the status of a certificate without needing to obtain a possibly long CRL.
Now that we have a better understanding let's demo a brief interaction between two hosts (HostA & HostB) using certificates:
HostA and HostB exchange their identity certificates so they can authenticate each other. Now HostA has a file that it wants to send to HostB. HostA takes the file, generates a hash, and encrypts the hash with its own private key. The encrypted hash is then sent to HostB. This encrypted hash is technically known as the digital signature of HostA. HostB receives the packet (file) and decrypts the encrypted hash with HostA's public key. At this point, HostA is authenticated, since only HostA has the private key needed to create a proper digital signature.
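The HostA/HostB exchange above, as an added Go example that is not from the original post: HostA signs the file's SHA-256 hash with its private key (RSA, PKCS#1 v1.5), and HostB recomputes the hash over the bytes it received and checks the signature with HostA's public key. The key pairs and file contents are constructed for the example, the function names are illustrative, and HostB is assumed to have already taken HostA's public key from the exchanged identity certificate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signFile is HostA's side: hash the file, then sign the hash with HostA's
// private key. The returned bytes are HostA's digital signature.
func signFile(priv *rsa.PrivateKey, file []byte) ([]byte, error) {
	digest := sha256.Sum256(file)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyFile is HostB's side: recompute the hash over the received bytes and
// check the signature against it using HostA's public key.
func verifyFile(pub *rsa.PublicKey, file, sig []byte) bool {
	digest := sha256.Sum256(file)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// demo runs the exchange on constructed data: a genuine file, a file altered
// in transit, and a check against a key that is not HostA's.
func demo() (genuine, tampered, wrongKey bool, err error) {
	hostA, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048) // stand-in for any non-HostA key
	if err != nil {
		return
	}
	file := []byte("constructed sample file contents")
	sig, err := signFile(hostA, file)
	if err != nil {
		return
	}
	genuine = verifyFile(&hostA.PublicKey, file, sig)
	tampered = verifyFile(&hostA.PublicKey, append([]byte("x"), file...), sig)
	wrongKey = verifyFile(&other.PublicKey, file, sig)
	return
}

func main() {
	fmt.Println(demo()) // order: genuine, tampered, wrongKey, err
}
```

Only the genuine file verifies: a changed file produces a different hash, and a different public key cannot validate HostA's signature.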
Lastly for this tidbit, I want to provide an overview of fundamental encryption components:
Symmetrical encryption: Same key is used for encryption/decryption; (AES, DES, 3DES)
Asymmetrical encryption: two keys (private/public key); one key to encrypt, one key to decrypt (RSA, Diffie-Hellman)
Digital Signature: Encryption of hash using private key; decryption of hash using sender's public key (RSA signatures)
Diffie-Hellman Exchange: uses a public/private keypair, but also generates the final shared keys used via symmetrical algorithms (IPsec)
Confidentiality: encryption algorithms accomplish this via converting clear-text into cipher text
Data Integrity: data is validated via comparing hash values (MD5, SHA-1, SHA-2, SHA-3)
Authentication: verifies the peer's identity (RSA Signatures, PSKs)
Take a peek at some of my lab demo posts to see PKI in action. Cheers!