PKI - Paiet/Tech-Journal-for-Everything GitHub Wiki

A: Select Cryptographic Techniques

Certificate Authorities (CA) - Perform the activities that make the PKI function, include issuance of certificates and oversight of the certificate lifecycle. The CA "signs" an entities digital certificate to certify that the certificate content accurately represents the certificate owner.

Types of Certificate Authorities:

1\. Enterprise vs. Stand Alone

2. Root vs. Subordinate

Registration Authorities (RA) - assists the CA by verifying the user's identity PRIOR to the issuance of a certificate. DOES NOT ISSUE certificate, but facilitate the CAs ability to do so

Certificate Lifecycle (generation through destruction):

1\. Enrollment - process of obtaining a certificate from a CA by validating your identity. Will need to provide the CA with a copy of your PUBLIC KEY once identity is validated to allow CA to issue the digital certificate on your behalf. Certificate issued is signed by the CA using it's PRIVATE KEY, certifying that they "TRUST" you and includes a copy of your PUBLIC KEY.

2. Verification - the process of checking the validity of an issued certificate by using the issuing CA's PUBLIC KEY. You must also check to ensure that the certificate has not been revoked by consulting the CA's Certificate Revocation List (CRL), or the Online Certificate Status Protocol (OCSP).

3\. Revocation - the occasional process that a CA engages in to let the world know that the certificate is no longer valid. The revocation request grace period is the maximum response time within which a CA will perform a revocation. Defined by the Certificate Practice Statement (CPS).

Certificate Pinning - a client will explicitly trust an entity's certificate or the most immediate CA that signed the certificate. The client therefore has no need to go up the chain of trust back to the root CA.

Certificate Revocation List (CRL) - a list of certificates that were revoked before the set expiration date. Each CA has its own CRL that can be accessed through the directory services of the network operating system or a website. The client CRL is updated by downloading the updated list from the server.

Online Certificate Status Protocol (OCSP) - an HTTP-based alternative to a CRL for checking the status of revoked certificates. OCSP servers, also called responders, accept a request to check a specific certificate's status.

The responder uses the certificate's serial number to search for it in the CA's database. The server then sends the certificate's status to the requester.

The main advantage of using OCSP over a CRL is that it lowers overhead on the client side. OCSP responses for specific certificate requests contain less data than entire revocation lists.

However, because OCSP does not by default encrypt these standard HTTP transmissions, an attacker may be able to glean that a network resource used a specific certificate at a specific time during this OCSP transaction.

In addition, if a server does not respond to a client with OCSP information, the connection may continue anyway.

OCSP stapling - transfers the burden to the web server that presents the certificate. The web server queries the OCSP server at specific intervals, and the OCSP server responds by providing a time-stamped digital signature. The web server appends this signed response to the SSL/TLS handshake with the client so that the client can verify the certificates' status.

PKI token - hardware devices that securely store digital certificates and their associated private keys. Tokens can be used to directly sign data, or they can be used as a backup measure in case the primary key storage location is compromised.

Key escrow - can be used to store private keys securely, while enabling one or more trusted third parties access to the keys under predefined conditions. The third party is called the key escrow agent.