401d8 read09 - carlosjorr/reading-notes GitHub Wiki
Public Key Infrastructure (PKI)
Name the three main components which make up PKI.
The three main components that make up PKI (Public Key Infrastructure) are:
a) Certificate Authority (CA): The CA is responsible for issuing digital certificates to entities (e.g., websites, individuals) and validating their identity.
b) Public/Private Key Pair: Each entity in the PKI has a unique key pair, consisting of a public key and a private key. The public key is used for encryption and can be shared openly, while the private key is kept secret and used for decryption.
c) Digital Certificates: These are files issued by the CA that contain the entity's public key and other relevant information. They act as a digital identity card, enabling secure communication and verifying the authenticity of the entity.
How would you explain, to a non-technical friend, the role PKI plays in protecting traffic between your browser and a web server?
Imagine PKI as a digital handshake between your browser and a web server. When you visit a website, your browser asks the server for its "digital identity card" (digital certificate). The web server shows its certificate, which contains its public key, to the browser. Your browser then uses this public key to encrypt the data it sends to the server. Only the server's private key can decrypt this encrypted data. Similarly, the server uses your browser's public key to encrypt data sent back to you, and your browser decrypts it using your private key. This process ensures that only the server and your browser can understand the information exchanged, keeping your communication private and secure.
What is the main weakness of the PKI architecture?
The main weakness of the PKI architecture is its reliance on Certificate Authorities (CAs). Since CAs issue digital certificates, they play a crucial role in verifying the identity of entities. If a CA is compromised or issues fraudulent certificates, the result can be man-in-the-middle attacks, where an attacker impersonates a legitimate entity. Moreover, if a CA's private key is compromised, whoever holds that key can issue false certificates for any website, undermining trust in the entire PKI system. To mitigate this risk, it is essential to have strict security measures and policies in place to safeguard CAs and their private keys.
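The three components from the first answer and the CA weakness just described can both be watched in code. The following is an added example, not part of the original notes: it builds an in-memory CA, a server key pair and a certificate with Go's standard crypto/x509 package, checks them the way a browser would, and shows that a certificate from a CA outside the trust store is rejected while one signed with a compromised CA's key passes the moment that CA is trusted. The CA names and the site name shop.example are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a key pair and a certificate for cn: a self-signed CA root when parent is nil, otherwise a server certificate signed with the parent's key.
func issue(cn string, serial int64, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if crypto/rand is unavailable
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // CA root: self-signed and marked as allowed to sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = tmpl, key
	} else { // server certificate: carries the DNS name a browser compares with the URL
		tmpl.DNSNames = []string{cn}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert, key
}

// verify does what a browser does: chain the server certificate to a root in the trust store and confirm it was issued for the host being visited.
func verify(leaf *x509.Certificate, host string, store *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: store})
	return err
}

// Scenario plays out the notes with the constructed site shop.example: a genuine CA, a CA whose key is compromised, and a certificate for the same name from each.
func Scenario() (genuineOK, untrustedRejected, compromisedTrustedOK bool) {
	genuineCA, caKey := issue("Genuine Root CA", 1, nil, nil)
	compromisedCA, badKey := issue("Compromised Root CA", 2, nil, nil)
	siteCert, _ := issue("shop.example", 3, genuineCA, caKey)
	impostorCert, _ := issue("shop.example", 4, compromisedCA, badKey)
	store := x509.NewCertPool() // the browser's trust store, holding only the genuine CA
	store.AddCert(genuineCA)
	genuineOK = verify(siteCert, "shop.example", store) == nil               // the normal case
	untrustedRejected = verify(impostorCert, "shop.example", store) != nil   // issuer not in the store
	store.AddCert(compromisedCA) // the weakness: once a CA is trusted it can vouch for any name
	compromisedTrustedOK = verify(impostorCert, "shop.example", store) == nil
	return
}
```

Scenario returns true, true, true: the genuine certificate verifies, the impostor's is rejected while its CA is untrusted, and the same impostor certificate is accepted as soon as the compromised CA sits in the trust store.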