Public Key Infrastructure (PKI)

PKI, which stands for Public Key Infrastructure, is a way to ensure secure communication between different parties over networks that are not secure, like the internet. It uses two different keys, a public one and a private one, to encrypt and decrypt information. The public key can be shared widely, while the private key must be kept secret by the owner. This system is used in various applications, including digital signatures, email, and VPNs, to provide authentication, confidentiality, and integrity for secure communication.

Symmetric and Asymmetric cryptography

Symmetric and asymmetric cryptography are two methods of encrypting information to protect it during communication.

In Symmetric Cryptography, the same key is used for both encryption and decryption. To decrypt the message, the sender and receiver must have the same key. While it's quicker and more efficient than asymmetric cryptography, it's less secure because the key needs to be protected from unauthorized access.

Asymmetric cryptography, on the other hand, uses two different keys - a public key and a private key - to encrypt and decrypt data. The public key can be shared publicly while the private key must be kept secure by the owner. It's a more secure method, but it's slower and more complex.

Elliptic Curve Cryptography (ECC) is a type of encryption that is more secure than traditional methods because it uses elliptic curves to create shorter and more efficient keys. Instead of using large numbers to create keys, ECC uses points on an elliptic curve that can be added and subtracted to create new keys. This makes ECC faster and more efficient, which is especially important in applications with limited resources like mobile devices.

Security Limitations of Public Key Infrastructure

One limitation is the risk of an attacker gaining access to a user's private key, which could allow them to decrypt all of the messages sent to that user. Trust in Certificate Authorities (CA) is another limitation because if a CA is compromised, it can undermine trust in the entire PKI system. Key revocation can also be a slow and complicated process, and different PKI systems may not be interoperable with each other, making it difficult to establish secure communication between users. Finally, user errors can also compromise the security of the system if users don't properly manage their keys and certificates.

Certificate Authority (CA)

A Certificate Authority (CA) is an organization that provides digital certificates used to verify the identity of websites, individuals, or devices on the internet. For example, when you visit a website that uses HTTPS, the website sends its digital certificate to your web browser. The browser then checks the digital certificate with a trusted CA to ensure its authenticity. The CA verifies the website's identity and issues a digital certificate that is used to encrypt data exchanged between the website and your browser. CAs play an important role in securing online transactions and preventing fraud. By verifying the identity of websites and other entities, they help protect users' personal and financial information. However, if a CA issues fraudulent certificates or is compromised, it can pose a significant security risk and undermine the trust in the entire system. Therefore, it's important to use trusted CAs to ensure the security and privacy of online transactions.

Questions:

1. Name the three main components which make up PKI.

Certificate Authority (CA); Registration Authority (RA); Certificate Revocation List (CRL).

2. How would you explain, to a non-technical friend, the role PKI plays in protecting traffic between your browser and a web server.

PKI is a system that helps protect the data that is exchanged between your web browser and a website's server. It uses digital certificates to ensure that the website you're communicating with is legitimate and that your personal data is being transmitted securely.

Basically, when you visit a website, PKI creates a secure connection between your browser and the website's server by encrypting the data that is being sent. This prevents unauthorized individuals from accessing and reading the data being transmitted.

PKI also verifies the identity of the website you're communicating with, which is important because it ensures that you're not giving your personal information to a fake or fraudulent website.

3. What is the main weakness of the PKI architecture?

The biggest weakness of the PKI architecture is the vulnerability of the Certificate Authority (CA). A CA is responsible for verifying the identity and public keys of websites and servers by issuing digital certificates. However, if a CA is attacked, it can issue fraudulent digital certificates that can be used by hackers to intercept and read encrypted traffic.

This type of attack is called a Man-in-the-Middle (MITM) attack. In a MITM attack, an attacker intercepts the communication between two parties and can listen, modify or redirect traffic. If a CA is compromised, the attacker can use the fraudulent certificates to pretend to be a legitimate website or server and trick users into giving away sensitive information such as passwords or credit card details.

While PKI has measures to prevent these attacks, the potential for a CA to be compromised is still a major weakness. However, there are ways to reduce the risk of a compromise such as implementing strict security protocols and audit procedures for CAs, and ensuring that digital certificates are properly managed and updated.