PKI is the core of security for most organizations, and at its heart is a couple of keys that together allows the encryption/decryption of the traffic exchanged.
- Public key to encrypt a message.
- Private key to decrypt a message.
The challenge of any symmetric or asymmetric encryption is the MIM (man in the middle) attack. How does one validate the keys is really from the genuine entity or someone who has hijacked the conduit.
PKI addresses this challenge by assigning digital certificates – X509 certificates; that establishes the identity (verifiable) of the entity that owns the keys.
- SAN – Subject Alternative Name
CA : Certification Authority
An organization that issues the certificates. A certificate issued by a CA can be used to issue and sign another certificates and this allows hierarchies of intermediate CA’s
Version of X.509
- X.509v3 Supports extension
Formats of certificate
- DER (Distinguished encoding rules)/(CER Canonical encoding rules) – Binary format
- PEM (Privacy enhanced Electronic Mail) – ASCII file format, that has the BEGIN CERTIFICATE and END CERTIFICATE tags
- PFX (Personal Information Exchange)/P12 (PKCS#12) – Binary format
- P7B – ASCII file format with tags BEGIN PKCS7 and END PKCS7
CRL Certificate revocation list
A valid certificate that has been compromised and not to be trusted is maintained in a CRL. The owner might have more than one certificates valid, but the list determines which one is to be trusted.
How SSL works?
Simples steps elaborating the process
- The client sends a HTTPS request for a web page to the secure web site.
- The server returns its public key to the client.
- The client validates the certificate.
- The client then creates a random symmetric key (known as a session key) used to encrypt the web page content, and then encrypts the symmetric key with the public key obtained from the web server.
- The encrypted information is sent to the web server.
- The web server decrypts and obtains the symmetric key.
- The web server uses the key to encrypt information between the client and the server.