Tech Decrypted

                        Taking the mystery out of learning cryptography


Download Part III: Distribution of Public Keys 

From Cryptography Decrypted by H.X. Mel and Doris Baker

Part III Synopsis:

Digital Certificates: Distributing Public Keys

 Public key cryptography changed 3,000 years of key exchange. For thousands of years, Alice and Bob had to somehow exchange a secret key without anyone else seeing it.  Furthermore, the shared secret key had to remain secret forever.  Public key cryptography changed all that, allowing Alice and Bob to exchange public keys openly.  Public keys don’t need to be secret.  In fact, some internet companies want as many people as possible to know their public keys.

Even though Alice can openly distribute her public key to Bob, they need assurances that nefarious BlackHat can’t substitute his public key for Alice’s public key.  Since delivery of authentic public keys is still a problem, understanding your options for key delivery is important if you care about protecting your identity and valuables in the wild wild web.

Even though attacks are possible[1], digital certificates are the preferred way to securely deliver public keys. A digital certificate is a specialized document signed by a trusted third party not much different than a driver’s license. Just as in the case of a driver’s license, if you can trust the issuer and its issuing procedures, you can trust the certificate. 

The top part of a digital certificate contains plaintext identifying the issuer (signer), the subject (whose public key is attached), the subject’s public key and the expiration date of the certificate. The bottom part of a digital certificate contains the issuer’s signed hash of the top part.  As mentioned in the article on public key cryptography, the hash saves time when digitally authenticating since it is a compressed, redundant copy of the original digital certificate.

A digital certificate consumer must have a trusted copy of the digital certificate issuer’s public key to verify the certificate.  The issuer, subject and consumer are reviewed in Table 16-1.

 

| Digital Certificate Persona | Action | Analogy |
|---|---|---|
| Issuer | Signs certificate | DMV |
| Subject | Sends issuer their public key | Licensee |
| Consumer | Uses subject’s public key (on certificate) | Car rental firm confirms licensee I.D. |

Table 16-1 Digital Certificate Players
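
The issuer, subject and consumer roles above can be traced in a short added example (not code from the book or this site). It assumes a toy textbook RSA key with no padding, a JSON encoding standing in for a real certificate format, and constructed names and key placeholders.

```python
import hashlib
import json

# Constructed toy RSA key pair for the issuer (CA). The primes are the Mersenne
# primes 2**61-1 and 2**89-1: far too small for real use, chosen for brevity.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # issuer's private exponent
ISSUER_PUBLIC = (E, N)                 # the consumer's trusted copy

def digest(top, n):
    """Hash the top (plaintext) part; reduced mod n only because the key is a toy."""
    data = json.dumps(top, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(top):
    """Issuer: attach the signed hash of the top part as the bottom part."""
    return {"top": top, "signature": pow(digest(top, N), D, N)}

def verify(cert, issuer_public, today):
    """Consumer: check the signed hash with the issuer's public key, then expiry."""
    e, n = issuer_public
    if pow(cert["signature"], e, n) != digest(cert["top"], n):
        return "bad signature"
    if today > cert["top"]["expires"]:   # ISO dates compare correctly as strings
        return "expired"
    return "ok"

def demo():
    """Run three cases on constructed sample data."""
    alice = issue({"issuer": "Example CA", "subject": "Alice",
                   "subject_public_key": "ALICE-KEY-PLACEHOLDER",
                   "expires": "2030-01-01"})
    # BlackHat swaps in his own key but cannot re-sign without the issuer's private key.
    forged = {"top": dict(alice["top"], subject_public_key="BLACKHAT-KEY-PLACEHOLDER"),
              "signature": alice["signature"]}
    return {"genuine": verify(alice, ISSUER_PUBLIC, "2025-06-01"),
            "substituted": verify(forged, ISSUER_PUBLIC, "2025-06-01"),
            "after expiry": verify(alice, ISSUER_PUBLIC, "2031-01-01")}

if __name__ == "__main__":
    print(demo())
```

The substituted certificate fails because the signature still covers the hash of the original top part, which is why the consumer's copy of the issuer's public key must itself be trustworthy.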

Here we’ll examine two popular standards for digital certificates – X.509 and Pretty Good Privacy (PGP).  These are two ways that a network of digital certificates can be managed.  These digital certificate frameworks are commonly called public key infrastructures, or PKI.  X.509 employs centralized control in its trust model, while PGP distributes the trust.

 Centralized Trust:  X.509

The Root Certificate Authority (CA) is the single focal point of X.509 certificate policies. Digital certificate users trust the accuracy of the public keys the CA issues.

Like a DMV, the CA controls certificate registration, issuance, expiration and revocation. (We’ll see this is in stark contrast to PGP’s trust model, where the individual user acts unilaterally.)

The CA can out-source most of these functions to subcontractors. For instance, PKI defines terms and definitions for Registration Authorities (RA) who act on behalf of the CA. The CA can outsource the distribution of the certificate revocation list (CRL).

A CA Root Certificate is self-signed by the CA and is usually accepted as valid with additional verification. CA Root Certificates are often distributed through another trusted source; for example, Netscape’s Internet browser.

 Distributed Trust: PGP

Philip Zimmermann developed Pretty Good Privacy (PGP), a strong encryption system designed for the masses and based on RSA public key cryptography. It’s available for free from several Internet servers; probably the best-known source is MIT.

PGP’s digital certificates are similar to X.509 self-signed (root) certificates, except there can be more than one signature on PGP certificates.

In contrast to X.509’s centralized control (certificate authority) trust model, PGP uses a distributed trust (web-of-trust) model.  But PGP cryptographic methods and keys are as strong as those used with X.509.

[1] Attacks on digital certificates are discussed in Cryptography Decrypted, Chapter 16: Digital Certificates and Chapter 22: Cryptographic Gotchas.


(c) H. X. Mel & Doris Baker all rights reserved