Changes between Version 1 and Version 2 of How_does_PKI_work


Ignore:
Timestamp:
07/27/12 14:42:36 (12 years ago)
Author:
Eric Crist
Comment:

minor grammar fixes

Legend:

Unmodified
Added
Removed
Modified

  • How_does_PKI_work

    v1 v2  
    11= [DRAFT] PKI - How does it work? =
    22
    3 PKI, or Public Key Infrastructure, is a way to establish trust with whom you are communicating.  Imaging talking to a complete stranger in the street.  You cannot be completely sure you can trust what that person says, and you probably wouldn't want to share secrets with that person without some confidence that this person is trustworthy.  If you have a good common friend which you have ultimate trust in, and this friend can guarantee to you that this person is a trustworthy, then it makes it easier to trust and share information with this stranger.
     3PKI, or Public Key Infrastructure, is a way to establish trust with whom you are communicating.  Imagine talking to a complete stranger in the street.  You cannot be completely sure you can trust what that person says, and you probably wouldn't want to share secrets with that person, without some confidence that this person is trustworthy.  If you have a good common friend, which you have ultimate trust in, and this friend can guarantee to you that this person is a trustworthy, then it makes it easier to trust and share information with this stranger.
    44
    5 The PKI model is basically the same.  If you are the client and you need to communicate with a server, how can you be sure you communicate with the correct server?  If both of you can confirm each others identity by providing a certificate, this trust can be ensured if both of you trust the third party which provided you with your certificates.  This third party is the Certificate Authority (CA).
     5The PKI model is basically the same.  If you are the client and you need to communicate with a server, how can you be sure you communicate with the correct server?  If both of you can confirm each others' identity by providing a certificate, this trust can be ensured if both of you trust the third party which provided you with your certificates.  This third party is the Certificate Authority (CA).
    66
    77== It's (almost) all about Certificates ==
    8 PKI is very much centred around certificates.  And a certificate is '''always''' signed by a CA.  But what is a certificate?  It's basically a collection of information which can be verified.  This is typically the information you can find in a certificate:
     8PKI is very much centered around certificates.  A certificate is '''always''' signed by a CA.  But what is a certificate?  It's basically a collection of information which can be verified.  This is typically the information you can find in a certificate:
    99
    1010 * Version
     
    4141The CAs can operate in a chain, where a CA can be the root CA.  In this case the CA certificate is self-signed.  This means that it cannot point at anyone else that it is who it claims to be.  If the CA certificate is signed by a different CA, it means that the CA certificate is signed by a superior CA which can confirm the authenticity.  Further in this little document, only root CA/self-signed CA certificates will be considered.
    4242
    43 There are more alternatives to setup a CA.  OpenVPN ships with easy-rsa.  And there are other alternatives such as XCA, ssl-admin and TinyCA.  We will not cover how to configure either of these.  But describe the process in general.
     43There are more alternatives to setup a CA.  OpenVPN ships with easy-rsa.  And there are other alternatives such as XCA, ssl-admin and TinyCA.  We will not cover how to configure either of these, but describe the process in general.
    4444
    4545The steps to generate a root CA are:
     
    5252
    5353== Servers and their certificates ==
    54 The server needs to a private key, its certificate and the CA certificate.  So the first step is to generate a new private key.  This private key is specific to this server.  To get such a needed certificate, the server needs to generate a Certificate Signing Request (CSR).  This is a file which needs to be sent to your CA.  The contents of this file is a public key derived from the private key.  This makes it possible to encrypt information, but to decrypt you need the private key.  In addition the CSR will contain hostname information, location and other information needed to identify the server.  It is also a server flag set in the CSR which will later be used to differentiate servers from clients.  This information is then signed using the private key.  Since the public key is also attached, the CA can validate that the information haven't been modified afterwards.
     54The server needs to a private key, its certificate and the CA certificate.  The first step is to generate a new private key.  This private key is specific to this server.  To get such a needed certificate, the server needs to generate a Certificate Signing Request (CSR).  This is a file which needs to be sent to your CA.  The contents of this file is a public key derived from the private key.  This makes it possible to encrypt information, but to decrypt you need the private key.  In addition the CSR will contain hostname information, location and other information needed to identify the server.  It is also a server flag set in the CSR which will later be used to differentiate servers from clients.  This information is then signed using the private key.  Since the public key is also attached, the CA can validate that the information haven't been modified afterwards.
    5555
    5656When the CA processes your CSR, all this information provided in the CSR needs to be verified.  When the person operating the CA finds good enough, the CA will sign this CSR with it's private key.  And the output will be the information from the CSR, the servers public key and the CA signature.  All this is stored inside a certificate file (CRT) which is sent back to the server, together with the CA certificate.