What is PKI | The Universal PKI | VPN Access — Exploitbyte
A PKI is a Public-Key Infrastructure. It is an infrastructure that allows you to recognize which public key belongs to whom. The classical description is as follows.
There is a central authority that is called the Certificate Authority, or CA for short. The CA has a public/private key pair (e.g., an RSA key pair) and publishes the public key. We will assume that everybody knows the CA’s public key. As this key remains the same over long periods of time, this is easy to accomplish.
The Universal PKI
The ultimate dream is a universal PKI. A large organization, like the post office, certifies everybody’s public key. The beauty of this is that every person only needs to get a single key certified, as the same key can be used for every application. Because everybody trusts the post office, or whatever other organization becomes the universal CA, everybody can communicate securely with everybody else, and they all live happily ever after.
If our description sounds a bit like a fairy tale, that is because it is. There is no universal PKI, and there never will be.
VPN Access
A more realistic example would be a company that has a VPN (Virtual Private Network) to allow its employees to access the corporate network from home or from their hotel room when they are traveling. The VPN access points must be able to recognize the people who have access and exactly what level of access they have. The IT department of the company acts as the CA and gives every employee a certificate that allows the VPN access points to recognize the employee. Note that the certificate settles who the employee is; what that employee is allowed to reach is a separate decision the access point makes once the identity is established.
Electronic Banking
A bank wants to allow its customers to perform financial transactions on the bank’s website. Properly identifying the customer is vital in this application, as is the ability to produce proof acceptable in court. The bank itself can act as the CA and certify the public keys of its customers.
Refinery Sensors
A refinery complex is very large. Spread out between miles of pipes and access roads are hundreds of sensors that measure things like temperature, flow rate, and pressure. Spoofing sensor data is a very serious attack on the refinery.
It might not be too difficult to send false sensor data to the control room, tricking the operators into taking actions that lead to a large explosion. Therefore, it is imperative that the control room get the proper sensor readings. Standard message-authentication techniques (a MAC or a signature on each reading) ensure that the sensor data has not been tampered with, but that only helps if the control room knows which key belongs to which sensor. To be sure that the data actually comes from the sensor, some kind of key infrastructure is needed. The company can act as a CA and build a PKI for all the sensors so each sensor can be recognized by the control room.
Credit Card Organization
A credit card organization is a cooperative venture between a few thousand banks spread out all over the world. All of these banks must be able to exchange payments. After all, a user who has a credit card from bank A must be able to pay the merchant that banks with bank B. Bank A will need to settle with bank B in some way, and that requires secure communications. A PKI allows all banks to identify each other and perform secure transactions. In this situation, the credit card organization can act as the CA that certifies the keys of each bank.
Multilevel Certificates
In many situations, the CA is split into multiple pieces. For example, the central credit card organization is not going to certify each bank directly. Instead, they will have regional offices to deal with the individual banks. You then get a two-level certificate structure.
The central CA signs a certificate on the regional CA’s public key that says something like: "Key PK_X belongs to regional office X and is allowed to certify other keys." Each regional office can then certify individual bank keys. The certificate on the bank’s key consists of two signed messages: the central CA’s delegation message that authorizes the regional office’s key, and the regional office’s certification of the bank’s key. Anyone who knows the central CA’s public key can check the first message, and the key it vouches for is then used to check the second.
This is called the certificate chain, and such a chain can be extended to any number of levels.
Such multilevel certificate structures can be very useful. They basically allow the CA functionality to be split into a hierarchy, which is easy to handle for most organizations. Almost all PKI systems have a multilevel structure.
One disadvantage of this structure is that the certificates grow larger and require more computations to verify, but this is a relatively small cost in most situations. Another disadvantage is that each extra CA that you add to the system provides another point of attack, and thereby reduces overall system security.
Expiration
No cryptographic key should be used indefinitely; there is always a risk that the key will be compromised. Regular key changes let you recover from compromise, albeit slowly. A certificate should not be valid forever, either, because both the CA’s key and the public key that is being certified expire. Apart from these cryptographic reasons, expiration is important in keeping information up-to-date. When a certificate expires, a new one will have to be reissued, and this creates an opportunity to update the information in the certificate. A typical expiration interval is somewhere between a few months and a few years.
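The following is an added example, not code from the original article, that puts the two preceding sections into working form: a two-level chain (central CA, regional office, bank) in which each certificate is a signed "this key belongs to X, and X may or may not certify other keys" message, plus a verifier that walks the chain from the trust anchor and rejects a bad signature, an expired certificate, and a regional key that was never delegated the right to certify. The names (Central CA, Region West, Bank A) and the day-number clock are made up, and the signature scheme is textbook RSA with no padding, used only so the example runs on the standard library; it is not a secure signature scheme and is no substitute for X.509 and a vetted library.

```python
# Added example (not from the article): a toy two-level certificate chain.
# Textbook RSA without padding is used ONLY so this runs with the standard
# library; it is insecure and for illustration of chain semantics only.
import dataclasses
import hashlib
import random

RNG = random.Random(2020)       # fixed seed so the example is repeatable
PUBLIC_EXPONENT = 65537


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test; adequate for a toy key generator."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        candidate = RNG.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def gen_keypair(bits: int = 512):
    """Return ((n, e), (n, d)) for a toy RSA key. Never use in production."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % PUBLIC_EXPONENT:
            n = p * q
            return (n, PUBLIC_EXPONENT), (n, pow(PUBLIC_EXPONENT, -1, phi))


@dataclasses.dataclass(frozen=True)
class Certificate:
    subject: str
    issuer: str
    public_key: tuple      # (n, e) of the subject
    can_certify: bool      # "is allowed to certify other keys" (the delegation)
    not_after: int         # expiry as a toy day number
    signature: int = 0

    def tbs(self) -> bytes:
        """Canonical to-be-signed bytes; the signature covers exactly this."""
        return (f"{self.subject}|{self.issuer}|{self.public_key}|"
                f"{self.can_certify}|{self.not_after}").encode()


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest(data), d, n)


def verify_sig(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data)


def issue(issuer, issuer_priv, subject, subject_pub, can_certify, not_after):
    cert = Certificate(subject, issuer, subject_pub, can_certify, not_after)
    return dataclasses.replace(cert, signature=sign(issuer_priv, cert.tbs()))


def verify_chain(chain, anchor_name, anchor_pub, today):
    """Walk the chain from the certificate issued by the trust anchor down to
    the leaf (root-first order, unlike the leaf-first order TLS sends).
    Returns (True, 'ok') or (False, reason)."""
    issuer_name, issuer_pub = anchor_name, anchor_pub
    for i, cert in enumerate(chain):
        if cert.issuer != issuer_name:
            return False, f"{cert.subject}: issuer mismatch"
        if not verify_sig(issuer_pub, cert.tbs(), cert.signature):
            return False, f"{cert.subject}: bad signature"
        if today > cert.not_after:
            return False, f"{cert.subject}: expired"
        if i < len(chain) - 1 and not cert.can_certify:
            return False, f"{cert.subject}: not allowed to certify other keys"
        issuer_name, issuer_pub = cert.subject, cert.public_key
    return True, "ok"


# Constructed sample PKI: central CA -> regional office -> bank.
ROOT_PUB, ROOT_PRIV = gen_keypair()
REGION_PUB, REGION_PRIV = gen_keypair()
BANK_PUB, BANK_PRIV = gen_keypair()
TODAY = 18000
REGION_CERT = issue("Central CA", ROOT_PRIV, "Region West", REGION_PUB, True, TODAY + 365)
BANK_CERT = issue("Region West", REGION_PRIV, "Bank A", BANK_PUB, False, TODAY + 90)
CHAIN = [REGION_CERT, BANK_CERT]
# Cases a verifier must reject: undelegated regional key, expired CA, edited leaf.
REGION_NO_CA = issue("Central CA", ROOT_PRIV, "Region West", REGION_PUB, False, TODAY + 365)
REGION_EXPIRED = issue("Central CA", ROOT_PRIV, "Region West", REGION_PUB, True, TODAY - 1)
BANK_TAMPERED = dataclasses.replace(BANK_CERT, subject="Bank B")

if __name__ == "__main__":
    print(verify_chain(CHAIN, "Central CA", ROOT_PUB, TODAY))
    print(verify_chain([REGION_NO_CA, BANK_CERT], "Central CA", ROOT_PUB, TODAY))
    print(verify_chain([REGION_EXPIRED, BANK_CERT], "Central CA", ROOT_PUB, TODAY))
    print(verify_chain([REGION_CERT, BANK_TAMPERED], "Central CA", ROOT_PUB, TODAY))
```

The can_certify check is the part people forget: without it, any bank holding an ordinary certificate could issue certificates for other banks, and the "extra point of attack" cost of each added level becomes an attack from every leaf. A production verifier additionally checks the not-before date, path-length and name constraints, and revocation status, none of which this toy models.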
Summary
What we have described is a dream, but a very important dream. PKI is the first and last word on key management for most of our industry. People have been brought up on this dream and see it as something so obvious that it doesn’t need stating. To be able to understand them, you must understand the PKI dream, because a lot of what they say is within the context of the dream. And it feels so good to think that you have a solution to the key management problem . . . .
Originally published at https://exploitbyte.com on April 2, 2020.