Security+: Implementing public key infrastructure
Public key infrastructure (PKI) is a vital management tool for asymmetric cryptography and digital certificates. It's an important concept to understand for anyone working with cryptography and encryption. That's why it's covered on the CompTIA Security+ exam.
There are 28 objectives across the Security+ exam domains, and objective 1.4 is "Explain the importance of using appropriate cryptographic solutions," which includes PKI. PKI involves components, PKI concepts, certificate types and certificate formats.
The following sections will elaborate on these concepts in greater detail. For more information on the Security+ exam, download our free Security+ ebook or learn about Infosec's Security+ Training Boot Camp.
What are essential PKI components?
A Certificate authority (CA) is a third-party trusted agency that issues digital certificates for verifying entities on the internet. Examples of certification authorities today include Symantec, VeriSign, GeoTrust, Comodo and Digicert. The CA can be either an external CA to the company, such as a commercial CA that charges for its service or an internal CA to the company, one that facilitates service to its workforce.
Generally, CA is responsible for the following duties:
- Generating, issuing and distributing the public key certificates
- Distributing CA certificates
- Generating and publishing certificate status information
- Allowing subscribers to request revocation
- Having the ability to revoke public key certificates
- Maintaining availability, continuity and security of certificate issuance signing functions
Some of the components related to CAs are described below:
- Intermediate CA is a subordinate certificate authority issued by the trusted root to sign digital keys. Intermediate CAs help the root CA distribute the workload of issuing and verifying certificates.
- Certificate revocation list (CRL) is a list of the serial numbers of digital certificates whose current status has been revoked. Various certification authorities maintain an online CRL that can be queried by inserting a certificate serial number. Additionally, a local computer maintains a local CRL and receives updates on the status of certificates.
- Online certificate status protocol (OCSP) can also be used to determine whether a certificate was revoked. Since CRLs contain a large list of serial numbers of digital certificates, it isn’t always convenient to search for the ones that have been revoked. Instead, it might be suitable to use OCSP to look up the specific certificate’s status in real time. By employing the OCSP solution, the CA repeatedly transmits CRLs to every requesting computer, and queries are current, immediate and direct.
- Certificate signing request (CSR) is an encrypted message that validates the information required by the CA to issue a certificate. Once the CA verifies it, the CSR inserts the generated public key into the certificate, which is then digitally signed with the CA's private key.
- A digital certificate is an attachment to an electronic message that enables an exchange of information over the internet using PKI.
- The public key and private key pair consist of two uniquely related cryptographic keys typically consisting of long, randomly generated numbers. Even though the two keys are related, you cannot derive the private key from the public key. The public key is shared publicly or openly with everyone and encrypts the message. Conversely, the private key is kept private to its respective owner and is utilized to decrypt the message encrypted using the public key.
- An object identifier (OID) is a string of decimal numbers used to uniquely identify objects (syntaxes, data elements and other parts of distributed applications). OIDs are usually found in SNMP, X.500 directories and OSI applications where uniqueness is crucial.
What PKI concepts do I need to know?
Here are a few concepts you should know to better understand PKI:
- OCSP stapling is a variation of OCSP and is used to determine if a certificate has been revoked. OCSP stapling shifts the burden from the client to the web server, which sends queries to the OCSP responder server at regular intervals to check the status of whether the certificate has been revoked.
- Pinning is a security feature where a certain web server is linked with a public key to minimize the risk of forged certificates.
- Key escrow is a storage process whereby a third party undertakes the responsibility of storing private keys in an escrow, which is a centralized management system. In the event of a disaster, when a key is lost, or a cyberattack occurs, a private key can be restored safely from the escrow. A key escrow system is inevitable where highly sensitive information is involved, such as state or military secrets.
Trust model
As the name suggests, trust is confidence or reliance on another person. A trust model refers to the relationship that exists between individuals or entities. For example, Bob must trust that a public key in Alice’s digital certificate belongs to her. Below, you will learn four types of trust models:
- Direct trust model: This model indicates that a relationship exists between two individuals because they know each other. The trust in a relationship indicates that they trust digital certificates of each other.
- Third-party trust model: In this model, two individuals trust each other’s digital certificates since they mutually trust a third party. In communications over the internet, the third party is usually the certificate authority. For example, in a courtroom hearing, the prosecutor and the defendant might not trust each other, but each of them can have trust in the judge (a third party) due to his impartiality.
- Hierarchical trust model: In this model, a single hierarchy is assigned to one master CA, called the root. A root signs all digital CAs using a single key.
- Distributed trust model: Unlike the hierarchical trust model, a distributed trust model involves numerous CAs that sign digital certificates.
What types of certificates are there?
Digital certificates are verified by a process known as a chain of trusts, which is the trust relationship between the CAs — namely root CA and intermediate CAs that issue the digital certificates. A chain certificate is a list that shows all the certificates that have been signed at different hierarchical levels by the root CA and the intermediate CAs.
Below, you will learn the types of certificates that may be covered on the Security+ exam.
- Wildcard and SAN: A wildcard is a public key certificate that can be applied to multiple subdomains of a master domain. One principal usage of wildcards is to secure websites with HTTPS. On the other hand, a subject alternative name certificate (SAN) is a web server certificate capable of supporting multiple domain names in a single certificate.
- Code signing and self-signed: Code signing is an act of digitally signing scripts and executables to affirm the software developer and ensure that the code has not been corrupted, modified or altered since it was signed. On the other hand, a self-signed certificate is signed by the same entity (individual or organization) who created it rather than a trusted CA.
- Email and user: An email certificate, also known as an SMIME certificate, is a digital certificate that is employed to sign and encrypt email messages so that their secure transmission can be ensured over the internet. An email message signed with an email certificate can only be read by the intended recipient. A user certificate is another type of digital certificate that is used for user authentication purposes. Common examples include smart cards or punch cards.
- Root: The root certificate is the public certificate that identifies the root certificate authority. It is highly effective, self-signed and sets the foundations of an X.509-based PKI.
- Domain validation (DV): A DV is a certificate that can be assigned to a web server for SSL encryption. The CA confirms that the person who receives the DV has control over the domain linked with the SSL.
- Extended validation (EV): An EV is the certificate used to provide a high level of authentication and security for HTTPS websites and software programs that prove the legal entity controlling the website.
What are certificate formats?
Lastly, it's important to understand that there are different certificate formats:
- Distinguished Encoding Rules (DER): A DER is a binary format designed to transfer syntax for data structures. It is often associated with Java certificates.
- Privacy-enhanced mail format (PEM): A PEM is a common format generally provided by CAs. It’s composed of numbers and letters and is supported across various platforms.
- P12 or PKCS 12 (public-key cryptography standards #12): P12 is a binary format used to store a server certificate, intermediate certificate and a private key in one file that can be encrypted and having a PFX format with file extension .pfx and .p12. P12 files are usually used on Windows OS to import and export private keys and certificates.
- P7B or PKCS 7 (public-key cryptography standards #7): A P7B is a cryptographic message-syntax standard associated with the .p7b file. Unlike P12, private keys are not included in a .p7b file.
Takeaways: PKI and Security+
Understanding public key infrastructure (PKI) is essential for anyone involved in cryptography and digital security. The components and concepts of PKI play a crucial role in ensuring secure communication and data protection, making it a fundamental aspect of modern cybersecurity practices.
Understanding the basics of PKI, certificates and cryptography is crucial to passing your Security+ exam.
For more on the Security+ certification, view our Security+ certification hub.