6-1 Discussion Public Key Infrastructure

School: Southern New Hampshire University
Course: 549
Subject: Information Systems
Date: May 19, 2024
Type: docx
Pages: 1
Uploaded by SuperFang9985 on coursehero.com

Public Key Infrastructure (PKI) is a framework that manages the creation, distribution, storage, and revocation of digital keys and certificates. It plays a crucial role in ensuring the security and integrity of communication over networks, particularly the Internet. PKI relies on asymmetric cryptography, where each entity has a pair of keys: a public key for encryption and a private key for decryption.

Major Components of PKI:

Certificate Authority (CA): The CA is a trusted entity responsible for issuing and managing digital certificates. It verifies the identity of individuals or entities and binds their public key to the certificate.

Registration Authority (RA): The RA acts as a verifier for the CA, authenticating the identity of entities requesting digital certificates before passing the information to the CA for issuance.

Public and Private Key Pairs: PKI uses asymmetric cryptography, involving pairs of public and private keys. The public key is shared openly, while the private key is kept secret. The public key is used for encryption and verification, while the private key is used for decryption and signing.

Certificate Repository: This is a centralized or distributed database that stores digital certificates. Users can access this repository to verify the authenticity of a certificate.

Certificate Revocation List (CRL): The CRL is a list of certificates that have been revoked by the CA before their expiration date. It helps in identifying and rejecting compromised or invalid certificates.

Why an Active Attacker Can Break an SSL Connection, but Not an IPsec Connection:

SSL (Secure Sockets Layer) and IPsec (Internet Protocol Security) are both protocols used to secure communication, but they operate at different layers of the network stack. SSL/TLS can be vulnerable to attacks like Man-in-the-Middle (MitM), where an active attacker intercepts and alters communication between two parties. SSL relies on certificates issued by CAs, and if the attacker can compromise the CA or perform a successful phishing attack to obtain a valid certificate, they can impersonate the intended server or client.

However, IPsec operates at the network layer, providing security for IP packets. It uses a combination of authentication and encryption to secure communication. IPsec doesn't rely on certificates from external CAs in the same way SSL does. Instead, it uses pre-shared keys or other authentication methods, making it less susceptible to CA compromises.
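The CA, key-pair and CRL roles listed above, as an added Python example (not part of the original document) using the `cryptography` package: a CA signs name-to-key bindings and publishes a CRL, and a relying party accepts a certificate only if the trusted CA's signature verifies and the serial number is not revoked. The names (`Example Root CA`, `*.example.test`) and all keys are constructed for the example; validity-period and chain-building checks are left out.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW, DAY = dt.datetime.now(dt.timezone.utc), dt.timedelta(days=1)
CA = "Example Root CA"  # constructed name for this example
def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(subject_cn, subject_key, issuer_cn, issuer_key):
    """CA role: sign the binding between a subject name and its public key."""
    return (x509.CertificateBuilder()
            .subject_name(name(subject_cn)).issuer_name(name(issuer_cn))
            .public_key(subject_key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + 30 * DAY)
            .sign(issuer_key, hashes.SHA256()))

def make_crl(issuer_key, revoked):
    """CA role: publish a signed list of revoked serial numbers."""
    crl = (x509.CertificateRevocationListBuilder().issuer_name(name(CA))
           .last_update(NOW - DAY).next_update(NOW + DAY))
    for cert in revoked:
        crl = crl.add_revoked_certificate(x509.RevokedCertificateBuilder()
            .serial_number(cert.serial_number).revocation_date(NOW - DAY).build())
    return crl.sign(issuer_key, hashes.SHA256())

def validate(cert, ca_cert, crl):
    """Relying-party role: accept only what the trusted CA key vouches for."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "bad-signature"
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "bad-crl"  # fail closed: an unauthenticated CRL proves nothing
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "ok"

def demo():
    ca_key, rogue_key, leaf = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = issue(CA, ca_key, CA, ca_key)  # self-signed trust anchor
    certs = {"good": issue("www.example.test", leaf, CA, ca_key),
             "revoked": issue("old.example.test", leaf, CA, ca_key),
             "forged": issue("www.example.test", leaf, CA, rogue_key)}  # wrong signer
    crl = make_crl(ca_key, [certs["revoked"]])
    return {label: validate(c, ca, crl) for label, c in certs.items()}
```

The "forged" certificate carries the right issuer name but fails because the name is not what is trusted; the CA's key is.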