PKI Training - Cryptography Day 2
Certificate Path Validation:
This is performed for every certificate in the chain. It commonly checks the following:
- Build and validate the certificate chain from the user certificate up to the trusted root.
- Check the intended purpose (key usage / extended key usage).
- Check for expiry or "not yet valid".
- Check whether the certificate has been revoked.
Certificate Life Cycle
The stages are as follows:
- Register
- Issue
- Distribute/Store
- Use (Sign/Encrypt)
- Expire/Revoke
- Renew/Rekey
Q: Can ECAC issue an Accreditation Certificate for use in the signing process? Ans:
Q: What is the difference between re-key and renewal of a certificate? A: Renewal of a certificate means that the same key is used for issuance of the new certificate (a re-key, by contrast, generates a new key pair before the new certificate is issued).
PKI Trust Model
- Single CA PKI:
- Contains a single CA that acts as both root CA and issuing CA.
- All users of the PKI place their trust in this CA.
- It is not a scalable architecture.
- Usually used within a small organization.
- Hierarchical PKI:
- The hierarchical architecture is built from subordinate-CA relationships.
- Ideal within an organization that operates multiple CAs.
- Users trust a single root CA.
- Subordinate CAs may issue certificates to users or to other CAs.
- Trust relationships run in one direction only (from the root down to its subordinates).
- Mesh/Bridge or Peer-to-Peer PKI:
Within a certificate, the Basic Constraints extension carries an entry such as:
Basic Constraints: Path Length Constraint = None
None means that there is no constraint; if a numeric value is placed here, no further hierarchical levels can be created below that depth. This can be used to restrict the accreditation of sub-CAs.
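The path validation checks listed above and the path length constraint combine into one walk over the chain. The following is an added example, not code from the training notes: each dict is a constructed stand-in for the fields a validator reads from an X.509 certificate (subject, issuer, serial, CA flag, pathLenConstraint, validity, purposes), and signature verification over each link is assumed to be done separately by the caller.

```python
from datetime import datetime

# Added example, not code from the training notes. Each dict is a constructed
# stand-in for the fields a validator reads from an X.509 certificate; signature
# verification over every link is assumed to be done separately by the caller.
def validate_path(chain, trusted_roots, now, purpose, revoked_serials):
    """chain is ordered leaf -> root. Returns (True, 'ok') or (False, reason)."""
    if not chain:
        return False, "empty chain"
    path = list(reversed(chain))        # walk root -> leaf, as a validator builds it
    if path[0]["subject"] not in trusted_roots:
        return False, f"{path[0]['subject']}: not in the trusted root store"
    budget = None                       # tightest pathLenConstraint seen so far
    for depth, cert in enumerate(path):
        if depth and cert["issuer"] != path[depth - 1]["subject"]:
            return False, f"{cert['subject']}: issuer does not match previous subject"
        if not (cert["not_before"] <= now <= cert["not_after"]):
            return False, f"{cert['subject']}: expired or not yet valid"
        if cert["serial"] in revoked_serials:
            return False, f"{cert['subject']}: revoked"
        if depth == len(path) - 1:      # end-entity certificate: check intended purpose
            if purpose not in cert["purposes"]:
                return False, f"{cert['subject']}: not issued for {purpose}"
            return True, "ok"
        if not cert["ca"]:
            return False, f"{cert['subject']}: not a CA but has issued a certificate"
        if depth:                       # each intermediate CA consumes one level
            if budget is not None and budget <= 0:
                return False, f"{cert['subject']}: pathLenConstraint exceeded"
            if budget is not None:
                budget -= 1
        if cert["path_len"] is not None and (budget is None or cert["path_len"] < budget):
            budget = cert["path_len"]   # a tighter constraint replaces the current budget

def make_cert(subject, issuer, serial, ca=False, path_len=None, purposes=()):
    return {"subject": subject, "issuer": issuer, "serial": serial, "ca": ca,
            "path_len": path_len, "purposes": set(purposes),
            "not_before": datetime(2024, 1, 1), "not_after": datetime(2026, 1, 1)}

# Constructed chain: the root's pathLenConstraint = 1 allows one CA level below it.
NOW = datetime(2025, 6, 1)
ROOT = make_cert("Root CA", "Root CA", 1, ca=True, path_len=1)
SUB_A = make_cert("Sub CA A", "Root CA", 2, ca=True)
SUB_B = make_cert("Sub CA B", "Sub CA A", 3, ca=True)
ALICE = make_cert("alice", "Sub CA A", 4, purposes=("signing",))
BOB = make_cert("bob", "Sub CA B", 5, purposes=("signing",))

if __name__ == "__main__":
    print(validate_path([ALICE, SUB_A, ROOT], {"Root CA"}, NOW, "signing", set()))
    print(validate_path([BOB, SUB_B, SUB_A, ROOT], {"Root CA"}, NOW, "signing", set()))
```

Alice's chain passes, while Bob's chain fails at Sub CA B because the root's path length constraint of 1 permits only one CA level beneath it.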
Managed certificates
Every browser/OS has a certificate repository that can be viewed to understand and visualize the trusted root store.
PKI Development
All of the following are high-level libraries available for PKI development. Normally the developer writes the business use-cases and relies on these libraries for the crypto functions:
- OpenSSL:
- As a library
- CLI Based
- BouncyCastle:
- Java and .NET variants available
- IAIK from TU Graz:
- Has more features from the development perspective.
- Strong support and strong documentation.
- Commercial use requires purchasing the library.