Introduction to PKI 1221
RA
A registration authority (RA) is an extended part of a CA or an independent
authority. An RA can implement functions including identity authentication, CRL
management, key pair generation and key pair backup. The PKI standard
recommends that an independent RA be used for registration management to
achieve higher security of application systems.
PKI repository
A PKI repository includes a Lightweight Directory Access Protocol (LDAP) server
and some common databases that stores and manages information like certificate
requests, certificates, keys, CRLs and logs while providing a simple query function.
LDAP is a protocol for accessing and managing PKI information. An LDAP server
stores user information and digital certificates from the RA server and provides
directory navigation service. From an LDAP server, an entity can retrieve local and
CA certificates of its own as well as certificates of other entities.
Applications of PKI The PKI technology can satisfy the security requirements of online transactions. As
an infrastructure, PKI has a wide range of applications. Here are some application
examples.
VPN
A virtual private network (VPN) is a proprietary data communication network built
over the public communication infrastructure. A VPN can leverage network layer
security protocols (for instance, IPSec) in conjunction with PKI-based encryption
and digital signature technologies for confidentiality.
Secure E-mail
E-mails also require confidentiality, integrity, authentication, and non-repudiation.
PKI can address these needs. The secure E-mail protocol that is currently
developing rapidly is Secure/Multipurpose Internet Mail Extensions (S/MIME),
which is based on PKI and allows for transfer of encrypted mails and mails with
signature.
Web security
For Web security, two peers can establish a Secure Sockets Layer (SSL) connection
first for transparent and secure communications at the application layer. With PKI,
SSL enables communications with encryption between a browser and a server.
Both the communication parties can identify the identity of each other through
digital certificates.
Operation of PKI In a PKI-enabled network, an entity can request a local certificate from the CA and
the device can check the validity of certificates. Here is how it works:
1 An entity submits a certificate request to the CA.
2 RA reviews the identity of the entity and then sends the identity information and
the public key with a digital signature to the CA.
3 The CA validates the digital signature, approves the application, and issues a
certificate.
To Next Page
Loading...
