
Key Management

• Key management deals with the secure generation, storage, distribution, and backup of keys.

Communication between A & B


• A needs to know B’s public key. Likewise, A needs B’s public key for digital signatures. The question is: how does A know B’s public key?
• Possibility 1: A may frequently communicate with B in a secure fashion, and so may already have B’s public key.
• Possibility 2: Every entity’s public key is securely maintained in a centralized directory.
Digital Certificates
• A digital certificate is a signed document used to bind a public key to the
identity of a person.
• Individual’s identity could be name, driver license or a passport, e-mail or
postal address, etc.
• Digital certificates contain some standard information such as the name of
the certificate holder, public key, validity period, and also the digital
signature of the certification authority.
• The Certification Authority (CA) is the entity that issues certificates.
• CAs are often selected government agencies or banks.
• To carry more weight, the Registration Authority (RA) function may be performed by a bank, as with a driver license or a passport.
• The CA or RA may require the applicant to demonstrate the possession of
the private key corresponding to the public key presented.
X.509 Digital Certificate Format
X.509 is an ITU standard specifying the format for public key certificates.

• Certificate serial number and version
• Issuer information
• Subject information
• Subject’s public key information
• Validity period
• Certificate signature and associated signing algorithm information.
Digital Certificates in Action

• Assume that A needs to communicate securely with B.
• A then encrypts the message with B’s public key.
• Before using B’s public key (taken from B’s certificate), A has to perform a number of checks:
• Is this indeed B’s certificate?
• A should check that the certificate is still valid.
• A should verify the signature contained in the certificate (signed by CA & RA).
Public Key Infrastructure (PKI)
PKI is a framework that consists of hardware, software, policies, and procedures for managing keys and certificates.
Functions of PKI:
• Certificate creation, issuance, storage and archival
• Key generation and key escrow (if necessary)
• Certificate/key update (if necessary)
• Certificate revocation
Escrow: a document kept in the custody of a third party and taking effect only when a specified condition has been fulfilled.
There are crucial differences in the support required for private keys used for decryption versus those used for signing.
PKI Architectures
PKI architectures can be implemented in the following ways
Single CA architecture
• The single CA architecture is the most basic type of PKI architecture.
• In this type of architecture, there is just one CA, which issues and distributes certificates.
• All entities trust this CA. In addition, these entities use only those certificates that are issued by this CA.
• For example, Alice and Bob are two entities who trust a CA, i.e. CA-1.
• The single CA architecture suffers from scalability issues.
• It is suitable for a small organization with a limited number of users.
Hierarchical PKI Architecture
• This is the most common PKI architecture deployed by organizations. In this architecture, PKI services are provided by multiple CAs.
• All CAs in a hierarchical PKI architecture share a trust relationship among them.
• The CAs in this type of architecture are connected through superior-subordinate relationships.
• The CA hierarchy is an inverted tree-like structure having the root at the top, referred to as the root CA, which in turn contains branches or nodes.
• The root CA usually issues certificates to subordinate CAs and not to the users.
• However, the subordinate CAs can issue certificates to both users and subordinate CAs at lower levels.
• Hierarchical PKIs are quite scalable. They can easily meet the demands of a growing organization.
Mesh-based PKI
• In the mesh PKI architecture, the CAs have a peer-to-peer relationship, rather than a superior-subordinate one.
• All CAs in a mesh PKI can be trust points, and there is no single CA around which the complete PKI architecture revolves.
• Since CAs issue certificates to each other, they share a bi-directional trust relationship.

Bridge-based PKI
• It is used for secure communication between organizations in a business partnership.
• A bridge CA is introduced that establishes a trust relationship with a representative CA from each organization.
Certificate Revocation
• Revocation: the act of stating officially that an agreement, right, or legal document is no longer effective.
• A public key infrastructure consists of certifying authorities and users. Any user checks certificate validity using certificate status information, provided by:
1. Certificate revocation list (CRL).
2. Online certificate status protocol (OCSP).
Certificate Revocation Lists
• The CA periodically issues the list of revoked certificates.
• The frequency of list updates is an important consideration. Example: issue a new CRL every month.
• High transmission cost: the complete list must be downloaded by any party who wants to check the status of a certificate.
Online Certificate Status Protocol (OCSP)
• The CA maintains an online server, which responds to any certificate status query by generating a fresh signature on the current status.
• Reduces transmission cost to a single signature per query.
• Substantially increases the computation load on the server.
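As an added example (not part of the original slides), the Python below combines the checks from "Digital Certificates in Action" with the root-to-subordinate chain of the hierarchical architecture and a CRL lookup. Assumptions: certificates are plain dicts rather than X.509, the signature is unpadded textbook RSA over fixed Mersenne primes (a stand-in that is not secure), and the CRL is an already-authenticated set of (issuer, serial) pairs; all names and values are constructed.

```python
import hashlib
from datetime import date

E = 65537  # public exponent shared by all toy keys

def keypair(a, b):
    """Toy RSA key (n, d) from Mersenne primes 2**a-1 and 2**b-1. NOT secure."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(cert):
    """SHA-256 over the signed fields, as an integer."""
    fields = ("serial", "issuer", "subject", "pubkey", "not_before", "not_after")
    data = "|".join(str(cert[f]) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def issue(issuer, n, d, subject, pubkey, serial, not_before, not_after):
    """CA step: bind subject to pubkey and sign with the issuer's private key."""
    cert = dict(serial=serial, issuer=issuer, subject=subject, pubkey=pubkey,
                not_before=not_before, not_after=not_after)
    cert["signature"] = pow(digest(cert), d, n)
    return cert

def validate(chain, roots, expected_subject, today, crl):
    """chain = [end entity, ..., root CA]; returns 'ok' or the first failed check."""
    if chain[0]["subject"] != expected_subject:      # is this indeed B's certificate?
        return "wrong subject"
    if roots.get(chain[-1]["subject"]) != chain[-1]["pubkey"]:
        return "untrusted root"
    for cert, issuer in zip(chain, chain[1:] + chain[-1:]):  # root signs itself
        if not cert["not_before"] <= today <= cert["not_after"]:
            return "outside validity period: " + cert["subject"]
        if (cert["issuer"], cert["serial"]) in crl:
            return "revoked: " + cert["subject"]
        ok = (cert["issuer"] == issuer["subject"]
              and pow(cert["signature"], E, issuer["pubkey"]) == digest(cert))
        if not ok:
            return "bad signature: " + cert["subject"]
    return "ok"

# Constructed sample data: root CA -> subordinate CA (CA-1) -> B
ROOT_N, ROOT_D = keypair(521, 607)
SUB_N, SUB_D = keypair(1279, 2203)
START, END = date(2024, 1, 1), date(2026, 1, 1)
ROOT = issue("Root CA", ROOT_N, ROOT_D, "Root CA", ROOT_N, 1, START, END)
SUB = issue("Root CA", ROOT_N, ROOT_D, "CA-1", SUB_N, 2, START, END)
B = issue("CA-1", SUB_N, SUB_D, "B", 0xB0B, 7, START, END)
CHAIN, ROOTS = [B, SUB, ROOT], {"Root CA": ROOT_N}
```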
Identity Based Encryption
• Alice’s e-mail id alice@gmail.com is her public key.
• Alice authenticates herself to an “authority” and obtains the private key corresponding to this id. The “authority” is called the Public Key Generator (PKG).
• Bob uses alice@gmail.com and some public parameters of the
“authority” to encrypt a message to Alice.
• Alice decrypts using her private key.
• No CA; no certificates; no CRLs; no chain of CAs!
