Trusted Third Party

PKI relies on the concept of a trusted third party. That third party, together with the associated enrollment protocol, is what allows the system to scale, and it is this scalability that PKI brings to cryptographic applications such as VPNs. The use of a trusted third-party protocol with public key cryptography is also based on the digital signing of public keys. In this case, however, one central authority signs all the public keys, and everybody trusts that central authority. The authority's public key is distributed to the users, who use it to verify the signatures on the public keys of other users.

Figure 13-1 illustrates a network in which each entity has a pair of asymmetric cryptographic keys, a public and a private key. Bob and Alice are users who want to communicate securely, and the certificate authority (CA) is the trusted third party. In the first step, Bob and Alice obtain the CA's public key, as shown in Figure 13-1. In the second step, Bob and Alice send their own public keys to the CA.

With certificate authorities, every user in the system trusts the CA through a process of digital signing. Everything the CA signs is considered trusted. The CA distributes its public key to the users so that they can verify its signatures. To make the trust mutual, all end users enroll with the CA; that is, they submit their names and public keys to the CA. The CA verifies the submitted information, and if everything is correct, the CA signs the submitted public key with its private key, as shown in Figure 13-2. RSA signing is explained in Chapter 12.

Figure 13-2. Public Key Signing

After this process, the signed documents, each containing an end user's name and public key together with the CA's signature, are sent back to the end users. Because Bob and Alice each now hold such a document signed by the CA, they can trust it. The users can then establish point-to-point relationships by exchanging their signed public keys, as shown in Figure 13-3.

Figure 13-3. Key Exchange

With this system in place, end users such as Bob and Alice can exchange keys over an untrusted network by using the CA's digital signature as the protection mechanism in the exchange. The receiving side can always verify the CA signature with the CA's public key, which every user holds.
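The enrollment and exchange described above, as an added Go example that is not code from the chapter: the CA signs a document binding a user's name to the user's RSA public key, and a peer holding only the CA public key verifies that document and rejects one whose name or signature has been altered. The `SignedKey` type and the `Enroll` and `Verify` functions are assumptions chosen for illustration, and the out-of-band identity check the CA performs before signing is assumed to have already happened.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// SignedKey is the document the CA returns after enrollment: the user's
// name, the user's public key, and the CA's RSA signature over both.
type SignedKey struct {
	Name      string
	PubKeyDER []byte
	Signature []byte
}

// digest binds name and key; the 0 byte marks the boundary between them.
func digest(name string, pubDER []byte) []byte {
	sum := sha256.Sum256(append(append([]byte(name), 0), pubDER...))
	return sum[:]
}

// Enroll is the CA side (Figure 13-2): after the identity has been checked
// out of band, sign the submitted name and public key with the CA private key.
func Enroll(caKey *rsa.PrivateKey, name string, userPub *rsa.PublicKey) (SignedKey, error) {
	der := x509.MarshalPKCS1PublicKey(userPub)
	sig, err := rsa.SignPKCS1v15(rand.Reader, caKey, crypto.SHA256, digest(name, der))
	return SignedKey{Name: name, PubKeyDER: der, Signature: sig}, err
}

// Verify is the peer side (Figure 13-3): holding only the CA public key,
// check the CA signature and, if valid, return the embedded user key.
func Verify(caPub *rsa.PublicKey, doc SignedKey) (*rsa.PublicKey, error) {
	if err := rsa.VerifyPKCS1v15(caPub, crypto.SHA256, digest(doc.Name, doc.PubKeyDER), doc.Signature); err != nil {
		return nil, fmt.Errorf("CA signature invalid for %q: %w", doc.Name, err)
	}
	return x509.ParsePKCS1PublicKey(doc.PubKeyDER)
}

func main() {
	ca, _ := rsa.GenerateKey(rand.Reader, 2048)    // constructed CA key pair
	alice, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed user key pair
	doc, _ := Enroll(ca, "alice", &alice.PublicKey)
	doc.Name = "mallory" // tamper: rebinding the signed key to another name must fail
	_, err := Verify(&ca.PublicKey, doc)
	fmt.Println("tampered document rejected:", err != nil)
}
```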