Previous Page Next Page

Public Key Infrastructure (PKI)

PKI is a framework that provides a mechanism to securely issue and distribute public keys. PKI arrangement enables the transmission of secure data over insecure public networks by using trusted public and private cryptographic key pairs, which are obtained and shared through a trusted authority.

PKI provides a digital certificate that can identify an individual or an organization by binding of public keys to users. When used in IPsec VPN, PKI provides authentication, nonrepudiation, and confidentiality services.

PKI consists of various protocols, services, and standards that support applications of the public key infrastructure.

The public key infrastructure assumes the use of the public key cryptography system, also known as asymmetric cryptography, which is based on two-key pairs: one key for encryption and another for decryption. Asymmetric cryptography standards and protocols are covered in greater detail in Chapter 14.

PKI Components

PKI components include the following:

Note

The term PKI is interchangeably used for both the CA and CA-related components.


Certificate Enrollment

Certificate enrollment is the process of obtaining a certificate from a CA server. Each peer participating in the PKI must enroll with a CA. A number of methods are available for certificate enrollment, such as SCEP, PKCS12, IOS File System (IFS), and Manual (cut-and-paste). Figure 15-15 illustrates the certificate enrollment process.

Figure 15-15. Certificate Enrollment Process


Tip

Refer to this Cisco documentation URL to learn more about certificate enrollment for a PKI and the methods available for certificate enrollment: http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804a5a17.html.


The format of a public key certificate is defined by the ITU-T based X.509 standard for a public key infrastructure. The structure format of an X.509 v3 digital certificate contains the following elements:

Example 15-1 shows a standard X.509 v3 certificate.

Example 15-1. Standard X.509 v3 Certificate

Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: shaWithRSAEncryption
Issuer: CN=ca
Validity
    Not Before: Nov 19 02:41:41 2004 GMT
    Not After : Nov 19 02:41:41 2007 GMT
Subject: CN=myRouter.cisco.com
Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
        Modulus (1024 bit):
             00:94:a8:db:8d:f5:9b:21:c4:47:de:9e:db:84:32:
     b3:f0:ff:f2:30:dc:82:05:0e:4c:19:a8:0b:7c:d1:
     04:3e:82:b6:8d:5c:e6:59:0a:26:23:f5:23:41:78:
     75:cf:03:2e:52:45:e7:2d:4a:78:08:29:ea:8a:44:
     e5:96:ea:b6:2f:7b:71:14:3d:ec:33:b2:cd:75:01:
     49:14:da:72:9c:25:6e:72:a0:aa:60:85:37:2e:57:
     f0:2f:c5:c6:e3:57:17:b2:7a:fd:fb:58:98:2f:5f:
     9e:22:dd:62:f8:55:fa:74:fd:3e:38:66:e7:d9:78:
     df:f0:c1:a0:ae:f3:9c:e1:39
        Exponent: 65537 (0x10001)
71:b1:a5:01:ad:fb:73:20:57:57:b0:54:fc:04:2e:5e:31:ae:69:40:c0:
cf:93:b4:7a:5f:[........]

					  

Tip

In Chapter 14, Figure 14-4 depicts how the asymmetric key encryption process works as it uses the two keys known as public and private keys. Figure 14-6 in Chapter 14 illustrates how the cryptographic keyed-hash algorithm works.


Table 15-7 exemplifies the use of public and private keys in the PKI framework.

Table 15-7. Public and Private Key Functions
FunctionKey-type
To send an encrypted messageUse the receiver's public key
To decrypt an encrypted messageUse the receiver's private key
To send an encrypted signatureUse the sender's private key
To decrypt an encrypted signature (and authenticate the sender)Use the sender's public key


Previous Page Next Page