Part three of our Cryptography Series
Just using Private Keys is no longer the norm in cryptography today – using a combination of both Public and Private Keys is, and it’s known as “Asymmetric Cryptography.” A type of Asymmetric Cryptography that is deployed widely today is known as the “Public Key Infrastructure,” or PKI for short.
The basic premise of PKI is to help create, organize, store, distribute and maintain the Public Keys. In this infrastructure, both the Private and Public Keys are referred to as “Digital Signatures,” and they are not created by the sending and receiving parties. Digital signatures are created by a separate entity known as the “Certificate Authority” (CA). It can even be viewed as the main governing body, or the heart of the PKI.
The CA is usually an outside third party which hosts the technological infrastructure needed to initiate, create, and distribute the Digital Certificates.
In a very macro view, the PKI also consists of:
- The LDAP or X.500 Directories: These are the technical terms for the databases which collect and distribute the digital certificates from the CA.
- The Registration Authority, also known as the RA: If the place of business or organization is very large (such as a multinational corporation), this entity then handles and processes the requests for the required digital certificates, and then transmits those requests to the CA for further processing.
How the first part of the PKI works:
- The request for the Digital Certificate is sent to the appropriate Certificate Authority.
- After this request has been processed, the Digital Certificate is then issued to the person who is requesting it.
- The Digital Certificate is then signed by the Certificate Authority once it has confirmed the actual identity of the person requesting it.
- The Digital Certificate can now be used to encrypt the plaintext message into the ciphertext which is then sent from the sending party to the receiving party.
The Registration Authority is merely a subset of the CA; it is not intended to replace or take over the role of the CA. Instead, it is designed to help the CA if it becomes overwhelmed with Digital Certificate request traffic.
The RA by itself does not grant Digital Certificates of any kind, nor does it confirm the identity of the person requesting one. Its role is to help process the requests until the queue at the CA becomes more manageable.
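The request, issue and verify steps listed above, together with the point that only the CA signs while an RA only handles intake, as an added example written for this page rather than code from the article. It uses only Go's standard library (crypto/x509, crypto/ecdsa); the CA name "Example Root CA", the requester subject "alice@example.test" and the 24-hour validity are constructed placeholders, and fresh keys are generated on every run.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA is the Certificate Authority: a key pair plus a self-signed root
// certificate that relying parties install as their trust anchor.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name}, // constructed placeholder name
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// requestCertificate is the requesting party: it generates its own key pair and
// submits a CSR carrying only the public key and the requested subject name.
func requestCertificate(commonName string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}, key)
	return csrDER, key, err
}

// issueCertificate is the CA. An RA may take in and forward the CSR, but it holds no
// caKey, so only the CA can sign. The CSR's own signature is checked first: it proves
// the requester possesses the private key matching the public key submitted.
func issueCertificate(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2), // must be unique per CA; random in practice
		Subject:               csr.Subject,
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, // IsCA stays false: an end-entity certificate
	}
	return x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
}

// verifyAgainstCA is the receiving party: the certificate is accepted only if it
// chains to a CA already trusted, and the verified subject name is returned.
func verifyAgainstCA(trustedCA *x509.Certificate, leafDER []byte) (string, error) {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err
	}
	return leaf.Subject.CommonName, nil
}
func main() {
	ca, caKey, err := newCA("Example Root CA")
	if err != nil {
		panic(err)
	}
	csrDER, _, err := requestCertificate("alice@example.test")
	if err != nil {
		panic(err)
	}
	leafDER, err := issueCertificate(ca, caKey, csrDER)
	if err != nil {
		panic(err)
	}
	fmt.Println(verifyAgainstCA(ca, leafDER))
}
```

Run it with `go run`; it prints the verified subject name followed by `<nil>`. Two checks carry the security weight: the CA verifies the CSR's signature before signing, so a certificate is never issued for a public key whose private key the requester cannot prove it holds, and the receiving party accepts the certificate only because it chains to a CA it already trusts; the same certificate presented to a party that holds a different root is rejected.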