Peter Bridgeman

Public-key infrastructure (PKI) primer

Published in

Public-key infrastructure (PKI) is an umbrella term for everything related to keys and certificates.
This is a simple yet effective primer on the core topics that will hopefully get you up and running sooner rather than later.

Public-key cryptography

Public-key cryptography involves a key pair: a public key and a private key. Each entity has their own. The public key can be shared around, the private key is secret.

They allow doing two things:

  1. Encrypt a message with the public key, decrypt it with the private key.
  2. Sign a message with the private key, verify it with the public key.

Some common algorithms are RSA (used for both) and EdDSA (only for signatures).

In practice, public-key cryptography can be slow. That’s why nearly all protocols (such as TLS or SSH) only use it for authentication. Much faster symmetric-key algorithms (such as AES) are then used for encryption. This requires a shared secret, which is usually agreed upon using some flavour of Diffie-Hellman.

Hashing

Hashing algorithms (such as SHA) are one-way functions that take any input and compute a unique fixed-size output. The output is called a hash (or sometimes digest).

Signatures

Signatures authenticate messages. Roughly:

  • A signature is calculated from a message and a private key.
  • With only the message and a public key, anyone can verify whether the signature was calculated using its corresponding private key.

Signing the whole message is pretty inefficient, so its hash is signed instead. That’s why you’ll see signature algorithms with descriptions like “ECDSA with SHA-256.”

Certificates

A certificate is a name and public key bound by a signature. It identifies the owner of a public key.

The signee is called a certificate authority (CA). The CA is often some company, like GeoTrust or Let’s Encrypt. With internal PKI, it can be any entity that nodes have been configured to trust.

Another CA can sign a CA’s certificate, and so on. The last certificate in the chain is called a root certificate. Root certificates are trusted and stored locally. They’re usually shipped along browsers and the OS.

Formats

When people talk about certificates, they most often refer to X.509, a flexible format for representing certificates. TLS uses X. 509, which is also used by HTTPS and Kubernetes.

X.509 certificates are written in ASN.1, which is usually serialized into DER. Since binary data can be a pain to transmit, it’s often further encoded into PEM, which is essentially Base64-encoded DER.

Verification

Certificate verification ensures the certificate chain is valid and leads to a trusted root certificate.

Of course, it assumes we trust the CAs, safe in that they conform to sane security practices and only issue certificates to verified entities.

Bundling

Since verification requires a complete chain, certificates are often distributed as a bundle. In the case of TLS, the chain is sent during the handshake.

Usually, PEM files are concatenated into one.

Certificates can also be bundled using PKCS #12 (also known as PFX) or CMS (formerly PKCS #7). The main difference is PKCS #12 can store private keys.

Issuance

When applying for a certificate:

  1. The client sends a certificate signing request (CSR) to the CA. It includes the client’s public key and a bunch of distinguished name attributes (such as country and domain name).
  2. If everything looks good, the CA generates a certificate from the CSR.

The CA only performs Domain Validation (DV) in the simplest case. It’s usually fast and automated, like checking for some specific DNS record.

There’s also Organization Validation (OV) and Extended Validation (EV) for more thorough vetting. OV implies DV and verifying ownership of the legal entity. EV is the slowest and most rigorous of all, based on CA/Browser Forum guidelines. EV certificates are usually displayed prominently (for example, on Safari the URL will be green).

For internal PKI, you can do whatever works best. You could send certificates to the nodes manually, or automate client CSRs and signing.

Revocation

There are two ways to revoke certificates: certificate revocation lists (CRLs) and OCSP. A CRL is an extensive list of certificates revoked by the CA. OCSP is a protocol that allows inquiring about a specific certificate.

Summary

  • With someone’s public key, we can verify their signatures and send them encrypted messages.
  • With our private key, we can sign messages and decrypt messages sent to us.
  • Certificates identify public key owners.
  • We trust a certificate because we trust the CA that signed it.
  • We trust the CA because Apple/Google/Microsoft/whoever added the CA’s certificate on our host trusts them.