Introduction to Public Key Infrastructure

A PKI (public key infrastructure) enables users of an inherently insecure public network such as the Internet to exchange data or documents securely and privately through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organization, and directory services that can store and, when necessary, revoke the certificates.

The public key infrastructure assumes the use of public key cryptography, which is the most common method on the Internet for authenticating a message sender or encrypting a message. Traditional cryptography has usually involved the creation and sharing of a secret key for the encryption and decryption of messages. This secret or private key system has the significant flaw that if the key is discovered or intercepted by someone else, messages can easily be decrypted, so the system is no longer secure. For this reason, public key cryptography and the public key infrastructure are the preferred approach on the Internet.

A public key infrastructure consists of:

  • A certificate authority (CA) that issues and verifies digital certificates. A certificate includes the public key or information about the public key.
  • A registration authority (RA) that acts as the verifier for the certificate authority before a digital certificate is issued to a requestor.
  • A validation authority (VA) is a body that checks the validity of an electronic certificate by referring to a list of invalid certificates, and confirms whether the electronic certificate was issued by a sufficiently trustworthy certification authority.
  • A digital certificate is a binding between an entity’s public key and one or more attributes relating to its identity.
  • A certificate revocation list (CRL) is a list of subscribers paired with digital certificate status. The list enumerates revoked certificates along with the reason(s) for revocation.
  • The Online Certificate Status Protocol (OCSP) checks in real time whether your certificate is still valid or whether it has been tampered with or revoked.
  • A digital signature is a data item that vouches for the origin and the integrity of a message. It is a scheme for demonstrating the authenticity of a digital message or document.
  • The Secure Token (ST3) is an advanced USB token based on a secure microprocessor smart chip that integrates powerful cryptographic technology designed for strong 2-Factor Authentication (2FA). It can be used to mitigate the potential risk of unsafe traditional password-based security for digital resources and transactions.

Diagram of a public key infrastructure

Fig. 1.0

Fig. 1.0 illustrates how a PKI binds public keys to their respective user identities by means of a certificate authority (CA). The user identity must be unique within each CA domain. The third-party validation authority (VA) can provide this information on behalf of the CA. The binding is established through the registration and issuance process, which, depending on the level of assurance the binding has, may be carried out by software at a CA or under human supervision. The PKI role that assures this binding is called the registration authority (RA). The RA ensures that the public key is bound to the individual to whom it is assigned in a way that ensures non-repudiation.

Client side Digital Signing and Verification

ADSS Go>Sign Applet has been designed to make client-side digital signatures easy to implement and use within any web application. It removes all the difficulties associated with locally installed software. In multi-third party environments such as Business to Business (B2B), Business to Customers (B2C) or Government to Citizens (G2C) there is a clear need for zero installation signing.

ADSS Go>Sign Applet is a solution for client-side signing. It has been designed to enable busy, non-technical people to sign documents and data. It works within modern browsers to allow citizens and businesses to go green, eliminate paper and avoid postage and handling costs.

Go>Sign Applet integrates with the system to protect internal or external financial reports, HR, legal, sales and marketing, support services, compliance, engineering or architectural drawings; in fact, any document where trust in authorship, integrity and approval is required.

The file type that works well with the Go>Sign applet is PDF; it is easy to digitally sign a document when its file format is PDF. PDF has been the standard for digitally signing documents all around the world because the applet is easily integrated with a PDF-format document.

When you sign a document in PDF format, the signature will appear on the document once you have finished signing it. Its location will be at the bottom of the page of the document. It is customizable: you can change the logo of your signature, and it also includes your handwritten signature.

The metadata included in the document once it is digitally signed is the hash value of that particular document. The metadata is customizable, so you can also add who signed the document.

Certificate Properties

- Version

- Serial Number

- Algorithm ID

- Issuer

- Validity

  • Not Before
  • Not After

- Subject

- Subject Public Key Info

  • Public Key Algorithm
  • Subject Public Key

- Issuer Unique Identifier (optional)

- Subject Unique Identifier (optional)

- Extensions (optional)

- Certificate Signature Algorithm

- Certificate Signature
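
The CA binding from Fig. 1.0 and the certificate properties listed above can be exercised with Go's standard `crypto/x509` package. This is an added example, not code from the original post or from Go>Sign; the names, serial numbers, validity periods and the choice of Ed25519 keys are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue plays the CA: it binds cn to a new public key. A nil parent yields a self-signed root.
func issue(cn string, serial int64, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader) // Ed25519 is this example's choice
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // root CA: signs itself and may sign certificates and CRLs
		tmpl.IsCA, tmpl.KeyUsage, parent, signer = true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// validate accepts cert only if ca signed it and at lies inside Not Before / Not After.
func validate(cert, ca *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	ca, caKey, err := issue("Constructed Root CA", 1, nil, nil) // constructed names and serials
	if err != nil {
		panic(err)
	}
	leaf, _, err := issue("Constructed Subscriber", 1001, ca, caKey)
	if err != nil {
		panic(err)
	}
	fmt.Println(leaf.Subject, leaf.Issuer, leaf.SerialNumber, leaf.NotAfter, validate(leaf, ca, time.Now()))
}
```

The check covers the issuer's signature and the validity window only; a validation authority would additionally consult the CA's CRL or an OCSP responder for the certificate's serial number.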

Soft Certificate vs. Hard Certificate

An electronic certificate confirms that a certain key actually belongs to a certain person. One person can have several certificates for various purposes. They can all be stored on a single token.

Certificates can be soft or hard. Hard certificates provide significantly higher security than soft certificates. Soft certificates (also referred to as file certificates) store keys in a file on a computer hard disk. Hard certificates (also referred to as card certificates) store keys in a chip on a smart card (or a USB memory stick). The private key is stored in one location only – on the receiver’s smart card or hard disk – and has not been copied or placed anywhere else. The public key, however, is available to all in an open folder.

When someone logs on, the certificate authenticates that the person is actually who he or she claims to be. Smart cards or the token along with PINs provide two-factor authentication (something one has and something one knows), which is stronger than traditional single-factor authentication (something one knows) in the form of user names and passwords.

How the encryption works in the PKI (public key infrastructure)

Client side signing using the Go>Sign applet

Fig. 1.1

PKCS#7 vs. PKCS#12

PKCS is a group of public-key cryptography standards devised and published by RSA Security Inc, starting in the early 1990s. The company published the standards to promote the use of the cryptography techniques to which they had patents, such as the RSA algorithm, and several others. The standards were not industry standards because the company retained control over them.

PKCS#7 is a standard for signing or encrypting (officially called “enveloping”) data. It is used to sign and/or encrypt messages under a PKI, and is also used for certificate dissemination.

PKCS#12 defines a file format commonly used to store private keys with accompanying public key certificates, protected with a password-based symmetric key. This container format can contain multiple embedded objects, such as multiple certificates, and is usually protected/encrypted with a password. It is usable as a format for the Java key store and to establish client authentication certificates in Mozilla Firefox.

I am one of the 12 PKI developers who have undergone the training here in the Philippines, and I feel honored to be a part of it.
