Authentication and public key infrastructure
The Diffie-Hellman key exchange allows two parties to create a private, shared secret. But how do the two parties know they’re talking to the correct entity? We haven’t talked about authentication yet.
What if I picked up the phone and called my friend and we performed a Diffie-Hellman key exchange, but it turns out my call was intercepted and I was actually talking to someone else? I’d still be able to communicate securely with that person — no one else would be able to decode our communication once we negotiated the shared secret — but they’re not who I thought I would be talking to. That’s not very secure!
To solve the authentication problem, we need a Public Key Infrastructure.
A public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption. The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking and confidential email. It is required for activities where simple passwords are an inadequate authentication method and more rigorous proof is required to confirm the identity of the parties involved in the communication and to validate the information being transferred.
A public key infrastructure (PKI) is a system for the creation, storage, and distribution of digital certificates which are used to verify that a particular public key belongs to a certain entity. The PKI creates digital certificates which map public keys to entities, securely stores these certificates in a central repository and revokes them if needed.
A PKI consists of:
- A certificate authority (CA) that both issues and verifies the digital certificates
- A registration authority (RA) which verifies the identity of entities requesting certificates from the CA
- A central directory—i.e., a secure location in which to store and index keys
- A certificate management system
- A certificate policy
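The following is an added example, not code from the original page, that ties the two halves of the section together: it first shows why the unauthenticated Diffie-Hellman exchange from the opening paragraphs gives each endpoint no way to tell whether it negotiated a key with the intended peer or with whoever was in the middle, and then shows the receiver-side checks a PKI makes possible (certificate issued by the trusted CA, not revoked, naming the expected peer, and a signature over the DH value by the certified key). Everything in it is constructed: the names Alice, Bob and Mallory, the 23-element DH group, the four-digit textbook RSA moduli, and raw RSA without hashing or padding standing in for a real signature scheme; none of it is secure and the helper names are my own.

```python
"""Added example: why unauthenticated Diffie-Hellman needs a PKI.

Every parameter below is a constructed textbook value (23-element DH group,
four-digit RSA moduli) chosen so the arithmetic is easy to follow; none of it
is secure, and the signature scheme is raw textbook RSA without hashing or
padding, standing in for a real scheme such as RSA-PSS or ECDSA."""
import hashlib

P, G = 23, 5  # constructed DH group (p = 23, generator 5); real groups are 2048+ bits


def dh_public(private: int) -> int:
    """g^private mod p, the value each party sends."""
    return pow(G, private, P)


def dh_shared(peer_public: int, private: int) -> int:
    """peer_public^private mod p, the shared secret."""
    return pow(peer_public, private, P)


def toy_rsa_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA from two small primes; returns ((e, n), (d, n))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)


def sign_int(m: int, priv) -> int:
    """Sign a small integer directly (m < n); real schemes hash and pad first."""
    d, n = priv
    return pow(m, d, n)


def verify_int(m: int, sig: int, pub) -> bool:
    e, n = pub
    return pow(sig, e, n) == m


def cert_digest(subject: str, pub, n: int) -> int:
    """Reduce a hash of the certificate body (name + public key) to a signable integer."""
    body = f"{subject}|{pub[0]}|{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n


def issue_cert(subject: str, subject_pub, ca_priv, serial: int) -> dict:
    """The CA binds a name to a public key by signing the pair (after the RA has checked identity)."""
    return {"serial": serial, "subject": subject, "pub": subject_pub,
            "sig": sign_int(cert_digest(subject, subject_pub, ca_priv[1]), ca_priv)}


def verify_cert(cert: dict, ca_pub) -> bool:
    return verify_int(cert_digest(cert["subject"], cert["pub"], ca_pub[1]), cert["sig"], ca_pub)


def send_authenticated(dh_pub: int, cert: dict, priv) -> dict:
    """Sender attaches its certificate and signs its DH value with the certified key."""
    return {"cert": cert, "dh_pub": dh_pub, "sig": sign_int(dh_pub, priv)}


def receive_authenticated(msg: dict, expected_peer: str, ca_pub, revoked: set):
    """Accept the peer's DH value only if its certificate was issued by the trusted CA,
    is not revoked, names the peer we intended to talk to, and the DH value is signed
    by the certified key. Returns the DH value, or None if any check fails."""
    cert = msg["cert"]
    if not verify_cert(cert, ca_pub):
        return None                        # not issued by our CA (or tampered with)
    if cert["serial"] in revoked:
        return None                        # the CA has withdrawn this binding
    if cert["subject"] != expected_peer:
        return None                        # a valid certificate, but for someone else
    if not verify_int(msg["dh_pub"], msg["sig"], cert["pub"]):
        return None                        # DH value was not signed by the certified key
    return msg["dh_pub"]


def demo_unauthenticated(a: int = 6, b: int = 15, m: int = 13) -> bool:
    """Plain DH: if an interceptor hands each side its own value M instead of the
    other's, each side ends up sharing a key with the interceptor and cannot tell."""
    A, B, M = dh_public(a), dh_public(b), dh_public(m)
    k_alice, k_bob = dh_shared(M, a), dh_shared(M, b)
    return k_alice == dh_shared(A, m) and k_bob == dh_shared(B, m)  # True: both keys known to the interceptor


def demo_authenticated(a: int = 6, m: int = 13):
    """Authenticated DH: Bob (expecting 'alice') receives four candidate messages and
    accepts only the genuine one. Returns the four results."""
    ca_pub, ca_priv = toy_rsa_keypair(61, 53)
    alice_pub, alice_priv = toy_rsa_keypair(47, 59)
    other_pub, other_priv = toy_rsa_keypair(43, 67)
    alice_cert = issue_cert("alice", alice_pub, ca_priv, serial=1)
    other_cert = issue_cert("mallory", other_pub, ca_priv, serial=2)  # CA binds this key to its real owner only
    genuine = send_authenticated(dh_public(a), alice_cert, alice_priv)
    swapped_value = dict(genuine, dh_pub=dh_public(m))                        # Alice's cert, substituted DH value
    swapped_cert = send_authenticated(dh_public(m), other_cert, other_priv)  # a different, validly issued cert
    return (receive_authenticated(genuine, "alice", ca_pub, revoked=set()),
            receive_authenticated(swapped_value, "alice", ca_pub, revoked=set()),
            receive_authenticated(swapped_cert, "alice", ca_pub, revoked=set()),
            receive_authenticated(genuine, "alice", ca_pub, revoked={1}))   # Alice's cert revoked by the CA


if __name__ == "__main__":
    print("unauthenticated DH, interceptor shares both keys:", demo_unauthenticated())
    print("authenticated DH (genuine, swapped value, swapped cert, revoked):", demo_authenticated())
```

The point of `receive_authenticated` is the order and independence of the checks: a certificate that verifies under the CA key is necessary but not sufficient, because the interceptor may hold a perfectly valid certificate for a different name, and a signature that verifies is meaningless unless the key it verifies under is the one the CA bound to the expected peer. Real deployments add what the toy omits: a chain of intermediates up to a trust anchor, validity periods, revocation via CRLs or OCSP rather than an in-memory set, and a transcript-bound signature so the DH value cannot be replayed from an earlier session.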