From the course: Cisco CCNP SCOR Security (350-701) Cert Prep: 1 Security Concepts and Network Security

Public key infrastructure (PKI)

- [Instructor] As we continue our survey of security concepts that you need to be able to describe on the Cisco SCOR exam, let's examine public key infrastructure, or PKI. PKI is an umbrella term for everything used to establish and manage public key encryption, which is one of the most common forms of encryption used on the internet. We've already outlined public key cryptography in a previous video. It is an asymmetric encryption method, meaning that we use a pair of keys, one public and one private. These keys help us to authenticate the parties which are attempting to communicate with one another.

As an example of how this works, let's look at a scenario where we have Bob and Alice, and we have an attacker in between them trying to intercept communications. Bob and Alice want to establish a VPN connection between one another using digital signatures as a verification that they are communicating with the valid parties. They don't want anyone, such as this attacker, listening in on the conversation and intercepting their data. They are going to use an asymmetrical cryptography method. Remember that this means they're going to use two different keys that work together in order to obscure their data. So what happens is both Bob and Alice will generate a pair of keys, which are different. There's going to be one private key and one public key. We see here that's what Bob has.

What Bob does next is use the public key that he has generated to create a digital certification of his identity. This is done by providing his public key to a trusted certificate authority, or CA for short, and a CA simply issues digital certificates for verifying online identities. There are many of those out there that you may have heard of, places like VeriSign, Comodo and DigiCert. One good way to get your head around what a CA actually is, is to think of them as a notary.
Notaries are authorized to perform certain legal activities on our behalf and in our place because the notary acts as a stand-in for us to prove our identity. So for example, if we purchase a used car here in the United States with a notarized title, this helps to verify that the seller is the legitimate owner. Both you and the seller recognize that the notary has the authority to verify the identity. So a CA is somewhat similar to that because they are a trusted third party authority that helps to prove identity. So here both Bob and Alice trust the certificate authority.

What happens next is the CA will provide a digital certificate to Bob. Now, if we open Bob's certificate, we're going to see his public key inside as well as perhaps some personal information about him. We will also see the certificate authority signature and company information and some other information related to the CA itself. There would also be a URL that can be visited to verify the validity. Certificates can be revoked either by individuals or by CAs themselves if it's suspected that they have been compromised in any way. They can also expire because they have specific dates during which they are valid. So all of these things can be verified by visiting the URL found inside the digital certificate.

Now, Bob has his digital certificate, which contains, among other things, his public key. He would then send a copy of his digital certificate to Alice, which means that Alice now has Bob's public key. Bob then takes a packet and generates a hash value for this packet. Remember when we talked about hashing? Hashing is simply taking an input value and running that through an algorithm to get a unique output value. As long as that input isn't changing, then the output is always going to be the same. He then takes the output hash and he encrypts this using his private key. Once this is done, he takes the encrypted hash and he attaches it to the packet, which he then sends over to Alice.
Alice takes the encrypted hash and she decrypts it using Bob's public key. She's going to set aside the hash value output that she gets from this for the time being. She then runs the received packet through the exact same hashing algorithm that Bob did previously. If this hash value output matches the previously decrypted hash that she set aside, then Alice has been able to successfully authenticate Bob. So at this point, Alice knows two things: number one, she knows that the only person that could have encrypted this data is Bob using Bob's key. And number two, she has assurance that the data integrity is intact, because if one single bit had changed, if a single one or a zero had flipped, then the hashes would not have matched and Alice would have known that something is wrong.

It's a somewhat complex process that takes a little time to get your mind around, but this is how authentication happens through PKI and digital signatures. Now, you may be thinking, this sounds really complex, why is this important? Well, this exact type of authentication happens in both directions with an IPsec VPN tunnel if the peers are using digital signatures. These signatures are referred to as RSA signatures. These are used by IPsec for authentication in IKE Phase 1 when building a VPN tunnel. So that's a look at public key infrastructure, or PKI.
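The sign-and-verify exchange described above, as an added worked example that is not part of the course transcript: Bob hashes the packet and signs the digest with his private key, Alice recovers the digest with Bob's public key and compares it with her own hash of the packet, and a single flipped bit (or a signature made without Bob's private key) makes the check fail. It assumes textbook RSA with two Mersenne primes chosen only so the arithmetic is certain to work; they are not a safe choice for real keys, which come from a vetted library and a proper key generator.

```python
import hashlib

# Toy RSA parameters: two Mersenne primes (2^127-1 and 2^521-1) so the arithmetic
# is certain to work, but these are NOT safe for real keys; illustration only.
P = (1 << 127) - 1
Q = (1 << 521) - 1
E = 65537  # public exponent; coprime with (P-1)(Q-1) for these primes


def generate_keypair():
    """Bob's first step: one key pair, public (n, e) and private (n, d)."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))  # modular inverse, Python 3.8+
    return (n, E), (n, d)


def packet_hash(packet: bytes) -> int:
    """Hash the packet; as long as the input is unchanged the output is the same."""
    return int.from_bytes(hashlib.sha256(packet).digest(), "big")


def sign(private_key, packet: bytes) -> int:
    """Bob 'encrypts' the hash with his private key: the digital signature."""
    n, d = private_key
    return pow(packet_hash(packet), d, n)


def verify(public_key, packet: bytes, signature: int) -> bool:
    """Alice 'decrypts' the signature with Bob's public key, then re-hashes the
    packet herself and checks that the two digests match."""
    n, e = public_key
    recovered = pow(signature, e, n)
    return recovered == packet_hash(packet)


def flip_one_bit(data: bytes) -> bytes:
    """Flip the lowest bit of the last byte: the 'single one or zero' case."""
    return data[:-1] + bytes([data[-1] ^ 0x01])


if __name__ == "__main__":
    bob_public, bob_private = generate_keypair()
    packet = b"IKE phase 1 proposal: AES-256, SHA-256, DH group 14"  # constructed sample
    sig = sign(bob_private, packet)
    print("untouched packet verifies:", verify(bob_public, packet, sig))  # True
    print("one flipped bit verifies: ", verify(bob_public, flip_one_bit(packet), sig))  # False
    # An attacker without Bob's private key cannot produce a matching signature.
    print("forged signature verifies:", verify(bob_public, packet, sig + 1))  # False
```

Because the SHA-256 digest (256 bits) is far smaller than the modulus (about 648 bits), the recovered value is the exact digest, so a mismatch can only come from a changed packet or a signature made with the wrong key.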
