
Lecture – 32

Advanced Computer Networks


(MCA-206)

by
Ruby Dahiya (Faculty – IT, IITM)
Task Menu for Today

• Key Predistribution of Asymmetric (Public) Key


• Digital Certificate
• Certification Authority
• Web of trust
• Certification Revocation
• Key Predistribution of Symmetric (Secret) Key

Key Predistribution of Asymmetric Key
• To use ciphers and authenticators, the
communicating participants need to know
what keys to use.
• The problem of getting keys to people is
doing it in such a way that they can be sure
the key is legitimate.
• Solution for publicizing the keys: the use of
digital certificates.
Digital Certificate
• The ownership of a predistributed public key
by a certain party can be attested to by a
public key certificate (Digital Certificate) that
is digitally signed by a trusted party.
• Public Key Infrastructure: PKI is a complete
scheme for bindings between public keys and
identities – what key belongs to whom.
• A digital certificate is just a special type of
digitally signed document.
• The PKI verifies the identity and binds it to the
key out of band.
Certification Authority
• A Certification Authority (CA) is an entity claimed
(by someone) to be trustworthy for verifying
identities and issuing public key certificates.
• The idea of certificates allows the building of
“chains of trust.”
• The chains of trust can be built in a
tree-structured hierarchy.
• If everyone has the public key of the root CA,
then any participant can provide a chain of
certificates to another participant and know that
it will be sufficient to build a chain of trust for
that participant.
Web of Trust
• In the web of trust model, trust is a matter of
degree.
• The public key certificate includes a confidence
level indicating how confident the signer is of
the key binding claimed in the certificate.
• A given user may have to have several
certificates attesting to the same key binding
before he is willing to trust it.
Certificate Revocation
• How to revoke, or undo, a certificate is an issue
with digital certificates.
• A certification authority can issue a certificate
revocation list (CRL), which is a digitally signed list
of certificates that have been revoked.
• The CRL is periodically updated and made
publicly available.
• By giving a certificate an expiration date when it
is issued, the length of time a revoked certificate
needs to stay on a CRL can be limited.
X.509
• X.509 is one of the major standards for
certificates.
• The components of a certificate must include:
  – the name of the entity being certified
  – the public key of the entity
  – the name of the certificate authority
  – a digital signature
  – expiration time (optional)
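The following example ties together the Digital Certificate, Certification Authority, Certificate Revocation and X.509 slides: a certificate carrying the components listed above (subject name, subject public key, issuer name, signature, expiry, plus a serial number, which real X.509 certificates have and which is what a CRL lists) is issued by a root CA to an intermediate CA and then to an end entity, and a verifier walks the chain up to the root key it already trusts, rejecting expired, revoked, tampered and untrusted-root chains. This is an added illustration, not code from the lecture. It uses textbook RSA with small fixed primes and SHA-256 only so that it runs with the Python standard library; the keys, names and day-number timestamps are constructed for the example and the toy RSA is not secure.

```python
"""Toy certificate chain: issue, verify, expire, revoke (standard library only)."""
import hashlib
import json

# --- Toy textbook RSA (no padding, tiny modulus). Constructed for this example so it
# --- runs without third-party libraries; NOT secure and never to be used in practice.
def toy_keypair(p: int, q: int, e: int = 65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))       # private exponent
    return (n, e), (n, d)                   # (public key, private key)

def _digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private_key, data: bytes) -> int:
    n, d = private_key
    return pow(_digest_int(data, n), d, n)

def verify(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest_int(data, n)

# --- Certificate: the X.509-style components from the slide, plus a serial number
# --- (real X.509 certificates have one; it is what a CRL lists).
TBS_FIELDS = ("serial", "subject", "public_key", "issuer", "not_after")

def tbs_bytes(cert: dict) -> bytes:
    """Canonical encoding of the to-be-signed fields (everything except the signature)."""
    return json.dumps({k: cert[k] for k in TBS_FIELDS}, sort_keys=True).encode()

def issue_cert(issuer_name, issuer_priv, serial, subject, subject_pub, not_after) -> dict:
    cert = {"serial": serial, "subject": subject, "public_key": list(subject_pub),
            "issuer": issuer_name, "not_after": not_after}
    cert["signature"] = sign(issuer_priv, tbs_bytes(cert))   # the CA attests the binding
    return cert

def verify_chain(chain, trusted_roots, crl, now):
    """chain[0] is the end-entity cert; chain[-1] must be issued by a root in trusted_roots.
    trusted_roots maps root CA name -> public key (the key everyone is assumed to hold).
    crl is the set of revoked serial numbers. Returns (ok, reason)."""
    for i, cert in enumerate(chain):
        if cert["serial"] in crl:
            return False, f"revoked: {cert['subject']}"
        if now > cert["not_after"]:
            return False, f"expired: {cert['subject']}"
        if i + 1 < len(chain):                       # issuer is the next cert in the chain
            issuer_cert = chain[i + 1]
            if issuer_cert["subject"] != cert["issuer"]:
                return False, f"broken chain at {cert['subject']}"
            issuer_key = tuple(issuer_cert["public_key"])
        else:                                        # top of chain: must be a trusted root
            issuer_key = trusted_roots.get(cert["issuer"])
            if issuer_key is None:
                return False, f"untrusted root: {cert['issuer']}"
        if not verify(issuer_key, tbs_bytes(cert), cert["signature"]):
            return False, f"bad signature on {cert['subject']}"
    return True, "chain verified"

def build_demo():
    # Constructed keys from fixed primes; a real CA would use 2048-bit or larger RSA.
    root_pub, root_priv = toy_keypair(1000000007, 1000000009)
    ca_pub, ca_priv = toy_keypair(998244353, 1000000021)
    alice_pub, _alice_priv = toy_keypair(1000000033, 1000000087)
    # Root CA -> Intermediate CA -> Alice. Expiry values are day numbers (constructed).
    ca_cert = issue_cert("Root CA", root_priv, serial=101, subject="Intermediate CA",
                         subject_pub=ca_pub, not_after=1000)
    alice_cert = issue_cert("Intermediate CA", ca_priv, serial=202,
                            subject="alice@example.com", subject_pub=alice_pub, not_after=400)
    return [alice_cert, ca_cert], {"Root CA": root_pub}

def demo_results():
    chain, roots = build_demo()
    tampered = dict(chain[0], subject="mallory@example.com")   # altered after signing
    return {
        "valid": verify_chain(chain, roots, crl=set(), now=100),
        "expired_leaf": verify_chain(chain, roots, crl=set(), now=500),
        "revoked_ca": verify_chain(chain, roots, crl={101}, now=100),
        "untrusted_root": verify_chain(chain, {}, crl=set(), now=100),
        "tampered_leaf": verify_chain([tampered, chain[1]], roots, crl=set(), now=100),
    }

if __name__ == "__main__":
    for case, (ok, reason) in demo_results().items():
        print(f"{case:15s} ok={ok} ({reason})")
```

Note that the verifier never needs the intermediate CA's key in advance: it only needs the root public key, and each certificate in the chain carries the key used to check the one below it. Revocation is checked per serial number before the signature, so a correctly signed but revoked intermediate still fails the whole chain.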
Predistribution of Symmetric Keys
• Predistribution of the secret key is more
difficult because of the following reasons:
1. If there are N entities, N(N-1)/2 keys are
required.
2. Unlike public key, these keys must be kept
secret.
Solution: Key Distribution Center (KDC)
Key Distribution Center (KDC)
• Key Distribution Center (KDC) is a trusted entity
that shares a secret key with each other entity.
• KDC participates in a protocol that authenticates
Alice and Bob using the keys that the KDC shares
with each of them.
• KDC generates a new session key for them to use.
• Session Key: A session key is used to secure a
short episode of communication known as a
session. It is always a symmetric key, for speed.
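The following example, added here and not taken from the lecture, models the Predistribution of Symmetric Keys and Key Distribution Center slides: a KDC that shares a long-term key with each principal, an Alice-to-KDC request, a KDC reply that only Alice can open and a ticket inside it that only Bob can open, after which both hold the same fresh session key. It also counts the keys needed with and without a KDC, the N(N-1)/2 figure from the slide. The message layout (a nonce in the request and reply, a ticket for Bob carried inside Alice's reply) is one simple arrangement chosen for the example, not the specific protocol the lecture has in mind. The symmetric "seal"/"open" pair is a constructed toy built from HMAC-SHA256 so the example runs with the standard library; it stands in for a real authenticated cipher such as AES-GCM and is not meant for production use.

```python
"""KDC session-key establishment with a toy authenticated cipher (standard library only)."""
import hashlib
import hmac
import json
import os

# --- Toy authenticated encryption: HMAC-derived keystream XOR plaintext, then an HMAC tag.
# --- Constructed for this example; a real system would use AES-GCM or similar.
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")      # wrong key or modified message
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

def keys_needed(n: int, with_kdc: bool) -> int:
    """Pairwise secret keys for n entities vs one long-term key per entity with a KDC."""
    return n if with_kdc else n * (n - 1) // 2

class KDC:
    """Trusted entity that shares a long-term secret key with every principal."""
    def __init__(self):
        self.long_term = {}                  # name -> key shared between that principal and the KDC

    def register(self, name: str) -> bytes:
        self.long_term[name] = os.urandom(32)
        return self.long_term[name]          # delivered to the principal out of band

    def request_session(self, initiator: str, responder: str, nonce: bytes) -> bytes:
        # The KDC never sends Ks in the clear: the reply is sealed under the initiator's
        # key and the ticket under the responder's key, so only the real Alice and the
        # real Bob can recover it. That is how the shared long-term keys authenticate them.
        ks = os.urandom(32)                  # fresh session key for this episode only
        ticket = seal(self.long_term[responder],
                      json.dumps({"session_key": ks.hex(), "peer": initiator}).encode())
        reply = seal(self.long_term[initiator],
                     json.dumps({"session_key": ks.hex(), "peer": responder,
                                 "nonce": nonce.hex(), "ticket": ticket.hex()}).encode())
        return reply

def run_exchange():
    kdc = KDC()
    k_alice, k_bob = kdc.register("alice"), kdc.register("bob")
    nonce = os.urandom(16)
    # 1. Alice -> KDC: "I want a session with bob", with a fresh nonce.
    reply = kdc.request_session("alice", "bob", nonce)
    # 2. KDC -> Alice: {Ks, bob, nonce, ticket} sealed under K_alice.
    msg = json.loads(open_(k_alice, reply))
    if msg["peer"] != "bob" or bytes.fromhex(msg["nonce"]) != nonce:
        raise ValueError("reply does not match this request")   # replay / wrong peer
    ks_alice = bytes.fromhex(msg["session_key"])
    # 3. Alice -> Bob: the ticket {Ks, alice} sealed under K_bob (opaque to Alice).
    ticket = json.loads(open_(k_bob, bytes.fromhex(msg["ticket"])))
    ks_bob = bytes.fromhex(ticket["session_key"])
    # 4. Both now hold Ks and can protect the session with it.
    greeting = open_(ks_bob, seal(ks_alice, b"hello bob"))
    return ks_alice == ks_bob, ticket["peer"], greeting

def tamper_detected() -> bool:
    """A reply modified in transit must be rejected rather than yield a bogus key."""
    kdc = KDC()
    k_alice, _ = kdc.register("alice"), kdc.register("bob")
    reply = bytearray(kdc.request_session("alice", "bob", os.urandom(16)))
    reply[20] ^= 0x01                        # flip one ciphertext bit
    try:
        open_(k_alice, bytes(reply))
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(run_exchange())
    print("100 entities need", keys_needed(100, False), "pairwise keys vs",
          keys_needed(100, True), "with a KDC")
```

The nonce check in step 2 is what stops an old KDC reply from being replayed to Alice, and the tag check inside `open_` is what stops anyone without K_alice or K_bob from substituting a session key of their choosing; the session key itself is symmetric, as the slide notes, so both sides encrypt and verify at symmetric-cipher speed once the exchange is done.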
