So we've talked about PKI a couple of times now. We referenced it when we were talking about asymmetric encryption and our hashing algorithms. But let's talk about PKI a little bit more in depth now.

PKI stands for public key infrastructure, and public key infrastructure is what makes use of our asymmetric encryption and our hashing algorithms to allow us to do things like encrypting our transmissions.
So our PKI does more than just encrypt transmissions. It allows us to do things such as user authentication. We can actually allow people to sign electronic documents, and we can verify that they are who they say they are. We can use PKI to allow people to log into their computers using smart cards. We can verify and sign emails.

PKI is a very strong tool for not only user authentication and encryption, but also non-repudiation: making sure that people are who they say they are, and that when they performed certain actions, they can't come back later and say "that wasn't me."
PKI can be used in what's called a centralized key management structure. We have other key management structures that are not centralized, but we're going to talk about the centralized management structure.

In a centralized key management structure, we need to have something called a CA. A CA is our certificate authority, and our certificate authority is the entity that creates, manages, distributes and verifies public and private keys.

They're the party that we need to have some sort of universal trust in. When we're talking about our CA, we're talking about a certificate authority. This is an entity whose certificate we need to inherently trust.
Taking a look at our PKI, we need to have our CA at the top.

So we have our certificates, we have our centralized PKI, and we have our CA at the top. Our CA has their own set of public and private keys that they generate for themselves. Again, this is why we have to trust the CA, because they generate their own public and private keys.

They generate their public key and their private key, and they give everyone in the environment their public key.
Our CA can be a third-party company that comes in, that we go and identify ourselves with, and they create certificates for us. Or we could have our own internal CA if we're creating certificates for our environment. Or, if we're connecting to a website using HTTPS, we're also using certificates, and those certificates are signed by a CA. Typically that CA is a company whose certificate, their public key, is installed on our computers, and we inherently trust it when we go online.

So that certificate is pre-installed on our computer before we even go online, and that's how we know that that website is who they say they are. So CAs are very, very important, and CAs have to work very hard to make sure that people trust them, know that they're not going to be compromised, and know that their private key won't be compromised.
The CA is going to use an algorithm to create the public and private key pair. So let's say we have facebook.com, and the CA, the certificate authority, is going to issue a certificate to Facebook. It's going to issue a public and private key pair to facebook.com.

It is going to create that public and private key and say, okay, Facebook, here's your private key, and I'm going to sign your key with my private key. So the CA signs Facebook's key, and because we trust the CA, we trust anything that Facebook signs, because we trust Facebook through the CA.
So then when we connect to Facebook, Facebook comes down to us and says, okay, here's my certificate, here's my data, and here's my public key. So Facebook says: I'm going to send you this data encrypted with my private key. Here's my public key, and this public key is signed by this party you already trust. So you know this is good, and if you need to, you can go and check with them and verify that this is still good.

So we check, we make sure, and we know that this public key is good. After that, we will accept sessions from facebook.com. We'll accept certificates from facebook.com encrypted with their private key, because we accept that private and public key pair. So that's where the CA comes into use.
Now let's look at something a little bit different. We're going to replace Facebook with our remote access server in our network at work.

We have a CA who creates a private key and public key pair for our remote access server, and they also create a public and private key pair for us and stick it on our smart card.

That way, when we try to remotely log into the server, because both us, our computer, as well as the remote access server trust the CA, and the CA has said, okay, your certificates are good, your public and private key pairs are good, we can start talking back and forth by encrypting our data with our private keys, and the other end can decrypt it with our public keys.
And we know who we're talking to, because those keys have been established by the certificate authority. The certificate authority says, okay, here's this person's public key. If someone sends you data and says that they are this person, so if Anthony encrypts data with his private key and sends you a data packet, and you're able to decrypt it with this public key, then I'm confirming that if you can decrypt that data with this public key, it was sent from Anthony. I have verified his identity, and this is Anthony. And the same thing for the remote access server: if this server sends you data and you're able to decrypt it with this public key, that means it was encrypted with this server's private key, and you can trust me that they are who they say they are.
So using that method, using that encryption, we can encrypt a beginning negotiation and say, okay, we're going to encrypt our communications back and forth. I am who I say I am; you need to use this public key to decrypt this data. We'll start talking back and forth, and then, after we've talked back and forth for a little while, we'll initiate an encrypted tunnel, and then we'll just start talking through that encrypted tunnel, and it'll make talking a lot faster.
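As an added example in Go (not the lecture's own code) of the CA step and the client check described above for facebook.com and for the remote access server: the CA self-signs its own root, issues a certificate for the site, and a client whose trust store holds only that root accepts the site's certificate but rejects a look-alike for the same name issued by a CA it was never given. The CA names, ECDSA P-256 keys, the 24-hour lifetime and facebook.com as the sample host are assumptions constructed for this example; the remote access server runs the same check in the other direction on the certificate from our smart card.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must(err error) { if err != nil { panic(err) } }
// Issue is the CA step from the lecture: generate a key pair for name and sign a certificate
// that binds the public key to name. With signer == nil the certificate is self-signed (a CA root).
func Issue(name string, isCA bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ECDSA P-256 is an assumption
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only a CA may sign other certificates
	} else {
		tmpl.DNSNames = []string{name} // the host this server certificate is valid for
	}
	if signer == nil {
		parent, signer = tmpl, key // self-signed: the CA vouches for its own root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// Scenario: our CA issues facebook.com a certificate, and a CA we never trusted issues a look-alike.
// The client's trust store holds only our CA's root, like the store pre-installed on our computer.
func Scenario() (trustedCA, unknownCA error) {
	root, caKey := Issue("Example CA", true, nil, nil)
	site, _ := Issue("facebook.com", false, root, caKey)
	rogue, rogueKey := Issue("Rogue CA", true, nil, nil)
	fake, _ := Issue("facebook.com", false, rogue, rogueKey)
	trust := x509.NewCertPool()
	trust.AddCert(root)
	_, trustedCA = site.Verify(x509.VerifyOptions{Roots: trust, DNSName: "facebook.com"})
	_, unknownCA = fake.Verify(x509.VerifyOptions{Roots: trust, DNSName: "facebook.com"})
	return // trustedCA is nil; unknownCA is an x509.UnknownAuthorityError
}
```

In practice the subject usually generates its own key pair and sends the CA only the public half in a signing request, so the private key never leaves the server or the smart card.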
So that's what our PKI does for us. Our PKI also works when we're signing documents, because we can sign documents with our private key. Essentially we're creating a hash of that document: we're hashing that document, we're encrypting the hash with our private key, and then we're saying that this is our signature. This is all done automatically on our computer behind the scenes. So if someone goes in and says, oh, did Anthony really sign this document, and is this document unchanged from when Anthony signed it, then they'll check it and say, okay, yes, I can decrypt this hash with Anthony's public key. The hash that he stuck on here matches when I hash the document; it matches the data, so I know that this document is good to go. I know that he actually signed this document.
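The document-signing flow just described, as an added example in Go that is not the lecture's own code: hash the document, sign the hash with the private key, and let the checker rehash the document and test the signature with the public key. ECDSA P-256 keys and the sample document are assumptions constructed for the example; with ECDSA the verify operation plays the role the lecture describes as decrypting the hash with the public key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Signer holds one person's key pair. In the lecture the private half would live on Anthony's
// smart card; here it is generated in memory (ECDSA P-256 is an assumption).
type Signer struct{ priv *ecdsa.PrivateKey }
func NewSigner() *Signer {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Signer{k}
}

// Public returns the half that anyone may hold and use to check signatures.
func (s *Signer) Public() *ecdsa.PublicKey { return &s.priv.PublicKey }

// Sign is the two-step process from the lecture: hash the document, then apply the private key
// to the hash. The result is the signature that travels with the document.
func (s *Signer) Sign(doc []byte) []byte {
	digest := sha256.Sum256(doc)
	sig, err := ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// Verify is the checker's side: rehash the document as received and ask the public key whether
// the signature matches that hash. Any edit to the document changes the hash and the check fails.
func Verify(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo signs a constructed document and reports the three cases a checker can meet.
func Demo() (original, tampered, wrongSigner bool) {
	anthony, someoneElse := NewSigner(), NewSigner()
	doc := []byte("I approve payment of 100 USD to Vendor X.") // constructed sample document
	sig := anthony.Sign(doc)
	original = Verify(anthony.Public(), doc, sig)                                             // untouched
	tampered = Verify(anthony.Public(), []byte("I approve payment of 900 USD to Vendor X."), sig) // edited after signing
	wrongSigner = Verify(someoneElse.Public(), doc, sig)                                      // not Anthony's key
	return // true, false, false
}
```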
So that's how PKI works with authentication. That's how PKI works with initiating VPNs and initiating user sessions. And that's how PKI can allow us to send secure emails, sign documents, and make sure that we are who we say we are.