Public Key Infrastructure (PKI)

Time
21 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
21
Video Transcription
00:01
>> Hello Cybrarians and welcome back to
00:01
the Linux plus course here at Cybrary,
00:01
I'm your instructor Rob Goelz.
00:01
In today's lesson we're going to be covering
00:01
public key infrastructure, or PKI.
00:01
Upon completion of today's lesson,
00:01
you're going to be able to understand the purpose of
00:01
PKI as well as the key concepts of PKI,
00:01
which include keys, hashing, and certificates.
00:01
The most important part of
00:01
cryptography is the concept of keys.
00:01
Keys are used when we want to encrypt,
00:01
when we want to change plain text
00:01
into cipher text, and vice versa.
00:01
When we want to use keys to
00:01
decrypt cipher text back to plain text.
00:01
But we run into trouble
00:01
sometimes when we need to share keys with others,
00:01
because how can we be sure that the key is valid
00:01
and how can we be sure that
00:01
the key is coming from a trusted source?
00:01
Well the way that we get around some of
00:01
these issues is by using PKI.
00:01
PKI provides integrity for
00:01
cryptography through a couple of components and it's
00:01
structured to ensure authenticity and validity
00:01
of keys as well as the users of those keys.
00:01
Some of the components used in PKI are private keys,
00:01
public and private key pairs,
00:01
and a certificate authority, or CA.
00:01
Hashing also plays a part in PKI and cryptography.
00:01
We're going to cover two concepts in this lesson.
00:01
Those are the message digest and digital signature.
00:01
PKI uses asymmetric encryption,
00:01
which means it's using a key pair,
00:01
a public key which is known to everyone,
00:01
and that public key can only be
00:01
decrypted by the private key,
00:01
and then the private key which is only
00:01
known by the owner and is never shared.
00:01
This key can only be decrypted by the public key.
00:01
By comparison, we also have
00:01
the concept of a symmetric key,
00:01
which is a single key known to both parties.
00:01
This is sometimes known as a private, or secret key.
00:01
In this situation, plain text is encrypted and
00:01
decrypted using just that one key in the symmetric key.
00:01
But generally, asymmetric encryption is what we use to
00:01
establish a trusted connection
00:01
across an untrusted medium like the Internet.
00:01
Then once we have the trusted connection,
00:01
we can use that to share the
00:01
symmetric key we're going to
00:01
use to handle the encryption going forward.
00:01
Now a certificate authority
00:01
is another thing we got to consider
00:01
here when we're having conversations about PKI.
00:01
A CA's job is basically to issue
00:01
digital certificates that validate a server's identity.
00:01
Some examples of commercial CAs are
00:01
VeriSign, Comodo and DigiCert.
00:01
Digital certificates are either issued,
00:01
or signed by a CA.
00:01
We can request that they issue one for us,
00:01
or we can send in a certificate signing request
00:01
and then get that signed and sent back to us,
00:01
but either way because this is being issued,
00:01
or signed by the CA,
00:01
the CA can verify the certificate.
00:01
All the certificate really is is an encrypted key.
00:01
Let's talk about that a little bit more.
00:01
The CA can issue a certificate to a web server owner.
00:01
When it does that,
00:01
the CA signs the certificate that
00:01
it issues with its own private key.
00:01
Well remember this,
00:01
a private key can only be decrypted by a public key,
00:01
but everyone can have access to the public key.
00:01
That's not a secret. We share that readily.
00:01
Because everyone can access the public key,
00:01
that means that everyone can decrypt
00:01
the signature of the CA.
00:01
Thereby by decrypting the signature,
00:01
they verify the authenticity of the issued certificate.
00:01
The certificate is signed by a private key,
00:01
which only the CA has.
00:01
It's decrypted by a public key which everyone has,
00:01
and then you can verify the integrity.
00:01
Now it may be cost-prohibitive,
00:01
or unnecessary to obtain
00:01
a digital certificate for each and every situation.
00:01
If you're developing an application,
00:01
you probably don't need to have a certificate.
00:01
If you're performing encryption
00:01
inside of a company network,
00:01
you don't really need to have a CA
00:01
from a third party CA either.
00:01
In these cases, systems administrators
00:01
sometimes choose to make their own certificates.
00:01
Those are called self-signed certificates,
00:01
but they should never be used for production,
00:01
or on any external,
00:01
or public facing sites.
00:01
Now hashing is the last concept we'll talk about here.
00:01
We're going to talk about
00:01
hashing and also we're going to talk
00:01
about signatures in just a second,
00:01
but they're both related.
00:01
Hashing is really just a way of
00:01
verifying the integrity of a file, or a message.
00:01
It uses a one-way algorithm that
00:01
turns your plain text into cipher text.
00:01
That cipher text is called
00:01
a message digest, hash, or fingerprint.
00:01
The question would be,
00:01
why would you want to hash something?
00:01
That's just a one-way trip. You can't get it back.
00:01
Well, hashing is useful because
00:01
you can use it to compare data.
00:01
Basically it's a one-way trip.
00:01
If the hash returns the same message for two files,
00:01
they contain the same data,
00:01
if you get the same hash value
00:01
for two different files they contain the same data.
00:01
If you're downloading a file from a website,
00:01
sometimes you'll see an MD5 hash,
00:01
or a SHA-256 hash provided by the vendor.
00:01
Then when you download it to your machine,
00:01
you can run a hash against it as well,
00:01
and provided that you get the same output,
00:01
the same message digest,
00:01
the string of characters we've seen before,
00:01
we know that that file hasn't changed.
00:01
The same thing is true of a file
00:01
that's come across an email.
00:01
If the sender provides you a message hash,
00:01
you can look at it and say, "Okay,
00:01
the file inside of this message is
00:01
the same on both sides because this is
00:01
their hash value that they got for this method.
00:01
When I open the file,
00:01
or when I get the file and I hash it,
00:01
it's the exact same," we can ensure
00:01
the integrity of that file.
00:01
Now a digital signature is
00:01
just an evolution of this concept because all
00:01
that it is is a message digest
00:01
of the plain text data of a message.
00:01
Just as we saw with CAs and
00:01
CAs using their private certificate to sign things,
00:01
a user's private key is used to sign this hash,
00:01
or a message digest.
00:01
It creates a cryptographic token,
00:01
and that token can only be
00:01
decrypted with a user's public key.
00:01
Remember everyone has access to the public key.
00:01
Basically if I sign it with my private key,
00:01
I'm the only one that could do it.
00:01
If you decrypt it with my public key,
00:01
you know it came from me.
00:01
It's just since the user
00:01
is the only one that has a private key,
00:01
you can ensure the integrity of the message.
00:01
In this lesson, we covered the purpose of PKI.
00:01
We talked about the keys
00:01
and encryption that are used in PKI.
00:01
Then we also covered the concepts
00:01
of certificates and hashing.
00:01
Thanks so much for being here and I look
00:01
forward to seeing you in the next lesson.