PKI concepts and terms explained

The PKI environment within an organization is sometimes hard to understand because of the many abbreviations, concepts and terms that are typical of PKI. For this reason we have compiled a list of these terms with explanations to help you understand the world of PKI better.

| Term | Description |
|---|---|
| Advanced Encryption Standard (AES) | A specification for the symmetric encryption of electronic data. |
| Asymmetric encryption | The use of two different but mathematically related keys for encryption: a public key (which can be shared with anyone) to encrypt messages and a private key (which should be known only to the recipient) to decrypt them. |
| Authority Information Access (AIA) | Specifies, within a certificate, where up-to-date parent certificates of that certificate can be found. |
| Automatic Certificate Management Environment (ACME) | A communications protocol for automating interactions between certificate authorities and their users' servers, allowing the automated deployment of public key infrastructure at very low cost. |
| Certificate and Key Management Solution (CKMS) | A set of rules and processes, often combined into a software solution, allowing the creation and secure management of PKI-based certificates and their corresponding private keys. |
| Certificate Authority (CA) | A resource and system that creates digital certificates and owns the policies, practices and procedures for vetting recipients and issuing the certificates. It is up to the owners and operators of a CA to determine the vetting methods for certificate recipients, the types of certificates they will issue, the parameters contained within each certificate, and the security and operations procedures. |
| Certificate Chain | A chain of certificates consisting of the subscriber certificate, the issuing CA certificate, intermediate CA certificate(s) and the root CA certificate. |
| Certificate Lifecycle Management (CLM) | A set of rules and processes, often combined into a software solution, allowing the management of PKI-based certificates. |
| Certificate Management Protocol (CMPv2) | An Internet protocol standardized by the IETF for obtaining X.509 digital certificates in a public key infrastructure (PKI). CMP is a very feature-rich and flexible protocol that supports any type of cryptography. CMP messages are self-contained, which, as opposed to EST, makes the protocol independent of the transport mechanism and provides end-to-end security. |
| Certificate Path | A chain of certificates consisting of the subscriber certificate, the issuing CA certificate, intermediate CA certificate(s) and the root CA certificate (see Certificate Chain). |
| Certificate Policy (CP) | A specialized form of administrative policy tuned to the electronic transactions performed during certificate management. A Certificate Policy addresses all aspects associated with the generation, production, distribution, accounting, compromise recovery and administration of digital certificates. Indirectly, a certificate policy can also govern the transactions conducted using a communications system protected by a certificate-based security system. By controlling critical certificate extensions, such policies and the associated enforcement technology can support the provision of the security services required by particular applications. |
| Certificate Profile | A detailed description of the structure and components of a certificate and of the origin of the data it contains. |
| Certificate Revocation List (CRL) | A list of certificates (more specifically, a list of serial numbers of certificates) that have been revoked; entities presenting those revoked certificates should therefore no longer be trusted. |
| Certificate Signing Request (CSR) | A request that records, in a defined format, identifying information about the person or device that owns a private key, together with information on the corresponding public key. |
| Certificate Trust List (CTL) | The collection of trusted certificates used by relying parties to authenticate other certificates. |
| Certification Practice Statement (CPS) | A statement of the practices that a CA employs in issuing, suspending, revoking and renewing certificates and in providing access to them, in accordance with specific requirements (i.e., the requirements of the applicable Certificate Policy, or requirements specified in a contract for services). |
| CRL Distribution Point (CDP) | The location from which the latest CRL can be downloaded. |
| Digital Signature | A way to verify authenticity through the use of a unique digital identifier. Digital signatures rely on asymmetric encryption: the owner of a private key uses that key to digitally sign a message, and third parties then use the corresponding public key to verify the signature and confirm that the message was not modified in transit, since any modification would cause the verification to fail. Digital signatures also offer non-repudiation, as signers cannot deny their signature. |
| Elliptic-curve cryptography (ECC) | An approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC provides security equivalent to non-EC cryptography such as RSA with smaller keys. |
| Encryption Certificate | A certificate containing a public key, with the corresponding Key Usage, that is used to encrypt electronic messages, files, documents or data transmissions, or to establish or exchange a session key for these same purposes. |
| End-Entity Certificate | A certificate at the bottom of the CA hierarchy that cannot be used to sign any other certificates. Most end-user, device and server certificates are end-entity certificates. |
| Enrollment over Secure Transport (EST) | A cryptographic protocol that describes an X.509 certificate management protocol for public key infrastructure (PKI) clients that need to acquire client certificates and the associated certificate authority (CA) certificates. EST is described in RFC 7030. EST has been put forward as a replacement for SCEP, being easier to implement on devices that already have an HTTPS stack. EST uses HTTPS as its transport and relies on TLS for many of its security properties. |
| Extended Key Usage (EKU) | Defines the specific purposes, beyond the basic Key Usage, for which a certificate may be used. |
| Hardware Security Module (HSM) | A physical computing device that safeguards and manages digital keys for strong authentication and performs cryptographic operations. |
| Hash | A digital fingerprint, commonly used in digital signatures, to ensure that data has not been tampered with. Specifically, the output of a one-way function that maps input data to a fixed-size value from which the original input cannot practically be recovered. |
| Intermediate Certification Authority (Intermediate) | A CA that is subordinate to another CA and itself has a CA subordinate to it. |
| Issuing Certification Authority | A subordinate CA that issues certificates to end users and computers (certificate subjects). |
| Key Attestation | The technical ability to prove to a remote party that a private key was generated inside, is managed inside, and is not exportable from a hardware cryptographic module such as a Trusted Platform Module (TPM) or Hardware Security Module (HSM). |
| Key Usage (KU) | Defines the basic cryptographic operations for which a certificate's key may be used. |
| Lightweight Directory Access Protocol (LDAP) | An open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing information about users, systems, networks, services and applications to be shared throughout the network. An LDAP directory is often used to store the S/MIME certificate data of user accounts. |
| Multipurpose Internet Mail Extensions (MIME) | An Internet standard that extends the format of email messages to support text in character sets other than ASCII, as well as attachments of audio, video, images and application programs. |
| Object Identifier (OID) | A globally unique value, used in Abstract Syntax Notation One (ASN.1), that is associated with an object to identify it unambiguously. |
| Online Certificate Status Protocol (OCSP) | An online protocol used to determine the status of a public key certificate. |
| Public Key Cryptography Standards (PKCS) | A set of standards describing the use of standard cryptographic techniques within PKI programs. These standards are defined and published by RSA Security LLC and include PKCS 7, PKCS 10, PKCS 11 and PKCS 12, which cover things like message syntax, the format of certificate requests and how private keys are stored. |
| Public Key Infrastructure (PKI) | A set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and to manage public-key encryption. The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, Internet banking and confidential email. It is required for activities where simple passwords are an inadequate authentication method and more rigorous proof is required to confirm the identity of the parties involved in the communication and to validate the information being transferred. |
| Registration Authority (RA) | A trusted entity that establishes and vouches for the identity of a subscriber to a CA. The RA may be an integral part of a CA or independent of it, but it always has a relationship to the CA. |
| Rekeying | Changing the value of a cryptographic key that is in use in a cryptographic system or application; this normally entails issuing a new certificate for the new public key. |
| Renewal | The act or process of extending the validity of the data binding asserted by a public key certificate by issuing a new certificate. |
| Request for Comments (RFC) | A publication in a series from the principal technical development and standards-setting bodies for the Internet, most prominently the Internet Engineering Task Force (IETF). An RFC is authored by individuals or groups of engineers and computer scientists in the form of a memorandum describing methods, behaviors, research or innovations applicable to the working of the Internet and Internet-connected systems. PKI-related RFCs include 8399 and 5280. |
| Revocation | Prematurely ending the operational period of a certificate, effective at a specific date and time. |
| Rivest–Shamir–Adleman cryptography (RSA) | One of the oldest public-key cryptosystems, widely used for secure data transmission. The security of RSA relies on the practical difficulty of factoring the product of two large prime numbers. |
| Root Certificate Authority (Root) | The CA at the top of a PKI hierarchy, explicitly trusted by all subscribers and relying parties, whose public key serves as the most trusted datum (i.e., the starting point of trust paths) for a security domain. |
| Secure Sockets Layer (SSL) | A deprecated protocol pre-dating the TLS standard. Because CA-issued end-entity certificates are required to make both SSL and TLS possible, X.509 certificates are often referred to as SSL certificates. |
| Secure/Multipurpose Internet Mail Extensions (S/MIME) | A standard for public-key encryption and signing of MIME data. S/MIME is on an IETF standards track and is defined in a number of documents, most importantly RFC 8551. |
| Self-signed Certificate | A certificate whose signature is verified with its own public key and whose subject name is identical to its issuer name. Contrary to popular belief, self-signed certificates are not limited to private CAs; they are also present in public CAs (i.e., their root certificates). |
| Signing Certificate | A public key certificate that contains a public key intended for verifying digital signatures rather than for encrypting data or performing any other cryptographic function. |
| Simple Certificate Enrollment Protocol (SCEP) | A protocol for digital certificates that supports certificate authority (CA) and registration authority (RA) public key distribution, certificate enrollment, certificate revocation, certificate queries and certificate revocation list (CRL) queries. |
| Subordinate Certification Authority | A CA whose certificate signing key is certified by another CA, and whose activities are constrained by that other CA. |
| Symmetric Encryption | Encryption in which a single key, shared by sender and recipient, is used both to encrypt and to decrypt messages. |
| Transport Layer Security (TLS) | A cryptographic protocol designed to provide communications security over a computer network. TLS replaced the SSL protocol. |
| Trusted Platform Module (TPM) | An international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. TPM version 2.0 is the current standard, making version 1.0 obsolete. |
| X.509 | A standard defining the format of public key certificates. X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secure protocol for browsing the web. They are also used in offline applications, such as electronic signatures. |
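The Certificate Chain, Root, Self-signed Certificate, End-Entity Certificate and Key Usage/Extended Key Usage entries above describe one hierarchy; the following added example (not code from the original page) builds that hierarchy with Go's standard `crypto/x509` package and checks it as a relying party would. The CA name and host name are constructed, and the root is the only trusted certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with signer (self-signed when parent == tmpl, so issuer name == subject name).
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// BuildChain creates a self-signed root CA and an end-entity TLS server certificate issued by it.
func BuildChain() (root, leaf *x509.Certificate, err error) {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader) // the leaf's private key is not needed here
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Root CA"}, // constructed name
		NotBefore:    now, NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true, // a CA certificate may sign other certificates
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if root, err = issue(rootTmpl, rootTmpl, rootPub, rootKey); err != nil { return }
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "server.example.test"}, // constructed name
		DNSNames:     []string{"server.example.test"},
		NotBefore:    now, NotAfter: now.Add(90 * 24 * time.Hour),
		IsCA:         false, BasicConstraintsValid: true, // end-entity: cannot sign other certificates
		KeyUsage:     x509.KeyUsageDigitalSignature,                 // KU: basic property
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // EKU: TLS server authentication
	}
	leaf, err = issue(leafTmpl, root, leafPub, rootKey)
	return
}

// VerifyChain builds the trust path leaf -> root with root as the only trusted certificate.
func VerifyChain(root, leaf *x509.Certificate, host string) error {
	pool := x509.NewCertPool(); pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}
```

Verification succeeds only when every link of the chain checks out: the root's self-signature, the leaf's signature by the root, the CA flag on the root, the requested host name and the EKU on the leaf.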