Abstract
Public key infrastructure (PKI) plays a fundamental role in securing the infrastructure of the Internet through the certification of public keys used in asymmetric encryption. It is an industry standard used by both public and private entities that costs a lot of resources to maintain and secure. On the other hand, identity-based cryptography removes the need for certificates, which in turn lowers the cost. In this work, we present a practical implementation of a hybrid PKI that can issue new identity-based cryptographic keys for authentication purposes while bootstrapping trust with existing certificate authorities. We provide a set of utilities to generate and use such keys within the context of an identity-based environment as well as an external environment (i.e., without root trust to the private key generator). Key revocation is solved through our custom naming design which currently supports a few scenarios (e.g., expire by date, expire by year and valid for year). Our implementation offers a high degree of interoperability by incorporating X.509 standards into identity-based cryptography (IBC) compared to existing works on hybrid PKI–IBC systems. The utilities provided are minimalist and can be integrated with existing tools such as the Enterprise Java Bean Certified Authority (EJBCA).
Highlights
Public key infrastructure (PKI) systems are favorable in systems where key leakages are common (e.g., Internet) while identity-based cryptography (IBC) systems are suitable for closed systems
We argue that our implementation is much more lightweight in terms of memory footprint as it is decoupled with Enterprise Java Bean Certified Authority (EJBCA)’s core library (While this may not be an issue if an organization is using EJBCA as their PKI software, an organization that does not use EJBCA would need to install and run EJBCA regardless of whether they are using it)
We presented a hybrid PKI framework and showed an implementation of it along with utilities such as browser and email plugins
Summary
Public key infrastructure (PKI) provide a means to verify authenticity and encrypt messages sent over insecure channels [1,2] It has become an industry standard because it secures the use of asymmetric cryptography against man-in-the-middle attacks, which solves the key distribution problem [3]. Upon validation of the documents, the RA forwards the CSR to a CA for signing, which generates the digital certificate for Bob. When Alice wants to communicate with Bob, she first requests Bob’s certificate from a public directory and checks whether the certificate is authentically signed by a trusted CA. This is because Bob’s public key is their identity, through which Alice can verify this fact without the need for a digital certificate. As mentioned by Bai, the delivery of user private keys (UPK) poses an issue, since in a PKI setting, users may opt to generate the private key privately and only transmit the CSR across to the RA for certification
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.