CS685

Advanced Software Projects


Digital Certificates

(Public Key Infrastructure)

  • Introduction
  • Valid certificate
  • View Certificates


Public Key Infrastructure (PKI) is a collection of servers used to create and manage public keys and digital certificates. It creates digital certificates which bind public keys to entities, stores them securely and revokes them when required.

The public key infrastructure provides a secure environment for online transactions, confidential email and e-commerce by:

* Authenticating the identity of the entities (the sender and the receiver)
* Maintaining data integrity


A Digital Certificate is an electronic document which provides information to prove the identity of an entity. It binds the identity of an entity to its public key. Digital certificates contain some standard information such as the name of the certificate holder, the public key, the validity period, and also the digital signature of the certification authority.



Digital Certificates in a Public Key Infrastructure work in the following way:

1. Consider an online shopping web site such as Amazon. The server of the Amazon company requests a digital certificate from a certificate authority.

2. The certificate authority verifies the identity of the company and generates a digital certificate. It hashes the contents of the certificate and signs (encrypts) the hash value using its private key. It includes this signature in the certificate and issues the certificate to the company.

3. A user who wants to connect to the Amazon web site enters the HTTPS web address in his browser. The browser tries to connect to the web site.

4. A digital certificate is sent from the web server of the Amazon company to the browser.

5. When the browser receives a certificate from the web server it performs the following tasks:

   * It checks whether the CA who signed the certificate is trusted by the browser. The browser already has the trusted CA certificates installed, so it has the public key information of the CA.
   * With the public key of the CA, the browser decrypts the signature in the company's certificate and obtains a hash.
   * It also computes a new hash of the content in the certificate.
   * If both hashes match, then the signature in the certificate is verified to have been made by the trusted CA and the public key in the certificate is valid.
   * Now the name in the certificate is checked against the web site's name. If it matches, then a secure connection is established for the online transactions.
   * The browser also checks whether the certificate is within its validity period.
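The issuance and browser-side checks above, as an added toy model that is not part of the original page: a dict stands in for the X.509 certificate, textbook RSA with a constructed CA key (two known Mersenne primes, far too small for real use) stands in for the CA's signature, and the checks run in the order the page lists them, returning the first failure found.

```python
"""Toy model of CA issuance (step 2) and the browser's checks (step 5).

Constructed values only; textbook RSA at toy size, not real PKI code.
"""
import hashlib
import json

E = 65537
# Constructed CA key pair: p = 2^31-1 and q = 2^61-1 are known primes,
# and gcd(65537, (p-1)(q-1)) = 1, so the private exponent exists.
_P, _Q = 2147483647, 2305843009213693951
CA_PUBLIC = (E, _P * _Q)
CA_PRIVATE = (pow(E, -1, (_P - 1) * (_Q - 1)), _P * _Q)
# The browser's trust store (assumed CA name): CA name -> CA public key.
TRUSTED_CAS = {"Example Root CA": CA_PUBLIC}


def cert_hash(cert):
    """Hash every certificate field except the signature itself."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).digest()
    # Truncated to 88 bits so the value is below the toy modulus (~2^92).
    return int.from_bytes(digest[:11], "big")


def ca_issue(subject, not_before, not_after, subject_key, issuer="Example Root CA"):
    """Step 2: hash the certificate contents and sign the hash with the CA private key."""
    cert = {"subject": subject, "issuer": issuer, "not_before": not_before,
            "not_after": not_after, "public_key": subject_key}
    d, n = CA_PRIVATE
    cert["signature"] = pow(cert_hash(cert), d, n)
    return cert


def browser_check(cert, hostname, today):
    """Step 5: return (ok, reason); dates are ISO strings, so string comparison works."""
    ca_key = TRUSTED_CAS.get(cert["issuer"])
    if ca_key is None:                       # is the signing CA in the trust store?
        return False, "issuer not in trust store"
    e, n = ca_key
    if pow(cert["signature"], e, n) != cert_hash(cert):  # recovered hash vs fresh hash
        return False, "signature does not verify"
    if cert["subject"] != hostname:          # certificate name vs web site name
        return False, "name mismatch"
    if not (cert["not_before"] <= today <= cert["not_after"]):
        return False, "outside validity period"
    return True, "ok"
```

Changing any field after issuance (for example the subject) changes the hash, so the signature check fails before the name check is ever reached.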



How does the user know that the website has a valid certificate?

A site which is secured with a digital certificate has 'https://' as a prefix to the web address. This means "secure HTTP". When a browser connects to an https site, it displays a padlock symbol or a green browser bar (depending on the browser being used) to show that the web site has a valid certificate and is trusted. Internet Explorer shows a locked icon in the status bar, whereas Google Chrome shows a padlock with a green address bar.





Figure 1: Different browsers indicating that the certificate is valid.



By clicking on the padlock in the address bar, the browser shows which certificate authority signed the certificate and which algorithms are used for encryption and authentication.





Figure 2: Shows which CA signed the certificate and the encryption algorithm used for the connection.



When the certificate given by the website is not valid, a security message is displayed. The user can continue to the website at their own risk.





Figure 3: Browser indicating that the certificate is not valid.





How to view stored certificates in the browser:

The trusted CA certificates are stored by the operating system and the browser. To view stored digital certificates in Internet Explorer:

1. Open Internet Explorer and click on Tools

2. Select Internet Options from the drop-down list

3. Click on the Content tab

4. Click on the Certificates button. This shows various tabs which hold personal certificates, intermediate certificates, trusted root certificates etc.

5. To view the certificate details, select the certificate and click the View button. This shows the issuer, subject, validity period, version, signature algorithm and other certificate details.














Name: Reshma Afshar

email: rafshar@sycamores.indstate.edu

Copyright © 2015. Reshma Afshar