Changes

So far in this book we have looked at both symmetric and asymmetric key encryption. Both approaches to encryption involve the exchanging of keys between the entities wishing to establish a communications through the use of cryptography. The one missing element from these encryption mechanisms involves trust and proof of identity. Suppose, for example, two parties wish to communicate using public key encryption. The sender uses the public key belonging to the recipient and uses it to encrypt the information. On receipt of the encrypted information, the recipient uses a private key to decrypt, and thereby access, the information. The weak point in this scenario is that the sender has no way to validate that the person who provide them with the public key is who they say they are. The sender has to take completely on trust the fact that they person they are sending the information to is who they say they are.

This is where the public key infrastructure (PKI) comes in. A PKI involves the participation of trusted third parties who verify the identity of the parties wishing to engage in a secure communication through the issuing of digital certificates. A real world analogy might involve customs and immigration. When a person arrives at an airport aboard an international flight they have to pass through customs. If an arriving passenger simply verbally claims to be John Smith there is no way for the customs officer to know if John Smith is who is says he is. It is entirely possible that he really is John Smith, but because the customs office doesn't know the person he has know way of knowing whether he is trustworthy. Instead, the customs officer relies on a trusted third party in the form of a government passport issuing office. The passport office goes through the process of confirming a persons identity before issuing a passport. The passenger then uses this passport to confirm to the customs officer that they are who they say they are. Because the person has a passport, and the customs officer trusts the passport office the person is permitted into the country. Public key infrastructures work in a very similar way. A trusted third party called a ''registration authority'' verifies the identity of a person or entity and instructs another body, the ''certificate authority'' to issue a ''digital certificate'' which also contains that entities public key. This certificate (and the public key contained therein) may subsequently be used to prove identity and enable secure transactions with other parties.