Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Public-key cryptography
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
=== Public key infrastructure === One approach to prevent such attacks involves the use of a [[public key infrastructure]] (PKI); a set of roles, policies, and procedures needed to create, manage, distribute, use, store and [[certificate revocation|revoke]] digital certificates and manage public-key encryption. However, this has potential weaknesses. For example, the certificate authority issuing the certificate must be trusted by all participating parties to have properly checked the identity of the key-holder, to have ensured the correctness of the public key when it issues a certificate, to be secure from computer piracy, and to have made arrangements with all participants to check all their certificates before protected communications can begin. [[Web browser]]s, for instance, are supplied with a long list of "self-signed identity certificates" from PKI providers β these are used to check the ''bona fides'' of the certificate authority and then, in a second step, the certificates of potential communicators. An attacker who could subvert one of those certificate authorities into issuing a certificate for a bogus public key could then mount a "man-in-the-middle" attack as easily as if the certificate scheme were not used at all. An attacker who penetrates an authority's servers and obtains its store of certificates and keys (public and private) would be able to spoof, masquerade, decrypt, and forge transactions without limit, assuming that they were able to place themselves in the communication stream. Despite its theoretical and potential problems, Public key infrastructure is widely used. Examples include [[Transport Layer Security|TLS]] and its predecessor [[Transport Layer Security#SSL 1.0, 2.0, and 3.0|SSL]], which are commonly used to provide security for web browser transactions (for example, most websites utilize TLS for [[HTTPS]]). Aside from the resistance to attack of a particular key pair, the security of the certification [[hierarchy]] must be considered when deploying public key systems. Some certificate authority β usually a purpose-built program running on a server computer β vouches for the identities assigned to specific private keys by producing a digital certificate. [[Digital certificate|Public key digital certificates]] are typically valid for several years at a time, so the associated private keys must be held securely over that time. When a private key used for certificate creation higher in the PKI server hierarchy is compromised, or accidentally disclosed, then a "[[man-in-the-middle attack]]" is possible, making any subordinate certificate wholly insecure.
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)