Changes to 05-SEP-2013: PKI and Tcl between r2 and r3

'''Trust me.'''

Public Key Infrastructure (PKI) is, as the name implies, all of the infrastructure required to operate a public key cryptography system.  The name also implies that PKI is a complex system with lots of mandatory parts however this is not the case. --> Public Key Infrastructure (PKI) is, as the name implies, all of the infrastructure required to operate a public key cryptography system.  The name also implies that PKI is a complex system with lots of mandatory parts however this is not the case.  A simple PKI implementation is fairly straight-forward.

A simple PKI implementation is fairly straight-forward.  The goal of PKI is to provide a mechanism to trust an unknown party.  This is done using certificates, which certify that another entity (which you may trust) has verified that this entity is who it claims to be.  This certificate is presented by the unknown party as a means of identifying itself to you. --> The goal of PKI is to provide a mechanism to trust an unknown party.  This is done using certificates, which certify that another entity (which you may trust) has verified that this entity is who it claims to be.  This certificate is presented by the unknown party as a means of identifying itself to you.

So what is to stop someone from providing false information in a certificate ?  Well, that's where the public key aspect of PKI comes into play.  Certificates are digitally signed by their issuer (also called a "Certificate Authority").  This means that if the certificate is altered or forged after being signed it will be detected.
So what is to stop someone from providing false information in a certificate ?  Well, that's where the public key aspect of PKI comes into play.  Certificates are digitally signed by the issuer (also called a "Certificate Authority") of the certificate.
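Review bot: The sentence "This means that if the certificate is altered or forged after being signed it will be detected" does not say what the detection depends on: the relying party has to verify the signature with a copy of the issuer's public key that it already holds and trusts. Suggest adding a clause to that effect, because the paragraph opens by asking what stops someone from supplying false information. As written, it only covers changes made after signing, and not a certificate signed by an issuer the reader has no reason to trust.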
(blank line)
To explain how digital signatures work we must first explain public key cryptography.  Public key cryptography uses the properties of certain mathematical operations to perform operations on numerical values that can only be reversed or verified with the "opposite" key. That is, if something is encrypted with the private key it can only be decrypted or verified with the public key and conversely if something is encrypted with the public key it can only be decrypted or verified with the private key (and not the public key).
(blank line)
The most common public key cryptography algorithm in use today is RSA [[citation needed]], and it is also one of the easiest to demonstrate.  RSA is named for Ron Rivest, Adi Shamir, and Leonard Adleman who made the algorithm public and are thus widely credited as the inventors of the algorithm.
(blank line)
RSA is described in PKCS #1 [http://www.emc.com/collateral/white-papers/h11300-pkcs-1v2-2-rsa-cryptography-standard-wp.pdf] which was later published as RFC 3447 [http://www.ietf.org/rfc/rfc3447.txt] but a simple definition of applying RSA is "modular exponentation".  That is modular arithmetic (as in the modulus operator) applied to values that have had the the exponentiation operator applied to them.  For example
    26729 (plain-text) ^ 65537 (exponent) mod 37837 (public-modulus) = 36784 (cipher-text)
is modular exponentiation of `26729` raised the power of `65537` all modulo `37837`, which results in `36784`.
(blank line)
Looking closer at this example of modular exponentiation we can see some of the public key cryptography properties that we need starting to emerge.  Specifically we cannot take the `cipher-text` and convert it back to the `plain-text` with just the information that we know.  We must know the `private-key` (or be able to derive it by factoring the `public-modulus`, but more on that later).
(blank line)
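Review bot: In the paragraph beginning "To explain how digital signatures work", describing a signature as something "encrypted with the private key" that is "decrypted or verified with the public key" conflates signing with encryption. Suggest describing sign/verify separately from encrypt/decrypt, since the PKCS #1 document cited in the next paragraph defines them as distinct schemes. The trailing "(and not the public key)" also has no counterpart in the first half of that sentence, so either add "(and not the private key)" there or drop the parenthetical. In the RSA paragraph, "exponentation" should be "exponentiation", "the the" is duplicated, and "raised the power of" is missing "to". The last paragraph refers to `private-key`, but the example labels only plain-text, exponent, public-modulus and cipher-text, so the reader has not been told what the private key is in RSA terms. Name the private exponent where the example is introduced, or drop the code formatting on `private-key`. The "[[citation needed]]" marker on the claim that RSA is the most common algorithm should be resolved, or the claim softened, before this revision is kept.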
----
Fragments:
(blank line)
This means that if the certificate is altered or forged after being signed it will be detected.

Legend

     Only in r2
     Only in r3
     -->      Modified slightly between r2 and r3