In this lesson, we're going to cover public key infrastructure, also known as PKI. Now, public key infrastructure, or PKI, is an entire system of hardware, software, policies, procedures, and people that is based on asymmetric encryption. If you've ever connected to a website using an HTTPS connection, you've already been part of the public key infrastructure. Now, if you want to establish a secure connection to a website, like diontraining.com, you would go into your web browser and type in https://www.diontraining.com. Your web browser will then go to a trusted third party called the certificate authority and it's going to ask them for a copy of my web server's public key. Then your web browser will pick a long random string of numbers and it's going to use that as a shared secret key to use with a symmetric algorithm for bulk encryption, something like AES, as we start transferring data back and forth between your web browser and my web server.
But first, you have to get that randomly chosen shared secret key over to my web server securely, and for that, we're actually going to use public key encryption, known as asymmetrical encryption. Now, using my public key that you downloaded from the certificate authority, your computer will then encrypt that random shared secret key that you just randomly created. Now, in the example here, I'm going to use a short number like 51363 as our shared secret. Now, once you encrypt that using my server's public key, which anyone in the world has access to, you can then send it over the internet to my web server. Now, because it's encrypted with my public key though, no one on the internet is going to be able to decrypt it unless they have my private key, and the only person who has that private key is my web server. So as we go across the internet, no one can see the fact that we are going to use 51363 as our shared secret code.
Now, once my web server receives that encrypted ciphertext, it's going to use my server's private key to decrypt it and then get it back to that shared secret key that you submitted. Now, I can read the plaintext and I know the number is 51363. So far, this is all using asymmetrical encryption, like we discussed before. Now, up to this point, everything we've done has to do with asymmetric encryption, but now that both you and my web server know the shared secret key, we can switch over and create a symmetric tunnel. Now, to do this, we're going to use something like AES to create a TLS or SSL tunnel over the internet and then communicate safely and securely through that tunnel to make sure nobody can see the data you're entering in, like your credit card number, if you're trying to buy an exam voucher.
Now, this is going to be able to ensure that we have confidentiality, because only we have access to this shared tunnel, because we both have that shared secret key. And because my web server is the only device in the entire world that has its private key, you can be assured that only my web server knows who it is and who it claims to be when you sent that code over. This way, we now have authentication. You know it's diontraining.com. This gives us the identity of my server and it also lets your web browser know it can trust me. Now, if all that occurs successfully, you're going to get that little padlock in your browser showing that we both can communicate securely with each other over this encrypted tunnel. Now, PKI and public key cryptography are closely related, but they are not the same thing. When we talk about PKI, this is the system that creates the asymmetrical key pairs that consist of those public and private keys that are going to be used in the encryption and decryption process, as well as managing those key pairs to make sure they're valid and can be trusted.
When we talk about public key cryptography, on the other hand, we're just talking about the encryption and decryption process, and this encryption and decryption process is just one small part of the overall PKI architecture. Now, for all of this to work successfully, you need to have a trusted third party involved. This trusted third party is known as a certificate authority. These certificate authorities are going to issue digital certificates, and these certificate authorities are also going to keep the level of trust between all the certificate authorities around the world intact. Another essential component of the PKI system is what's known as key escrow. Now, key escrow refers to the process where cryptographic keys are going to be stored in a secure third party location, which is effectively called an escrow. In the event that an organization or individual loses access to their encryption keys, or in cases of legal investigations, these keys can be retrieved from that escrow account. This ensures that the encrypted data will never be completely inaccessible to us.
Now, in the context of PKI, key escrow can be particularly relevant. Let's consider a situation where an employee encrypts sensitive documents using their personal PKI certificates and then unexpectedly leaves the company or loses their private key. Without a means to decrypt these documents, the organization would be at a significant loss. However, if the encryption keys were stored in a key escrow, the organization could retrieve them and then access the encrypted information. Now, while a key escrow can be very beneficial, it is not without its controversies. The primary concern here is going to be security, because if a malicious actor can gain access to those escrow keys, they can potentially decrypt vast amounts of data. As a result, the storage and management of keys in an escrow must be incredibly secure, and access to those keys should be strongly regulated.
Now, remember, the public key infrastructure, or PKI, is a framework for managing digital keys and certificates that facilitate secure data transfer, authentication, and encrypted communications over our networks. PKI uses public key cryptography to do all of its functions, but the PKI system itself is an entire system that is going to be used to be able to create a secure connection from end to end. Now, if we're talking about the public key encryption, we're just talking about the asymmetric encryption and decryption portion of this process, but when we talk about PKI, we are talking about everything together. Now, PKI is pivotal to ensure the secure communication and data exchange that happens on the internet, and components like key escrow are going to provide us with additional layers of flexibility and assurance, but they also introduce their own sets of challenges that we must manage effectively to ensure the security of our enterprise networks.