The process of encryption – the scrambling of information so that it can’t be readily understood, even if it’s intercepted in transit – is all very well as a standalone process for safeguarding the content of the data involved.
But encryption is typically performed on documents and messages as a prelude to their transmission. And if the recipient of an encrypted communication can’t verify the true identity of the person or organization that sent it, the authenticity and integrity of the information may be called into question.
It’s for this purpose that keys are exchanged between the sender and receivers of encrypted communications and that digital certificates are issued to establish the bona fides of the originating party, and the data they’ve transmitted. And it’s for this reason too that a Public Key Infrastructure or PKI comes into play.
Public Key Encryption
Encryption is performed to ensure the safety and privacy of information sent from one party to another. “Keys” are used to lock (encrypt) and unlock (decrypt) the data that’s transmitted, and if a single key is used for this purpose then symmetric encryption is said to have occurred. This method only works when the key that’s used is kept absolutely secure, and as a secret between the two communicating parties.
But for most practical applications, several parties or communication transactions may be involved, and it becomes necessary for encryption keys to be transmitted over networks whose security may be in doubt. That’s where asymmetric encryption comes into the picture.
Here, a pair of keys is used to encrypt or decrypt communications. There’s a private key, held separately by its owner, and a public key which can be visible to everyone, and distributed to intended recipients. Messages are encrypted with the public key, then decrypted by the holder’s unique private key – which may also be used in creating digital signatures.
Public Key Infrastructure (PKI) uses a combination of asymmetric and symmetric processes. An initial “handshake” between communicating parties uses asymmetric encryption to protect the secret key which is exchanged to enable symmetric encryption. Asymmetric encryption is used for the rest of the communication, once the secret key has been exchanged.
Digital certificates are vital to PKI operations. Each certificate acts as an “electronic fingerprint” for a digital transaction, giving a unique identity to each key pair, and establishing the identity of communicating parties within a group.
What is Public Key Infrastructure (PKI)?
A Public Key Infrastructure (PKI) is a framework which supports the identification and distribution of public encryption keys. It provides a set of procedures and policies for establishing the secure exchange of information and enables individuals and systems to exchange data over potentially unsecured networks like the Internet and to authenticate and verify the identity of the party they’re communicating with.
PKI is a standards-based technology that enhances security policies with communications protocols, mechanisms, and procedures to facilitate confidential and trusted exchanges of information between different parties within and outside an organization. The infrastructure framework also provides security services such as authentication, integrity checking, confidentiality, and non-repudiation (legal non-deniability).
In addition to public key encryption and the use of digital certificates, a Public Key Infrastructure consists of several elements.
Public Key Infrastructure – Certificate Authority (CA)
A Certificate Authority or CA is responsible for issuing digital certificates within the PKI framework. The CA provides services to authenticate the identities of individuals, organizations, computer systems, or other entities such as network users, administrators, databases, clients, and servers.
The CA can be maintained in-house or as a trusted and independent third party provider of certificates. Both the owner of a certificate and the party using the certificate must be able to trust the CA.
When an issuing request is received, the Certificate Authority performs background checks to guard against giving digital certificates to bogus entities. The CA also manages the life-cycle of all digital certificates within the PKI framework.
The CA signs certificates with its own private key and issues a self-signed CA certificate to make its public key available to all interested parties.
Public Key Infrastructure – Registration Authority
Often referred to as a subordinate CA (derived from its use in Microsoft environments), a Registration Authority (RA) is an agency certified by a root Certificate Authority to issue digital certificates for specific use cases permitted by the root CA.
The certificate database saves all the certificate requests received, along with certificates issued and revoked by the CA or RA.
A certificate store typically resides on a local computer and acts as a storage space for private encryption keys and issued certificates. Pending or rejected certificate requests from the local system may also be stored here.
On a local system, a collection of security credentials is typically stored in a “wallet” (which may be a portion of the hard drive or web browser storage). These credentials might include public and private key pairs, user certificates, trusted certificates, and a certificate chain.
The Issuing Process: Chain of Trust
The self-signed or root certificate issued by a Certificate Authority initiates a “chain of trust” through which identities on a network may be verified. Many web browsers have a pre-installed cache of root certificates from trusted CAs, as do other devices and software such as smartphones, email clients, and web servers that support PKI.
Security Standards and Enforcement
Though there are several standards governing aspects of Public Key Infrastructure, there’s no central governing body to enforce them all. And some recent lax security practices on the part of Certificate Authorities (such as the blacklisting of all certificates issued by the Dutch CA DigiNotar in 2011) have left them open to attack, and eroded confidence in the PKI underpinning data transfer on the internet.
Web of Trust
A decentralized trust model, known as a “Web of trust,” has been proposed as an alternative to relying on a CA to authenticate public key information. Here, certificates are signed by other users to endorse the association of a particular public key with the person or entity listed on its certificate.
Since all members of a key chain have to be trusted under this model, it’s most appropriate for self-contained networks and organizations, or small user communities.
Public Key Infrastructure may be used to manage single sign-on processes. Under a single sign-on policy, users can enter a single password to gain access to multiple accounts or applications. This simplifies matters for the user and makes user account and password management easier for system administrators.
Public Key Infrastructure In Network Security
In network security, PKI allows for the centralization of network authentication. A Public Key Infrastructure can provide integrity checking and the encryption of network data traffic.
PKI technology is used in the authentication of users via smart card logins, and the authentication of client systems using SSL (Secure Socket Layer) signatures or encryption. Other applications include the encryption of documents with eXtended Markup Language (XML), and the transmission of authenticated email messages using S/MIME (Secure/Multipurpose Internet Mail Extensions), OpenPGP (Open Pretty Good Privacy) and other technologies.
PKI is also employed in the signing of electronic documents and forms, the management of enterprise-class databases, secure instant messaging, mobile device security, and the securing of USB storage devices.
Share this Post