PKI and Encryption Notes

Public Key Infrastructure and Encryption

Topics

  • What a public key infrastructure (PKI) is.

  • How integrity, confidentiality, authentication, and nonrepudiation are ensured within the PKI.

  • What digital certificates are and how they are used as part of a PKI.

  • What risks are associated with a PKI.

  • What the best practices for PKI are.

Goals

  • Understand what a PKI is and what it is not.

  • Identify the multiple functions within the PKI.

  • Identify the multiple functions of a certificate authority (CA).

  • Understand how digital signatures provide nonrepudiation.

  • Apply best practices for a PKI within an organization.

What is PKI?

  • A public key infrastructure (PKI) is a framework that consists of programs, procedures, and security policies and employs public key cryptography and digital certificates (X.509 standard) for secure communications.

  • It is also an infrastructure that identifies users, creates and distributes certificates, maintains and revokes certificates, distributes and maintains encryption keys, and enables technologies to communicate via encrypted communications.

  • PKI relies on a level of trust within this framework in order for it to be successful and secure.

What is PKI? Components of a PKI:

  • Certificate authority (CA) – an entity, usually a trusted third party, that issues digital identity certificates. A certificate associates the identity of a person or server with the corresponding public key.

  • Registration authority – an entity responsible for the registration and initial authentication of users who are issued certificates after a registration request is approved. These users are also called subscribers.

  • Certificate server – the machine or service responsible for issuing digital certificates based on the information provided during registration. This is a component of the CA.

  • Certificate repository – a database that stores the digital certificates belonging to users of the PKI

  • Certificate validation – the process of determining that a certificate is valid and can be used by the user for his or her specific needs

  • Key Recovery Service – the service that archives and recovers encryption keys

  • Time server – a server that provides a digital timestamp for use by the services and applications

  • Signing server – a server that provides central digital signing and verification services

What PKI is NOT

  • PKI is not an answer to all security questions or concerns

  • PKI will not stop attacks on organizations, it will not prevent downloading of malicious codes, and it is not a firewall

  • PKI does not provide authorization

  • PKI does not ensure that the end user can be trusted

Encryption and Cryptography

  • A PKI provides the capability to distribute public encryption keys while keeping the decryption keys private. In order to understand PKI, it is important to understand the background of encryption and therefore how PKI came to be.

  • Encryption – the process of applying an algorithm to plaintext data resulting in ciphertext

  • Cryptosystem – a hardware or software system that provides encryption and decryption

  • Decryption – for any system or user to read the ciphertext, the data needs to be decrypted, resulting in the original plaintext

Digital Certificates and Key Management

  • Digital certificates are used by individuals and servers to provide unknown third parties with a known secure copy of their public encryption key. CAs issue digital certificates after verifying the identity of the end user and the end user can then use that certificate to share its public key with others.

  • The certificates contain the following fields:

    • Version of the certificate

    • Unique serial number associated with the certificate

    • Algorithm ID used to sign the certificate

    • Name of the certificate issuer

    • Validity dates of the certificate

    • Name of the owner of the certificate

    • Public key of the owner

    • ID of the issuing CA

    • ID of the owner, and some other optional extensions

Registration Authority

  • A Registration Authority (RA) verifies the identity of an individual, initiates the certification process with a CA on behalf of the user, and performs certificate life-cycle management. When a user requires a new certificate, the request is made to the RA, and the RA verifies all necessary information before the request is made to CA.

Key management

  • Key management ensures the security of the cryptographic keys through each key’s life cycle. Components of this are:

    • Key generation – the initial creation keys

    • Key distribution – moving keys from one point to another

    • Key storage – storing the keys after they are distributed

    • Key usage – when keys are in the production environment and are being used

    • Key recovery – restoring a key after a failure has occurred to key storage

    • Key termination – destruction of keys because they have reached the end of their life cycle

    • Key archival – retaining a key that has been terminated

  • Some additional considerations with regard to key management that help to provide a secure PKI system are:

    • The key should be long enough to provide the necessary level of protection

    • Keys should be random and the algorithm should use the full keyspace

    • A key’s lifetime should correspond with the sensitivity of the data

    • The more a key is used, the shorter its lifetime should be

Certificate Authority (CA)

  • A CA is a trusted organization that maintains, issues, and distributes digital certificates. When a user requests a digital certificate, the RA verifies the user’s identity and sends the request to the CA. The CA creates the certificates, signs it, send it to the user, and maintains it over the life of the certificate. When a new user wants to communicate with the subject of the certificate, the new user can verify that the certificate bears the valid signature of a trusted CA.

Ensuring Integrity, Confidentiality, Authentication, and Nonrepudiation

  • These security services allow for a secure solution to be developed for delivery of information across the Internet:

    • Confidentiality – ensures that only the intended recipient can read a message

    • Integrity – ensures that the recipient of a message can be certain that the message received was the message sent

    • Authentication – allows someone to prove his or her identity to another

    • Nonrepudiation – ensures that any objective third party can verify that a message came from the purported sender and was not forged by the recipient or anyone else.

Use of Digital Signatures

  • Digitally signing an email allows the receiver to verify the contents were not modified after the data was sent. Digital signatures also provide nonrepudiation, that is, they allow the recipient to conclusively prove to a third party that the sender actually sent the message.

  • Creating digital signatures requires that a cryptographic hash function be applied to the message , resulting in a message digest or hash value.

  • Verifying the digitally signed document requires the receiver to apply the same cryptographic hash function to the document in order to produce the message digest or hash value. If the two hash values match, the digital signature is verified.

Potential Risks Associated with PKI

  • If PKI key management is mishandled, the entire PKI system could fail

  • Managing a secure environment with multiple keys and multiple entities can be overwhelming , and it’s a challenge some organizations are not willing to take

  • Some organizations find themselves unwilling or unable to take on the financial burden of properly maintaining a PKI

Why outsourcing a CA may be Advantageous

  • Communication with suppliers, customers, and business partners should be seamless

  • Organizations may be geographically dispersed, and it would be more advantageous to have multiple CAs available at these various locations

  • Organizations do not want to take on the cost associated with managing a CA on-site.

Best Practices for PKI Use within Large Enterprises and Organizations

  • The best practices can be determined by answering the following questions:

    • What are the business drivers for using PKI within the organization?

    • What applications will be using PKI? Is it for secure email, communications, transactions?

    • What does the PKI architecture look like and how will it be used?

    • What impact will this implementation have on the users, customers, and business partners?

    • Where will the infrastructure reside? Will various components be outsourced, or will they all be located in-house?

    • Can the current organizational infrastructure support this technology?

    • What database will be used for PKI? Will existing databases be used to streamline enrolment?

    • What are the legal and policy considerations for the CA? How will certificates be renewed?

    • What are the trust relationships and how are they established? What trust model will the PKI use? Do products support this model?

    • How will the PKI be deployed? Who are the vendors how will they support you?

    • Who will have access to the systems and how will these access be monitored?

Case Study Example

  • As much as it is important to understand how large organizations solve business challenges, it is also important to understand how protection can be put in place but not secured. The following is an example of a security breach associated with PKI and encryption.

  • In 2001, two digital certificates were issued to a virus writer who was posing as a Microsoft employee. VeriSign issued these certificates in Microsoft’s name. These certificates were necessary for consumers who downloaded software that they thought was created by Microsoft. Instead, the software was designed to deploy a virus onto systems on which it was installed. According to Microsoft, the certificates could have been used to sign programs, Microsoft Office macros, and other executable content.

Case Study Example

  • VeriSign did not provide information as to how it validated the virus writer after receiving the request for the certificates. The company did state that human error was the cause of issuing the certificates incorrectly. Once VeriSign realized that the certificates should not have been issued, the company revoked the certificates. However, VeriSign did not have a way to determine who had downloaded the fraudulent software.

  • Microsoft released a bulletin to its users informing them when the “security warning” screen appears regarding details of the signed software, they need to click the Microsoft Corporation hyperlink to see if the certificate’s valid date is January 29, 2001, or January 30, 2001. If one of these dates matched, the software should be considered fraudulent and the software should not be downloaded.

Case Study Example

  • This example shows how the PKI process failed because the CA issued a certificate without the appropriate verification. Although this is not a normal process and was caught immediately, it shows that any weakness in the system can provide disastrous consequences.