Tag Archives: public-key infrastructure

PKI a Security Enabler

Image retrieved from http://www.cartaodecidadao.pt/


Now that you know which security mechanisms a Public Key Infrastructure can provide, let’s review some cases where a PKI framework can be a security enabler. A PKI is normally deployed in an organization to fulfill a business requirement; secure email, for example, might be one of the most popular. Below is a list of popular use cases that can influence the adoption and deployment of a PKI in an organization:

  • 802.1x Port-Based Authentication : A client/server-based access control and authentication protocol that restricts unauthorized devices from connecting to either an 802.11 wireless network or a wired LAN. EAP-TLS is one of the 802.1x mechanisms that lets a client connect to the network infrastructure using certificate-based authentication.
  • Remote Access : Through the usage of VPNs, remote users can connect to a private network by using a variety of tunneling protocols. Certificates increase the strength of the authentication mechanisms used for either IPsec or SSL based VPNs.
  • Secure Email : The majority of people would hesitate to send plans, contracts or other confidential data in unsecured envelopes through the postal service, yet they do send the same type of content through unsecured email. Worse still is how easy it is to spoof an email. Using certificates enhances email security: it becomes possible to verify the sender’s digital identity, the proof of origin and message authenticity. In addition, the content can be protected through the use of encryption.
  • SET for E-Commerce Transactions : The Secure Electronic Transaction (SET) is a protocol designed for protecting credit card transactions over the Internet. It is an industry-backed standard that was formed by MasterCard and Visa (acting as the governing body) in February 1996. SET relies on cryptography and digital certificates to ensure message confidentiality and security. Note that SET failed to be adopted by the industry.
  • Software Protection : Digital signatures can be used to protect software. Signing the software assures its integrity when it is distributed. The signature may be verified when the software is installed, through code signing processes, to ensure that it was not modified during the distribution process and to prevent the installation of unauthorized software.
  • Web Authentication and Encryption : The Secure Sockets Layer and Transport Layer Security (SSL/TLS) are cryptographic protocols for securing bidirectional communication channels. SSL/TLS are commonly used with TCP/IP. One of the most powerful advantages of these protocols is that they can use certificates for server and/or client authentication, allowing mutual authentication.
  • Internet Protocol security : Certificates can be used to authenticate the two endpoints participating in an Internet Protocol security (IPsec) connection. Once authenticated, IPsec can be used to encrypt and digitally sign all communications between the two endpoints. Certificates do not play a part in the actual encryption and signing of IPsec-protected data—they are used only to authenticate the two endpoints.
  • Smart Card : Using a smart card as a form of authentication that supports certificate-based strong authentication is ideal for critical security uses (e.g. banking transactions, e-ID). An example of such an implementation is the Portuguese e-ID card, which can be used to access specific applications, digitally sign emails and documents with legal binding, or authenticate the user. To perform these tasks, a user must possess the smart card and know its personal identification number (PIN).
  • Data Encryption : The ability to encrypt data at rest by using a combination of symmetric and asymmetric encryption methods.


B. Komar, Microsoft Press, Windows Server 2008 PKI and Certificate Security
B. Ballad, T. Ballad, E. Banks, Access Control, Authentication, and Public Key Infrastructure, Jones & Bartlett Learning


Security Mechanisms powered by PKI

Public Key Infrastructure (PKI) is a solution for managing digital keys, which are used to provide a mechanism for securing electronic transactions and the exchange of information in public networks. PKI provides confidentiality and integrity of information, along with identity authentication, by performing digital signatures and other cryptographic functions, combined with registration and verification processes.

Long ago I was privileged enough to participate in PKI projects. One of them was for sure one of the most interesting projects I ever did. Under tight security procedures a Public Key Infrastructure was built following what is known as a Root Key Generation Ceremony. The RKGC is a set of strict steps carried out under tight security and careful assessment by international auditors. This resulted in a cross certification with one of the industry PKI vendors. The project was executed during 18 months and the security spectacle known as the ceremony took 48 hours. During the project the auditors reviewed documented policies, standards, and procedures and ensured that the generation of the Root Certificate Authority (CA) keys adhered to the strictest and most rigorous globally-recognized standards. A remarkable project; I still remember the gigantic amount of documentation produced. Documents such as Certificate Policies (CP) and Certificate Practices Statement (CPS) were completed along with the development of security policies, operational procedures, business continuity routines, support and other documentation.

History apart, PKI can be a very interesting but also a complex topic. There is plenty of literature available on this topic, but I would like to write about the key security mechanisms that form the foundations of a PKI. That should make it easier to start understanding and becoming familiar with the concepts. Let’s start with a high-level description of the 4 key security mechanisms that a PKI can offer, using the terminology from the Internet Security Glossary [RFC 2828]:

  • Authentication: The process of verifying an identity claimed by or for a system entity.
  • Confidentiality : The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
  • Integrity: The property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner.
  • Non-repudiation : A security service that provides protection against false denial of involvement in a communication.

How can a PKI solution offer such things?
Through the usage of public key encryption and digital signatures. Let’s look in more detail at how a PKI provides those security mechanisms:

  • Authentication can be ensured through the usage of digital signatures, which are used to verify the sender’s identity. A combination of username and password can be used to establish identity, but it is better to use public-key signatures because they offer a strong authentication mechanism. DSA, RSA and ECDSA are examples of digital signature algorithms. In a PKI the digital signature will associate the user’s identity with the user’s public key. In addition, that association, together with an additional set of properties, will be signed by a certification authority (CA), wrapping it all together in a certificate.
  • Confidentiality can be ensured through the usage of asymmetric and symmetric encryption. Symmetric encryption uses the same key to cipher and decipher. AES and DES are examples of symmetric encryption algorithms. This is analogous to your house door key, which can be used to lock and unlock the door. On the other hand, asymmetric encryption (also called public-key algorithms) uses a pair of keys that are different but mathematically related. One of the keys is private and the other is public. RSA and Diffie-Hellman are examples of asymmetric encryption algorithms.
  • Integrity can be ensured through the usage of hash functions (MD5, SHA-1), Message Authentication Codes (MAC) and Keyed-Hash Message Authentication Codes (HMAC). These mechanisms will ensure the data is not altered while in transit or stored. In practice a digital signature can provide integrity because it uses hash functions (also called message digests or fingerprints).
  • Non-Repudiation can be ensured through the use of digital signatures, which bind the identity of a party to a transaction so that participation in that transaction cannot be denied. With this property, when a transaction occurs either the sender or the receiver can prove that the alleged sender sent the message. To digitally sign a message you need to use your private key, therefore guaranteeing the origin of the message.
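
The chain described above (a CA signs the binding of an identity to a public key, and the holder of the matching private key signs messages) can be sketched as follows. This is an added example, not code from the original post: it uses textbook RSA without padding over fixed Mersenne primes so that it runs with the Python standard library alone, and the names `alice@example.org`, `tbs` and `verify_signed_message` are assumptions made for illustration.

```python
import hashlib

# Constructed toy parameters: fixed Mersenne primes stand in for generated
# RSA primes. Unpadded textbook RSA is for illustration only, never real use.
E = 65537

def make_key(p, q):
    """Return (public, private): public=(n, e), private=(n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(data: bytes, n: int) -> int:
    """Hash first (integrity), then reduce to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data: bytes) -> int:
    n, d = private
    return pow(digest(data, n), d, n)   # only the private-key holder can do this

def verify(public, data: bytes, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == digest(data, n)

def tbs(subject: str, public) -> bytes:
    """Bytes the CA signs: the identity-to-public-key binding."""
    return f"{subject}|{public[0]}|{public[1]}".encode()

def issue_certificate(ca_private, subject, subject_public):
    """Hypothetical minimal certificate: subject, key, CA signature."""
    return {"subject": subject, "public": subject_public,
            "ca_sig": sign(ca_private, tbs(subject, subject_public))}

def verify_signed_message(ca_public, cert, message: bytes, signature: int) -> bool:
    """Accept only if the CA vouches for the binding AND that key signed the message."""
    if not verify(ca_public, tbs(cert["subject"], cert["public"]), cert["ca_sig"]):
        return False                    # identity or key was altered after issuance
    return verify(cert["public"], message, signature)

CA_PUB, CA_PRIV = make_key(2**127 - 1, 2**89 - 1)
ALICE_PUB, ALICE_PRIV = make_key(2**107 - 1, 2**61 - 1)
ALICE_CERT = issue_certificate(CA_PRIV, "alice@example.org", ALICE_PUB)
MESSAGE = b"Transfer 100 EUR to account 42"   # constructed sample message
SIGNATURE = sign(ALICE_PRIV, MESSAGE)

if __name__ == "__main__":
    print("valid:", verify_signed_message(CA_PUB, ALICE_CERT, MESSAGE, SIGNATURE))
    print("tampered:", verify_signed_message(CA_PUB, ALICE_CERT, MESSAGE + b"0", SIGNATURE))
```

A relying party needs only the CA public key as its trust anchor: changing the message, the subject name or the public key inside the certificate makes one of the two checks fail.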

With this I have introduced the four principal security mechanisms that form the foundations of a PKI. Much more and in much more detail can be written. In the future I plan to further write about PKI components and give illustrations so you can become more familiar with the terms and the security mechanisms used behind the scenes.

B. Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd ed. (New York: John Wiley & Sons, 1995).
W. Stallings, Network Security Essentials: Applications and Standards, 3rd ed. (Prentice Hall, 2007).
IETF PKI Working Group
