This week’s tip is a brief look at the basics of Public Key Infrastructure (PKI)
Public Key Infrastructure (PKI) is a set of technologies, process and practices that create a secure infrastructure that can be deployed over any form of network. It is used by a variety of different people and organisations to validate email as well as to ensure that banking and e-commerce transactions are safe and secure.
It consists of a few key elements:
- Digital Certificates: These identify an individual, a computer or even a piece of software and can be considered the electronic equivalent of a passport. They are used as part of the authentication process.
- Certificate Authority (CA): The organisation that issues the Digital Certificates. It is important that the CA is seen as trustworthy otherwise the digital certificates it issues have no validity.
- Validation Authority: These help Certificate Authorities deal with requests to check digital certificates ensuring that the system works quickly and efficiently.
- Registration Authority: This verifies the identity of the user who is requesting information from the CA.
- Integrity: This means that there should be no possibility of a message being altered while it is traversing the network. This is done through the use of message hashing which creates a unique identifier for each message so that even if one character or bit is changed, the message hash will not match the message.
- Encryption: This ensures that all data that is passed over the network cannot be read except by the sender and the person to who the message is addressed.
- Key pairs: Each person generates a pair of keys, one private and one public. These are used to sign messages and to ensure that only the sender and receiver can decrypt the messages.
Using PKI to send and receive messages
One of the examples that is often provided for PKI is that of Alice and Bob. Alice wants to send a message to Bob but doesn’t want anyone else to read it. She creates the message and uses her private key and Bob’s public key to create the encryption to protect the message. When Bob receives the message he uses his private key and Alice’s public key to decrypt the message.
As you can see the basics of the process are very simple. In early implementations it was possible to ensure that public keys were protected and that people were able to exchange keys with each other securely. This meant that they were able to trust all messages. As PKI grew it became easier for people to impersonate other people.
If we take the example above it is possible for Harry to create two signatures. He calls one Alice and the other Bob. He sends Alice the fake public key for Bob and sends Bob the fake public key for Alice. He then intercepts all the messages between Alice and Bob. He is able to encrypt and decrypt messages as both Alice and Bob think that they are talking to each other when, in fact, they are talking to Harry.
Adding authenticity into the process
To prevent this from happening Certificate Authorities were created. These are trusted entities that create digital certificates and ensure that the parties involved are who they say they are. This is still not a perfect mechanism.
Over the last few years we have seen how hackers have managed to penetrate the systems used by Certificate Authorities and create fake Digital Certificates which has enabled them to pass off malware as if it came from a reputable company. While such instances have occurred and are in the public record, they are generally rare and the process of a Certificate Authority being the trusted issuer of Digital Certificates generally works well.
One of the benefits of a Certificate Authority is that should a fake certificate be issued or an existing certificate be thought to have been compromised, they can revoke the certificate. This means that anyone attempting to use the certificate will be informed that it is no longer valid. This is done using what is called a certificate revocation list (CRL). The CRL is very important because every time a certificate is used, the process should check the CRL to ensure that the certificate is valid.
PKI is an very interesting and at time a very complex subject. Most vendors selling PKI solutions have primers on their websites although they are often tuned to support what the vendor is selling rather than being independent. The Wikipedia PKI page is a good place to start for further investigation and will take the reader to a number of reliable links.