Public key infrastructure, or PKI, is a data security architecture based on cryptography, a branch of applied mathematics. Unlike earlier systems, it uses a pair of keys: one public and freely available to end users on the network, and one secret or private key known only to its owner. Data communication and storage systems need to ensure that data or systems are identifiable, that messages can be authenticated, that data is confidential, and that data, once transmitted, cannot be repudiated by the receiver. The basic functions of a PKI are to achieve these very ends, and it does so according to a clearly defined and published set of policies and procedures designed to build trust in, and participation in, the system. A PKI has some essential components: the CA, digital certificates, the CRL, the certificate repository, the RA, and so on. The CA is the vital component for maintaining and managing the infrastructure on which modern businesses and individuals have come to rely for secure transactions and operations in a global and complex virtual environment. A PKI seeks to provide optimal security in the storage and transmission of data; in spite of some flaws, it is a distinct improvement over previous security control systems and is still evolving through the efforts of separate entities spread across the globe and over time. PKI is a vital and necessary feature of today’s globalized and complex network systems and is increasingly vital to the growth of modern e-commerce and similar initiatives.
Public Key Infrastructure: An Introduction
The growing trend of electronic commerce and the considerable use of information communications require an enhanced information systems security structure. Increased use of the Internet, and the need to ensure that information systems, whether for data storage or transmission, are not compromised, mean that an appropriate IS security infrastructure needs to be developed and maintained. Organizations, IT professionals and governments the world over have long been aware that traditional security systems are often ineffective in dealing with the varied modern IS security violations spanning diverse locations and time zones. Financial transactions, archival systems, and other data communication and storage operations in cyberspace require a strong security infrastructure, which may be provided by using non-cryptographic or cryptographic information security systems. Cryptography was felt to be an advanced and complex approach to the issue. In this method, applied mathematical concepts are used whereby the information to be transmitted is first encrypted, i.e., unprotected plaintext is coded or transformed into protected ciphertext, and after transmission is decrypted by the recipient to revert the ciphertext to its original plaintext form. Public Key Cryptography (PKC) is an advanced cryptographic system in which two distinct keys are used: a public key to encrypt the data, and a private or secret key to decrypt it back to its original plaintext form. A Public Key Infrastructure (PKI) is a PKC-based information systems security architecture that seeks to protect data being transmitted and to ensure a secure data distribution mechanism that works across locations and over time. Kuhn, D.R., et al (2001) define Public Key Infrastructure as “the combination of software, encryption technologies, and services that enables enterprises to protect the security of their communications and business transactions on networks”.
Public Key Cryptography utilizes a pair of keys. One is the public key, available to all online. The other is the secret or private key, which is known only to the entity that owns it. This owner may be an individual, a service or a software application.
Key PKI Functions
Weise, J. (2001) maintains that the primary function of a PKI is to allow the distribution and use of public keys and certificates with security and integrity. He also states that a PKI is a foundation on which other applications and network security components are built. Various systems require the use of PKI, including email, chip card operations, e-commerce (for example, debit or credit card payments), e-banking, etc. It was Diffie, W. and Hellman, M. (1976) who invented the public key system as a new mechanism for cryptographic information exchange. Suri, P. R. and Puri, Priti (2007) state that in this method a network user has an individual private key and a public key, where the public key is distributed to all members of the network while only the user holds the private key. They add that a message encrypted with a person’s public key can only be decrypted with that person’s private key, and vice versa. Most modern digital signatures and certificates are based on PKI technology, which essentially integrates digital certificates, public key cryptography (PKC) and certification authorities (CAs) into one whole network security architecture. The PKI issues digital certificates to users and servers, provides enrollment software for the end user, integrates certificate directories and tools for managing and renewing certificates, and also revokes them. PKI also encompasses related support and services. John Marchesini and Sean Smith (2005) have defined PKIs as complex distributed systems that are responsible for giving users enough information to make reasonable trust judgments about one another.
One of the basic functions of a PKI is the encryption of data through cryptographic mechanisms, thereby ensuring data confidentiality, i.e., data secrecy and privacy. For ensuring data confidentiality, secret (symmetric) keys rather than public keys are the preferred choice in practice. Another function is that of ensuring the integrity of data: data needs to be incorruptible and unalterable while in storage or during transmission through networks. A third function is authentication, or entity identification, achieved through digital certificates and signatures. A fourth function, very relevant in the case of e-commerce transactions, is non-repudiation, which means that data, once transmitted and received, cannot be renounced by the receiver.
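The two roles of a key pair described above (encrypt with the public key, decrypt with the private key; sign with the private key, verify with the public key) can be exercised directly. The Go program below is an added illustration, not code from this essay or from any of the works it cites; it uses only the standard library (RSA-OAEP for encryption, RSA-PSS for signatures) and a constructed sample message. Alice encrypts to Bob's public key, so only Bob's private key recovers the plaintext (confidentiality); she then signs with her private key, and Bob verifies with her public key, which fails for a different key or an altered message (authentication, integrity, non-repudiation).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party holds one key pair: Pub is handed out freely, priv never leaves its owner.
type Party struct {
	Name string
	priv *rsa.PrivateKey
	Pub  *rsa.PublicKey
}

// NewParty generates a fresh 2048-bit RSA key pair for the named user.
func NewParty(name string) (*Party, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: priv, Pub: &priv.PublicKey}, nil
}

// Encrypt: anyone holding the recipient's public key can produce a ciphertext that
// only the matching private key opens (confidentiality). RSA-OAEP caps the plaintext
// at a few hundred bytes, which is why real systems use it to wrap a symmetric key.
func Encrypt(recipient *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, plaintext, nil)
}

// Decrypt succeeds only for the party that holds the private half of the pair.
func (p *Party) Decrypt(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ciphertext, nil)
}

// Sign: only the private key holder can sign. The signature covers a SHA-256 digest
// of the message, so any later change to the message invalidates it (integrity).
func (p *Party) Sign(msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, digest[:], nil)
}

// Verify: anyone with the signer's public key can check the signature, which ties
// the message to that key holder (authentication of origin, non-repudiation).
func Verify(signer *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(signer, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	alice, _ := NewParty("alice")
	bob, _ := NewParty("bob")
	msg := []byte("transfer 100 units to account 42") // constructed sample message

	// Confidentiality: Alice encrypts to Bob's public key; only Bob can read it.
	ct, _ := Encrypt(bob.Pub, msg)
	pt, _ := bob.Decrypt(ct)
	_, err := alice.Decrypt(ct)
	fmt.Printf("bob reads %q; alice fails to decrypt: %v\n", pt, err != nil)

	// Authentication and integrity: Alice signs; Bob verifies with Alice's public key.
	sig, _ := alice.Sign(msg)
	fmt.Println("valid signature:", Verify(alice.Pub, msg, sig))
	fmt.Println("wrong public key:", Verify(bob.Pub, msg, sig))
	fmt.Println("tampered message:", Verify(alice.Pub, []byte("transfer 900 units to account 42"), sig))
}
```

Note that what the essay calls "vice versa" (encrypting with the private key so that the public key decrypts) is, in practice, a signature: the private key produces a value that only the matching public key validates, which is what Sign and Verify do here.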
Cryptographic Concepts: An Overview of PKI
Since PKI is a form of cryptography, some basic information on key cryptographic concepts may be in order. Kuhn, D.R., et al (2001) define cryptography as a branch of applied mathematics concerned with transformations of data for security. They add that in a cryptographic mechanism, an information sender transforms unprotected information, or plaintext, into coded text, or ciphertext, and after the message is transmitted the receiver transforms the ciphertext back into plaintext, or verifies the sender’s identity or the data’s integrity (p. 9). The basic requirements of a cryptographic or PKI system (as per the Open Group, 1997) are the establishment of trust and governance domains, ensuring confidentiality of communications, maintaining data integrity, authenticating users, non-repudiation, and achieving end-to-end monitoring, auditing and reporting of (PKI) security services. Kuhn, et al (2001) identify a few key PKI services: integrity and confidentiality of information exchanged, identification and authentication of users and entities, and non-repudiation. Public Key Cryptography, on which PKI is based, is also termed Asymmetric Cryptography. Dam, K. W., and Lin, H. S. (1996) identify the asymmetric cryptographic systems in primary use as systems that base their security on the difficulty of two related computational problems, namely factoring integers and finding discrete logarithms.
Certificate Authorities or CA
Weise, J. (2001), in his overview of public key infrastructure, identifies a PKI framework as consisting essentially of various operational and security policies and services and, additionally, some interoperability protocols that support PKC-driven management and control of keys and certificates. This framework works through some key logical components, namely Certification Authorities (CA), end users or subscribers, certificate policies (CP) and certification practice statements (CPS), hardware components, public key certificates, certificate extensions, certificate depositories and Registration Authorities (RA). The CA is the most important and critical component of the system. An end entity is any entity which is not a CA (Weise, J., 2001). The CA identifies and certifies the end entity. The message generated by the CA on successful identification of an end entity is called a certificate and essentially contains the entity’s identity and public key; this certificate is signed cryptographically by the CA. In identifying the end entity, the CA establishes and maintains a set of policies and procedures, and essentially generates or revokes a certificate. A Certificate Policy (CP) specifies how the various data and systems within the PKI security framework are to be handled. The procedural details and operational practices are published in a certification practice statement (CPS), which is meant to contribute to building trust in the PKI and may help improve user participation in it. The CA also has hardware security modules (HSMs), which it uses for storing and using its private keys, those keys with which a CA certifies subscriber public keys. Standards such as FIPS-140-1 define requirements for HSMs so as to ensure the trust and security of the entire system.
Digital Certificates
The CA’s basic purpose is to ensure the upkeep and control of a security infrastructure, which is done through the management, storage, deployment and revocation of public key certificates, or digital certificates, that essentially verify the binding of an end entity’s identity to its public key (Weise, J., 2001). Accordingly, a digital certificate contains the relevant information that helps another user identify the owner of the certificate. This basically includes the entity’s name, information on its identity, the period of validity (expiry) of the certificate, and the entity’s public key. Digital certificates also need to be suitably standardized for effective global network operations, particularly e-business transactions. The most widely used standard at present appears to be X.509, as profiled for the Internet by the IETF (PKIX).
Registration Authorities or RA
This component of the PKI is optional and undertakes some of the administrative tasks delegated to it by the CA. Essentially, the RA identifies an end entity and determines whether the CA may issue it a certificate for its public key. It also helps implement the policies and procedures mandated through the CPS and the CP.
Certificate Depositories
This component of the PKI enables the distribution of certificates by regularly publishing and updating the certificates issued by the CA. The depository, or directory, is publicly accessible on the network. LDAP is currently the defining and most widely used protocol for this purpose, though some, such as X.500, are more robust. In addition, certificates that are no longer required may be revoked by the CA through a Certificate Revocation List (CRL), on which entities may rely to check certificate validity. The CRL is published by the CA in a publicly available depository.
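The CA, digital certificate and CRL components described in the Certificate Authorities, Digital Certificates and Certificate Depositories sections above fit together in a few dozen lines using Go's crypto/x509 package. The program below is an added example, not code from this essay or from any of the works it cites, and it assumes Go 1.19 or later for x509.ParseRevocationList. It builds a self-signed root CA, issues an end-entity certificate for a subscriber's public key (the subscriber's private key is never sent to the CA), publishes a CA-signed CRL, and performs the relying party's checks: chain validation against the trusted root, then the CRL's signature and freshness, then the serial-number lookup. The names, validity periods and the SubjectKeyId value are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA holds the authority's signing key and the counters it numbers certificates and CRLs from.
type CA struct {
	Cert              *x509.Certificate
	key               ed25519.PrivateKey
	serial, crlNumber int64
}

// NewCA builds a self-signed root authorised to sign certificates and CRLs.
func NewCA(name string) (*CA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId: []byte{1, 2, 3, 4}, // placeholder; real CAs derive this from the public key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CA{Cert: cert, key: priv, serial: 1}, err
}

// Issue signs a certificate binding the subscriber's name to its public key.
func (ca *CA) Issue(commonName string, pub ed25519.PublicKey) (*x509.Certificate, error) {
	ca.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial), Subject: pkix.Name{CommonName: commonName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// PublishCRL signs a CRL (DER) listing the given certificates as revoked, for the public depository.
func (ca *CA) PublishCRL(revoked ...*x509.Certificate) ([]byte, error) {
	ca.crlNumber++
	tmpl := &x509.RevocationList{Number: big.NewInt(ca.crlNumber),
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(12 * time.Hour)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.key)
}

// Validate is the relying party's check: chain to the trusted root, then require a CA-signed,
// still-current CRL that does not list the certificate's serial.
func Validate(cert, root *x509.Certificate, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("CRL not signed by the trusted CA: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("CRL expired at %s; refusing to rely on it", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("serial %s revoked at %s", cert.SerialNumber, rc.RevocationTime)
		}
	}
	return nil
}

func main() {
	ca, _ := NewCA("Example Root CA")
	pub, _, _ := ed25519.GenerateKey(rand.Reader) // subscriber key pair; the private half stays with alice
	cert, _ := ca.Issue("alice", pub)
	crl, _ := ca.PublishCRL(cert) // a CRL that lists alice's certificate
	fmt.Println(Validate(cert, ca.Cert, crl))
}
```

Two of the checks in Validate are the ones most often skipped in practice: a relying party that does not verify the CRL's signature could be handed a forged "clean" list, and one that ignores NextUpdate would keep relying on a list the CA has since superseded. Validate also rejects a certificate issued by any CA other than the trusted root, even if the subject name and public key are identical.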
Conclusion
Public Key Infrastructure has come a long way from the non-cryptographic information security systems of past decades. With the global community’s increasing dependence on data communications that surmount all barriers of space and time, and with proliferating and diverse attacks, through spy software and viruses, on the security infrastructure that leading IT experts have developed over the years, data systems and data storage and communications architectures need to be better equipped and made as foolproof as possible so as to thwart any attempt to compromise information system security. Ellison, C. and Schneier, B. (2000) advise caution in the choice of security systems and hold that no single system, whether firewalls, intrusion detection systems, VPNs or PKIs, is fully secure or effective against every security threat in the present complex global data communications environment. Effective security risk management, in their opinion, is hamstrung by commercial promises without any actual basis, and the user of any particular system would do well to understand its critical security requirements. Not all experts are gloomy, however. Benantar (2001), for instance, holds that the PKI concept rests on mathematical foundations and is computationally reliable, simple and elegant. Benantar also believes that the X.509 certificates in present use are an improvement over previously used protocols and that the underlying PKIX technologies providing the solution are robust and promising (2001). Only time and further developments in the field will tell.
References
- Benantar, M. (2001). “The Public Key Infrastructure”. IBM Systems Journal, Vol. 40, No. 3, 648-665.
- Cheng, P. C. (2001). “An Architecture for the Internet Key Protocol”. IBM Systems Journal, Vol. 40, No. 3.
- Diffie, W., and Hellman, M. (1976). “New Directions in Cryptography”. IEEE Transactions on Information Theory, Vol. 22, 644-654.
- Ellison, C., and Schneier, B. (2000). “Ten Risks of PKI: What You Are Not Being Told About Public Key Infrastructure”. Computer Security Journal, Vol. XVI, No. 1.
- The Open Group (1997). Guide: Architecture for Public-Key Infrastructure (APKI), Draft 1.
- Kuhn, D. R., et al. (2001). Introduction to Public Key Technology and the Federal PKI Structure. NIST [Online: 2008].
- Marchesini, J., and Smith, S. (2005). “Modeling Public Key Infrastructure in the Real World”. Public Key Infrastructure: Euro-PKI [Online: 2008].
- National Research Council (1996). Cryptography’s Role in Securing the Information Society. Dam, K. W., and Lin, H. S. (Eds.), Committee to Study National Cryptography Policy. Washington, D.C.: National Academy of Sciences. ISBN 0-309-52254-4.
- Suri, P. R., and Puri, P. (2007). “Asymmetric Cryptographic Protocol with Modified Approach”. International Journal of Computer Science and Network Security (IJCSNS), Vol. 7, No. 4, 107-110.
- Weise, J. (2001). Public Key Infrastructure: Overview. Palo Alto, California: Sun Microsystems Inc.