What is PKI?
A
PKI is a collection of technical services, policies and business practices that
used together to provide automated solution over networked communications that
ensures the legal and business capabilities that until now carried out in the
paper world.
PKI
is summerized in the following main concepts:
1.Authentication - Assures that each end user and resource are identified
correctly. The authentication is necessary to ascribe network
objects such as end users and resource to the real identity. These identities
are stored in a digital format known as a public key certificate.
2.Authorization - Assures that each network object have the proper permissions
to perform the requested activities locally and in the network.
3.Data Integrity - Assures that the content has not been altered, either on
purpose (hacker) or by accident.
4.Confidentiality - Assures that the content is accessible only to the intended
entity. Confidentiality provides secure transport and file encryption.
5.Non-repudiation - Assures that the signer of a message cannot later deny
signing it. Note: There is a law of the digital signatures that the
Israeli court reference to.
PKI
Implementations:
There
are number of practical implementations to PKI, for example:
Securing communication with web servers.
Setting up VPN's (Virtual Private Networks).
Securing e-mail communication.
Access control for different resources such as network, servers, domain,
applications, data etc.
Strong authentication.
Non-repudiation of electronic actions.
What is Strong Authentication?
Two factor authentication means user must have at least 2 of 3 authentication
types: something you know (password), something you have (smart card\token) and
something you are (biometric authentication). Before users can log in, they
must present at least 2 credentials that predefined by the
management\IT\security officer.
What
is digital signature?
Digital
signature can be used to authenticate the identity of the sender of a message
or the signer of a document, and possibly to ensure that the original content
of the message\document that has been sent is unchanged. The ability to ensure
that the original signed message arrived means that the sender cannot easily
repudiate it later.
A digital signature can be used with any kind of message, whether it is
encrypted or not. A digital certificate contains the digital signature of the
certificate-issuing authority so that anyone can verify that the certificate is
real.
What
is digital certificate?
A
digital certificate is an electronic "credit card" that establishes
your credentials when doing transactions on the Web. It is issued by a
certification authority (CA). It contains your name, a serial number,
expiration dates, a copy of the certificate holder's public key (used for encrypting
messages and digital signatures), and the digital signature of the
certificate-issuing authority so that a recipient can verify that the
certificate is real. Some digital certificates conform to a standard, X.509.
Digital certificates can be kept in registries so that authenticating users can
look up other users' public keys.
What
are a Certificate Authority and a Registration Authority?
The
CA includes the people, processes, and tools to create digital certificates
that securely bind the names of users to their public keys. In creating
certificates, the CA acts as an agent of trust. The RA supports the
administration of a CA by instituting operational and technical controls,
establishing procedures for providing certificates, creating policies and
providing authentication and certification services to clients.
Security policies sets out and defines the organization's top-level direction
on information security as well as the processes and principles for the
use of cryptography.
The CA creates certificates for users by digitally signing a set of data that
includes:
User's distinguished name (DN), which is unique. The DN specifies the user's
name and any additional attributes required to uniquely identify the user.
A public key of the user, which is required so others can encrypt
data\session\key to the user or verify user's digital signature.
The validity period of the certificate.
The specific operations for which the public key is to be used, for example: CA
signing certificate, SSL server certificate, SSL client certificate, User
certificate, etc.
How
to maintain revoked certificates?
There
are two common methods to maintain the revoked certificates when using PKI for
maintaining access to servers in a network.
The Certificate Revocation List (CRL) is a list of subscribers paired with
digital certificate status. The list enumerates revoked certificates along with
the reasons for revocation, the dates of certificate issue and the entities
that issued them. In addition, each list contains a proposed date for the next
release. When a potential user attempts to access a server, the server allows
or denies access based on the CRL entry for that particular user.
The main limitation of CRL is the fact that updates must be frequently
dowloaded to keep the list current. Online Certificate Status Protocol (OCSP)
overcomes this limitation by checking certificate status in real time.
--------------------
Nir Valtman
Technologic Information Security Consultant
www.avnet.co.il