Cryptography: Public Key Infrastructure (PKI)

Cryptography: Public Key Infrastructure (PKI)

Data security and privacy protection are at the core of most internet users’ concerns. Encryption is a fundamental security measure designed to protect data from unauthorized access. And public key infrastructure (PKI) is perhaps the most common cryptography method.

PKI involves a set of physical components (computers and software or hardware cryptographic equipment such as Hardware Security Module “HSM” or smart cards), human procedures (checks, validation), and software (system and application), all of which issue and manage the life cycle of digital certificates or electronic certificates. These tools enable cryptographic operations (e.g., encryption and digital signatures), which promote the following key security characteristics during the transmission of data:

  • Confidentiality: only the legitimate receiver (or owner) of data has intelligible access to it;
  • Authentication: the legitimacy of an entity’s access request (human, system, etc.) to system resources (systems, networks, applications, etc.).
  • Integrity: the data has not been altered, accidentally or intentionally.
  • Non-repudiation: the data source cannot deny the data’s sending authenticity.
  1. Components of the public key infrastructure

The PKI is generally composed of a certification authority, a registration authority, and a central directory. Collectively, these components distribute and validate certificates.

Certification authority (CA): Issues certificates to users, computers, and services and manages certificates. A certification authority signs each certificate it issues with its own digital certificate.

Registration authority (RA): The interface between the user and the certification authority. It is responsible for identifying applicants or certificate holders and ensuring that the certificate usage constraints are met.

Central Directory (CD): Responsible for storing digital certificates. It centralizes and organizes the archiving of certificates. It also manages the list of expired or revoked certificates (CRL) and makes public-key certificates issued by the certification authority available to all users.

  1. Cryptography

Cryptography provides a way to protect data by converting it into an unreadable format for transmission or storage purposes. Cryptography is an important technology for electronic commerce, intranets, extranets, and many other web applications.

There are two types of cryptography techniques: symmetric and asymmetric. Symmetric and asymmetric keys are used to provide a variety of security functions.

2.1. Symmetric cryptography

Symmetric encryption uses the same key for encryption and decryption. When encrypting data, the sender uses the symmetric key to ensure that an unauthorized person or process cannot access the original data. The recipient uses the same symmetric key to decrypt the data once they receive it.

2.2. Asymmetric cryptography

Asymmetric encryption uses a pair of keys to encrypt and decrypt data. The public key encrypts the data, and the associated private key decrypts data. The private key is intended to never be exposed to network users. It is stored in a physical device, such as a smart card or a computer. The public key, which is an attribute of the certificate, is widely distributed in the network to allow users to perform encryption operations and digitally sign data.

  1. Digital signature

The digital signature process ensures the authenticity of the sender (authentication function) and verifies the integrity of the received message. The digital signature also provides a non-repudiation function: it prevents the sender from denying having sent the message.

It contains the algorithm identifier (hash function) used by the certification authority to sign the certificate and the value of the digital signature. The hash function is used to generate a “hash value” for the encrypted message to be sent. The function always returns the same hash value if the message is not changed. However, if even one character in the message is changed, added, or deleted, the hash function will generate a different hash value. By encrypting the hash value using the sender’s private key, a digital signature of the message is generated. This signature is sent in addition to its encrypted message. The receiver can verify the message’s integrity by decrypting the signature and producing the received message’s hash value. If the hash function generated by the receiver is the same as the hash function included in the received message, the message integrity is validated.

  1. Digital certificate

A digital certificate provides information about the certificate’s subject, its validity, the applications, and services that the certificate can use. A digital certificate also provides a mechanism to identify the certificate holder. Certificates use cryptographic techniques to solve the lack of physical contact between the two entities carrying out a transaction. Instead of identifying the certificate holder in a face-to-face meeting, an application or service verifies the certificate holder by verifying the validity of the certificate that he presents.

A user or a computer is unable to impersonate someone else because the certificates are digitally signed by the CA that issues the certificate. An attacker cannot modify the certificate without the competence of the CA. A digital certificate contains the following information:

  • The public encryption key of the certificate subject key pair.
  • Information on the certification authority that issued the certificate.
  • Information about the subject that requested the certificate.
  • Date of issuing: Provides the date and time when the certificate becomes valid.
  • Date of expiration: Provides the date and time when the certificate is no longer considered
  1. Example of applications of PKI

Web browsers natively integrate a list of certificates provided from different Certification Authorities. These certificates are chosen according to the browser’s developers’ internal rules. When a natural or legal person wishes to set up a web server using HTTPs communication secured by the Transport Layer Security protocol (TLS), it generates a public key and a private key.

It then sends a certificate signing request (CSR) to one of the Certification Authorities containing its public key and information related to its identity. After verifying the applicant’s identity through a registration authority (RA), the Certification Authority signs the CSR using its private key (and not with the person’s private key), generates a certificate, and sends it back to the person who requested it.

The returned certificate is integrated into the applicant’s web server. When a user connects to this web server, it, in turn, transmits the certificate previously provided by the Certification Authority. The client’s web browser authenticates the server’s certificate using the Certificate Authority’s certificate, which was previously signed. The identity of the server is thus confirmed to the user by the Certification Authority. The web browser then contacts the relevant Certification Authority to determine if the server’s certificate has not been revoked.

References

[1] What Are Hardware Security Modules (HSMS)? Entrust.

[2] Tuecke, et al, Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile, The Internet Society.