Understanding PKI (Public Key Infrastructure) for Information Security
“PKI is a system composed of digital certificates, digital signatures, processes, procedures, and other services necessary to ensure confidentiality, integrity, authentication, non-repudiation and access control.” (Lawrence C. Miller & Peter H. Gregory)
Public Key Infrastructure (PKI) is used to encrypt data. Data is encrypted to authenticate. And authentication is used to verify the right person is accessing the information.
So how is this done?
One example of encryption is the Caesar cipher.
In the sample graph above, the action is to replace each plaintext letter with a different one. Which is a fixed number of places down the alphabet. The cipher illustrated uses a left shift of three, so that each occurrence of E in the plaintext becomes B in the ciphertext.
Additionally, there are four components of a PKI:
- Certificate Authority (CA): Hardware, software and personnel administering the status.
- Registration Authority (RA): Hardware, software and personnel in charge of verifying certificate contents for the CA.
- Repository: A system that accepts certificates and Certificate Revocation Lists (CRLs) from a CA and distributes them to authorized parties.
- Archive: Offers long-term storage of archived information from the CA.
Nevertheless, what is a digital certificate?
Is a certificate that binds and identify with a public encryption key as shown below.
That sounds good, yet when are digital certificates used?
Digital certificates are used in public key cryptography functions; they are most commonly used for initializing secure SSL connections between web browsers and web servers. Digital certificates are also used for sharing keys to be used for public key encryption and authentication of digital signatures.
What about digital signatures?
A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very strong reason to believe that the message was created by a known sender (authentication), and that the message was not altered in transit (integrity).
How it happens:
Step 1: You type out a message or create a file with sensitive information. You will then stamp the file with your private key that can be a password or a code. You press send and the email makes its way through the internet to Office B.
Step 2: When Office B receives the information, they will be required to use your public key to verify your signature and unlock the encrypted information.
Step 3: And then office B needs to use your Private Key (which you have shared with them) to reveal the confidential information on the email. Unless the recipient in Office B has your Private Key, they will be unable to unlock the information in the document.
Great! The last (for now) big piece of the puzzle:
What is confidentiality, integrity, authentication, access control, and non-repudiation?
Confidentiality is having the information private. Is the concept of limiting access to information to users and machines that require it.
Integrity is making sure the data stays unaltered. It protects the accuracy and completeness of information and processing methods.
Authentication verifies if the users are who they say they are. Just as the process of verifying a subject’s claimed identity in an access control system.
By way of illustration, an Access Control System (ACS) will enable visual control of entrances and exits from enclosed areas and will even record any attempts by employees or visitors to access restricted areas/premises within a guarded facility.
Access control is a fundamental component of data security that dictates who’s allowed to access and use company information and resources. Another definition is the capability to permit or deny the use of an object by a subject.
Last but not least, non-repudiation is being unable to deny one did something. As the inability for a user to deny an action and his or her identity is associated with that action.
In conclusion, with all the hacking going on, if all organizations implement PKI and other security solutions to mitigate risk and ransomware, we may be less vulnerable to be hoarding gas, or food, or afraid of the hospital running out of electricity in the middle of an operation, etc.
If you enjoyed this article, please hit the applause button 50 times, and share it with others. Thank you!
Note: Information on this site are my own and do not represent the positions, strategies, or opinions of my current or any previous employer.