Understanding PKI (Public Key Infrastructure) for Information Security

“PKI is a system composed of digital certificates, digital signatures, processes, procedures, and other services necessary to ensure confidentiality, integrity, authentication, non-repudiation and access control.” (Lawrence C. Miller & Peter H. Gregory)

Public Key Infrastructure (PKI) is used to encrypt data. Data is encrypted to authenticate, and authentication is used to verify that the right person is accessing the information.

So how is this done?

One example of encryption is the Caesar cipher.

Example of Caesar cipher. Source: https://en.wikipedia.org/wiki/Caesar_cipher

In the sample graph above, each plaintext letter is replaced with a different one, a fixed number of places down the alphabet. The cipher illustrated uses a left shift of three, so that each occurrence of E in the plaintext becomes B in the ciphertext.

Additionally, there are four components of a PKI:

  1. Certificate Authority (CA): Hardware, software and personnel administering the status.
  2. Registration Authority (RA): Hardware, software and personnel in charge of verifying certificate contents for the CA.
  3. Repository: A system that accepts certificates and Certificate Revocation Lists (CRLs) from a CA and distributes them to authorized parties.
  4. Archive: Offers long-term storage of archived information from the CA.

Sample of PKI. Source: https://www.thesslstore.com/blog/how-pki-works/

Nevertheless, what is a digital certificate?

It is a certificate that binds an identity to a public encryption key, as shown below.

Sample of digital certificate. Source: https://upload.wikimedia.org/wikipedia/commons/6/65/PublicKeyCertificateDiagram_It.svg

That sounds good, yet when are digital certificates used?

Digital certificates are used in public key cryptography functions; they are most commonly used for initializing secure SSL connections between web browsers and web servers. Digital certificates are also used for sharing keys to be used for public key encryption and authentication of digital signatures.

What about digital signatures?

A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very strong reason to believe that the message was created by a known sender (authentication), and that the message was not altered in transit (integrity).

Sample of digital signature. Source: https://signx.wondershare.com/knowledge/digital-signature-example.html
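
The certificate binding and signature properties described above, as an added example that is not part of the original article: a toy CA signs a certificate tying an identity to a public key, and a recipient checks the CA signature, a revocation list, and the message signature. It uses textbook RSA with fixed Mersenne primes purely for illustration (never for real keys); every name, the serial number and the sample message are constructed.

```python
import hashlib
import json

E = 65537  # common RSA public exponent

def make_key(p, q):
    """Toy textbook-RSA key pair from two primes (no padding; illustration only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, phi)}

def _digest(data, n):
    # Hash the bytes, then reduce the hash into the key's modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(_digest(data, priv["n"]), priv["d"], priv["n"])

def verify(pub, data, sig):
    # Verification needs only public values.
    return pow(sig, pub["e"], pub["n"]) == _digest(data, pub["n"])

def _tbs(cert):
    # The fields the CA signs: the identity-to-key binding plus a serial number.
    body = {k: cert[k] for k in ("serial", "subject", "public_key")}
    return json.dumps(body, sort_keys=True).encode()

def issue_cert(ca_priv, serial, subject, subject_pub):
    cert = {"serial": serial, "subject": subject, "public_key": subject_pub}
    cert["ca_signature"] = sign(ca_priv, _tbs(cert))
    return cert

def check_message(ca_pub, crl, cert, message, sig):
    """Relying-party checks, in order: CA signature, revocation, message signature."""
    if not verify(ca_pub, _tbs(cert), cert["ca_signature"]):
        return "reject: certificate not signed by trusted CA"
    if cert["serial"] in crl:
        return "reject: certificate revoked"
    if not verify(cert["public_key"], message, sig):
        return "reject: message signature invalid"
    return "accept: signed by " + cert["subject"]

# Constructed sample data: Mersenne primes stand in for real key generation.
CA_PUB, CA_PRIV = make_key(2**127 - 1, 2**89 - 1)
ALICE_PUB, ALICE_PRIV = make_key(2**107 - 1, 2**61 - 1)
CERT = issue_cert(CA_PRIV, 1001, "alice@example.com", ALICE_PUB)
MSG = b"Quarterly report attached."
SIG = sign(ALICE_PRIV, MSG)

if __name__ == "__main__":
    print(check_message(CA_PUB, set(), CERT, MSG, SIG))
    print(check_message(CA_PUB, set(), CERT, MSG + b"!", SIG))
    print(check_message(CA_PUB, {1001}, CERT, MSG, SIG))
```
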

How it happens:

Step 1: You type out a message or create a file with sensitive information. You will then stamp the file with your private key that can be a password or a code. You press send and the email makes its way through the internet to Office B.

Step 2: When Office B receives the information, they will be required to use your public key to verify your signature and unlock the encrypted information.

Step 3: Then Office B needs to use your Private Key (which you have shared with them) to reveal the confidential information in the email. Unless the recipient in Office B has your Private Key, they will be unable to unlock the information in the document.

Outlook email digital signature setup sample. Source: https://www.thewindowsclub.com/add-digital-signature-to-outlook

Great! The last (for now) big piece of the puzzle:

What is confidentiality, integrity, authentication, access control, and non-repudiation?

Confidentiality is keeping information private. It is the concept of limiting access to information to the users and machines that require it.

Integrity is making sure the data stays unaltered. It protects the accuracy and completeness of information and processing methods.

Authentication verifies that users are who they say they are. It is the process of verifying a subject’s claimed identity in an access control system.

Source: http://zafatech.com/wp-content/uploads/2017/06/access_header-1100x400.jpg

By way of illustration, an Access Control System (ACS) will enable visual control of entrances and exits from enclosed areas and will even record any attempts by employees or visitors to access restricted areas/premises within a guarded facility.

Access control is a fundamental component of data security that dictates who’s allowed to access and use company information and resources. Another definition is the capability to permit or deny the use of an object by a subject.

Last but not least, non-repudiation is being unable to deny that one did something. It is the inability of a user to deny an action, and his or her identity is associated with that action.

In conclusion, with all the hacking going on, if all organizations implement PKI and other security solutions to mitigate risk and ransomware, we may be less vulnerable to hoarding gas or food, or to being afraid of the hospital running out of electricity in the middle of an operation, etc.

Note: Information on this site is my own and does not represent the positions, strategies, or opinions of my current or any previous employer.

Real stories to save you time. | Cybersecurity Professional, ex-Googler, former US Navy Nuclear Submariner.

Alfe Corona, MSCy, MSOL