
@RISK Online - The Security Blog



09/15/1999: "PKI: It's all about Trust"

By now I'm sure everyone has heard of Public Key Infrastructure, or PKI. It seems to be the latest buzz everywhere you read. The pundits say it's the solution to all our problems, from E-Commerce, to VPNs, to Digital Signatures, but what is it?


What exactly is PKI? Simply put, a PKI is an overall process of positively identifying someone in an electronic environment. It consolidates every piece of your security system into one centralized, easy-to-manage solution. To accomplish this, technologies such as digital certificates and encryption are combined to provide authentication and privacy for secure networking. It is not an application in and of itself, but will likely be integrated into the network environment, and into business applications. The applications may be implemented in part or in whole, depending upon the needs of your organization. This means you aren't going to buy a PKI in a box. You will find several components of a PKI that can be purchased either in a pre-designed configuration, or in parts to meet your specific needs. You will also very likely need to either purchase PKI-ready applications, or have your existing applications rewritten to include PKI integration. The technology isn't new, but it is still in development. This means it may be a while before you can trust your electronic neighbors the way you do your hometown bank, but that day is coming soon.

How does it work? To have a secure environment, you must trust the persons working in that environment. To trust someone, you must know whom you are dealing with. When you make a bank transaction you are required to show the teller some form of identification issued from a trusted authority, such as your government-issued driver's license. In an electronic environment you need an electronic form of identification that you've obtained from some trusted authority. This identification is known as a digital certificate. A trusted Certificate Authority or CA must issue these certificates, which will hold the user's name and other related information. To prevent tampering, this certificate is electronically signed by the CA before it's issued to a user. Once the certificate is created, it is stored in a directory. The CA generates two separate pairs of public and private keys for each user. One pair is for encrypting and decrypting the information, and the other is used by client applications to create a digital signature on a document or transmission.

What does it do for me? A PKI provides four main security benefits: Privacy, Authentication, Integrity, and Non-repudiation. These can collectively be referred to as PAIN. Let's discuss each briefly:

Privacy: In discussing Privacy we are generally talking about Encryption. What we want is evidence that data has not been disclosed to third parties. Encrypting an email message would give you reasonable assurance that it may not be read by anyone but the intended recipient.

Authentication: This refers to a digital guarantee that data (or a message) really has come from the person who claims to have sent it. In other words, it provides assurances that "you are who you say you are".

Integrity: Proof that data has not been altered, deliberately or accidentally, during transmission (This data may be email, a file, or just normal network traffic). Once the message or data is received, the signature is checked for validity. If the signature is valid, this proves that it hasn't been altered in any way.

Non-repudiation: Non-repudiation equates to signing your name on a written statement and having it notarized. When you send an email or write a document you can sign it with your digital signature. Because the CA maintains two key pairs, the recipient of your digital signature can check it against the sender's public key, thereby confirming that the file or message was actually made by the person assumed.
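
The certificate issuance from "How does it work?" and the privacy, authentication and integrity checks listed above, as an added example that is not part of the original article. It uses textbook RSA built from fixed Mersenne primes so it runs with no extra libraries; the keys, names and messages are constructed for illustration and the scheme is not secure for real use.

```python
import hashlib
import json

E = 65537  # common RSA public exponent

def keypair(a, b):
    """Toy RSA key from the Mersenne primes 2**a-1 and 2**b-1 (constructed, NOT secure)."""
    p, q = 2**a - 1, 2**b - 1
    n = p * q
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(digest(data, priv["n"]), priv["d"], priv["n"])  # no padding: textbook RSA

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == digest(data, pub["n"])

def encode(body):
    return json.dumps(body, sort_keys=True).encode()

def issue_certificate(ca_priv, subject, signing_pub, encryption_pub):
    # The CA binds the user's name to both public keys and signs the result.
    body = {"subject": subject, "signing_key": signing_pub, "encryption_key": encryption_pub}
    return {"body": body, "ca_signature": sign(ca_priv, encode(body))}

def check_message(ca_pub, cert, message, sig):
    if not verify(ca_pub, encode(cert["body"]), cert["ca_signature"]):  # issued by the trusted CA?
        return "certificate rejected"
    if not verify(cert["body"]["signing_key"], message, sig):  # signed by the certified key?
        return "signature invalid"
    return "valid: signed by " + cert["body"]["subject"]

def demo():
    ca_pub, ca_priv = keypair(521, 607)
    sig_pub, sig_priv = keypair(127, 521)    # pair used for digital signatures
    enc_pub, enc_priv = keypair(607, 1279)   # pair used for encryption
    cert = issue_certificate(ca_priv, "alice@example.com", sig_pub, enc_pub)
    msg = b"Approve purchase order 42 for $1,000"
    sig = sign(sig_priv, msg)
    renamed = {"body": dict(cert["body"], subject="bob@example.com"), "ca_signature": cert["ca_signature"]}
    session_key = int.from_bytes(b"constructed key!", "big")
    sealed = pow(session_key, enc_pub["e"], enc_pub["n"])  # privacy: only enc_priv opens it
    return {"genuine": check_message(ca_pub, cert, msg, sig),
            "altered": check_message(ca_pub, cert, msg.replace(b"1,000", b"9,000"), sig),
            "edited_cert": check_message(ca_pub, renamed, msg, sig),
            "session_key_recovered": pow(sealed, enc_priv["d"], enc_priv["n"]) == session_key}
```

Calling demo() shows the genuine message accepted, the altered message failing the signature check, and a certificate whose subject was edited after issuance failing the CA check.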

Why do I need it? A PKI is useful, even necessary, to provide security for everyday business needs. To determine your PKI needs, first look at your existing business needs and perform a Risk/Threat Analysis. Some questions to ask yourself might be:

• What business processes or information need to be protected?
• If any of these processes or information were compromised in any way (damaged, stolen, or made public) what potential loss or damage would I incur?
• How much protection should I use to protect these assets?

There are several points to consider after this analysis has been done. First, you don't need to protect everything. You only need to protect that which has value. Second, you don't necessarily need the highest level of protection. Apply security in proportion to the potential for loss. As an example, you wouldn't spend $100,000 to protect against losses of a few thousand dollars. Protection comes in varying degrees. The simplest form of protection is in widespread use on networks; you need a valid account and password to log in. In increasing degrees of protection and cost there are:

• Smart Cards - A personal ID card with an embedded computer chip that can store a digital certificate
• Tokens - A PCMCIA device that can store multiple digital certificates, and perhaps an encryption module or biometric information.
• Biometrics - This can be appropriate hardware and software to perform Retinal Scanning, Fingerprint recognition, or other forms of biological verification.

What are some other implementations? What can I do besides sign and encrypt messages and documents? One of the largest potential areas of usage will be in custom applications that need some stronger forms of authentication and non-repudiation. Some categories of applications with obvious needs would be in finance, or medical information. These applications can be rewritten to make use of digital certificates to control access to the application and its associated information. They can also be designed to require a digital signature for tracking or approval processes.

Do I really need a PKI? That's a question that only you can decide, and that decision must come after great deliberation and study. Establishing a Public Key Infrastructure is not a silver bullet that will answer all your security needs. In order to be a success, it must be properly planned and implemented. The PKI world is still young and evolving, so there will be many obstacles to overcome. One of the biggest will be interoperability, specifically the ability to share and authenticate certificates from multiple sources or vendors. Without this ability, your PKI may not be able to communicate with the PKI of a potential vendor, customer or business partner. The problems here become obvious as you consider having multiple certificates for a person to be identified by multiple authorities. This problem becomes amplified if you consider questions such as "Which certificate uniquely identifies an individual?" There are many other issues, but they are beyond the scope of this article. Suffice it to say, if you take on the challenge of a PKI implementation, be patient and thorough!

@RISK Online · ©1999-2004