PKI Infrastructure

Introduction-

Public Key Infrastructure (PKI) is a system of processes, technologies, and policies that allows you to encrypt and sign data. You can issue digital certificates that authenticate the identity of users, devices, or services. These certificates create a secure connection for both public web pages and private systems—such as your virtual private network (VPN), internal Wi-Fi, wiki pages, and other services that support MFA (Multi-factor Authentication )




Common use cases for PKI include, but are not limited to-

  • Securing web pages
  • Encrypting files
  • Authenticating and encrypting email messages using S/MIME
  • Authenticating nodes connecting to a wireless network
  • Authenticating connections to your VPN
  • Authenticating connections to sites and services containing corporate data using TLS mutual authentication.

key benefits-

  • Authentication: Validate identities to ensure only authorized users and devices have access to a server.
  • Encryption: Use a certificate to create an encrypted session, so information can be transmitted privately.
  • Data Integrity: Ensure any messages or data transferred to and from devices and servers are not altered.
Terms used in PKI-

End-to-end encryption is when a message is encrypted at your device, and the decryption is done at the recipient’s device. This means that no third party can intercept your sensitive data.

A Certificate Authority (CA) is a trusted third party that verifies the identity of an organization applying for a digital certificate. After verifying the organization’s identity, the CA issues a certificate and binds the organization’s identity to a public key. A digital certificate can be trusted because it is chained to the CAs root certificate.

A digital certificate vouches for the holder’s identity. Like a driver’s license, the certificate has been issued by a trusted third party, cannot be forged, and contains identifying information.

A root certificate provides the signature when binding an identity to the public key. This is how you identify whether a certificate is valid, and whether you should trust it.

Managed PKI (MPKI) is a solution provided by a CA that allows you to begin automating certificate processes and customizing PKI workflows. Once your organization gets to the point that it requires a high volume of certificates, you’ll benefit from an MPKI solution that simplifies certificate management.

Key storage, often referred to as key archival, is securely storing the private key in case it’s lost. To meet FIPS compliance , and ensure the highest level of security, we suggest storing your keys using a Hardware Security Module (HSM).

An HSM is a cryptographic hardware-based option for secure key storage. Typically, HSMS are physically located on-premises, and require internal resources to maintain. This can be cost intensive, but less expensive options do exist.

Type of Encryption PKI use

PKI merges the use of both asymmetric and symmetric Both symmetric and asymmetric encryption have their own strengths and best use case scenarios, which is what makes the combination of both so powerful in Public Key Infrastructure.


1. symmetric encryption

Symmetrical encryption protects the single private key that is generated upon the initial exchange between parties—the digital handshake, if you will. This secret key must be passed from one party to another in order for all parties involved to encrypt and decrypt the information that was exchanged. This secret key can be in the form of a password, or it can be a series of random numbers or letters generated by a random number generator (RNG). 


2. Asymmetric encryption

Asymmetric encryption is fairly new to the game and you may know it better as “public key cryptography.” Asymmetric encryption uses two keys, one public and one private. The public key encrypts and the private key decrypts. 


 Steps to Implementing Your PKI-

Identity and access management (IAM) is the process of managing a user’s login credentials, verifying them and confirming authorization that follows the company’s existing information security policies. IAM offers a two-step identity verification where the person accessing data is first authorized and then allowed access to decrypted data.

1. Certificate Authority (CA):

This serves as the ‘root of trust’ and helps authenticate the identity of an individual, computer or entity in the network.

2. Registration Authority (RA):

This is often called a subordinate CA as well, as it is certified by a root CA to issue out certificates for uses designated and permitted by the CA.

3. Certificate Database:

This saves all certificate requests that been issued, as well as all certificates that have been revoked from the RA or CA. It serves fundamentally as a log of all security certification transactions within the system.

4. Certificate Store:
This saves all issued certificates as well as any temporary pending or rejected certificate requests from the local computer. Certificates that are not signed by an authority in the local certificate store will not be trusted by the local system.

5.Key Archival Server:
This saves encrypted private keys in a certificate database. This is used generally for disaster recovery purposes as a backup in case the original Certificate Database is lost or becomes damaged somehow.

There are four major advantages to PKI authentication:

  • you are able to authenticate the source of the data. A third party is able to ensure that you are dealing with a secure, trusted party.
  • You can maintain the privacy of your data. No one without the private keys will be able to unencrypt and view your data.
  • Your data cannot be interfered with. A "middleman" attack cannot be launched that changes the data being sent or received.
  • You can validate the source of the data. Not only is it authenticated, but you can prove you received that data from the given party.



Comments

Popular Posts