Fundamentals of the PKI Infrastructure
Securing corporate information can be a challenge, considering the numerous technologies and platforms that need to be protected. One technology that definitely helps achieve secure data is public key infrastructure (PKI), which enhances the security of data by using advanced access methods and making sure the authenticity of the data flow is preserved.
Securing corporate information can be a challenge these days, considering the numerous technologies and platforms that need to be protected-it can be especially challenging for companies that lack a unified security system that can circumvent and mitigate issues. It is well known that organizations have to rely on an in-depth defense approach to make sure access to information stays secure at all times.
In order to remain in a secured state, information needs to:
- Be accessible only by authorized entities (confidentiality)
- Be unable to be tampered with (integrity)
- Remain online without interruption (availability)
These three conditions are known as the CIA triad. One technology that definitely helps achieve some of these objectives is public key infrastructure (PKI). Although it does not guarantee data availability, the PKI is a mechanism that greatly enhances the security of our data by using advanced access methods and making sure the authenticity of the data flow is preserved.
Given a complex system, how does the PKI help achieve these objectives? How does it integrate into the CIA triad? What major components does it use, and what are system administrators required to perform to maintain this technology? This paper is all about the foundations of PKI, since it's becoming mainstream in many companies to implement PKI. But I've often seen a lack of real understanding of the PKI in order to insure proper integration of the system.
Let's explore and see how PKI works!
Symmetric and Asymmetric Cryptography
The PKI relies on cryptography to encrypt and decrypt data. At the very base of the PKI, we find different ciphers or encryption algorithms that are able to masquerade the data (initially known as the plaintext) and make it unreadable, if some conditions are not met.
To help us understand how a cipher works, let's take this basic example:
Plaintext (unsecured data): PKI IS FUN!
Cipher text (secured data): CXV VF SHA!
How did we actually generate that cipher text? If you take a deeper look, you will find we have used a working cipher by the name of ROT13. This cipher replaces a letter with the letter 13 letters after it.
Knowing this fact is the key that helps in the decryption of the message.
Of course, much stronger ciphers are now used to make the data unreadable in case the user or system does not have the key.
Within PKI, we need two kinds of encryption systems:
1. Symmetric cryptography: This type of encryption uses a very low overhead method to encrypt data and is very fast and efficient. We use symmetric encryption as a first layer of security over a plaintext. With this kind of encryption, the key that encrypts and decrypts the message is the same. Some examples of encryption algorithms within this category include AES, Blowfish, CAST, IDEA, and RC4. The main reason we have to use another kind of encryption on top of it is because of a fundamental problem this technology has: the use of the same key. Why is it an issue? Because there is no way to guarantee a safe delivery of the key to the other end. The key cannot be kept secure, presenting a problem when information is sent.
2. Asymmetric cryptography: This type of encryption adds much more overhead to the encryption process. It uses a pair of keys, making users performing the encryption and decryption process use different keys. One key is used to encrypt the data (public key), and the other is used to decrypt it (private key). These two keys are mathematically related and unlock each other. But, in strong ciphers, one key cannot be found by having the other from the pair. In the most basic sense, the asymmetric system has been developed to allow the secure transport of the first key, initialized by symmetric cryptography. Some examples of asymmetric algorithms include Diffie-Hellman, El Gamal, RSA, and Elliptic curve. When dealing with PKI, we mostly deal with asymmetric cryptography, as we do not have much control over the symmetric encryption process. But, with our own pair of keys, we can decide to encrypt data and select who else is able to read it through decryption.