Public Key Infrastructure

The digital era offers countless possibilities for communication and exchange of information between people, organizations, businesses, etc. A significant part of this communication is intended to be private and confidential, so the public should be unaware of it. The Internet is a convenient way to connect, but it comes with many hidden traps and cyber risks that can intercept any sensitive data that travels in digital space, such as zeros and ones. Private information is intended for limited audiences that we trust; besides private intimate relationships between two people, there are other types of private information that we all share in certain moments.

Public Key Infrastructure is the natural response to the need to protect and authenticate information. It is a collection of technologies and processes that deploy asymmetric encryption to secure digital communications. This infrastructure uses public keys related to digital certificates issued by some trusted certificate authorities, which authenticate specific devices or users that are the source of the communication. This exchange of information could be between servers and users or a method of secure communication inside an organization. Public Key Infrastructure ensures that all messages are accessible only to the sender and the intended recipient and that the packets have not been altered en route. The Public Key Infrastructure summarizes six significant components that are responsible for the deployment of the secure encrypted environment:

·???????? Certificate Authority (CA) – the trusted institution governing security certificates. By governing, security certificates are issued, stored, and signed. Signing the security certificates involves encryption with a private key that belongs to the CA, followed by publishing the public key that is accessible upon request.

·???????? Registration Authority (RA)—The CA can also assume the function of the RA, but often, this is a third-party provider. The main goal of the RA is to verify the identity of the user or device that requests a digital certificate.

·???????? Certificate database—a place for storing the digital certificate and all associated information, such as the expiration date.

·???????? Central directory - a place that looks like a library where all encrypted keys are stored and indexed.

·???????? Certificate management system: It is responsible for the distribution of digital certificates and routines for accessing them.

·???????? Certificate policy – this collection of procedures aims to ensure users the trustworthiness of the Public Key Infrastructure.

Different types of open-source Public Key Infrastructures are available to the public: EJBCA Enterprise (Java developed full stack CA that could be set as a service or for internal use), OpenSSL (a complete stack toolkit embedded in Linux distributions to build a simple CA), CFSSL (Cloudflare’s PKI/SSL toolkit), XiPKI (Java implemented powerful CA and RA with SHA-3 support), and Dogtag Certificate System (full stack CA that governs all stages of certificate lifecycle).

As mentioned above, the Public Key Infrastructure is based on asymmetric encryption methods. Asymmetric cryptography involves the use of a public and a private key. Usually, a cryptographic key is a very long string of bits that encrypt data and is split into two pairs: a public key that is available to the public upon request and is used to authenticate the sender of the digital traffic and a private key that is kept private and ensures that only the receiver of that communication will be able to decrypt it.

?

This leads us to the second question in this article: why can an active attacker break an SSL connection but not an IPsec connection?

SSL/TLS encryption protocols work in the Transport layer of the OSI network model. These protocols are responsible for the authentication and encryption of traffic between different connected network devices and network applications.? IPsec includes several secure communication protocols that protect network traffic by establishing a tunnel between nodes connected over an unsecured public network.? IPsec encapsulates traffic in the Network layer of the OSI model and guarantees confidentiality and integrity of the flow. According to the French National Cybersecurity Agency (ANSSI) guide published in 2018, the significant advantage of IPsec over SSL is that IPsec has a smaller attack surface, which means that all critical tasks, like functions that use keys, are performed in an isolated environment within the operating system kernel. SSL/TLS runs in the user space from the Application layer. In addition, mechanisms for an initial choice of algorithms are more secure in IPsec than TLS. According to the same agency, the most recent vulnerabilities address implementations of the SSL and TLS protocols. Besides, SSL has applications that are in tandem with symmetric and asymmetric encryption methods. Symmetric encryption uses the same secret key to encrypt and decrypt data. That means the sender and the receiver should share the same secret key. This method is a faster cryptographic method than the asymmetric one. Still, suppose a hacker exploits vulnerabilities in the SSL/TLS stack (POODLE, BEAST, CRIME, FREAK, Heartbleed, etc.). In that case, it can capture that shared secret key and access encrypted communication. IPsec stack mitigates that risk by encapsulating the traffic in the Network layer, creating a “tunnel” to ensure privacy and confidentiality.

?There are three types of PKI architectures: one-tier, two-tier, and three-tier. The two-tier architecture is a compromise between the first two.

Two-tier PKI comprises two types of certificate authorities: Root CA and Issuing CA. The Root CA is the most trusted entity and generates certificates for the Issuing CA. In turn, the Issuing CA issues certificates to the users or devices. This model is suitable for small organizations because it is simpler to manage. The Root CA and Issuing CA roles are separated by placing the Root CA offline. This way, the private key of the Root CA is better protected, and overall, the level of security is higher within this hierarchy. This model supports the existence of multiple Issuing CAs in different geographical locations or different security levels.

?

?

?

?

References:

Okta (2023, June 26). What Is Public Key Infrastructure (PKI) and How Does It Work? Learn how Adaptive Multi-Factor Authentication combats data breaches, weak passwords, and phishing attacks. Okta.com. Retrieved April 4, 2024, from https://www.okta.com/identity-101/public-key-infrastructure/

?PrimeKey AB (n.d.). EJBCA? Enterprise. Primekey.com. Retrieved April 4, 2024, from https://www.primekey.com/products/ejbca-enterprise/

?OpenSSL Project Authors (n.d.). OpenSSL: Cryptography and SSL/TLS Toolkit. Openssl.org. Retrieved April 4, 2024, from https://www.openssl.org/

?GitHub, Inc. (n.d.). Cloudflare/CFSSL. Github.com. Retrieved April 4, 2024, from https://github.com/cloudflare/cfssl

?GitHub, Inc. (n.d.). XiPKI. Github.com. Retrieved April 4, 2024, from https://github.com/xipki/xipki

?Quigley, C. (2021, February 15). The difference between symmetric and asymmetric encryption. Ssls.com. Retrieved April 4, 2024, from https://www.ssls.com/blog/the-difference-between-symmetric-and-asymmetric-encryption/

?Microsoft (2016, August 31). Securing PKI: Planning a CA Hierarchy. Microsoft.com. Retrieved April 7, 2024, from https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786436(v=ws.11)

?Labos, M. (2023, May 31). PKI & Offline Root Ceremonies for Enterprise Security. Ssl.com. Retrieved April 7, 2024, from https://www.ssl.com/article/3tier-pki-enterprise-security-offline-root-ceremonies/#ftoc-heading-7

?

?

?