PKI (Public Key Infrastructure), is a framework that enables the encryption of public keys and includes their affiliated crypto-mechanisms. The underlying purpose of any PKI setup is to manage the keys and certificates associated with it, thereby creating a highly secure network environment for use by applications and hardware. X.509 certificates and public keys form the cornerstone of PKI, acting as the mechanism through which cryptography can be established for an endpoint – consequently, PKI may refer to any software, policy, process, or procedure that may be employed while configuring and managing those certificates and keys.
In a nutshell, PKI is responsible for making online interactions more secure, and it does this by:
It does this by using private keys and public keys for encryption and decryption respectively, which are facilitated in turn by digital certificates.
In today’s hyper-connected world, the need for a robust PKI cannot be understated, especially since there is an explosion in the number of devices that are capable of leveraging the internet to communicate with each other – mobile devices, IoT-enabled hardware, and payment systems are just a few examples of infrastructures that require PKI for security, without which they would expose themselves to cyber risk and also failure of compliance standards imposed upon them by various bodies.
…and so on.
PKI infrastructures involve the participation of some or all of the below entities:
Now that the anatomy of PKI has been deciphered, let’s take a look at how they can be woven together into a working cryptographic system.
Public Key Infrastructure uses Public Key Cryptography as the basis for providing encryption, with the underlying principles, procedures, and policies being part of the overlying ‘infrastructure’ that is compatible with SSL/TLS protocols. Public Key Cryptography uses asymmetric key algorithms to perform its role. According to this principle, both communicating parties establish a working relationship by verifying each other’s identities. Consider the following exchange which enables a server and a web application, for instance, a browser, to communicate with each other:
The entire exchange is facilitated by x.509 certificates (also called digital certificates or PKI certificates), since only those public keys that have been signed by a Certificate Authority and bound to a certificate are considered acceptable for use online.
Certificates are the gatekeepers to ensuring that the underlying PKI works properly. We’ve covered how certificates are linked to the Public Key Cryptography process in the previous section already – now, let’s take a brief look at the anatomy of a digital certificate.
Certificate Authorities (CAs) provide much-needed trust for the entire PKI framework. Several major CAs are trusted across the globe to provide authenticity to certificates, and by extension, signed keys. A typical certificate consists of the following information:
A digital certificate, once issued, has to be diligently managed to ensure that it remains secure. An expired certificate is of no use to anyone, and neither is a compromised one. Certificate Management is a discipline that overlaps with PKI management, and has its own set of rules and protocols that have to be followed.
Establishing and managing an ideal PKI system would involve an impeccably managed infrastructure that included certificates and keys, CAs, HSMs, associated DevOps, ITSM, and IAM tools, and a lot more. The management of each of those systems is a vast topic that we will be covering in later articles. For now, here are some high-level considerations prior to (or during, or even after) a PKI implementation.
For reasons that involve security, accessibility, ease of use, and overhead costs, organizations may choose to pick either on-premise PKI deployments, or cloud-based ones.
On-premise is the deployment method traditionally used by most established PKI providers. Here, the PKI is installed on the organization’s own servers – it is administered and governed by the organization’s internal PKI team, and the root certificate is kept in a highly secure location within this infrastructure. Many providers of external CAs exclusively provide on-premise PKI, as it is considered to be more secure than the alternative (hosting a PKI elsewhere) – this is primarily because on-prem setups retain full control over the private keys and certificate issuance process. However, on-premise offerings have certain shortcomings, which come in the form of increased complexity and associated costs, including a need to procure:
An characteristic that PKI deployments absolutely must possess is scalability i.e the ability to grow and change in an agile fashion, without requiring a complete overhaul of the system to do so. This is a challenge many on-premise PKI providers struggle with, as all of the infrastructure is on the client’s servers, and hence, requires significant physical efforts to redesign or upgrade.
Cloud PKI is the modern alternative to its on-premise cousin. Here, the entire PKI is hosted on the provider’s servers, and PKI is supplied to clients on-demand. This way, the client receives all the benefits of a full-fledged public PKI, without having to deal with the hosting, maintenance, and physical management costs involved. There is also the assurance of 100% availability, since the back-end is handled exclusively by the providers. This allows for relatively easier scalability, since the cloud PKI provider handles installations, maintenance, security, and backups, and provides only the necessary PKI to the client on-demand.
Furthermore, since cloud-based PKI usually operates on a pay-as-you-go basis, the costs incurred by customers are also significantly lower (as opposed to the considerable fixed costs incurred by practitioners of on-premise PKI).
‘Improper PKI Management’ is a blanket term for Public Key Infrastructure handling techniques that leave room for error, malfunction, or compromise. These less-than-ideal techniques usually fall into one of four categories: a lack of visibility, agility, integration, and/or automation. When best practices are not adhered to, crypto-systems run the risk of encountering service outages or data breaches and information compromise.
While no PKI management process can be perfect, organizations must strive to follow the mandated best practices to ensure that they minimize the chances of outages or breaches affecting their organizations.
Let’s take a closer look at how individual industries leverage PKI.
Firms which provide financial services rely on a standardized high level of confidentiality, security, and reliability in order to operate efficiently. PKI is used in several areas, such as their websites, which serve as portals for customers in order to make financial transactions, and their internal servers, access to which is usually protected with access cards or other PKI-backed services. Firms and functions which facilitate card-based payments also comply with another mandated standard – the PCI-DSS – and require all crypto-services (such as HSMs) to adhere to these standards.
While PKI has traditionally been used in hospitals to secure sensitive patient records, cryptography is finding new applications in wearable/remote IoT-enabled medical devices. With such devices capturing user information and relaying it back to healthcare professionals by the minute, it is incredibly important to ensure that the line of communication is not intercepted. It’s also crucial to keep the device up-to-date via regular updates so that it’s at optimum security. By providing a device identity and a layer of protection to medical devices, PKI makes this possible.
PKI has become a crucial component of Industry 4.0. With sensors and connected devices being a part of virtually all manufacturing processes (thereby providing control room personnel second-by-second updates on process health), ensuring that these sensors are secure becomes a necessary step. Not only does a compromised sensor risk leaking sensitive information, it could cause malfunction and large-scale process errors (for instance, a sensor with an expired certificate would refuse to relay information back to the control room). High-grade PKI management is a necessary capability to have.
Today’s automobiles are highly connected, and in many cases, operate in conjunction with smartphones (Android Auto and Apple CarPlay, for instance). IoT devices enable them to be virtually connected to access points, and this capability allows for steady updates as well. It is critical for on-board digital systems to be secured with PKI to disallow unauthorized third-parties from gaining access to user/manufacturer information that could have a negative effect on consumers. The same applies to digital consumer devices on airplanes such as entertainment systems.
The functions of both these PKIs are almost the same, the difference lies in the method of establishing trust.
The external PKIs get the trust through client software automatically, while the internal PKIs need to get the trust by an individual user in the corporate environment, deployed to all devices by the administrator.
For the external PKI management, there is a Certifying Authority, which maintains certificates for establishing trust, externally.
There are specific standards like CA/Browser Forum Baseline Requirements against which the certifying authorities are audited. Then only they are accepted in external store programs.
An important thing to note here is that the internal PKI is as secure as the external ones but is not trusted by default. This is because of their non-compliant with the baseline guidelines.
The identity of a certifying authority is associated with its public keys through a special ‘root certificate’. Being externally trusted interprets that those root certificates are by default configured with the client applications. Operating systems, web browsers, and other applications are offered with information regarding these root certificates and the related external keys.
If one is accessing any website or any other internet-based resource then such externally trusted certificates are the best way to secure that data transfer.
Internal PKIs, which are required to be manually developed and inserted for each network connection, is not a practical way in such connections.
The external PKIs are trusted only when they stringently comply with the regulations rolled out from time to time and need to undergo timely audits. The internal PKI need not adhere to any regulation. They can be different from the conventional standards and can freely operate in a way the operator finds correct.
This may interpret that the internal PKI might not be as per the best practices prescribed, but the major advantage lies in getting the personalized approach in security certificates. The users get better flexibility in their policies.
In addition to the security certificates, internal PKI also facilitates complete control of the credential’s authentication process. The client’s access control system can freely be integrated with the internal PKI services and can easily provide security certificates to the systems trusted by the operator.
External PKIs require stern manual and automated checks, followed by validation of the certificates against the qualified database.
Introduced by Google, the certificate transparency project lessens the structural flaw in the existing SSL certification system. With this system, one can easily detect the authenticity and validity of the SSL certificate.
Many times, it has been found that an authentic certificate was either mistakenly issued or was maliciously acquired from the certifying authority. Such certificates put digital security at a compromising position and with certificate transparency those certificates can be detected.
Web Browsers, Certifying Authorities, and any other party can use the certificate transparency approach, in addition to their existing technologies to corroborate the correctness of a certificate.
Note: Internal PKIs don’t need to participate in Certificate Transparency norms.