In our first series, we covered the following 7 articles:
If you are new to the field of cybersecurity, taking our Inro to Cybersecurity (free self-paced) course is highly recommended. Also, if you are already familiar with cybersecurity, taking our Intro to Blockchain Cybersecurity course is highly recommended.
Organizations have many applications to manage, and these are hosted by different systems and servers. Organizations have deployed several ways to authenticate users, based on methods such as multi-factor authentication, one for each system/application, Single Sign-On (SSO), and the directory server; however, authenticating users on the internet is a comparatively difficult mechanism. It is also extremely important to achieve trust over the internet before exchanging information because the internet has been kept open for trusted and untrusted parties. In order to established trust over a public network, there is the need for an independent trusted party. A Public Key Infrastructure (PKI) is an open framework built to resolve trust factors between internet-connected users.
In this article, we will learn about the following topics:
Organizations may have hundreds of cloud-based applications to manage and maintain. Managing individual access control and authentication is a difficult daily task. When it comes to internet users and enormous web applications, it becomes difficult to trust individual websites, and users tend to lose their private and confidential information through them. A PKI provides a secure means of authenticating an individual's identity.
Businesses can reduce the number of deployment and management issues that are encountered with applications by employing a PKI. As businesses are moving more toward cloud-based applications, it is critical to protect security-sensitive applications from emerging threats. There are many security threats when communicating online such as identity theft, Man-In-The-Middle (MITM) attacks, and data leaks.
The internet allows anyone to connect to anyone else and, unlike the real world, geographical/physical barriers don't exist. This makes it difficult to identify a person over the internet and establish trust for further communication. In the following diagram, Alice wants to talk to Bob over the internet; however, Bob refuses because he doesn't have any means of verifying Alice's identity:
The PKI solves this problem by appending a Trusted Third Party (TTP) between Bob and Alice. So, before they can start getting to know each other, they have to establish trust and the TTP helps to accomplish that. In the following diagram, Alice shares a digital certificate with Bob and Bob uses the public key from a trusted certificate authority to decrypt this signature and authenticate Alice:
In the preceding diagram, the TTP is the Certificate Authority (CA). This CA generates a certificate that helps an internet user show his/her identity over the internet:
The following diagram shows PKI security architecture:
The X.509 design elaborates data formats and procedures for the storage and distribution of public keys through certificates that are digitally signed by CA. However, X.509 does not include a profile to specify supporting many of the certificate's subfields and extensions, shown as follows:
The standard efforts prepared an outline for PKI of X.509 version 3 as well as version 2 certificate revocation lists. Before moving on to RFC 2459, there were around 11 drafts to enhance the X.509 standard.
RFC 2510 was developed to specify a message protocol used in PKI. After this, there were two parallel developments with the need of an enrollment protocol and the preference to use the PKCS#10 message format. The following diagram explains the evolution of the PKI header. In version 2, a unique issuer ID and unique subject ID were added to the header. In version 3, an extension field was introduced to identify policy and other related information, illustrated as follows:
Furthermore, the certificate request syntax was developed in S/MIME WG with PKCS#10. With RFC 2510, a simple enrollment protocol was defined, but it did not use PKCS#10 as a certificate request format.
PKI is a collection of a wide variety of components, applications, policies, and practices that combine and accomplish the three security principles, which are integrity, authentication, and non-repudiation. Digital certificates are the main components in PKI as they act as a digital identity over the internet. The five core components of PKI are explained in the following subsections.
In cryptography, encryption is the process of encoding information so that only the intended party can see it. There are two methods of accomplishing this cryptography encryption, symmetric encryption and asymmetric encryption (take our free Intro to Cybersecurity course to learn more about encryption methods), defined as follows:
The public and private key pair consist of two uniquely related cryptographic keys. Here is an example of a public key:
3048 0241 00C9 18FA CF8D EB2D EFD5 FD37 89B9 E069 EA97 FC20
5E35 F577 EE31 C4FB C6E4 4811 7D86 BC8F BAFA 362F 922B F01B
2F40 C744 2654 C0DD 2881 D673 CA2B 4003 C266 E2CD CB02 0301
A public key is made available to everyone through the internet and is stored in an accessible repository or directory. On the other hand, the private key must remain private to its owner; hence, it is also named a secret key.
Both public key and secret key are mathematically connected with each other; hence, data encrypted with a public key can only be decrypted by the respective secret key.
A certificate is an electronic ID that represents the identity of a user or a device interested in communicating over a network. The certificate basically ensures that only a legitimate user can connect to the network. A certificate is generated by signing the public key by a trusted third party, that is, the CA.
The following are the three main types of certificates:
The CA is a trusted third-party that certifies that users, servers, databases, and administrators are who they say they are. The CA checks the credentials of users and grants the certificate, signing it with a secret key. The CA can be an on-premises solution or it can be a managed solution that offers certificate services, illustrated as follows:
The functions of the CA are as follows:
In the following screenshot, we can see the list of digital signatures in a client system. There is a list of certificates from several certificate authorities with their expiry dates:
The different types of CA are as follows:
The RA is responsible for authenticating the identity of newer entities that require a certificate from the certificate authority. It also maintains local registration data information and initiates the renewal and revocation process for old certificates.
The functions of the RA are as follows and are illustrated in the subsequent diagram:
The CR is a certificate database that is accessible by all nodes in the PKI environment. It also holds certificate revocation-related information and the governing policy information. Certificate revocation lists are used in this repository to get an updated list of certificates.
The functions of the certificate repository are as follows:
The entire PKI architecture works on a model named the chain of trust. This model lies within the trust relationship between each identity. Specifically, the difference between a two-tier hierarchy and three-tier hierarchy is that the second tier is placed between the root CA and the issuing CA. The main reason for using a second-tier CA is to have a policy CA that is responsible for issuing certificates to the issuing CA; however, a three tier hierarchy provides better security. This policy CA can also be used as an administrative boundary. This design is also useful if the administrator needs to revoke a number of CAs due to a key compromise; the revoke can be performed at the second level, leaving other branches of the root available, as shown in the following diagram:
During the signing process, the root CA digitally signs the intermediate certificate using its secret key. This process achieves authenticity, stating that the intermediate certificate is trusted by the root CA. Each CA can receive the certificate request from the client and issue it. Normally, the root CA can't be reached by the client, but the client is eligible to hold the root CA certificates. The client sends the certificate request to some subordinate CAs and gets the certificate installed, as shown in the following diagram:
In the following diagram, we can see the flow of sharing digital certificates and their decryption. In order to authenticate the party, the digital certificate is decrypted using the public key:
After understanding the hierarchy of digital certificates with identity, intermediate, and root certificate authorities, now we will learn how communication is established and processed between end clients with browsers and SSL websites. A client requests to access the HTTPS website. A client's browser is preloaded with a number of root CA certificates. Consider the steps as follows:
As per the National Institute of Standards and Technology (NIST), the encryption key life cycle is a combination of the pre-operational, operational, post-operational, and deletion stages of key management. It is important to consider the time spent in the account as the validity of a key is always limited. Hence, the crypto period is used to record the time during which a specific key is authorized for use. The crypto period is determined by combining the estimated time during which the encryption will be applicable and the time when it will be decrypted for use, illustrated as follows:
The following diagram shows the crypto period flowchart with multiple keys:
Now, we can examine the stages in which a key is used and processed:
The Key Management Interoperability Protocol (KMIP) is used for communication between clients and servers to perform management operations on stored objects, which are maintained by a key management system. This is a standardized way to manage encryption keys throughout their life cycle and it has been developed to facilitate both symmetric and asymmetric cryptographic keys, digital certificates, and other related templates to streamline object creation and management, illustrated as follows:
Under the guidelines of the Organization for the Advancement of Structured Information Standards (OASIS), a nonprofit consortium that provides standards for people to exchange information over the internet and within their organizations, there are certain lists of objects a client can request to the key management server:
The challenges of the existing PKI model are as follows:
Furthermore, these trusted third parties are very much capable of intercepting and compromising the integrity and security of users worldwide. There have been several cases where these trusted third parties have shared their customer's information to security agencies and other bodies. They can either do this for financial gain or to prepare customer behavior analytics.
PKI has major vulnerability because of its centralized management system. Blockchain, however, is fundamentally decentralized and allow communication between several parties without any third-party involvement. The approach of going decentralized can be a paradigm shift in the PKI; therefore, it needs a systematic approach to deploy it.
Blockchain is about achieving a decentralized network of multiple participants without third-party involvement. A Decentralized Public Key Infrastructure (DPKI) is an innovative concept that creates authentication systems over public systems without depending on a single third party that can compromise the integrity and security of the system. As we already know, blockchain is built with a trustless approach that allows both trusted and untrusted parties to communicate with each other. However, trust is usually established among geographically and politically disparate participants with several consensus models for the state of the ledger. By definition, blockchain allows you to store any kind of value with several nodes in the network. With DPKI, this value will be a form of secret property.
A principal can be given direct control over global readable identifiers, such as a website domain, by registering the identifier in the blockchain. With the key-value database, the principal uses the identifier as the lookup key. Blockchain can allow the assignment of confidential assets, such as public keys and other attributes, and permit these values to be globally readable in a secure manner that can't be compromised by any MITM, which is possible in PKIX. This is accomplished by allowing the most correct public key to link with the identifier value, and authentication is performed by an identifier lookup of the latest public key.
In this design of DPKI, the system remains decentralized, and control over the identifier remains with the principal. This eliminates the risk of the identifier data store getting compromised.
Ethereum is one of the most flexible and reliable blockchains. It is a programmable blockchain and fits with a granular and policy-based PKI. The PKI is implemented as a function in a smart contract in an Ethereum blockchain. Each entity can have multiple attributes to authenticate ownership. This entity can be a public key or an Ethereum address. Each transaction is identified using a public key and then represented by a corresponding entity ID and PKI. A smart contract is used to program the events and functions of various operations in the PKI. The smart contract can also be configured to invoke specific PKI operations such as create, derive, remove, destroy, and many more. These functions and processes will be written in Solidity and deployed in EVM, which will deliver easier user management for PKI operations. The following sets of PKI operations are made available by programming a smart contract:
In the DPKI deployment, the registrar still has a role in the infrastructure, but it is restricted as follows to ensure that the identities of entities are represented in the network:
This article is written in collaboration with Raj Gupta who has CISA, CPISI, Cobit 5, ISMS LA, CDPO-GDPR, CEH, and CHFI certifications. He is also the author of Hands-on Cybersecurty with Blockchain book.
If you are interested in exploring more complex yet novel topics on blockchain security, you can read our below articles. If you are new to blockchain technology, taking our Intro to Blockchain Technology (self-paced) course is highly recommended.
Here is the list of our free webinars that are highly recommended:
Here is the list of our 10 free self-paced courses that are highly recommended:
If you like to learn more about Hyperledger Fabric, Hyperledger Sawtooth, Ethereum or Corda, taking the following self-paced classes is highly recommended:
If you want to master Hyperledger Fabric, Ethereum or Corda, taking the following live classes is highly recommended:
If you like to learn more about blockchain, reading the following articles and tutorials is highly recommended:
We offer private custom tutoring classes both online and in DC, MD and VA for almost all of our courses or bootcamps. Give us a call or email us to discuss your needs.
$50 Limited OfferREGISTER NOW