
Public Key Infrastructure

Jim Hurst
Introduction
Secure communication is an essential requirement for any modern organization. In
practical terms, this often means sending encrypted information across the Internet,
whether by electronic mail, file transfer, secure web transactions, or telephony. Public key
infrastructure, or PKI, addresses the problem of managing encryption and decryption
keys for groups of users so as to assure the confidentiality of information. PKI also provides
for the use of digital signatures, which allow the integrity of digital information to be
verified. A final benefit of PKI is non-repudiation: verification that a particular author
sent a given message.

PKI is based upon three principal technologies: public key cryptography, digital
signatures, and digital certificates. These key components are discussed in the next
sections, followed by an explanation of how PKI is implemented in the enterprise
and the problems it must address.

Public Key Cryptography

Any discussion of public key infrastructure must begin with public key cryptography.
Public key cryptography, also known as asymmetric cryptography, allows users to
communicate secretly without having a shared secret key. The trick is that each user has
both a public and a private key. Anyone can access the public key, but only the user has
access to the private key. The true magic of public key systems is that when a particular
public key is used to encrypt information, only the corresponding private key can decrypt
it (because the keys are mathematically related). To send you a secret message, I use your
public key to encrypt my message. I can then send you the message via public means,
because no one can read the message without your private key.

Mathematicians Whitfield Diffie and Martin Hellman developed the first published
practical application of public key cryptography in 1976 (although classified systems
were probably already in use at this time). Their method of jointly establishing a secret
key is now known as Diffie-Hellman key exchange.

In 1978, the team of Rivest, Shamir, and Adleman published a method of using two large
primes for encryption and decryption that combined public key encryption and digital
signatures. The method, still used today, is known as RSA, and it is based on the
computational difficulty of factoring a large integer that is the product of two large
primes. Other well-known public key algorithms include ElGamal, which is based on
discrete logarithms, and ECC (elliptic curve cryptography), which is based on the
algebraic structure of elliptic curves over finite fields.

Digital Signatures
A second crucial application of public key cryptography is digital signing. A digital
signature allows verification that a particular private key signed a particular message, which
provides the benefits of integrity and non-repudiation. An author signs a document by
computing an electronic fingerprint of the document (a hash) and then encrypting that hash
with the author's private key. The recipient of the document decrypts the signature with the
author's public key to recover the original hash and compares it against a freshly computed
hash of the received document. If the two hashes do not match, the document has been
modified since it was signed. If they match, the document has not been modified, and
because only the author's private key could have produced a signature that decrypts
correctly under the author's public key, the author must have signed the document, which
makes the author responsible for it. This ability to verify that a given sender did indeed
send a particular message is known as non-repudiation.

Digital Certificates
Current implementations of PKI depend on digital certificates, also known as public key
certificates or identity certificates. A digital certificate uses a digital signature to bind
a user identity to a public key. The user identity can include arbitrary fields, usually
name, organization, and address. A certificate authority (CA) creates and maintains
these digital signatures. Certificate authorities function as trusted third parties,
validating the identities behind all user certificates they create. Governments and large
organizations can have their own CAs, and there are numerous commercial CAs; a
certificate authority and the tools to use it are integral parts of any PKI.

The most common digital certificate standard is ITU-T X.509. X.509 provides
standard formats for certificates and a set of procedures to determine whether a given
certificate is valid. An X.509 certificate has a start date and an expiration date, both
defined when it is created. The CA might also have revoked the certificate before it
expires; X.509 uses a Certificate Revocation List (CRL) to keep track of certificates that
have been voided.

A common use of X.509 certificates is for one CA (the root CA or root authority) to
endorse a second-tier CA, which then generates user certificates. Validating a user
certificate means validating the parent CA that issued it, which in turn requires
validating the root CA that endorsed the issuing CA. The most common application of
digital certificates is the Secure Sockets Layer (SSL) used in web commerce. SSL is not a
true PKI system, because only the server is validated; the client is not.
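
The two-tier hierarchy just described, as an added Go example that is not code from this article: a self-signed root CA endorses an issuing CA, which issues a user certificate, and verifying the user certificate walks the chain back to the trusted root while enforcing each validity period. The CA names, the user identity alice@atlas.example and the must helper are my own constructions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caUsage is what a CA key may do; user certificates never get CertSign.
const caUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
// must panics on error so the example stays short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue generates a key pair and a certificate binding cn to its public key, signed by parentKey; a nil parent makes it self-signed (the root CA).
func issue(cn string, usage x509.KeyUsage, notAfter time.Time, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: notAfter, IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: usage}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}
// buildHierarchy models the text: the root CA endorses a second-tier issuing CA, which issues the user certificate.
func buildHierarchy(userLifetime time.Duration) (root, issuing, user *x509.Certificate) {
	decade := time.Now().Add(10 * 365 * 24 * time.Hour)
	root, rootKey := issue("Atlas Root CA", caUsage, decade, nil, nil)
	issuing, issuingKey := issue("Atlas Issuing CA", caUsage, decade, root, rootKey)
	user, _ = issue("alice@atlas.example", x509.KeyUsageDigitalSignature, time.Now().Add(userLifetime), issuing, issuingKey)
	return
}
// verifyUser validates user as the text describes: it must chain through the issuing CA to a trusted root, and every certificate in the chain must be inside its validity period at time 'at'.
func verifyUser(user, issuing, root *x509.Certificate, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(issuing)
	_, err := user.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: at})
	return err
}
func main() {
	root, issuing, user := buildHierarchy(24 * time.Hour)
	fmt.Println(verifyUser(user, issuing, root, time.Now()), verifyUser(user, issuing, root, time.Now().Add(48*time.Hour))) // <nil>, then an expiry error
}
```

Passing only the root as both trust anchor and intermediate shows the other failure the text mentions: without the issuing CA's certificate the chain cannot be built and the user certificate is rejected.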

Implementations
Consider a simple example of a PKI system at work. Alice, an employee of Atlas
Amalgamated, needs to send a secret bid to Bob at Better Business. Alice uses her normal
email client, but flags the message as encrypted. The corporate PKI system must
authenticate Alice’s identity, then contact Bob’s CA, retrieve his public key, and use this
key to encrypt the message. It also digitally signs the email with Alice’s private key, and
then sends it to Bob across the Internet. When Bob receives the message, his PKI system
authenticates his identity, notes that the email is signed, and contacts Alice’s certificate
authority to retrieve her public key. The system uses Alice’s public key to decrypt the
hash. It then generates a new hash to verify that Alice sent the message and it has not
been modified. The PKI next decrypts the message using Bob’s private key and delivers
the plaintext into Bob’s inbox.
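
The Alice-to-Bob exchange above, together with the hash-then-sign mechanism from the Digital Signatures section, as an added Go example rather than the article's own code: Alice signs the SHA-256 hash of the bid with her private key and encrypts the bid to Bob's public key; Bob decrypts with his private key and checks the signature against Alice's public key. It assumes both public keys have already been retrieved from the respective CAs, uses RSA-PSS and RSA-OAEP padding in place of the bare "encrypt the hash" description, and the keys and bid text are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// newKey makes a fresh 2048-bit RSA key pair; in a real PKI the CA would certify its public half.
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Send is Alice's side: sign the SHA-256 hash of msg with her private key (RSA-PSS), then encrypt
// msg to the recipient's public key (RSA-OAEP, which by itself caps msg at ~190 bytes for 2048-bit keys).
func Send(msg []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (ciphertext, sig []byte, err error) {
	digest := sha256.Sum256(msg) // the document's "electronic fingerprint"
	if sig, err = rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil); err != nil {
		return nil, nil, err
	}
	ciphertext, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, msg, nil)
	return ciphertext, sig, err
}

// Receive is Bob's side: decrypt with his private key, re-hash the recovered message, and check
// the signature with the sender's public key (as retrieved from her CA). Tampering with either
// part, or a signature made with some other key, produces an error.
func Receive(ciphertext, sig []byte, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, ciphertext, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, err
	}
	return msg, nil
}

func main() {
	alice, bob := newKey(), newKey() // constructed for the demo
	ct, sig, _ := Send([]byte("Atlas Amalgamated bid: 1,250,000"), alice, &bob.PublicKey)
	msg, err := Receive(ct, sig, bob, &alice.PublicKey)
	fmt.Printf("%s (%v)\n", msg, err) // Atlas Amalgamated bid: 1,250,000 (<nil>)
}
```
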

Even this simple application highlights the challenges that PKI systems face. Different
organizations might use different certificate authorities. Does
Alice’s organization trust Bob’s CA? How does her PKI system know where to find
Bob’s public key? PKI offers huge benefits, but real-world experience has proven that a
workable implementation is non-trivial. An effective PKI system must be seamless,
meaning that it works with existing enterprise applications and existing organizational
workflows. It must be secure, so that access to private keys is tightly controlled. Users
should not be able to copy or extract private keys. The PKI must provide means to
publish public keys, validate certificates, and revoke certificates. Deploying a PKI
represents a serious commitment of resources. To date, its use has largely been restricted
to governments and large enterprises.

In the 1990s, vendors sensed a large market for PKI and began delivering products,
although both technical issues and operational problems slowed uptake in the enterprise.
Besides the technical issues illustrated in the example above, PKI systems must fit into an
organization's operating procedures, which means that they must integrate into the many
and varied workflows of a complex organization and gain acceptance from the
workforce. Early vendor offerings tended to lack the flexibility required for easy integration.

The simple public key infrastructure (SPKI) promised an alternative to the
"heavyweight" PKI described above. SPKI grew out of multiple independent efforts to
simplify the use of digital certificates. SPKI binds users directly to keys with a local trust
model.

PKI offerings have found a market, although it has grown more slowly than anticipated.
Enterprise PKI schemes are often integrated into a directory structure, such as LDAP,
tying the public key embedded in a certificate to personal information. Current PKI
offerings are often integrated with smartcards, so that users can carry both public and
private keys with them with little risk of the keys being compromised. The largest
deployment of PKI to date is the United States government's Defense Information
Systems Agency's Common Access Card program. Because PKI systems are intended to
interoperate, they require well-defined standards. The Internet Engineering Task Force
(IETF) PKIX working group develops most of the standards for PKI systems.

PKI’s Security
PKI systems are large and complex, and the public key cryptography they use is
neither more nor less secure than symmetric cryptography. There is always a risk that as a
system grows more complex, unexpected interactions between components will introduce
vulnerabilities. PKI systems are rigorously designed and tested to avoid such
vulnerabilities. Ideally, these systems bring seamless, well-engineered security to
digital information. However, they remain subject to improper configuration, human
error, and social engineering.

Summary - The Future

PKI fills an essential function; therefore, its role will continue to grow. The integration of
smartcards and PKI systems is growing in popularity. The market for a cheap and
effective PKI is huge, although the complexity of the problem PKI addresses means that
implementing a PKI requires a major commitment. In turn, commercial offerings will
remain relatively expensive to deploy and maintain. Because of the expense, large
organizations will continue to dominate PKI uptake in the near term.
