PKI, or Public Key Infrastructure, is the general term used for establishing and managing public key encryption, one of the most common forms of internet encryption. It is baked into every web browser (and many other applications) in use today to secure traffic across the public internet, but organizations can also deploy it to secure their internal communications and access to connected devices.
The most crucial concept involved in PKI is, as its name implies, the paired cryptographic keys that are at its core. These keys are not only part of the encryption process, but they help authenticate the identity of the communicating parties or devices.
Why is PKI important? It’s because this combination of encryption and authentication makes trustworthy online communication possible.
There are 2 core types of encryption:
- symmetric – the same key, used for encryption, is used for decryption
- asymmetric – the encryption and decryption keys are different
It’s important to note that PKI is a form of asymmetric encryption (only).
There are 2 concepts of PKI that are the most important in this discussion:
A key is used to encrypt data, while a recipient of the encrypted data needs to have the same key as well as the cipher used to encrypt the data, if they want to decrypt the data.
A certificate is different as the recipient does not have/get the key to decrypt the data. An alternate solution is required here.
Basic PKI operation
Certificates are a form of identification that can also be used to encrypt and decrypt data. There are 2 forms of certificates, private and public.
The public key is available to anyone who requests it and is issued by a trusted certificate authority (CA). This public key verifies and authenticates the sender of the encrypted message. The second component of a cryptographic key pair used in public key infrastructure is the private, or secret, key. This key is kept private by the recipient of the encrypted message and is used to decrypt the transmission.
Complex algorithms and ciphers are used to encrypt and decrypt public/private key pairs and aid in communication of this information. The public key authenticates the sender of the digital message, while the private key ensures that only the recipient can open and read it.
The most common use of PKI is the TLS/SSL protocol which is most often used to secure HTTP web traffic (although it can be used in any other scenario where asymmetric encryption is required (ie. where the recipient of an encrypted data will not know the encryption key).
PKI infrastructure and operation
There is an infrastructure required for PKI which includes trusted authorities (a CA), a service provider (web site or app) and a service consumer (browser).
The flow of PKI is as follows:
- a site/service owner generates a private key
- the private key is used to generate a certificate request
- the certificate request is submitted to a certificate authority (CA)
- the CA requires the submitter to verify their identity (multiple options here including email, dns and interactive) depending on the certificate type
- the submitter validates the certificate verification request
- the CA acknowledges the validation and issues the certificate
- the site/service owner downloads and configures the public certificate on their service
- a client connects to the site/service and validates the site certificate against the signing CA
CA’s form an important part of a chain of trust between the service operator and the service consumer. Becoming a CA is a significant undertaking and requires adherence to a onerous and rigorous set of requirements and rules as set out by the CAB forum, an industry standard organisation overseeing PKI operations.
Issues surrounding PKI
downtime/outages due to certificate mismanagement
Issues around certificate management can include misconfigured PKI, expired certificates and incorrect extensions selection; these can result in unwanted public access to encrypted resources
unsecured certificates undermine trust
Expired and/or invalid certificates can reduce (or remove completely) the trust in a service – trust is only expected when the service is actually trustworthy
CA compromise are a big threat
Not a common issue but compromised CAs (intentionally or not) can result in malicious (and potentially duplicate) certificates being issued for valid services
encryption increases operational complexity and cost
Managing PKI in an organisation takes time, skill and resources which are often in short supply
lack of resources to support PKI and no (clear) assigned ownership
PKI is often an afterthought in many organisation, resulting in issues and potential security risks
The above issues clearly indicate that PKI needs to be taken seriously and managed (correctly). What can we do to improve the PKI function?
A fully managed PKI service
There are clearly operational and security concerns around PKI that need to be managed. The following provides some aspects of PKI that should be part of your PKI solution.
It is critical that PKI certificates and infrastructure be seen as an integral part of the security of an organisation.
- secure private certificates in storage, operational use and transit
- consider private certificates/keys a secret of the organisation and treat them accordingly
- use secure storage to store private keys
- secure operational private keys effectively with authentication, permissions and access control
- use secure methods to transport private keys
- don’t (unnecessarily) share private keys with 3rd parties
- use wildcard certificates sparingly (if at all)
PKI resources and skill
- retain/assign resources (in-house or 3rd party) skilled in the operation of a secure PKI infrastructure
- track the security feed of your chosen CA partner
- document resources applicable to your PKI operations via your CA partner
- make use of CA or 3rd party tools for certificate lifecycle management – this should include tracking, issuance, renewal, notification, reporting and compromise of certificates and CAs
- regularly audit your PKI solution
- track certificate location, expiry, type and assignment
- track who has access to your PKI and certificates
- implement (access to) CRLs and configure internal browser systems accordingly
3rd party PKI handling
It’s a common scenario that 3rd parties require access to your PKI certificates. This is a difficult situation as you will be giving a core secret (private keys) to someone else. Handling is critical here.
- only provide to 3rd parties what is minimally required
- 3rd parties should sign or acknowledge receipt of your PKI resources
- 3rd parties should make their PKI handling processes available to you
- 3rd parties should have a breach/compromise notification process in place, as well as an IRP
- an NDA may be used to associate compliance to the various parties
PKI is a requirement to conduct secure operations on the internet and on internal private networks. It secures a service via encryption and confirms to service users that the service is what it says it is. Encryption and identity …
It also has the “keys to the kingdom” and should be managed accordingly. Unfortunately, and to the detriment of many, PKI typically goes unmanaged even though it deserves a closer look and input by most organisations.