The PKI explained. Not that anyone asked.

***Disclaimer. I’m serious, all I do in this is explain some of the basics of information security. It’s honestly pretty boring stuff, and it’s remembered from when I certified in Security +, well over a year and a half ago. This is also the first time of really done anything with this knowledge since then, as I’m not concerned with any type of security. So in addition to being boring, there is a very good chance that a lot of this is wrong. So if you want to read something long, boring, and potentially incorrect, you’ve been warned.***

Security is predicated on possession of at least two of three things, what you have, what you know, and what you are. Rather, good security is based on this principle; a car is secured with only one of those three, what you have, and as a result is relatively easy to steal. One can obtain a key, or pick the lock (which we could consider an example of a brute force attack). If you combine two elements you drastically increase the difficulty of the problem, which is why modern banking relies on Debit cards, which combine what you have, a card containing a hash, and what you know, your pin number.

Computer security is in large part based on this principle. A secure modern network will probably implement this through the use of what you have and what you know, in a manner rather like a bank. An individual will be issued with a Common Access Card (CAC) and told to create a pin number. This then ensures physical security of the computer, a user can lose their CAC, or divulge their PIN and security is not compromised (except for the user’s who wrte their PIN on their CAC….).

So now that we have ensured the physical security of the computer how do we secure the network, or at the very least communication within the network? As the OSI model would tell us, the first thing we should secure is the physical. Put up a fence. But in the modern world where people cannot be trusted and all you need to do is splice in a hub to capture every single packet being passed, how do we maintain the intergrity of our network?

This is where the Public Key Infrastructure ( PKI – do not refer to it as the PKI infrastructure, you will look like a moron) comes in. Operating in conjunction with your common access card(the two are part and parcel), the PKI enables you to encrypt a message and send it to anyone also a member of the infrastructure. Everyone a member is in possession of two key’s, a public and a private; the public is made available to all members of the network, and the private is kept, as implied, private. The two keys are married to each other, a message encrypted with the public will only decrypt with the private. So if you need to send a message to A, you take his Public key, encrypt the message and hit send. Voila, information security.

But wait (you cry), this approach means that while the Confidentiality of the message will be ensured, this does not matter, as the Integrity is compromised. And by this, of course, you mean that as everyone has access to the public certificates, you cannot verify the the identity of the sender, thus the content cannot be trusted. This, (I reply, triumphantly) is where digital signature’s come in.

When I send that message to A, I run it through a common function which generates a hash, or a string of bits. This hash I then encrypt using my private key, and attach to the original message as my “Digital Signature”. Then, when the sender receives my message, he both decrypts my signature using my public key and hashes the message himself, if the two hashes match, then he knows that it was indeed myself who sent the message, as only I am in possession of my private key; and that the message itself was not tampered with, if it was his hash would not match that of the signature. Integrity.

Still (you plaintively moan) where do these key’s come from, and how do you trust their authenticity? In a large corporate network, you will have a Certifying Authority responsible for the issue of public and private keys, and an information infrastructure which will support the continual addition of new keys, an enterprise network. In an enterprise network all of what I described will be transparent to the user, a button is clicked, magic happens. You can build a PKI in your private life however, most commonly (among the tin-foil hat brigade) by using what’s called a web of trust.

A web of trust is an implementation of PKI where you rely on personal interaction as opposed to an network to share keys. Instead of relying on a CA to ensure that a person is who their key claims to be, you rely on the digital signatures of others with in the web. So having made your key available to the world, others can verify it’s authenticity by viewing the number of people who have digitally signed your key, the people vouching for the trustworthiness of your key. This signing is done at a key-signing party, once satisfied as to the authenticity of your key other individuals will attach their digital signature, thus, the web of trust. As you can imagine these parties are quite lively, I’ve always held that no party is complete without the transfer of long strings of meaningless ones and zeros.

So (you say, perking up considerably) information security professionals are not total strangers to the world of parties. Unfortunately (I reply with eyes that you have just noticed look particularly deadish) , they are total strangers to the world of parties that occur outside the realm of key-signing, as any kind of work in the field of information technology kills your soul.


One Response to “The PKI explained. Not that anyone asked.”

  1. Adam Says:

    This is by far the best description of PKI I have found and even makes Dummies guides look complex. Thanks man, much apprecited.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: