Encryption: Public Key Encryption and Public Key Infrastructure (PKI)

Access Control, Big Data Analytics (BDA), Encryption, Foundation of Digital Systems Security, Risk Management and Risk Assessment, Security 6 Minutes

Dr. Aly, O.
Computer Science

Introduction

The purpose of this discussion is to elaborate on the previous discussion of the Encryption  and discuss the functionality provided by the public key encryption and public key infrastructure (PKI).

Public Key Infrastructure (PKI)

The PKI is a framework which enables the integration of various services which are related to cryptography. The purpose of the PKI is to provide confidentiality, integrity, access control, authentication and most importantly non-repudiation.  The encryption/decryption, digital signature, and key exchange are the three primary functions of the PKI (Srinivasan, 2016).

There are three major functional components to the PKI.  The first component involves The Certificate Authority (CA), an entity which issues certificates. One or more in-house servers, or a trusted third party such as VeriSign or GTE, can provide the CA function.  The second component involves the repository for keys, certificates, and Certificate Revocation List (CRLs), which is usually based on a Light-weight Directory Access Protocol (LDAP)-enabled directory service.  The third component involves the management function, which is typically implemented via a management console (RSA, 1999).  Moreover, if the PKI provides automated key recovery, there may also be a key recovery service. The Key Recovery is an advanced function required to recover data or messages when a key is lost.  PKI may also include Registration Authority (RA) which is an entity dedicated to user registration and accepting requests for certificates.  The user registration is the process of collecting information of the user and verifying the user identity, which is then used to register the user according to a policy.  This process is different from the process of creating, signing, and issuing a certificate.  For instance, the Human Resources department may manage the RA function, while the IT department manages the CA.  Moreover, a separate RA makes it harder for any single department to subvert the security system.  Organizations can choose to have registration handled by a separate RA, or included as a function of the CA.  Figure 1 illustrates the main server components of a PKI; certificate server, certificate repository, and key recovery server accompanied with management console, as well as PKI-enabled applications building blocks (RSA, 1999).

Figure 1.  The Main Server Components of PKI (RSA, 1999).

PKI Standards

The PKI standards permit multiple PKIs to interoperate, and multiple applications to interface with a single, consolidated PKI.  The PKI standards are required for enrollment procedures, certificate formats, CRL formats, certificate enrollment messages formats, digital signature formats, and challenge and response protocols.  The primary focus of interoperable PKI standards is the PKI working group of the Internet Engineering Task Force (IETF), also known as the PKIX group for PKI for X.509 certificates (RSA, 1999).  The PKIX specification is based on two other standards X.509 from the International Telecommunication Union (ITU) and the Public Key Cryptography Standards (PKCS) from RSA Data Security (RSA, 1999). 

Standards Rely on PKI

There are standards which rely on PKI.  Most major security standards are designed to work with PKI.  Secure Socket Layer (SSL) and Transport Layer Security (TLS), which are used to secure access to Web servers and web-based applications, rely on PKI.  The Secure Multipurpose Internet Mail Extensions (S/MIME), which is used to secure messaging rely on PKI.  The Secure Electronic Transaction (SET) to secure bank card payments, and  IPSEC to secure connection using VPN require PKI (Abernathy & McMillan, 2016; RSA, 1999; Stewart, Chapple, & Gibson, 2015).

The PKI Functions

The most common PKI functions are issuing certificates, revoking certificates, creating and publishing CRLs, storing and retrieving certificates and CRLs, and key lifecycle management.  The enhanced and emerging functions of PKI include the time-stamping and policy-based certificate validation.  The summary of the PKI functions is illustrated in Table 1, adapted from (RSA, 1999). 

Table 1.  PKI Functions (RSA, 1999).

Public Key Encryption

In 1976, the idea of public key cryptography was first presented in Stanford University by Martin Hellman, Ralph Merkle, and Whitfield Diffie (Janczewski, 2007; Maiwald, 2001; Srinivasan, 2016).  There are three requirements for the public key encryption method.  When the decryption process is applied to the encrypted message, the result must be the same as the original message before it was encrypted.  It must be exceedingly difficult to deduce the decryption (private) key from the encryption (public) key.  The encryption must not be able to be broken by a plaintext attack. Since the encryption and decryption algorithms and the encryption key will be public, people attempting to break the encryption will be able to experiment with the algorithms to attempt to find any flaws in the system (Janczewski, 2007).

One popular method of the public key encryption was discovered by a group of MIT in 1978 and was named RSA after the initials of the three members of the group Ron Rivest, Adi Shamir, and Leonard Adleman (Janczewski, 2007).   The RSA Algorithm was patented by MIT, and then this patent was handed over to a company in California called Public Key Partners (PKP), which holds an exclusive commercial license to sell and sublicense the RSA public key cryptosystem.  PKP also holds other patents which cover public key cryptography algorithm.  RSA encryption can be broken based on factoring numbers involved, which can be ignored due to the massive amount of time required to factor large numbers.   However, RSA is too slow for encrypting large amounts of data.  Thus, it is often used for encrypting the key used in a private key method such the International Data Encryption Algorithm (IDEA) (Janczewski, 2007).

The main difference between the symmetric key encryption and the public key encryption is the number of keys used in operation.  The symmetric key encryption utilizes a single key both to encrypt and decrypt information, while the public key encryption utilizes two keys, one key is used toencrypt, and a different key is then used to decrypt the information (Maiwald, 2001).  Figure 2 illustrates the primary public key or asymmetric encryption operation.  Both the sender and receiver must have a key. The keys are related to each other and called key pair, but they are different.  The relationship between the keys is that the information encrypted by one key can be decrypted by the other key.  One key is called private, while the other key is called public.  The private key is kept secret by the owner of the key pair.  The public key is published with information about who the owner is.  It is published as public because there is no way to publish a private key from it.

Figure 2.  Public Key Encryption Operation (Maiwald, 2001).

The encryption is performed with the public key, where only the owner of the key pair can decrypt the information since the private key is kept secret by the owner if the confidentiality is desired.   The owner of the key pair encrypts the information with the private key if authentication is desired.   The integrity of the information can be checked if the original information was encrypted with the private key of the owner (Maiwald, 2001; Stewart et al., 2015).

The asymmetric key cryptography or public key encryption provides an extremely flexible infrastructure, facilitating simple, secure communication between parties that do not necessarily know each other before initiating the communication.  The public key encryption also provides the framework for the digital signing of messages to ensure non-repudiation and message integrity.  It also provides a scalable cryptographic architecture for use by large numbers of users).  The significant strength of the public key encryption is the ability to facilitate communication between parties previously unknown to each other.  This process is made possible by PKI hierarchy of trust relationships.  These trusts permit combining asymmetric cryptography with symmetric cryptography along with hashing and digital certificates, providing hybrid cryptography (Abernathy & McMillan, 2016; Maiwald, 2001; Stewart et al., 2015)

The limitation of the public key encryption is that they tend to be computationally intensive and thus are much slower than symmetric key systems.  However, if the public key is teamed with the symmetric key encryption, the result is the much stronger system. The public key system is used to exchange keys and authenticate both ends of the connection.  The symmetric key system is then used to encrypt the rest of the traffic as it is faster than the public key system (Abernathy & McMillan, 2016; Maiwald, 2001; Stewart et al., 2015).

References

Abernathy, R., & McMillan, T. (2016). CISSP Cert Guide: Pearson IT Certification.

Janczewski, L. (2007). Cyber warfare and cyber terrorism: IGI Global.

Maiwald, E. (2001). Network security: a beginner’s guide: McGraw-Hill Professional.

RSA. (1999). Understanding Public Key Infrastructure (PKI). Retrieved from ftp://ftp.rsa.com/pub/pdfs/understanding_pki.pdf, White Paper

Srinivasan, M. (2016). CISSP in 21 Days: Packt Publishing Ltd.

Stewart, J., Chapple, M., & Gibson, D. (2015). ISC Official Study Guide.  CISSP Security Professional Official Study Guide (7th ed.): Wiley.

Unknown's avatar

Published by Think and Knowledge Tank

Published