Friday, November 28, 2014

Information Security Basics Part 4:Public Key Infrastructrue (PKI)

On my last post, I talked about cryptography and one of the Cryptographic algorithms is Public Key where a pair of keys are generated.

I am sure everyone would have seen this on their browser:

Usually, user will just click "I Understand the Risks" and move on.  User education is a major part of security in an enterprise or as a matter of fact any organization.  An organization can have the state of the art firewall and IPS/IDS but the users are always the weakest link for security.  Nowadays, USB comes in 4G, 8G or 16G.  Way back when most USB is 256 MB, hackers would put a 1G USB (with virus) on a cooperation's packing lot hoping some employee would pick that up and plug that onto their PC at work to checkout what is in the USB.  It is very possible to gain access to a cooperation's network this way.

Anyways, back to the topic of this post. On a web browser when we are using https we are using a digital certificate to prove the identity of the web server.  Digital certificate is usually generated in a Public Key Infrastructure(PKI). Since we get in touch with digital certificate on a daily basis I think it will be interesting to take a look PKI.

PKI is a big topic and I can only touch on the most important elements so we can have a general overview of what PKI is.  

Digital Certificate
Wikipedia defines Digital Certificate as "an electronic document used to prove ownership of a public key. The certificate includes information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner."

Digital certificates are in the X.509 format where there is a data section and a signature section.
 image source:http://pic.dhe.ibm.com/infocenter/tpfhelp/current/topic/com.ibm.ztpf-ztpfdf.doc_put.cur/gtps5/ssldig17.gif

The above diagram breaks down the different sections of a digital certificate.  For a more detailed description of digital certificate take a look at this IBM article.

One important information included in the certificate is the public key.  When a certificate is generated a private key and a public is issued.  The private key is keep by the owner of the certificate while the public key is included in the digital certificate and thus we have the name "Public Key" Infrastructure.
 
Online banking and eCommerce while being the most common use case for digital certificate, there are other use cases for digital certificates such as VPN (Virtual Private Network) that we can enable remote employees to gain access to the cooperate computer resources.  Company issued digital certificates are installed on the remote employee's laptop.  With a company issued/trusted certificate, the device is able to prove identity and gain access from home or from hotel securely over certificate based VPN.  Even for SSL based VPN, certifcate are also used.

Public Key Infrastructure (PKI)
For banking and eCommerce, the digital certificates are bought from well know digital certificate vendors such as Verisign, GeoTrust or Thawte.

It is also common for organization to setup it own Public key Infrastructure for its internal use.

When we see the word "infrastructure", we will think of complicated system such as OpenStack as a cloud infrastructure.  According to this article, PKI at its core is abut certificate:
  • How they are created
  • What information they contain
  • How they are used
  • What is the level of trust 
  • What to do when the certificate is lost
Planning and writing up of of the security procedure are an essential part of setting up a Public Key Infrastructure.  Written documents are particular important for security audit and to comply to regulatory requirements.

When we think of PKI we think of a PKI hierarchy.  In a PKI hierarchy, there is the the concept of Root CA and the Issuing CA. 

In the simplest form, PKI will have one server being the Certification Authority (CA) to generate and to revoke certificates.   In a more complex environment, there is a Root CA and then there are subordinate CA  This is useful for a big cooperation to configure subordinate CA to handle the certificate issue of a particular division.

This is the concept of CA tiering.  In general there are 3 types of tiering design.

Single/One Tier Hierarchy
A single machine handles all the operations concerning certificate.  As mentioned before in a PKI hierarchy there is the Root CA and there is the Issuing CA.  In this case of a single machine, it performs both functions.  While it is the simplest way, it is not a secure way.  User will have to decide if this single tier hierarchy is sufficient to serve the organization.
image source: http://blogs.technet.com/blogfiles/askds/WindowsLiveWriter/DesigningandImplementingaPKIPartIDesigna_884F/image_2.png

Two Tier Hierarchy
In this model, the Root and Issuing CA are on a different machine.  In this tier, the Root CA is put offline so as to protect the private key of the Root CA.  In this model there can be multiple Issuing CAs and it can be distributed according to geographic or departmental need.

image source: http://blogs.technet.com/blogfiles/askds/WindowsLiveWriter/DesigningandImplementingaPKIPartIDesigna_884F/image_4.png

Three Tier Hierarchy
In this tier there is a new type of CA - Policy CA in between the Root CA and the Issuing CA.  The purpose of the Policy CA is to issue certificate to the Issuing CA according to administrative boundary and restriction.  Each Policy CA will have its own Issuing CA.  Same as the Root CA, once the PKI is setup the Policy CA is put offline for security purpose.

Another advantage of this model is that if some certificate is compromised, user can only revoke the a single Policy CA's certificate without having to affect the other certificate under a different Policy CA.  For example, if the Policy CA is configure for different remote offices based on it geographic location.  If the certificate for Branch A is compromised, we just revoke the certificate of the Policy CA for Branch A.  All other remote location are not affected.


image source: http://blogs.technet.com/blogfiles/askds/WindowsLiveWriter/DesigningandImplementingaPKIPartIDesigna_884F/image_6.png

There are a lot more to talk about PKI.  As I am interested in security, I will blog about this subject again in the near future.

Related Post:
Information Security Basics Part 1: Security Models
Information Security Basics Part 2: Defense in Depth 
Information Security Basics Part 3: Cryptography

Reference:
"Public Key Certificate." Wikipedia. Wikimedia Foundation, 15 Nov. 2014. Web. 24 Nov. 2014.
"Getting Started with Public Key Infrastructure." Networklore. N.p., n.d. Web. 24 Nov. 2014.

No comments:

Post a Comment