Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI) is a popular encryption and authentication approach used by both small businesses and large enterprises. Here's how PKI is used today and how you can implement it in your organization.

Identity and authorization management (IAM) applications and encryption generally are considered two of the most important components of a layered security environment. Today it is not enough to assume that the person who has access to data is authorized, it is essential to confirm that authorization and make sure that the decryption protocols are followed in accordance with the company's information security policies and procedures.

In the Windows environment, IAM is an integral component of Microsoft Active Directory. While we've looked at numerous IAM tools enterprises can use, ranging from the Public Key Infrastructure (PKI) for small to midsize businesses to enterprise-class offerings that also include credential management, PKI is popular amongst companies of all sizes.

What Is Public Key Infrastructure (PKI)

The PKI environment is made up of five components:

Certification Authority (CA) -- serves as the root of trust that authenticates the identity of individuals, computers and other entities in the network.
Registration Authority (RA) -- is certified by a root CA to issue certificates for uses permitted by the CA. In a Microsoft PKI environment, the RA is normally called a subordinate CA.
Certificate Database -- saves certificate requests issued and revoked certificates from the RA or CA.
Certificate Store -- saves issued certificates and pending or rejected certificate requests from the local computer.
Key Archival Server -- saves encrypted private keys in a certificate database for disaster recovery purposes in case the Certificate Database is lost.

From an operational perspective, PKI is an encryption approach where a pair of cryptographic keys -- one public and one private -- are used to encrypt and decrypt data. A user can give someone their public key, which that sender uses to encrypt data. The owner then uses their private key to decrypt the data. This authentication and encryption approach originated in the British intelligence community in the early 1970s and has been used commercially for nearly 20 years.

Examples of how PKI technology is used today include sending authenticated email messages using technologies such as OpenPGP (Open Pretty Good Privacy) or S/MIME (Secure/Multipurpose Internet Mail Extensions), encryption of documents using the eXtended Markup Language (XML), and authentication of users using smart card logins or client authentication using SSL (secure socket layer) signatures or encryption.

How Public Key Infrastructure Is Used Today

PKI is used by companies that must meet security compliance regulations. Entrust, for example, offers PKI products that can be used to meet strong identity authentication for first responders, as well as healthcare authentication for Medicare and Medicaid providers. While consumers often think of massive medical centers and big medical insurance companies when they think of the healthcare industries, a large number of small medical, chiropractic, and naturopathic offices with 10 or fewer employees also have to meet the same Health Insurance Portability and Accountability Act (HIPAA) requirements as the Mayo Clinic or any other big hospital.

While it is possible to have self-signed certificates created by commercial software -- this article is being written in Microsoft Office 2007 that has the ability to encrypt this document and attach a digital signature -- a self-signed document generally does not carry the same security status of a document that has a third-party digital certificate from a verified certificate provider. Even Microsoft's own TechNet site states that self-signed documents generally are used between people whom already know each other and are confident that the sender actually created the signed document.

But what can a PKI actually do for a company? According to Microsoft, here are some the key reasons to deploy this infrastructure:

Control access to the network with 802.1x authentication;
Approve and authorize applications with Code Signing;
Protect user data with the Encryption File System (EFS);
Secure network traffic IPSec;
Protect LDAP (Lightweight Directory Access Protocol)-based directory queries - Secure LDAP;
Implement two-factor authentication with smart cards;
Protect traffic to internal web-sites with Secure Socket Layer (SSL) technology;
Implement secure email.

A number of applications also can use the PKI certificates. Aside from the aforementioned email and network access controls, PKI also can be used for enterprise- and SMB-class databases, electronic document and forms signing, secure instant messaging, mobile device security, securing USB storage devices, Windows Server Update Services, Active Directory and more.

Implementing PKI

The cost of implementing PKI obviously varies with each installation, but there are some common expenses that occur. On the hardware side, there can be costs relating to the servers themselves, hardware security modules (HSMs), backup devices and backup media. In a Windows environment, there also can be server licensing fees.

In addition, there also will be personnel expenses for hiring someone to design, implement and manage the PKI environment, as well as possible expenses for integration and automation of systems. There also will be on-going expenses for a staffer to manage the issuing and revoking of certificates, as well as normal systems maintenance such as applying patches and running backups.

Based on the complexity of the environment, it is possible to have a single server act as both the root and issuing CA. A two-tier hierarchy consists of the root CA with issuing CAs connecting up to the root. This is considered to be the most common design, although the architecture can be designed with a Policy or Intermediate CA sitting between the root and issuing CAs. In this design, the policy server could restrict the types of certificates an issuing CA could create.

Security best practices dictate that companies should avoid putting high-risk applications, such as a web server, on the same physical host as a high-value resource, such as the PKI server. If the high-risk applications are hosted on a virtual machine (VM), those VMs also should be on different physical systems than the PKI server.

Additionally, PKI is a very effective method for implementing multi-factor authentication. Some companies, such as Unisys, require that devices that are attached to the corporate network must be able to use PKI for the encrypted and authenticated exchange of information.

Safenet, a provider of authentication and encryption products, says that companies considering employing PKI for full-disk encryption, network logon, digital signatures and similar applications should look at context-based authentication to ensure that the user's access credentials are appropriate for the data being accessed.

For an organization that wants to adopt a PKI environment, says Abhijit Tannu, chief technology officer of Seclore Technology in Mumbai, India, the most important first step would be a security architect who would define the services and applications that need and will use the PKI service.

"PKI by itself does not provide security unless it is used in conjunction with other solutions (and) communication platforms like email (or) mobile device management (MDM)," he says. "Therefore it is important to have someone who will define the overall security architecture. The organization will also need someone to define and implement the policies that will be governing the generation and renewal and revocation of the PKI certificates."

For companies that want PKI capabilities but not the capital investment in hardware and software, PKI is also available from managed security services providers.

"To provide such a service," Tannu says, "the organization would need to have a very deep understanding of PKI infrastructure and how it gets integrated with various solutions like email, browsers, MDM, (and other applications). They will also need a rock-solid infrastructure and industry-grade security around the infrastructure hosting the service."

PKI In The Enterprise

In corporate environments, Public Key Infrastructure (PKI) is commonly used to authenticate users trying to access data, including validating transactions.

Security vendor SafeNet offers PKI services for USB and smart card authentication, cryptography as a service (CaaS), and protection of hardware security modules (HSMs). In addition to offering various multi-factor authentication hardware and software tokens, the company offers multiple data encryption and control products, ranging from network appliances to software-only encryption.

Like SafeNet, Certified Security Solutions (CSS) Inc. leverages PKI technology for authorization and encryption products. The CSS approach includes offering PKI as a Service (PKIaaS), allowing companies to take advantage of PKI managed services without building out their own corporate infrastructure for PKI. In addition, the company offers a Certificate Management System available as a software product, managed service or as part of its cloud offering.

While encryption and authorization are available for most any application, it still requires that the company first conduct a detailed analysis of its IT assets, applications and data. Without knowing what a company owns and where the data or device is located, implementing any security program will be problematic at best. That said, authorization and identity management, combined with encryption policies and procedures for the most sensitive data, will go a long way to protect a company's most precious information.

Remember that even if an attacker is in the network and trying to steal corporate data, encrypted data will do them no good if they successfully exfiltrate it from the network. Further, data that they steal but cannot access also is of no value to criminals.