A public key infrastructure (PKI) is a collection of methods, rules, policies, and roles that are required to generate, manage, provide, employ, and rescind digital certificates; it’s also responsible for the management of public key encryption. A PKI aids in securing the transfer of data over various network infrastructures, such as online banking, e-commerce, and other client-server architectures. With a PKI, a network engineer forms and ensures the maintenance of a credible networking territory by encrypting the traffic and by using digital certificates efficiently. Gone are the times when a simple password could perform adequate authentication and security; these days, a more concrete proof of identity is required before transfer of information can be allowed between two parties.

For an information security professional, the knowledge of PKI is absolutely essential. PKI security is hence a component of the CISSP credential that can’t be overlooked. The very basic concepts of PKI and cryptographic applications are a part of the CISSP CBK. Most of the CISSP guide books and reference material contain enough information regarding the pertinent topic to make an applicant substantially informed about it. The CISSP for Dummies book, for example, has a complete chapter on cryptography that elaborates the concepts in great detail.

PKI FOR CISSP

If you want to know all there is about PKI security in order to prepare for your CISSP exam, then you need to go through the following topics, at the very least:

The four basic components:

  1. Certification authority: The certification authority (CA) has all the software, hardware, and personnel required to administer the PKI. All the responsibilities including certificate issuance, maintaining certificate revocation lists (CRLs) and archives, etc., fall under the jurisdiction of the CA.
  2. Registration authority: Similarly, the registration authority(RA) has the personnel, hardware, and software required for PKI administration. The RA verifies the contents of the digital certificates for the certification authority.
  3. Repository: This system is responsible for receiving the certificate revocation lists and the certificates from the CA and distributing them to the pertinent parties.
  4. Archive: The archive stores the information that is archived by the CA.

Key management:

Awarding the keys and letting the encrypted data travel between two authorized parties isn’t enough. Managing and safeguarding the encryption keys is also substantially important. The most important key management functions are (but not entirely limited to):

  1. Key generation: The key generation process should take place on a secure system and the generation scheme should not give away any hints about the contents of the key.
  2. Key distribution: The key distribution process is also of paramount importance because, if not properly managed, it can lead to severe security loopholes.
  3. Key installation: Most of the time, key installation is a manual process. They key should not get compromised during the installation and should also not be entered incorrectly.
  4. Key storage: Salted hashes of keys are normally stored on a secure system.
  5. Key change: Keys should be changed periodically to ensure the security and sanctity of the system.
  6. Key disposal: When the keys are about to be replaced, they should be completely removed from the system to ensure that they are not used by any user ever again.

The concept of public and private keys:

However complex some people might want to make it sound, the concept of public and private keys is fairly simple. From the various PKI security components, these two keys are the most important. Each of them is a fairly long, randomly generated alphanumeric string. Below is an example of a public key:

3042 0241 00C9 18FA CF8D EB2D EFD5 FD37 89B9 E069 EB27 FC20 5E35 F577 EE31 C4FB C6E4 4811 7D86 BC8F BADA 362F 922I F01B 2F40 C734 2654 C0DD 2881 D673 CA2C 4003 C266 E2CD CB02 0701 0001

As the name suggests, a public key is available to the general public and, conversely, a private key is only available to the authorized party. The pair of random keys are normally related mathematically; some data encrypted via a public key can only be decrypted by its corresponding private key and vice versa. Let’s take an example to further elaborate the matter:

A person Alice wants to send a message to a person Bob. To ensure the security of the transfer, Alice encrypts the data using Bob’s public key. Now, even though everybody else knows Bob’s public key too, only Bob can read the message meant for him because only he possesses his own private key.

The RSA cryptosystem (more on this below).

The key escrow and key recovery process.

The concept of digital signatures (more on this below).

The various network security protocols (SSL, TLS, WTLS, etc.)

Various E-mail security applications (MOSS, PEMM, etc.)

THE RSA CRYPTOSYSTEM

RSA became one of the first public-key cryptosystem when it was introduced in 1978 by Ron Rivest, Adi Shamir, and Leonard Adelman (the initial letters of their last names led to the name RSA) and it has been in worldwide use ever since. The concept of public-private keys, as discussed above, is used in RSA. Many experts have made RSA a subject of their cryptanalysis but so far not many serious flaws have been found. RSA finds its asymmetry from the fact that it’s practically difficult to factor two huge prime numbers (also known as the factoring problem).

FINDING THE ENCRYPTION/DECRYPTION FUNCTIONS:

The encryption function E can be written as:

E(kPUB, P) = E(e, n, P) = P^e modn                               ——- (1)

The decryption function D can be written as:

D(kPRIV,C) = D(d, n, C) = C^d modn                            ——- (2)

Effectively D and E are the same here. We can write them formally as:

E(k, n, m) = D(k, n, m) = m^k modn

Here k is any key and m is any message. However, for the above equations (1) and (2) to hold, we have to find special d, e, and n values.

To find d, e, and n, we can use the following process:

  1. Choose two prime numbers (say p and q). Both the numbers should be large (100 digits at the very least).
  2. Find out n = p * q (this number should come out to be at-least 200 digits).
  3. Now compute N = (p-1) * (q-1).
  4. Now choose e such that e < N and e is relatively prime to N (i.e., (gcd(e,N)=1).
  5. Choose d as the inverse of e modulo N.
  6. Store the values of d, e, and n while discarding p, q and N.

Now to encode any given text, we can use the following relation: C= P^e mod n. To perform the decoding, P = C^d mod n can be used.

HASH FUNCTIONS

A hash function is used to ensure the authenticity and integrity of a message. It’s also one of the most important PKI security concepts that every network security professional should be completely well-versed in. By passing through a hash function, we achieve the mapping of arbitrary data (of arbitrary size) to a bit string (of a fixed size). Of the many hash functions in use these days, these are the ones that you need to know about while applying for CISSP:

  1. The MD family: A family of one-way hash functions (MD1, MD2, MD5, MD6 etc.)
  2. The SHA family: Similar to the MD family, the SHA family (SHA-1, SHA-2, SHA-3 etc.) also comprises one-way hash functions.
  3. HMAC (for hashed message authentication code): It is able to further extend the security provided by the SHA-1 and the MD5 algorithms.

CISSP Instant Pricing- Resources

DIGITAL SIGNATURES

Digital signatures form the core of PKI security services and are basically tools used to ascertain the sanctity and security of the whole network architecture. Via a correct digital signature, a recipient is able to believe that the message has actually been sent by a known sender; this aspect of it is called authentication. It also provides non-repudiation (ensuring the fact that the sender can’t deny sending the message) and integrity (the message didn’t get altered before reaching the recipient). If you are preparing for the CISSP exam, you need to know about the following additional concepts pertaining to digital signatures:

  1. Message digests
  2. One-way hashing functions
  3. Digital signature revocation
  4. Digital signature distribution
  5. Digital signature revocation

You can find more information on these topics in any CISSP preparation book. Take a look at some of our preparation guides for more information. (Add hyperlinks to the preparation articles here.)

PKI VULNERABILITIES:

There are also some PKI security vulnerabilities that need to be learned about. Here we mention some of the possible attacks that can take place on a PKI subsystem:

  1. Attack on the certification authority:

The certification authority is the backbone of the security enforcing system because it provides, maintains records of, and periodically updates the digital certificates of the entities in the network. Even though an attack on the CA is hard to conceive, yet it could be achieved by sophisticated man-in-the-middle intrusion.

  1. Theft of issued certificates:

There have been incidents where issued (and active) certificates have been stolen, leading to grave repercussions. To avoid this, multi-level authentication and authorization infrastructures should be implemented.

  1. Theft of issued code signing digital certificates:

Digital certificates are the keys that protect the important resources from being accessed by unauthorized personnel and their security needs to be ensured at all costs. However, if enough care is not taken, they too can be stolen.

  1. Denial of service (DOS) attacks:

DOS attacks prevent the authorized personnel from accessing the resources that are important for operating the system. More information can be obtained from here.

FINAL WORD

Ensuring the security of online transactions is becoming increasingly difficult and hence increasingly important. The knowledge of PKI for an information security professional is of great importance; hence it forms a vital part of the CISSP credential CBK. This article shares only basic information regarding the concepts that have to be further explored in order to be adequately acquainted with the PKI model. The various study guides and reference books share detailed information on the matter and it’s recommended for every aspirant to develop a deep understanding of the topic before attempting the exam. You can find the recommended study resources and material from our dedicated CISSP resources article.

Be Safe

Section Guide

Ryan
Fahey

View more articles from Ryan

Earn your CISSP the first time with InfoSec Institute and pass your exam, GUARANTEED!

Section Guide

Ryan
Fahey

View more articles from Ryan
[i]
[i]