Hem Knowledge Base PKI for secure login
Knowledge Base

Public Key Infrastructure- PKI

Knowledge base

Driving forces for PKI

A proper and secure login process starts with a unique adequate identity that neither can be tampered nor distorted. The identity should not be feasible to fake, to hack or in any way be replicated. Logon to all systems desired should be admitted and the identity needs to be sealable if deprived or misused. The unique identity should not solely function as logon credential to computers and crucial systems. Likewise it should allow logon to cloud based services as well as applications used on a tablet or a mobile phone. Last but not least, the login identity should be fast and effortless using.

Traditional login credentials as username and password do not accomplish the above described level of security at all. Hacking and theft is often possible without even thinking of using brute force. 

Usage of unique individual identities ties the user personally to resources used at every particular moment. Tracking down activities made on a group login credential to a single user can be complicated, or even not feasible. Hence, security is a significant driving force to ensure safe IT-systems in the future. Using PKI technology is one way to be on track.

What needs does PKI cover?

With PKI you achieve isolation and confidentiality by way of using encryption. A public key and a correlated personal key used in pair encrypt and decrypt the information. You need them both as much to carry it out.

A digital signature provides you authentication and identification. A certificate asserts the identity of the user to a Relying Party (RP) and if the signature is valid other services are available.

Information content shall not be changed, in other words the integrity of the data must be ensured. Digitally signed information must be possible to  verify by a recipient using the public part of the PKI key. If verification is successful, then the receiver knows that the content has remained unchanged since originally signed.

PKI integrates data confidentialityauthentication and the integrity of data by usage of certification authorities (CA), digital certificates and public key cryptography into one network solution, complete and secure as a whole.

Primary and most important, PKI is an authentication technology. By the use of a public and a secret key in combination it allows data integrity, data confidentiality and key management as described above.

 

What do you achieve using PKI?

Since your identity will be secure and unbreakable using PKI for authentication purposes the imaginable applications turns out to be infinite.

PKI certificates are very handy when used on smart cards and USB tokens. Like this you achieve secure connections and certificate based authentication to systems and servers. Encryption, decryption and digital signature of emails and forms using mobile clients, tablets, web and desktops are further possibilities. In micro segmented networks using Zero Trust "network" parts are indenpendent of each other and no traditional trust relationships exists. Then, communicating entities authenticate towards each other whilst the session is active. It can be done exchanging PKI certificates. The Internet of Things (IoT) is one emerging technology where micro segmentation according to the Zero Trust idea is applicable and to which access is frequently secured to by using PKI. 

Public Key Infrastructure (PKI) is today a very common way to encrypt, decrypt and secure communication on the public internet. It is implemented into many browsers used to navigate. In organizational networks it is also very commonly deployed to secure internal network communications and access to network devices. This thing, that PKI is used to secure local networks is frequent since PKI is supported by Microsoft Active Directory, widely spread, used and known. Software on web servers, operating systems, servers and lots of other network equipment have built in support for PKI.

The usage of certificates save time and accordingly money. With traditional user credentials as usernames and passwords follow that passwords have to be altered regularly, for example every 60 days, to keep up the level of security. With certificates the lifetime is up to 20 years, getting rid of resetting  passwords essentially reduces the work burden for IT support.

Security wise, if a key is lost or stolen, without the other half the stolen key is utterly worthless.

It is very convenient for people using a PKI key. At the end of the day you have saved a lot of time using it to fast and easy log on to your workstation and not have to repeatedly write your username and password over and over again.

Logging in to desktop computers using certificates has a very essential benefit as it fundamentally determines and identifies the particular user of the desktop. This means as well that users can not share certificates as easy as what happens when it comes to passwords and you achieve accountability excluding deniability.

 

SSL and PKI

A very large part of the encrypted communication over HTTP that have obtained a certificate from a CA is secured using TLS/SSL protocol. Yes indeed, SSL certificates is one of the most common type of PKI certificates used. More or less, all the digital certificates used with PKI are built from the X.509 protocol standard.

SSL and PKI work together, in short terms, first that the web browser receives from the web server a copy of its' asymmetric public key. Then, the web browser replies back after generating a symmetric session key that is encrypted using the asymmetric key received from the server. Third, the web server uses its' original unique asymmetric private key to utilize for decrypting the session key. Now a digital association has been established between the web server and the web browser and they can transfer encrypted information over a secure channel. The Public Key Infrastructure is hosting or is creating the foundation on which the web browser and the web server exchange information.

Possible downsides of using PKI

Incidents related to bad management and human carelessness are unfortunately causing outages and downtimes of networks and it is a rising problem. Failure to secure good management of certificates and keys weakens the trust for organizations operating PKI networks. Sloppy secured keys and certificates are misused by hackers meaning the "bad side" actually literally have infiltrated trusted networks and erode their security.

When Cerificate Authorities (CA) have been compromised due to bad key management they can be used by hackers for phishing attacks and to deliver malwares. The CA and RA must be carefully managed and well looked after for their capability to manage and authenticate public key information.  If not, the secure web communication relying on trusted entities is veritably just imaginary. 

New IT regulations and policies within companies are often met by adding more layers of encryption to secure particular network entities such as critical servers and even IoT devices. This fact increases cost for network management and management of keys and certificates.

A very common, a major and as well known problem is lack of staff procurement for supporting PKI. 

Some backbiters of the PKI technology questions, however not unfounded, why and for what reason a CA is trusted and who decided it should be trusted? Is the level of security on the verifying computer that uses the public not secret key good enough? The CA uses public keys and what if that CA is hacked and "the enemy" plants one of his own keys to the CA? That would conclude in the attacker is able to issue his own certificates and these would appear as OK and legitimate.

One setup used, a certain certification structure with a CA just issuing certificates working along with a Registration Authority (RA) is from a point of view less secure than using a single CA alone as an authority. In the RA and CA setup the CA is not the content and attribute authority but however it is possible for the CA to falsify a certificate with user content. Of course, the CA is not allowed to do like that since there surely exist a strong trust contract, but it is still a possibility. 

 

Parts necessary to make a PKI implementation work

To provide keys and certificates for an effective PKI solution there are a number of services and functions that have to be realised.

necessary parts for PKI implementation

The SecMaker way of PKI

SecMaker provides a complete range of products to offer enhanced security using the PKI technology.

One product is Net iD Portal which is a life cycle management application that simplifies the management of smart cards, devices, certificates, and users for an organization.

As well, the Net iD Portal application from SecMaker simplifies the lifecycle management of tokens containing PKI certificates and keys. The tokens may consist of smart cards, USB tokens and other devices. Net iD Portal is a management tool providing an overview of tokens used on different end entities like for example users and servers in terms of issuance and revocation of the tokens. The complete chain between users, tokens, keys, and certificates is managed using Net iD Portal. 

In the organizational infrastructure Net iD Portal interconnects the certificate service and the database service. Web GUIs are available for administrators, officers and end users who had been given access to the Net iD Portal features. The Net iD Portal Officer GUI is accessed to manage end user smart cards and certificates granting access and enabling logon authentication to the organizational network. Also, the signing and encryption of documents are functionalities that can be enabled through the Net iD Portal Officer GUI. 

Depending on the demands and requirements for high availability the Net iD Portal can be installed in different server architectures.

 

What SecMaker accomplishes

For the customers of SecMaker the information security is as important as in public healthcare. The information needs to guaranteed to reach only the intended recipient and combined with the integrated Single Sign On (SSO) service the information is reachable on any compatible device on the network. The amount of time and workload saved can not be underestimated in terms of flexibility and not being forced to repeat the login process infinitely.

 

How SecMaker's PKI fit into future networking emerging technologies

One of the foremost strengths of using PKI technology in networks is the flexibility and that access is delivered based on user identity, not an IP address as in traditional VPN networks. As cloud technology emerges technologies adapt to it and among the technologies adapted to the cloud mindset is Secure Access Service Edge (SASE) who is in its' turn adopting the Zero Trust approach. In Zero Trust access is granted after verifying successfully the user identity and for that reason a PKI certificate provides the flexibility to make this process possible.

In the area of Internet of Things (IoT) the PKI is arising as a vital technology for identity management. For IoT-devices operated and managed using a cloud based solution the data integrity, authentication and encryption are fundamentals that can be solved through PKI and combined with the use of the Zero Trust principle. However, the IoT area is not in full bloom yet and such lightweight solutions as enclosing a certificate are being adopted as the space hardware wise for memory and chip components is very limited. As well, the reversed question that customers need to know that the IoT devices themselves are authentic and not fraudulent devices. IoT devices need to be identified uniquely and a common view is that PKI certificates in particular work very well for such an ambition. A strong identification factor is achieved with a PKI certificate which as well has a good durability for the purpose of identifying a device. It is also possible to pack along information attributes of the device. For maintenance and lifecycle purposes in the event that the identity of the IoT device equipped with a PKI certificate needs to be refreshed, updated or replaced it can be done as needed.

Customers in the IoT area want security technologies that can be scaled up cost effectively and quick. Once you have the PKI platform implemented, the scaling up is a rather convenient process. PKI builds up a scalable architecture and security framework that can support IoT deployments very well in the time to come even when we are on path towards more composite and complex systems for provisioning and identity management.

Certainly no one knows for sure, but the algorithm upon which PKI is based would probably be capable to protect the security of an IoT device for 10 to 15 years and be resilient to breaches using highly advanced computers and technologies.

PKI as a long term solution

All infrastructure in IT should be considered long term as far as it is possible. PKI makes its' returns to profit as it enables a lot of business applications to perform their business electronically and in a safe manner. Making business is no longer only tradtional contract signing meeting your business partner face to face. The documents and contract signings are electronic and to make this possible it is very crucial that the identity of the entity with which the transaction is being piloted is possible to ensure doubtlessly.

One of PKI advantages using asymmetric cryptography is that it facilitates the delivery and dimishes the number of keys used as compared to symmetric cryptography. Using PKI, there must just be one key pair for each person using the system meanwhile symmetric cryptography uses a unique key for every person to be communicated with. The simplicity belongs to the future!

 

In the end it all comes down to....function and flexibility

PKI is always PKI. As you have read this text you have found out that it is not matter of where, when and how. It works more or less the same independent of geography, time and space. The flexibility seems incalculable and that is what gives PKI an enormous flexibility advantage. Healthcare, cloud, Zero Trust, traditional VPN-networks.....it does its' job everywhere.

Do you want to know more?

Don't hesitate to ask!