Unauthorized access, unsigned applications (malware) and unsecured email. What can help prevent these top three cyber threats impacting organizations today? Public key infrastructure (PKI). PKI enables a trusted environment by authenticating and ensuring the integrity of data and users. The word “authentication” is of Greek origin, authentikos, meaning “real, genuine.” Authentication is the process of proving something to be true, genuine or valid.
At the highest level, PKI is a set of software and hardware technologies designed to manage the creation, storage, transmission and authentication of digital certificates and their associated encryption keys. A real-world analogy to a digital certificate is a driver’s license. In the digital realm, a digital certificate serves as a way for people or devices to prove who or what they are, because a part of the PKI known as a certificate authority (CA) has issued and “signed” the certificate, vouching for the person/device.
PKI-enabled systems provide strong authentication and encryption of data by using cryptographic functions. Unlike traditional identity processes where users are identified by passwords, a PKI issues a certificate via known, trusted channels and binds the certificate to a cryptographic key pair. The key pair consists of a widely shared public key, and the holder of the certificate maintains a private key that is unknown to anyone else. A cryptographic function ties these 2 keys together so that actions performed by one can be verified or decrypted by the other.
Why Would an Organization Need PKI?
PKI-based networks have significantly stronger security than those that rely on passwords (and all of their known weaknesses) and have significantly better manageability properties than other encryption schemes such as pre-shared keys. Specifically:
- PKI-based systems enable authentication and encryption to occur without the need to share highly confidential private keys.
- The keys in PKI-based systems can be used for one-way encryption functions where only the designated owner of the key can decrypt data. This prevents man-in-the-middle (MitM) attacks without knowledge of the key pair.
- Certificates used in PKI-based systems can be easily revoked (i.e., in the event of a lost or stolen device).
As opposed to phase-shift keying (PSK)-based systems, PKI-based systems do not require unique sets of keys for all combinations of devices that must communicate with each other. Instead, a server stores only its own key pair and does not have to store all of its clients’ keys. This dramatically reduces the workload required to manage sets of keys and allows the number of network devices and users to scale to large numbers.
While PKI is not a brand-new technology, it is a highly effective solution for any organization facing the latest cybersecurity threats including ransomware, human factor, financial pretexting, phishing and outside attackers. By leveraging a PKI, virtual private network (VPN) environments can vastly improve their security posture. Cryptographic keys cannot be socially engineered or easily stolen, so by requiring a certificate to authenticate to a VPN, organizations have a much higher level of assurance of who or what is connecting to the network.
For applications such as HTTPS-protected websites or web applications, Transport Layer Security (TLS) uses certificates to identify hosts providing TLS services and to bootstrap the encryption process for clients and servers. TLS can also be used to support client-side authentication where clients must present a certificate to authenticate to a website rather than using password-based authentication. This mutual authentication ensures both parties are able to positively identify the other. Think of this process—in a very simplified form—as a virtual, encrypted handshake as a way of validating a connection.
This edited article was originally published in ISACA’s The Nexus.