Case Study On Public Key Infrastructure

Type of paper: Case Study

Topic: Software, Organization, Public, Services, Confidentiality, Cryptography, Information, Internet

Pages: 2

Words: 550

Published: 2020/10/31

Cryptography uses mathematical algorithms to convert plain text information into coded information or cipher. Unlike shared secret cryptography where the same shared key is used for encryption and decryption by the sender and receiver, public key cryptography uses a pair of keys – one publicly available key and the other, a private key known only by the owner of the key. A signatory signs a digital document using a combination of the public and private key, and this document can then be verified using the public key that is publicly available to everyone.

The organization will benefit immensely from the use of PKI owing to the services obtainable from it:

Authentication: the source of a digital document can be determined using the public key to send a challenge to the recipient. The recipient signs the challenge in addition to some other information and sends it as a reply. If the reply can be validated using the public key, then it is confirmed to have come from the right source.
Integrity: the signature verification of a digitally signed document will fail if there are any changes to it. This ensures that the correct document is received.
Non-repudiation: Since only the owner or signatory can sign a digital document with the private key, any such digital document can only have originated from the owner and no one else.

Confidentiality: Information can be encrypted using the public key of the recipient and only the recipient can decrypt it.

The core components of a PKI are as follows:
Certificate Authority (CA), which is an entity that issues signed certificates in order to validate the identity of the entity making a request. It also revokes certificates as the need arises by including the certificate serial number on the Certificate Revocation List (CRL).
A management function to update, restore and archive keys. Updating keys is essential, especially in situations where new keys are generated at intervals to reduce the incidence of key compromise. Likewise, keys need to be backed up so that they can easily be restored to users after a loss.
A repository for key storage and retrieval, especially using a directory service.
Registration authority that registers a user after collecting the user’s information and verifying the identity.
Key recovery service used to recover data when the key is lost.

The organisation's cryptography needs for applications such as web services and browsers, email and messaging, and even software signing can be met using PKI to manage the digital certificates and keys used in these applications. Web services and browsers utilize encryption for user authentication and to ensure confidentiality, especially with the use of Secure Sockets Layer (SSL). Messaging and e-mail services use encryption to secure information transmitted using key pairs. The verification of the authenticity and source of programs from a software publisher uses digital signatures. All the scenarios described above in the activities of this organization require the use of certificates and keys, which are managed by PKI.
2. The PKI is used to create digital signatures using the content of the software and the private key of the organization.
The software is first encrypted by creating a hash of the software, also called a digest. This ensures that the original content cannot be recreated. The digest is then signed using the private key of the organization. The signature can then be included in the software package or packaged separately. A customer can then determine the authenticity of the software by using the organization’s public key, the digital signature and the software to verify the identity of the organization and the integrity of the software. The customer will know that the software originated from the organization since only software signed using digital certificates generated using the private key of the organization can be verified using the public key of the organization. And since the validation process fails if there is a change in the content of the software, the client can ascertain the integrity of the software if it passes validation.
3. The use of Certificate Authorities (CAs) is based on a trust relationship. Trusting a CA by extension translates to trusting all the certificates issued by the CA. Public certificates are issued by third-party authorities at a cost.
In-house certificate use entails creating one's own CA for digitally signing documents. Using in-house CAs puts responsibility for managing the certificates on the organization, and certificates are created at no cost to the company. On the other hand, public CAs issue certificates at a cost, and the responsibility for managing the certificates lies with them. They are thus liable for the certificates they issue.
Users of a service, especially one requiring a high level of trust such as an e-commerce website, will be comfortable using the website only if it is signed by an authority they are familiar with – a third-party trusted CA. Using an in-house CA in this case will not encourage users to consume the service. As a result of the foregoing, I strongly recommend using a public CA since the organization will be signing its software with these certificates. Software signed with publicly known and trusted CAs will pose no security and trust concerns to users of the software, as against software signed with in-house CAs.
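
An added example (not from the original essay) of the trust relationship discussed above: a code-signing certificate issued by an in-house CA validates only for a verifier whose trust store contains that CA. The certificate names, validity period and ECDSA P-256 keys are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a P-256 key and a certificate for it; a nil parent means self-signed (root CA).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// ChainCheck validates an in-house code-signing certificate with and without its CA trusted.
func ChainCheck() (withCA, withoutCA error) {
	now := time.Now().Add(-time.Minute) // names and validity below are constructed for this example
	ca, caKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example In-House CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	leaf, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Software Publisher"},
		NotBefore: now, NotAfter: now.Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}, ca, caKey)
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	_, withoutCA = leaf.Verify(opts) // this verifier's trust store lacks the in-house CA
	opts.Roots.AddCert(ca)           // the in-house CA has now been distributed to the verifier
	_, withCA = leaf.Verify(opts)
	return
}

func main() {
	fmt.Println(ChainCheck())
}
```
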
