Public Key Infrastructure - Securing your devices in an insecure world
Vivacity Technologies is a trusted technology partner, tailoring our services to your needs. This includes IT consulting, as well as designing, deploying and managing digital infrastructure. One specific area of focus for us is security infrastructure and making your end devices and machine identities secure. We do this by using public key infrastructure, or PKI, which plays a vital role in validating and securing communications between your devices and endpoints. If you’ve never heard of PKI, that’s okay. We will explain what it is and how it works.
What is Public Key Infrastructure (PKI)?
In simple terms, PKI is a set of tools, policies, and procedures used to authenticate devices and secure their communications over a network. In more technical terms, PKI is responsible for authenticating devices and their respective public keys by issuing digital certificates from a secure certification authority (CA). This environment allows devices to establish secure communications in zero-trust settings without sharing secret information over insecure channels, effectively providing transport-layer security (TLS). While running your business, you can’t see it, but PKI is always there, working for you, keeping your communications secure.
How Does PKI Work?
The main purpose of PKI is to enable the use of public key cryptography within a given network. The infrastructure works by implementing two different types of technologies – asymmetric keys (public and private) and certificates.
A key is basically a long number that is used for data encryption. Think about simple code breaking you may have done in elementary school. If the key shows that A=D, T=O and E=G, then anyone who has the key can work out that ATE actually means DOG. Now increase the complexity using advanced mathematical concepts and you have the basics of cryptography. Note that in this scheme, you would have to share the same key you used to create your coded message for someone to decipher it, which is not ideal in a zero-trust setting.
To overcome this, we break down keys into two components – public and private. The keys are connected, but that connection is secured by a complex mathematical equation that makes breaking the private key extremely difficult even if you have the information from the public key. The details of these mechanisms are fairly technical, but if you’re curious about how this relationship works we recommend reading more about RSA and ECC.
In practice, cryptographic keys are long binary values, usually encoded in Base64 format, that are largely unintelligible to the average user but contain all the information a computer needs to perform operations with them. In the interest of keeping things simple, we're representing cryptographic keys in the following manner:
This is a private key. This key is a secret, and should be stored securely such that nobody but its legitimate owner can access it to perform cryptographic operations (such as signing or decrypting data). Signatures generated using this key can be verified by anyone using its corresponding public key.
This is a public key. This key is visible to anyone who wishes to communicate securely with this key’s owner, and is included in the key owner's certificate so that other devices can obtain it easily. Anything encrypted with this public key can only be decrypted with its corresponding private key.
But how do you know the public key of the person you’re trying to reach is in fact their public key, and not that of an impersonator trying to intercept your message? This concern is addressed with the next part of PKI: digital certificates. Certificates are issued by a trusted Certificate Authority (CA) that you control. In this manner, if a device has to be added to your network, you would first use your CA to issue a certificate to that device. The certificate is a digital document attesting that a device is the legitimate owner of a key pair. If other devices trust the CA, they will automatically trust this device’s keys, because their authenticity has been verified by the CA. By securely controlling and operating your CA, or relying on a trusted partner like Vivacity for these activities, you can ensure that your organization’s devices only trust legitimate devices, and address the risks of impersonation attacks seeking to steal the data travelling through your networks.
The PKI process
To get a play-by-play overview of how PKI works in practice, we'll use the following diagram. Here we have three entities: on the left and right sides, we have two devices A and B. In between the devices, we have Vivacity's trusted Certification Authority (CA).
Here's how these devices interact with the CA to authenticate each other and communicate securely:
In step #1, device B requests a certificate from the Certificate Authority (CA). This is done through the certificate signing request (CSR) that B will have generated, containing identity information about B (such as a silicon serial number) as well as B’s public key. Once B has sent the CSR to the CA, we move to the next step.
In step #2, the CA reviews the CSR submitted by B and, if everything checks out, signs a certificate binding B’s identity to B’s public key (in the diagram, this is Signed-B.crt). B can then hold on to this certificate and share it with other devices in the network when requested.
In step #3, device A requests device B’s certificate to make sure it can be trusted before communicating.
In step #4, device B sends its certificate to device A so that A can verify that the certificate is authentic and determine whether or not device B can be trusted.
In steps #5 and #6, device A uses the CA’s public key to verify the signature on B’s certificate. Since the CA issued Signed-B.crt, the verification is successful and A determines that the certificate is legitimate. Because A trusts the CA, and B has an authentic certificate from the CA, A can now trust B.
Finally, in step #7, device A trusts device B and is able to establish a secure communication channel by encrypting messages with B’s public key. In this manner, only B is able to decrypt those messages, thus preventing potential attackers from accessing protected information.
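Steps #1 through #6 above, as an added Go example that is not part of the original article and is not Vivacity's code: device B enrolls through a CSR, and device A accepts only a certificate that chains to the CA it trusts, rejecting one issued by a look-alike CA that copies the CA's name. The CA name, the device-B identifier, the fixed serial numbers and the one-hour lifetime are assumptions made for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func sign(tpl, parent *x509.Certificate, pub any, key *rsa.PrivateKey) *x509.Certificate {
	tpl.NotBefore, tpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(time.Hour) // demo-only lifetime
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tpl, parent, pub, key))))
}
func newCA(cn string) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048)) // the CA private key; fixed serials below are demo-only
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true}
	return sign(tpl, tpl, &key.PublicKey, key), key // self-signed root
}

// issue is steps 1-2: the device builds a CSR; the CA checks its self-signature, then signs.
func issue(ca *x509.Certificate, caKey *rsa.PrivateKey, id string) *x509.Certificate {
	devKey := must(rsa.GenerateKey(rand.Reader, 2048))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: id}}
	csr := must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader, req, devKey))))
	must(csr, csr.CheckSignature()) // proof that the requester holds the matching private key
	return sign(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject}, ca, csr.PublicKey, caKey)
}

// trusted is steps 5-6: device A accepts a certificate only if it chains to the CA it trusts.
func trusted(cert, ca *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}

func main() {
	ca, caKey := newCA("Example Device CA")       // constructed name
	rogue, rogueKey := newCA("Example Device CA") // look-alike CA: same name, different key
	fmt.Println(trusted(issue(ca, caKey, "device-B"), ca), trusted(issue(rogue, rogueKey, "device-B"), ca))
}
```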
Why Do We Need PKI?
Data coursing through networks can easily be intercepted and read. Authenticating your device identities and encrypting data using PKI ensures that only legitimate users are accessing information in your network, and reduces the risk of security breaches resulting from impersonation attacks. With PKI you gain more visibility over the users of your network and enable secure and trusted communications between your devices.
To learn more about public key infrastructure and how it can benefit your organization, contact us today for a free consultation!
Overview of Vivacity Technologies
Vivacity Technologies supports organizations through IT consulting services, and the deployment of digital and security infrastructure. As a trusted technology partner we become an extension of your team bridging the gap between current IT environments and desired future states. Some of our key clients include private firms, municipalities and First Nation organizations. Based in Canada, the Viva Team are technologists, focused on long-term strategy, challenging the status quo and being incredibly client focused. For more information see www.vvctec.com or contact firstname.lastname@example.org.