Public Key Infrastructure: an e-business view

As e-business evolves, new business models are bringing about a plethora of
changes. Interconnectivity between vendors, suppliers, customers, and
employees has gained a new level of importance as a competitive edge.

The value of intellectual property has skyrocketed. Accompanying
these changes are e-business related risks. Business to business and
business to consumer e-business applications require information
security to develop new approaches with regard to infrastructure and
trust models. One of the primary concerns identified by both businesses
and consumers in establishing and participating in e-business is the
potential loss of assets due to security breaches of commercial
transactions and corporate computer systems. A security breach not
only erodes confidence in the business but also impacts the
organization’s reputation capital.

Case studies have discussed various risks ranging from breach of
privacy, breach of confidentiality, sabotage, vandalism and loss of data
integrity to theft and fraud. Do these concerns sound familiar? Fraud,
unauthorized access, observation, content alteration and denial of action
are the same primary concerns we face in the brick and mortar world.
However, when you move from physical world security to security in
the networked world, additional variables must be considered. The
requirements to manage these concerns remain the same and
respectively they are authentication, authorization, privacy, data
integrity and non-repudiation. The manner in which the requirements
are met, however, changes significantly. Most communications today
are not private nor are they secure unless explicitly protected by
encryption mechanisms.

Digital media are susceptible to malicious attacks and random errors.
Data that is stored on a network, or that is passed from one user to
another, must be protected from these and other threats. As a result
network security is paramount to every corporation that stores
sensitive data digitally. To be sure that the data is secure, a security
policy, which ensures entity authentication, non-repudiation, data
integrity, data confidentiality, and access control, is an absolute
necessity. Data confidentiality plays a major role within the transaction
framework. Sensitive data, including, but not limited to, business plans,
financial transactions, etc. must be safeguarded from prying eyes.
Data integrity systems ensure that the message sent and the message
received are the same. Non-repudiation gives a recipient the
confidence that the sender cannot successfully deny having sent a
particular message.
This is quite important in financial transactions where someone may
wish to refuse a bill claiming that they hadn’t requested the service in
the first place. Using a system that provides non-repudiation, the
service or data provider can produce irrefutable evidence that the
request was in fact made and therefore the bill is legitimate. In a
secure system, entity authentication is required so that each user can
be satisfied that they are communicating with only the person,
corporation, or server, they wish to be communicating with. For
example, users sending their credit card number across a network to
make a purchase want to be certain that they are dealing with a
trustworthy merchant rather than a fraud who wishes to steal their
credit card number for a private spending spree. If the user verifies the
identity of the merchant, they will send their credit information with
greater confidence. Sensitive data stored on a network requires
policies to administer access rights. Access control enables an
administrator to ascertain access privileges of an entity before allowing
them access to the data, or even before verifying the existence of the
data.

A public key infrastructure (PKI) can provide much greater assurances
than other methods to meet the collective requirements of digital
security for entity authentication, non-repudiation, data integrity, data
confidentiality, and access control. Cryptographic theory is the basis
upon which the PKI creates this secure environment. By meeting these
security needs, a PKI is a very effective tool to provide trust in
networks in intranet, extranet and Internet environments alike, ensuring
that sensitive data is protected.

Public-Key Infrastructure

A PKI is comprised of several components, policies, and users that
combine to perform the tasks required for digital security. The primary
components of a PKI are the Certification Authority (CA), the
Registration Authority (RA), the Certificate Repository, the applications that
use the PKI, the subscribers to the PKI, and the policies being
implemented by the components of any specific PKI.

The Certification Authority (CA)

The Certification Authority is at the very core of the PKI. It is the
responsibility of the CA to create, distribute, and possibly revoke the
certificates used in the PKI. The Certification Authority is trusted to
perform the function of binding a public key pair to a given identity.
The CA certifies the key pair / identity binding by digitally signing a
data structure that contains some representation of the identity and a
corresponding public key. This data structure is called a public key
certificate. In the digital world of the PKI a certificate is a file that
contains a user’s public key and identifying information about that
user. This identifying information is usually data such as their name,
address, phone number, etc. The creation of the digital certificates is a
process of binding the identification data to the public key data. The
CA accomplishes this by digitally signing the information with its
private key. Before signing the certificate, the CA verifies the
information contained in it, for example by meeting the applicant in
person. This verification process is known as vetting the certificate.
Vetting or verification processes will vary according to the security
policy of the organization. Since the CA is a fundamental part of the
PKI, its public key is widely known and trusted. Once the certificate is
created it is stored in a certificate repository; the CA then distributes
copies to authorized users as required. Although all certificates are
issued with a validity period, immediate certificate revocation may also
be a necessity. Should the information reflected in the certificate
change, or if the key pair should no longer be trusted, it is the
responsibility of the CA to rescind the authority granted by the
certificate through the process of certificate revocation. Many
implementations use a Certificate Revocation List (CRL) to control
certificate revocation. Periodically the CA publishes a list, the CRL, of
certificates that are no longer valid within the PKI. In some cases a CRL
may be an acceptable method for certificate revocation.

There are, however, difficulties inherent in the use of a CRL that must
be accepted or overcome in a secure implementation. The CRL can
grow large over the lifespan of a PKI, as many certificates may need to
be revoked. Publishing a large list may be a problem for some limited
bandwidth systems. Sending CRL updates saves bandwidth when
updating the CRLs. In this case a full CRL is sent out periodically,
during times of lower demand on the available resources. It is also
possible to distribute a list containing the certificates revoked since the
last full publication.

These smaller updates keep the CRL fresher while creating less
network traffic. Another technique is to use distributed CRLs, which
spread the entire CRL over several locations so that the lists are
smaller in each place. Unfortunately smaller lists create additional
management and synchronization problems. Another issue to be
considered when using a CRL is that the data contained in the list may
be out of date as soon as it is published. A certificate that is revoked
moments after a CRL or CRL update is published will be considered
valid until the next publication.

The Online Certificate Status Protocol (OCSP) has been developed
to address the difficulties involved with using CRLs. OCSP allows direct
queries for up to date certificate revocation data. A particular response
to an OCSP query contains only the information about the certificates
in question, saving bandwidth. PKI security may also be increased
using OCSP, as features may more easily be applied which will ensure
strong access to the OCSP system. OCSP allows for real-time certificate
status checking supplying immediate revocation information on a given
certificate.
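
The timing gap described above, between periodic CRL publication (full lists plus smaller updates) and a direct OCSP-style query, modelled as an added example that is not part of the original article. The class and function names, serial numbers and integer timestamps are constructed for illustration, and no real CRL or OCSP encoding is parsed.

```python
class ToyCA:
    """Constructed model of a CA's revocation state (not a real CRL/OCSP codec)."""

    def __init__(self):
        self.revoked = {}      # serial -> time of revocation
        self.last_full = 0     # time the last full CRL was published

    def revoke(self, serial, now):
        self.revoked.setdefault(serial, now)

    def publish_full(self, now, next_update):
        self.last_full = now
        return {"this_update": now, "next_update": next_update,
                "serials": set(self.revoked)}

    def publish_delta(self, now, next_update):
        # Only the certificates revoked since the last full CRL.
        new = {s for s, t in self.revoked.items() if t > self.last_full}
        return {"base": self.last_full, "this_update": now,
                "next_update": next_update, "serials": new}

    def ocsp_status(self, serial):
        # Direct query: reflects the CA's state at the moment of asking.
        return "revoked" if serial in self.revoked else "good"


def crl_status(serial, now, full, delta=None):
    """Relying-party check against a cached full CRL plus an optional delta."""
    serials, newest = set(full["serials"]), full
    if delta is not None and delta["base"] == full["this_update"]:
        serials |= delta["serials"]
        newest = delta
    if now > newest["next_update"]:
        return "unknown"       # cached list has expired: do not assume valid
    return "revoked" if serial in serials else "good"


def demo():
    ca = ToyCA()
    ca.revoke(1001, now=5)
    full = ca.publish_full(now=10, next_update=110)
    ca.revoke(2002, now=11)    # revoked moments after publication
    out = {"crl_before_delta": crl_status(2002, 50, full),
           "ocsp_same_moment": ca.ocsp_status(2002)}
    delta = ca.publish_delta(now=60, next_update=110)
    out["crl_with_delta"] = crl_status(2002, 61, full, delta)
    out["crl_expired"] = crl_status(1001, 200, full, delta)
    return out
```

Calling demo() shows serial 2002 still reported as good from the cached full CRL while the direct query already reports it revoked; the update closes the gap, and an expired cache yields unknown rather than good.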

The Registration Authority (RA)

The Registration Authority provides an administrative role in the PKI.
One of the roles an RA plays in a PKI is that of a certificate vetter. Often
the RA function is a part of the responsibility of the CA organization.
The vetting of certificates can be quite a time intensive job and for
achieving trust, it must be taken care of as close to the holder of the
keys to be certified as possible. In the case of a global PKI it may be
inconvenient for all the members to travel to a particular centre to
have their identity verified. The RAs can be distributed so that personal
travel and inconvenience are minimized. The RA function also allows the
vetting and issuing process to be separated. The CA creates the
certificate and may either distribute the certificate directly to the end
user, or to the RA who then distributes the certificate to the requestor.

The Policy

In order to effectively implement a PKI, a series of policies to govern
the human element of the PKI must be in place. These are spelt out in
documents such as the Certification Practice Statement (CPS) and the
Certificate Policy (CP). A CPS describes the practices employed in
issuing and managing certificates. It may include a description of
service offerings, detailed procedures for life-cycle management,
operational information, etc. Furthermore the CPS provides a legal
framework describing the obligations and liabilities of the CA. By
contrast, a CP generally consists of a set of rules that indicate the
applicability of the certificate to a particular community and/or class of
applications with common security requirements. The CP generally
addresses higher level policy requirements, while the CPS tends to be a fairly
detailed and comprehensive technical and procedural document
regarding the operation of the supporting infrastructure.

Conclusion

Generally speaking PKI usage can be put into three categories:

• Identification of who is accessing information or providing
information.
• Securing communications between authenticated parties.
• Providing for authentication and data integrity in computerized
applications and making possible digital signatures, the strongest
form of electronic signature now available.

Increased use of digital technology in the business world is inevitable,
and PKI provides an integrated set of services which together make
possible digital business systems having extremely strong security
properties, including entity authentication, non-repudiation, data
integrity, data confidentiality, and access control. By meeting these
five basic needs of digital security, PKI technology provides a secure
foundation upon which a stable e-commerce can be built.
