The ABCs of PKI

The concept of a public-key infrastructure is relatively straightforward, but actually setting up a PKI in your network can be a complex and daunting undertaking.

The basic idea is that sensitive data is protected through encryption. Each end-user device has encryption software and two keys: a public key for distribution to other users, and a private key, which is kept and protected by the owner.

A user encrypts a message using the recipient's public key. When the message is received, the user will decrypt it with his private key. Users may have multiple key pairs to maintain discrete communications with different groups.

With all these key pairs floating around, it's crucial to have some method of administering the keys and their usage. That's where a PKI comes in, enabling the centralized creation, distribution, tracking and revocation of keys.

It All Starts with Authentication

The first step in setting up a PKI is establishing a system for authentication, so users can be positively identified before receiving network rights.

Password-based logons provide one method of authentication, but a more secure method is digital certificates. Each certificate contains specific identifying information about a user, including his name, public key and a unique digital signature, which binds the user to the certificate.

To get a certificate, a user sends a request to a designated registration authority, which verifies the user's identity and tells the certificate authority to issue the certificate.

The certificate itself is a digital document, which is generally stored and administered in a central directory. For a user operating from home, the certificate would be stored on his system. In either case, the certificate is transmitted automatically when needed, and the user's work is not interrupted.

The certificate authority verifies a certificate's authenticity for the receiver. Again, for the user, this is generally transparent.

Of course, certificates should not last forever. Each certificate is issued with an expiration date and sometimes will need to be revoked early, such as when an employee quits. A certificate authority can revoke a certificate before its expiration date by identifying it in a regularly published certificate revocation list.

As with key pairs, there is a need to coordinate the issuing and revoking of certificates. That is another function of a PKI, acting as a comprehensive architecture encompassing key management, the registration authority, certificate authority and various administrative tool sets.

PKI software comes in different flavors depending on who you buy it from:

Entrust Technologies, Baltimore Technologies, RSA Security and VeriSign all offer PKI products. In each case, some form of certificate authority and registration authority, key and certificate management, and key backup and recovery tools will be required.

PKI Requires a Central Directory

Generally, a central directory is also implemented as part of a PKI, as a place to store and look up certificates, along with other relevant information. You may already have a directory for the support of existing applications, such as e-mail. If the existing directory is Lightweight Directory Access Protocol- or X.500-compliant, it is probably usable by PKI requirements.

However, directory systems do not always interoperate well and can frustrate your PKI efforts, especially if the directory is expected to handle diverse client applications in addition to a PKI. Lack of directory interoperability has prompted vendors to create the Directory Interoperability Forum to try and resolve the issue.

Another element of a PKI is the certificate policy, which outlines rules for the use of a PKI and certificate services. For example, if a user mistakenly shares his private key, he might be expected to notify security staff or the certificate authority.

Proactive determination of how that event would be handled is critical to the operation of a PKI and is addressed by a certificate practice statement (CPS).

The certificate policy and CPS are generally written in consultation among IT, various user groups and legal staff.

The CPS provides a detailed explanation of how the certificate authority manages the certificates it issues, along with associated services, such as key management. The CPS also acts as a contract between the certificate authority and users, describing the obligations and legal limitations, and setting the foundation for future audits. PKI vendors can provide you with a CPS template to work with.

As with any other IT infrastructure,a staff is needed to set up, administer, fix and manage a PKI. Finding those people is essential but may prove difficult, as demand for competent PKI support will likely outstrip supply in the coming year.

As a start, you will need to appoint a security officer, who will be responsible for setting and administering your shop's security policy. This individual does not need to be part of IT, but must understand the issues and will probably need a surety bond.

Next, appoint a PKI architect who will examine requirements and design your PKI. This person may also support implementation as project manager.

A PKI security administrator, who will use certificate authority management tools to add, enable and revoke users and their certificates, is essential for ongoing operations.

You will also need a directory administrator and someone to act as a registration authority, although it is possible to set up an automated registration authority to handle user requests made through their Web browsers.

In that case, you may be able to use current staff, such as a database administrator, to help set up and maintain the automated registration authority service.

Do You Need a PKI ?

Clearly, putting a PKI into place will take considerable effort, time and money. So is it worth the investment? Maybe. The real question you need to consider is, "What are our business requirements for increased security, and can a PKI help address them?"

Most of your users won't have an opinion, for now, but management might - especially if it is concerned about the impact a security breach could have on the bottom line. Getting management to buy into the idea of a PKI is crucial, so you will need to learn their thoughts early in the process.

Some services stand out as immediate candidates for PKI support: e-mail, secure file transfer, document management services, remote access, e-commerce and Web-based transaction services. Support for nonrepudiation, which ensures that transactions cannot be disowned, is also required and supplied through the use of digital signatures.

Then there are wireless networks and virtual private networks, in which encryption is pretty much essential as a guarantee of confidentiality.

For the corporate network and e-commerce, another PKI-enabled solution that should be of real benefit is single point sign-on.

(McKinley is president of Summit Communications, an IT consultancy based in Ottawa. He can be reached at barton@summit-com.com.)