Imagine a digital ecosystem powered by keys and certificates - that's essentially what Public Key Infrastructure (PKI) is! It's a vibrant mix of hardware, software, policies, and procedures that generate and handle digital certificates and public-keys. Just think of it as the backbone for digital signatures and encryption.
Remember our previous insights about digital security in the article titled "Demystifying Digital Certificates for Enhanced Trust and Security"? We discussed the central role of Public Key Infrastructure (PKI) and unveiled its integral component - the Certificate Authority (CA). Further into our exploration, we distinguished another vital component - the Validation Authority (VA) - in another informative piece, "Certificate Verification: Exploring OCSP, CRL, and Revocation".
This article will cover the key components of PKI and provide useful tips for setting up your system. It is suitable for both organizational and public use.
We won’t be discussing when to join a PKI, as most public website owners or S/MIME users are already members. Plenty of information on this topic is available online. Now, let's explore when and why to build your own PKI system!
When to Build Your Own PKI Infrastructure?
Building a Public Key Infrastructure (PKI) becomes essential when your organization heavily depends on digital certificates for secure communication and service authentication.
With a PKI, you gain complete control over certificate issuance, revocation, and management, providing a robust framework for deploying cryptography data security technologies.
These technologies include but are not limited to:
Digital certificates and signatures
Supporting secure socket layer (SSL) and transport layer security (TLS) for internet traffic protection
Application code signing and time-stamping
Furthermore, PKIs underpin online authentication machinery, are integral to a multitude of applications such as:
Desktop login
Citizen identification
Device credentialing in the Internet of Things (IoT) sector, which imparts identities to a range of internet-linked devices from smartphones to medical equipment
Server and client authentication
It’s important to note that building and maintaining a PKI system requires expertise in areas such as cryptography, certificate management, and security practices. It's crucial to implement proper security measures, including secure storage of private keys and regular audits, to safeguard the integrity and confidentiality of the PKI infrastructure.
Chain of Trust
Your organization needs a root Certificate Authority (RCA). Each root CA certificate is generated using the most stringent processes (using air-gapped servers, a secure room or facility with physical and data security mechanisms in place, etc.) and must adhere to certain compliance standards. The root CA issues intermediate CAs (ICA). Once established, all the organization's servers, services, databases, firewalls, and other technical components must trust the root certificates and inherently trust the intermediate CAs and the leaf certificates, this is called chain of trust.
A common analogy for the chain of trust is to consider a tree:
The tree’s roots represent a CA’s root certificates.
Its trunk and limbs represent an intermediate certificate authority (ICA).
Its leaves represent end-user and device certificates (hence why they’re sometimes called “leaf” certificates).
Root CA certificates’ private keys are used to digitally sign intermediate CA certificates. Likewise, ICA certificates’ private keys digitally sign end user/leaf certificates
Here’s a look at the chain of trust associated with Noratech.blog SSL certificate.
It is evident that the certificate for noratech.blog is a leaf certificate issued by "Sectigo RSA Domain Validation Secure Server CA," which, in turn, is issued by "USERTrust RSA Certification Authority" As browsers inherently trust "USERTrust RSA Certification Authority" all intermediate certification authorities (ICAs) it issues are also trusted. Therefore, when the browser encounters the noratech.blog certificate issued by one of these ICAs, it can be confident that noratech.blog is indeed the entity it claims to be.
The hierarchy of certificates proves where a certificate came from and how it links back to a trusted CA.
Root CA certificates demand significant time and resources to meet compliance and be incorporated into operating systems, browsers, and other platforms. Additionally, these certificates have longer lifespans compared to other digital certificates, as evident from the extensive expiration dates displayed in the screenshot below.
PKI Logical components
PKI (Public Key Infrastructure) includes various components like Certificate Authority (CA), Registration Authority (RA), Certificate Store, and Validation Authority (VA) to ensure secure communication and carry out cryptographic operations.
The Certificate Authority issues and manages digital certificates, verifies applicants' identities, signs certificates, and keeps a record of issued certificates.
The Registration Authority verifies certificate requests and makes sure the requester's identity matches the certificate info.
The Certificate Store is a secure place that saves and manages certificates. It acts as a hub for accessing certificates for validation, authentication, and other cryptographic tasks.
The Validation Authority (VA) is vital in the PKI ecosystem. It confirms the legitimacy of digital certificates. The VA verifies if a certificate is valid, hasn't been revoked, and comes from a trusted CA. This process helps parties trust the certificates they receive.
The following logical components collaborate to form the PKI system. The accompanying images depict the process of certificate enrollment, followed by certificate validation, and the seamless integration between various PKI components.
Cryptographic Security
PKIs leverage both asymmetric and symmetric cryptography to facilitate secure data exchanges, ensuring authenticity, confidentiality, and transaction integrity. Asymmetric cryptography provides users, devices, or services with a public and private key pair. The public key is accessible to the group for encryption or verifying digital signatures, while the private key remains confidential and is used exclusively by its owner for tasks like decryption and creating digital signatures. To delve deeper into this topic, I highly recommend reading our article titled "Essential Cryptography Concepts: A Practical Guide to Encryption, Decryption, Signing, and Verifying"
To maintain utmost security for the private keys of Certificate Authorities (CAs) and Validation Authorities (VAs), HSMs are employed. HSMs serve as key management and encryption devices that are tamper-resistant, securely store keys, restrict unauthorized access, and enable encryption, decryption, signing, and verification operations. For more comprehensive information, please refer to our article on this subject.
Trusted and Audited PKI Structure and Requirements
If you aim to establish a publicly trusted PKI or at least gain trust at a national level, it's important to understand that a PKI project encompasses more than just the PKI application, database, and hardware security modules (HSMs). There are numerous documents and policies that need to be addressed, and specific requirements for the data center where the PKI servers are hosted. To gain a deeper understanding of these requirements, I recommend visiting the WebTrust website.
If you intend to operate a Public SSL CA, Document Signing CA, Timestamping CA, or E-Passport CA, it's crucial to recognize that each type of CA has different auditors and distinct requirements. For example, if you wish to establish a Public SSL CA, you would need to earn the trust of most web browsers. This entails undergoing a WebTrust audit followed by individual audits conducted by each browser vendor. Similarly, if you plan to operate a document signing CA for PDF documents, you would need to undergo a WebTrust audit as well as an Adobe audit.
Ensuring compliance with these audited requirements is vital for establishing trust and credibility in your PKI. By adhering to the necessary guidelines and obtaining the appropriate audits, you can instill confidence in your PKI services and gain the trust of users and organizations relying on your certificates.
Now, let's outline the PKI Infrastructure zones and security areas that we strongly recommend every PKI team to implement:
Offline Root CA Area: Customer’s Roots will be allocated in dedicated infrastructure ,to be placed by the customer in an “Air gapped” offline room requiring dual access controls.
Online Private PKI Area: This zone has restricted connectivity and will contain all the sensitive services that require special protection, as the ICAs, Data Bases, and special appliances like the Network HSM used for Issuing CAs. The only allowed interaction to/from this network will be with the online public PKI area.
Online Public PKI Area: This zone contains the services that can be accessed externally outside the PKI network, including the RA, OCSP Server, CRL distribution point and other public services that require external connectivity.
Offline Root CA Area
The Root CAs must be allocated in an “air-gapped” room, with no internet connection:
No external network connections, all intervention must be done in person
5-level access control
Requires two persons to open the door (badge + biometry)
A single Server would host all Root Cas
A dedicated HSM is used only for the Roots. Requires “n of m“ access
On-Line PKI
The on-line Issuing CAs and supporting elements (Application, DB servers, OCSP, etc) should be hosted by the customer in two datacenters (Main and DR):
On-Line CA facilities compliant with Webtrust requirements
Dual CA setup (active – passive)
At least one HSM per site
Externally accessible systems are located in a DMZ
In summary, Public Key Infrastructure (PKI) is a system that manages digital certificates and encryption for secure communication and authentication. It consists of components like Certificate Authorities (CAs) and Validation Authorities (VAs) that issue and verify certificates. Building a PKI system provides control over security measures and enables the use of technologies like digital certificates and SSL/TLS for protection. It requires expertise in cryptography and security practices, with measures like secure key storage and regular audits. PKI ensures trust in certificates and plays a crucial role in data security.
I hope you enjoyed this article and found it informative ♡
Comments