IT@TT - Online

Secure In An Insecure World

Did you know that anyone could read your e-mail while these were in transit through the Web? Yes, the Web is not a very secure medium for sending confidential messages. And you need to be more careful when using the Web for business transactions. A hacker can track your communications. Or take over a session and masquerade as one of you. This may lead to exposure of confidential and sensitive information like credit card numbers. Or he could alter the data being transmitted. It is becoming necessary for two communicating parties to authenticate themselves to one other. And the data being communicated also to be shielded from others.

A technology called Public Key Infrastructure (PKI) resolves this problem. It is credited to Martin Hellman, a computer science professor from Stanford University. The PKI works through cryptography. This is the science used for encrypting and decrypting data. Encryption makes data unintelligible. Decryption reverses the process.

Symmetric-key encryption and public-key encryption are the two kinds of cryptography commonly used. A key is a string of bits that encrypts and/or decrypts data. In symmetric-key encryption only one key is used to encrypt and decrypt a message. You need to send this key along with the message. But the problem remains: how to send this key securely? Public-key encryption uses a pair of keys instead: a public key that is accessible to everyone and a private key that is possessed by a single party.

If I need to send you a private message, I will use your public key to encrypt the message. In turn, you will use your private key to decrypt the message. Since only the intended recipient holds the related private key, no other person can decrypt the message. This key pair is also used for authentication.

In effect PKI it a two-part digital signature. The private key is used to encrypt information. This encryption can be reversed by anyone holding the matching public key. PKI also helps authenticate (verify) if you are whom you claim to be. And are frequently used when sending e-mail.

Commonly used algorithms for public-key encryption are Rivest-Shamir-Adleman (RSA), Digital Signature Algorithm (DSA) and Diffie-Hellman. One-way hash algorithms can also be used in conjunction with public-key technology to create a digital signature. The most common hash functions are MD5 and SHA-1.

The sender creates a hash value by applying a hash algorithm to the data to be sent. This is a non-reversible fixed length number. The length of this hash value is long enough to match that of any other data. The sender encrypts it, and sends it with the message itself. The recipient then decrypts both the message and the hash. He produces another hash from the received message and compares the two hashes. If they are the same the message is unaltered in transit.

Certificates are used for sending information through the Internet, intranets and extranets. They are issued and digitally signed by a certification authority (CA). One of the most common is VeriSign. The owner of the certificate is referred to as the subject. A certificate binds a public key to the subject (person, device or service) that holds the corresponding private key. In addition, a certificate contains the name of the subject, a serial number and the name of the CA. Certificates can be used for Web user authentication, Web server authentication, secure e-mail using Secure/Multipurpose Internet Mail Extensions (S/MIME), IP Security, Secure Sockets Layer/Transaction Layer Security (SSL/TLS), and code signing.

Let's see how PKI performs its functions. PKI is a system of policies, standards and software that regulates certificates. As well as public and private keys. Basically, it comprises of a CA, a Registration Authority (RA) and a certificate repository. The CA and RA are often merged together and referred as CA. This receives a request for a certificate from an individual or computer. It verifies the requester's information according to its policy. And applies its digital signature to the requested certificate using a private key before issuing it to the subject. This private key is used to verify the CA's identity. A CA can be a remote third party, such as VeriSign. Alternatively, it can be the one created by an organisation, for example, by installing Windows 2000 Certificate Services.

A security manager can cancel a certificate already issued using an administrative console. The cancelled certificate is put on a Certificate Revocation List (CRL). The CA when requested, gives a CRL and/or a specific entity's certificate. The CA also determines the validity of a certificate and the operations it supports. Additionally, a PKI may service end-user applications with data encryption and digital-signature.

The PKIX group (PKI for X.509 certificates) of the Internet Engineering Task Force (IETF) is the main group creating standards for PKI interoperability. PKIX standards allow interoperability of multiple PKIs. They also support interfacing of multiple applications with a single PKI. The standards like Secure Sockets Layer (SSL) and Internet Protocol Security Protocol (IPSEC) also assume PKI. IPSEC standard defines protocols for IP encryption. It is largely employed in Virtual Private Networks.

A PKI used within the SSL protocol, assures secure data transmission. Theoretically, SSL can provide client authentication. But it often fails in the real world. This is because any private key on an individual's computer can be stolen in the absence of physical security. Also large numbers of clients pose a scalability problem during key registration. No company in the PKI business manages this task on a large scale. Therefore, today PKI is mainly used to validate non-client computers like Web servers, messaging servers, routers and VPN gateways.

As e-business flourishes, organisations must ensure secure high-value transactions. Browsers, Web servers and commerce servers can employ PKI for authentication in such applications. Digital signatures also help in avoiding viruses when downloading content from the Internet. Thus, for providing authentication, confidentiality and data integrity, PKI is probably the best solution.

Aman Sihint
[email protected]

Top

Other Articles