Public Key Infrastructure - FAQ

by Admin on January 26, 2009

Q.1 What is a Public Key Infrastructure?

 

Ans: Public-key infrastructure (PKI) is the combination of software, encryption technologies, and services that enables enterprises to protect the security of their communications and business transactions on networks. PKI integrates digital certificates, public-key cryptography, and certificate authorities into a total, enterprise-wide network security architecture. A typical enterprise’s PKI encompasses the issuance of digital certificates to individual users and servers; end-user enrollment software; integration with certificate directories; tools for managing, renewing, and revoking certificates; and related services and support.

The DOD PKI is a portion of the security management infrastructure dedicated to the management of keys and certificates used by public key-based security services. PKI assures the trustworthiness of public key-based cryptographic security services. A common PKI infrastructure provides cost savings and operational benefits by avoiding service duplication and consolidating procurements. In addition, the need for interoperability requires commonality and standards coordination of implementations. PKI leads to better services at lower cost through the ability to process more sensitive data in shared networks, the automation of sensitive functions previously kept off-line, and the use of the Internet for business purposes.

Uses of PKI include:
·        Remote access to systems and resources through identification and authentication vs. password protection systems
·        Securing financial transactions
·        Secure messaging ensuring confidentiality and integrity of transmitted data
·        Enhanced client-server transaction security through PKI session keys
·        Software (code) signing, ensuring the authenticity and integrity of publicly transmitted software

Q.2 What PKI services can I expect?

Ans: Non-repudiation: Activities such as command and control, official release of procurement documents, and travel reimbursement approvals are accompanied by legal requirements for non-repudiation. The DOD PKI will satisfy these legal requirements for non-repudiation by deploying digital signature technology.

Identification and Authentication: Closely related to digital signatures is authentication. One way to authenticate identity, if a public key is available, is to obtain a signed challenge. If the signature is verified with a public key, it must have been signed by the holder of the corresponding private key (the other half of the public/private key pair). Authentication is useful for remote access to information on a server, protecting network management from masqueraders, or for gaining physical access to a restricted area, among other uses.

Confidentiality: Various types of transactions that occur over networks require confidentiality, including web-based access, file transfers, network management, Telnet, and payment transactions. Typically PKI facilities are used to support the establishment of a session key using a key exchange algorithm. The session key can be encrypted using recipients’ public keys to ensure that only valid recipients can decrypt the session key and, in turn, decrypt the transaction. Key exchange is the process of establishing a secure communications channel. Prior to communications, a symmetric key (often called a session key or message key) must be agreed upon by both parties. There are many variations, but in the simplest form, a symmetric key known as a session key (or message key for messaging applications) is generated and protected by the recipient’s public key. That way, only an intended recipient can obtain the session key and decrypt the data. Public keys can be obtained from directories or through an exchange between the communicating parties.

Integrity: Integrity is a component of digital signatures. In contrast to handwritten signatures, a digital signature proves that the data is unchanged (integrity) as well as the source (who signed the data). A digital signature is a message digest encrypted with the signer’s private key. A message digest is computed by a mathematical function and can be thought of as a fingerprint of the document. Anyone can compute a message digest of a document. It is much smaller than the message itself, but it is computationally infeasible to find an alternative message that would produce an identical digest. The signer’s private key is then used to encrypt the message digest of the signed document. A change to the document would result in a different digest and therefore a different signature. Therefore, knowing the digest has not changed is tantamount to knowing the message has not changed. The digital signature also verifies that the originator was indeed the sender of the message, because only the originator’s public key could be used to decrypt the signature into the correct message digest of the document.

Data and Key Recovery: Reasons for data recovery may include an employee forgetting a password to unlock an encrypted file, the death of an employee who has encrypted some information, or someone attempting to hide criminal activity from law enforcement officials. Key recovery is a particular form of data recovery. With key recovery, a protected copy of the key is generally made available. The protection may involve a split key, where two organizations must both cooperate to decrypt the message. In contrast, data recovery generally refers to any alternative that provides a copy of the data to the authorized official.

Privilege/Authorization: It is possible for certificates to vouch for a user’s identity and also specify privileges the user has been granted. Privileges might include authority to view classified information or permission to modify material on a Web server, among other privileges. In the near term, however, the DOD plans to provide only identity certificates via the PKI because identity would typically be long-lived while privileges would vary more frequently.
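
The signature, signed-challenge and session-key steps described in this answer, as an added example that is not part of the original FAQ or of any DOD PKI software. It assumes textbook RSA over a constructed toy key (two Mersenne primes) using only Python's standard library, and all function names are illustrative; production systems use padded RSA (PSS, OAEP) or other schemes from a vetted library.

```python
import hashlib
import secrets

# Constructed toy key pair: two Mersenne primes give a 1128-bit modulus.
# Illustrative only; real keys use random primes and padded RSA.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def digest(data: bytes) -> int:
    """SHA-256 message digest as an integer: the document's fingerprint."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, d: int = D, n: int = N) -> int:
    """Signature = message digest transformed with the signer's private key."""
    return pow(digest(data), d, n)


def verify(data: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Recover the digest with the public key; compare with a fresh digest."""
    return pow(signature, e, n) == digest(data)


def authenticate(respond) -> bool:
    """Verifier side of a signed challenge: fresh random nonce, then verify."""
    challenge = secrets.token_bytes(32)
    return verify(challenge, respond(challenge))


def wrap_session_key(session_key: bytes, e: int = E, n: int = N) -> int:
    """Protect a symmetric session key under the recipient's public key."""
    return pow(int.from_bytes(session_key, "big"), e, n)


def unwrap_session_key(wrapped: int, length: int, d: int = D, n: int = N) -> bytes:
    """Only the holder of the private key can recover the session key."""
    return pow(wrapped, d, n).to_bytes(length, "big")


if __name__ == "__main__":
    doc = b"Approve travel claim (constructed sample)"
    sig = sign(doc)
    print("intact document verifies: ", verify(doc, sig))
    print("altered document verifies:", verify(doc + b"!", sig))
    print("signed challenge accepted:", authenticate(sign))
    key = secrets.token_bytes(32)
    print("session key recovered:    ", unwrap_session_key(wrap_session_key(key), 32) == key)
```

Because the challenge is a fresh random value each time, a signature captured from an earlier exchange does not verify against a new challenge.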

Q.3 What is an X.509 certificate?

Ans: X.509 is the International Telecommunication Union - Telecommunication Standardization Sector (ITU-T) recommendation that defines a framework for the provision of authentication services under a central control paradigm represented by a “Directory”. The recommendation describes two levels: simple authentication, using a password as verification of claimed identity, and strong authentication, involving credentials formed by using cryptographic techniques, the “certificate”. The format of the certificate structure is defined along with the responsibilities of the Certification Authority with regard to establishing and maintaining trust.

Q.4 What is a CPS (Certificate practice statement)?

Ans: The CPS or the Certificate Practice Statement is the key document in the Public key
infrastructure. It is a statement issued by a Certifying Authority to specify the practices that the
Certifying Authority employs in issuing Digital Signature Certificates.

Q.5 What is meant by Certificate Policy?

Ans: A specialized form of administrative policy tuned to electronic transactions performed during
Digital Signature Certificate management. A Certificate Policy addresses all aspects associated with the
generation, production, distribution, accounting, compromise recovery and administration of digital
certificates. Indirectly, a certificate policy can also govern the transactions conducted using a
communications system protected by a certificate-based security system. By controlling critical
certificate extensions, such policies and associated enforcement technology can support provision of
the security services required by particular applications.

Q.6 What is the relationship between a Certificate Policy and a Certification Practice Statement?

Ans: The Certification Practice Statement is a comprehensive description of the practices a
Certification Authority must follow in implementing its Certificate Policies. More detailed than Certificate
Policies, the Certificate Practice Statement addresses such issues as procedures relating to life-cycle
management of digital certificates, and precisely how service offerings are to be implemented. While a
Certification Authority may adopt the Certificate Policies of another organization, it must develop its own
unique Certification Practice Statement. The review of an organization’s Certificate Policies and
Certification Practice Statement is a critical element of the cross-certification process.

ACRONYMS
·        AES Advanced Encryption Standard
·        ARL Authority Revocation List
·        CA Certification Authority
·        CP Certificate Policy
·        CPS Certification Practice Statement
·        CRL Certificate Revocation List
·        CSR Certificate Signing Request
·        DN Distinguished Name
·        DES Data Encryption Standard
·        e-mail Electronic Mail
·        FAQ Frequently Asked Questions
·        FTP File Transfer Protocol
·        HTTP Hypertext Transfer Protocol
·        IEEE Institute of Electrical and Electronics Engineers
·        IETF Internet Engineering Task Force
·        ISDN Integrated Services Digital Network
·        ITU International Telecommunication Union
·        LAN Local Area Network
·        PIN Personal Identification Number
·        PKI Public Key Infrastructure
·        PKIX Public Key Infrastructure X.509
·        RSA Rivest Shamir Adleman
·        SHA Secure Hash Algorithm
·        SSL Secure Sockets Layer
·        URL Uniform Resource Locator
·        WAN Wide Area Network
