PKI: Public Key Infrastructure – The Bane of Many Systems Administrators

There are two kinds of system administrators in this world – those who love PKI and those that hate it. Why does one technical subject have more than its fair share of lovers and haters? Maybe it has to do with how incredibly left-brained based PKI is in the realm of math and logic. I don’t know about you but although I can dance circles around computer technical subjects, I could not stomach the math requirements of a computer science degree and elected for the liberal arts instead.

In reality, PKI is no more rocket science than any other computer skill you have mastered - it just takes a little bit of understanding before it eventually starts to grow on you.

Math It Is Then

Well, let’s start out with pure basics here. PKI is based on Public-Private key pairs - meaning there are two keys, the Public Key that can be shared with the world, and the Private Key that should be shared with no one.

The Private Key is itself a pair of randomly selected prime numbers. If you don’t remember your high school math, a prime number is a number that can only be divided by the number one and itself - for example the number 3 and the number 5. The Public key is the product of these two secret prime numbers. So if the Private Key’s prime numbers were 3 and 5, the Public key would be 15 (3 X 5). See what I meant about the Math?

Now keep in mind that each of the Private Key’s prime numbers is very long so that if anyone tried to factor from the Public Key which two prime numbers were multiplied to come up with that Public Key, it becomes an impossible task because of the infinite number of possible primes to choose from. In fact, your great-great-great-great- great-great-great-great grandchildren would be long dead before the two prime numbers could even be close to be found with a brute force effort using today’s computing power. Maybe the computers of that future generation will be able to handle the task much easier and then PKI as a security algorithm will have to be rethought but for now it is secure enough that the planet’s entire E-commerce depends on it.

How does PKI Perform Its Magic?

A Public-Private Key pair is just like a congenial married couple that cooperatively work on household tasks like cleaning the house where he agrees to scrub toilets while she agrees to wash the dishes or yard work where she mows while he bags leaves. What one partner does, the other partner cooperatively complements. PKI works the same way with the cooperative tasks broken down into just two basic operations: Data Encryption and Data Signing.

Data Encryption

PKI handles data encryption cooperatively by using a Public Key to encrypt data and the corresponding Private Key used to decrypt that same data. Encryption is necessary when you only want an intended recipient to be able to read the data, protecting it from other parties who are snooping around. In other words, Data Encryption ensures Data Confidentiality.

Data Signing

The same holds true for signing, except in this operation the signature is created with a Private Key and the corresponding Public Key is used to verify that the signature is valid. Signing data offers two benefits; if the recipient can validate the signature, they are assured that the data has not been modified since the signature was made (data integrity) and at the same time they are also able to verify who sent the data (data origination).

So let me illustrate for you how these two basic PKI operations of encrypting and signing can be used for securing email messages, although the same holds true for any data. First I would need a Public-Private Key pair in the form of a digital ID from any number of Public Certification Authorities (CAs). If you are on the cheap and don’t want to purchase one, you can request a free Digital ID from Comodo at http://www.comodo.com/.

To enable Outlook 2010 to secure email, you navigate to File | Options | Trust Center | Trust Center Settings | Email Security and are presented with this dialog:

Trust Center

If you already have a Digital ID, you could import it in or you could request one online by choosing the ‘Get Digital ID’ option. Notice that you can select the options to automatically have Outlook ‘encrypt contents and attachments for outgoing messages‘, and ‘add digital signature to outgoing messages’.

For example, here are two trial certificates (digital IDs) and have chosen the Comodo one in Outlook 2010 for encrypting/signing email messages. Note that in ‘Change Security Settings’ dialog there is an option to automatically ‘Send these Certificates with Signed Messages’. Why? If I sign my email with the Private Key, then the recipient needs my Public Key to verify the signature. My Public Key is embedded in the certificate and by attaching the certificate to the email, the recipient can readily use my Public Key to verify the digital signature.

Choose Certification

Change Security Settings

Now that my Digital ID is installed, I can now sign email. However, I can’t yet encrypt email because the originator’s Public Key is not used for encryption but instead the recipient’s Public Key. So if I wanted to send an encrypted email to my brother, I would first need to get a copy of his digital ID (certificate) and use his embedded Public Key to encrypt the message, confident that he would be the only one to decrypt the message as he is the only one who has access to the corresponding Private Key. If you can remember this simple rule: Sign with MY Private, Encrypt with YOUR Public, you will never forget which and whose key is used for an encryption/signing operation.

Also keep in mind that digitally signing an email has nothing to do with the normal ‘signature’ that Outlook can insert at the end of an email message with your contact information.

After sending myself an email from my Exchange account to another Exchange account with the auto-digital-signature option I mentioned earlier enabled, I can see on the right side of the received email header a ‘ribbon prize’ icon that indicates the message has been secured. When I click on this icon, the following dialog box shows up indicating that the signature is valid and trusted. This tells me two things, the person whose Digital ID was used to sign is indeed the person who sent it and that person’s email message body has not been altered – thereby providing Data Origination and Data Integrity.

Signed Message


Here’s another test email, except this one is meant to be encrypted so only Sue can read it.


Encrypt Email to Sue


When I try to send the email, I get this warning message:


Cant Encrypt

Why did I get this error? Remember the rule of thumb, Sign with MY Private Key, Encrypt with YOUR Public Key. Will in this example the ‘YOUR Public Key’ means Sue’s Public Key, so I would first have to ask Sue to send me her Digital ID which contains her embedded Public Key, so I can use it to encrypt the email I am trying to send to her.

Summary

PKI is not rocket science but it is math although you don’t need to take pre-calculus to understand it. The PKI operations boil down to two basic operations – encrypting data to ensure only the intended recipient can decrypt it and signing data so that the intended recipient can verify who the data came from and that the data has not been modified since the signature was made.

The cool thing about PKI is that once you understand these basics tenets of encryption and signing, the same rules hold true whether the data you are protecting is email, a file on a disk, or packets going across the network.

In Part 2 of this article I will explain what the role of the Certification Authority is in the PKI process and how your computer knows when a Digital Certificate is valid or not.

Discuss this Blog Entry 3

on Oct 17, 2012
Article is not really geared towards system administrators ....more geared towards savvy end-users.
on Oct 11, 2012
PKI is absolutely the bane of IT admins. Its also the bane of end users, IT operations, and of course anyone now trying to secure emails on a smartphone. The really big problem is as the article accurately portrays - PKI requires end users to manage keys, and IT operations to manage a complex and growing infrastructure to issue and manage certificate lifecycles. When issues like e-discovery, revocation, archiving and expiry come into play, the complexity goes up exponentially, and user happiness goes down correspondingly. Net net people just dont use it. However, given PKI's origins in the late 80's and early 90's its not a surprise. Todays dynamic, agile fully connected ecosystem demands something different. 90s PKI has been superseded by new innovations in public key technology Identity Based Encryption. IBE (IETF 5091, IEEE 1363.3). IBE allows public keys to be securely generated on the fly from existing identity data e.g. an email address. This eliminates pre-issuance of key pairs, and end user key management. Private keys are generated on the fly after strong authentication. IBE permits public key crypto for securing email, file or transactions without the pain and complexity of X509 certs and PKI. Also, with IBE based email encryption, recipients also dont need special software to read/reply so no need for the other end to have key/certs/software. Ideal for ad-hoc secure communications - including to smartphones. With its origins from the "S in RSA, Adi Shamir, and perfected by the worlds top crypto experts at Stanford 11 years ago, there are now millions of users world-wide. Many of the biggest we tried PKI organizations have standardized on IBE - Wells Fargo, JPMorganChase, Microsoft, Governments, healthcare providers - the list of Fortune 1000s goes on. Even individuals can use it from the cloud for less than the cost of a tank of gas - and try it for free - http://www.voltage.com/ Mark Bower VP Products Voltage Security
on Nov 29, 2012
This is a great reference as I recast our PKI and work orientation with new tech staff. It's difficult to balance layers of critical detail with clarity, but you pull that off nicely. We look forward to the series.

Please or Register to post comments.

What's The IT Pro's Guide to Microsoft Technology Blog?

Master complex Microsoft technolgies with help from James Carrion.

Blog Archive

Sponsored Introduction Continue on to (or wait seconds) ×