Cryptography and the Public Key Infrastructure (PKI) – Security on the Internet

This post summarizes some of the research I did over the summer of 2017 with Schneider Electric on internet certificates, online cryptography and the Public Key Infrastructure (PKI). Our primary goal was to create our own certificate authority (CA) (to be explained in detail later on) and use it to allow secure transmission of data for a fingerprint recognition system to access a certain room. The CA would be run on any type of computer, we decided to run it on a micro controller (Raspberry Pi 3) and used a smartphone as a fingerprint sensor. Public Key Cryptography and online certificates were the key focus of this project:

What is Cryptography?

With the world extending towards artificial intelligence, IoT and the cloud, security has been a major matter. For our future world to truly become wireless and dependent on AI powered servers, cryptography will be a key point of interest. And with the spark of the internet world in the beginning of the 21st century, security on the web has been

The study of securing data over transmission between users using a process called Encryption to encode plaintext into a separate text hierarchy called ciphertext. The primary goals are for confidentiality and authentication i.e allow for very private conversations over any platform while keeping individual identities available for authentication. Cryptosystems use mathematical functions or programs/protocols to encrypt and decrypt messages. While using any sort of browser on the internet, you may have noticed that almost all the URL’s begin with “https” i.e “Hyper Text Transfer Protocol” and as the name implies it is a protocol used for transmission of hyper text between computers. The ‘s’ at the end of “http” stands for “secure” meaning that the web server uses the SSL (Secure Sockets Layer) protocol during communication with a web client, SSL is just another method that is used for encrypting and decrypting data and is the most popular one used for the internet.

Secure Sockets Layer uses asymmetric cryptography as its basis for communication as compared to symmetric cryptography.

Symmetric

This form of cryptography uses a common key to encrypt and decrypt a message. A key is just a program or protocol suited to the ciphertext and in this case can be used on both ends of the spectrum as shown:

The key will be used by the sender to turn the message into ciphertext and then be used by the receiver to decode the message to legible plaintext. This system is very simple and comprehensive yet it is not the widely used method for encrypting data in today’s world. The problem with this method is that the key (algorithm) must be shared among the receiver and the sender but in most digital cases it is tough to exchange a key on its own through the web which defeats the purpose of having data encrypted in the first place (since the key will have to be itself encrypted).

Luckily though our fellow cryptographers have thought of this with something called asymmetric encryption:

Asymmetric

This is a form of encryption where two completely different keys are used in the same format as in symmetric, that would be why it is referred to as “asymmetric”. The first key, the one that will be used by the sender to store the message in ciphertext, will be a public key that will shared out to any possible sender i.e it will be available to any person on the planet who plans to contact you. On the other side of the spectrum to decrypt the message for the receiver, a private key will be used by him/her that , as the name suggests, is completely secret and only known by that specific receiving person.

The idea is that only the public key can only work with a specific private key in decrypting a message and vice versa. Or in other words, a message encrypted with a public key can only be decrypted with its respective private key owned by the receiver. This concept provides another major advantage for asymmetric cryptography: Authentication. Along with allowing for two different keys in the process, cryptographers use this process backwards (i.e the sender encrypting the data with the receivers public key and also his own private key and then the receiver retrieving the data by using his private key (as usual) and the senders public key) to provide the two users certification that the receiver/sender is who they expected it to be.

 

Public Key Infrastructure and Digital Certificates

After understanding the basic concept of the two types of encryption, we can now look at how they apply to the internet and communication among websites. A digital certificate is a digital document that ensures authentication and allows the user to access certain websites/servers. This certificate contains a public key assigned to the issuing party and also the following information:

  • Computer IP address or identification data
  • Organization name
  • Issue date and expiration date
  • Certificate serial number

The Public Key Infrastructure is basically a hierarchical system of policies and rules that manage a system of certificate creation on the web. The system consists of Certificate Authorities, Registration Authorities and revoking servers that create, register and update digital certificates issued to users.

The Certificate Authority (CA) has the job to issues a certificate to an organization and authenticates the entities background. The Registration Authority registers the certificate into a database and the revoking servers (Certificate Database) revokes expired certificates on the CA. The CA is the most important part of the system that it acts as a separate party to the web browser (where the computer stores certificates the user has visited) and the end user itself. It issues SSL (Secure Sockets Layer) certificates that are based on the X.509 format (shown above).

So, as a third party user when you access a website on the net for the first time, your web browser will store a certificate copy of the website org. (the issued) and that document will have a copy of their public key and the signature of the CA issuee. Some popular CA’s include Open SSL, Go Daddy and Semantic (VeriSign).

 

Image Sources for Asymmetric cryptography:

Thanks to: http://www.giuseppeurso.eu/