Public Key Infrastructure: where do you start?
The technology is well understood, but it’s really only a small part of the solution
There is an old joke (you probably know it) about a man who stops to ask someone for directions. “Is that where you’re going?” comes the reply. “Well, now, if I were you, I wouldn’t be starting from here.”
Not very helpful. Actually, not even very funny. But it contains, if you think about it, a certain kind of ‘foolish wisdom’.
With any journey, if you want to arrive at the right place at the right time, you need a clear idea of where you are starting from, what your destination is, how you’re going to get there, and all of the pitfalls to avoid en route.
Depending on where you’re going, it might be easiest to simply jump on a plane or a train and let other people take care of all the details.
Let’s extend the metaphor. If you are on a journey towards digital transformation - a state in which your organisation can fully exploit the mass of data which comes from being more connected to the outside world - the rules that can be inferred from ‘I wouldn’t be starting from here’ also apply.
The chances are, you’ve already bumped up against the issue of implementing a public key infrastructure, or ‘PKI’ as it is generally shortened to. If you have, you’ll know that getting this right is crucial. PKI, for reasons we’ll get to, is definitely an area best left to the experts.
The ABC of PKI
There’s a ton of information about public key infrastructure and public key encryption on the web if you want to delve deeper, but for the purposes of this article, here’s a quick, ‘bare bones’ description:
Public key encryption makes use of pairs of ‘keys’ (essentially, very long numbers) which have a mathematical relationship with each other. There is a public key, which people and programmes can use to encrypt information that they want to send to you, and a private key, which only you have, for decrypting the information.
An analogy that’s frequently used is that the public key is like a locked mailbox or the letterbox on your front door. Its location can be freely disclosed, and anyone can use it to send you letters. Only you, however, have a private key which will open it.
That’s all very simplistic. If you read up on the subject you will quickly immerse yourself in a world of asymmetric cryptography, hashing algorithms, certification authorities, X.509, Certificate Practice Statements, and a great deal else besides.
The good news, however, is that although public key encryption isn’t quite as old as the joke we started with, there is nothing particularly mysterious about it.
New uses for an old technology
The use of public and private keys was described in 1973 by mathematician Clifford Cocks, who was working for British intelligence services, and it was promptly classified as top-secret.
It was also discovered by mathematicians Diffie and Hellman in 1976 and again by Ron Rivest, Adi Shamir and Leonard Adleman in 1978.
Today, you use it every time you check your email, and whenever you use online banking or do a little online shopping. It is used by web servers, smartphones, tablets, chip and PIN machines, smart meters, surveillance systems and anything which is part of the Internet of Things.
If you’re reading this online, cast your eyes to the top of the page. If the address starts with https:// you’re using it right now.
Implementing PKI – starting from wherever you are
PKI can enable any application which calls for powerful encryption backed by proof of the sender’s identity. But if your private key is compromised the result can be absolute havoc.
Imagine a situation where customers simply can’t tell that their online bank is not the real bank but a fraudster.
Imagine one of the top software companies being unable to detect or prevent malicious code being distributed to its users. Now imagine those users unthinkingly accepting those updates because their PCs tell them they come from a trusted source.
Imagine disaster.
The real challenge of implementing PKI lies not in the encryption technology, which accounts for around 20% of the solution, but in the supporting infrastructure.
The infrastructure is a complete and trusted set of the policies and procedures that govern the creation, management, distribution, issue, storage and revocation of digital certificates and public-key encryption. Its purpose is to confirm the identity of the parties involved in the communication and to validate the information being transferred. It’s what adds trust to digital transformation.
A weak implementation of PKI is not much better (and probably a good deal more dangerous) than no implementation at all. It is an area which really does require experienced and highly qualified experts.
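To make the split between encryption technology and supporting infrastructure concrete, the sketch below is an added example (not code from this article or any PKI product) in which a certification authority issues a certificate and a relying party validates it. It assumes a toy RSA built on small Mersenne primes and a hypothetical bank.example subject with constructed serial numbers; the point is that a stolen key still passes every cryptographic check, and only the revocation step rejects it.

```python
import hashlib

# Toy RSA over Mersenne primes: small enough to read, far too weak for real use.
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # (public key, private key)

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data):
    n, d = private
    return pow(_digest(data, n), d, n)

def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == _digest(data, n)

def tbs(cert):
    # The bytes the CA signs: serial, subject name and the subject's public key.
    return f"{cert['serial']}|{cert['subject']}|{cert['key'][0]}|{cert['key'][1]}".encode()

def issue(ca_private, serial, subject, subject_public):
    cert = {"serial": serial, "subject": subject, "key": subject_public}
    cert["sig"] = sign(ca_private, tbs(cert))
    return cert

def validate(cert, expected_subject, ca_public, revoked_serials):
    if not verify(ca_public, tbs(cert), cert["sig"]):
        return "rejected: not signed by the trusted CA"
    if cert["subject"] != expected_subject:
        return "rejected: issued to a different subject"
    if cert["serial"] in revoked_serials:
        return "rejected: certificate revoked"
    return "trusted"

# Constructed sample data (hypothetical names and serial numbers).
CA_PUB, CA_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
BANK_PUB, BANK_PRIV = make_keypair(2**31 - 1, 2**61 - 1)
ROGUE_PUB, ROGUE_PRIV = make_keypair(2**61 - 1, 2**89 - 1)

bank_cert = issue(CA_PRIV, 1001, "bank.example", BANK_PUB)
# A fraudster self-signs a certificate that claims the bank's name.
forged_cert = issue(ROGUE_PRIV, 1001, "bank.example", ROGUE_PUB)

if __name__ == "__main__":
    print(validate(bank_cert, "bank.example", CA_PUB, set()))
    print(validate(forged_cert, "bank.example", CA_PUB, set()))
    # Once the bank's key is reported stolen, only the revocation list rejects it.
    print(validate(bank_cert, "bank.example", CA_PUB, {1001}))
```

The signature check is the same in all three calls; what changes the outcome for the compromised key is the revocation list, which exists only if the issuing, reporting and publishing procedures around the CA are actually operated.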
So where do you go from here?
PKI is answering a surge in demand for the secure transmission of all kinds of data. It answers the all-important questions raised by networks and remotely connected devices such as: ‘are the devices genuine?’ ‘Is the data being received from the devices genuine?’ ‘Are the web services legitimate?’ ‘Can I trust this web site or web service?’ ‘Will my data be received only by the intended recipient?’ ‘Is this software genuine?’
And it can do all of this at high speed and on a very large scale.
But before you take the next step and team up with a PKI provider, there are some important questions to ask.
- Take a look at the client list. Does the provider have experience of projects of a similar scale and in your industry?
- Does the provider have the resources and skills to support you now and in the future?
- Does its staff have security clearance and, if so, to what level?
- What about the security of its facilities? Are they operating from a List X facility (approved to hold UK government protectively marked information marked as 'Secret' and above)? Has this been externally audited by the appropriate authorities?
- Does the company use CESG assured products?
- What measures are in place to guarantee continuity of service?
Can you start from here? With the right support, yes. But wherever you are on your journey towards digital transformation and wherever you’re starting from, it cannot be emphasised enough: implementing a strong public key infrastructure that you can bet your business on is something that’s best left to the experts.