Using a Public Key Infrastructure:
An Overview
William A. Weems
Copyright © 1998, The University of Texas
What is a Public Key Infrastructure (PKI)?
To learn and work comfortably and effectively in cyberspace, people
must easily and definitively know
- with whom or what they are communicating;
- if messages being exchanged remain unaltered;
- that confidential information is accessible only to intended confidants;
- that users can effortlessly access hundreds of restricted resources to
which they have legitimate rights; and
- that users can easily control access to digital materials for which they
are responsible.
To enable these functions, one must have a digital ID that authoritatively
identifies an associated person or other entity whenever the digital ID
is "presented" within cyberspace. The digital ID in turn must be acceptable
to multiple components of a trust infrastructure that is embedded in e-mail
clients, Web browsers, and other applications distributed across the Internet
and within intranets.
Traditionally, outside of cyberspace, personal IDs have been things
like passports and driver's licenses issued by certifying authorities such
as the United States Government or a state within the United States. The
infrastructure existing within the certifying country or state allows these
identifiers to be used to recognize people and to manage access. When a
person appears without such identifiers or with an identifier from an "untrusted"
authority, he or she is prohibited by the infrastructure from freely participating
within the society or organization.
The trust infrastructure that has emerged within cyberspace consists
of
- private/public key sets
- certified by trusted authorities to represent specific persons or other
entities and
- functioning within a widely accepted, public key infrastructure (PKI).
It is the certified public key of a key set that constitutes a digital
ID, which in turn identifies a person or an entity such as a computer.
The public key infrastructure issues and revokes digital IDs, and applications
distributed throughout the infrastructure understand and use the digital IDs
to perform critical tasks. Such tasks include digitally signing electronic
documents, validating signatures, granting access to restricted information
resources and managing access rights to secured resources.
Obtaining a Digital ID (Certified Public Key)
An individual can obtain a digital ID in several different ways. The
most common method is to use one's personal computer as follows:
- Use a Web browser to access the desired certificate authority (CA) - e.g.
a U. Texas CA.
- Complete a Web form requesting certification of your public key by the
authority.
- Electronically submitting the form simultaneously
  - generates your private/public key set;
  - stores the key set as strongly encrypted files on your personal computer; and
  - sends only the public key to the certificate authority for certification
  (the private key never leaves your computer).
- Physically go to a Local Registration Authority (LRA) for identity verification.
- Upon identity verification, you receive an e-mail message with a URL for
downloading your certified public key into your personal computer.
Storage and Transfer of Digital IDs
Your digital IDs are stored on your personal computer in your "Personal
Security Environment (PSE)" - sometimes called your "Security Wallet".
Both Netscape Communicator and Microsoft Internet Explorer have export
and import capabilities allowing you to export your certified key set
onto a floppy disk or other storage device. This allows you to
- back up your key set;
- transfer or copy your key set to additional computers; and/or
- install your key set on a smart card for easily using your digital ID on
multiple computers.
Note that an exported key set contains your private key. Anyone who obtains
the export file together with its passphrase can sign and decrypt as you, so
protect the disk as carefully as the ID itself.
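The enrollment and export steps above, carried out with the OpenSSL command-line tool, as an added example that is not part of the original page and not the U. Texas CA's own procedure. The CA is a test CA created in the same script (the real CA and LRA steps are only simulated), and "Example University", "Jane Doe", the e-mail address and the passphrase are made-up values.

```bash
#!/bin/sh
# Added example (not from the original page): enrollment of a user's public key
# with a test CA, verification of the issued digital ID, and export of the key
# set as a passphrase-protected PKCS#12 file. "Example University", "Jane Doe",
# her e-mail address and the passphrase are assumed, made-up values.
set -eu

# CA side (stand-in for the university CA): a self-signed CA certificate.
setup_ca() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/O=Example University/CN=Example Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# User side: the key pair is generated locally; only the public key, wrapped in
# a certificate signing request (the "Web form" of the text), goes to the CA.
make_request() {
  dir=$1
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/O=Example University/CN=Jane Doe/emailAddress=jdoe@example.edu" \
    -keyout "$dir/user.key" -out "$dir/user.csr" 2>/dev/null
}

# CA side, after the LRA has checked the person's identity: certify the key.
issue_certificate() {
  dir=$1
  openssl x509 -req -days 365 -in "$dir/user.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/user.crt" 2>/dev/null
}

# What a relying application does with the downloaded certificate: check that
# it chains to the trusted CA. Exit status 0 means the ID verified.
verify_id() {
  dir=$1
  openssl verify -CAfile "$dir/ca.crt" "$dir/user.crt" >/dev/null 2>&1
}

# What the user should check: the certified public key belongs to the private
# key that never left this machine. Exit status 0 on match.
key_matches_cert() {
  dir=$1
  openssl pkey -in "$dir/user.key" -pubout 2>/dev/null > "$dir/key.pub"
  openssl x509 -in "$dir/user.crt" -pubkey -noout > "$dir/cert.pub"
  cmp -s "$dir/key.pub" "$dir/cert.pub"
}

# Export for backup, another computer or a smart card: private key, certificate
# and CA certificate in one passphrase-protected PKCS#12 file.
export_id() {
  dir=$1; passphrase=$2
  openssl pkcs12 -export -in "$dir/user.crt" -inkey "$dir/user.key" \
    -certfile "$dir/ca.crt" -passout "pass:$passphrase" -out "$dir/user.p12"
}

# Import check: read the subject name back out of the exported file. Fails
# (non-zero exit) when the passphrase is wrong.
subject_from_export() {
  dir=$1; passphrase=$2
  openssl pkcs12 -in "$dir/user.p12" -passin "pass:$passphrase" -nokeys -clcerts \
    2>/dev/null | openssl x509 -noout -subject
}

# Stand-alone run in a scratch directory.
work=$(mktemp -d)
setup_ca "$work"; make_request "$work"; issue_certificate "$work"
verify_id "$work" && key_matches_cert "$work" && echo "digital ID verified"
export_id "$work" "correct horse battery staple"
subject_from_export "$work" "correct horse battery staple"
```

The two checks after issuance are the ones worth keeping: `verify_id` is what every relying application repeats on each use of the ID, and `key_matches_cert` catches a CA that certified the wrong key.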
Using Digital IDs
Digital Signatures
Digital IDs can be used to "digitally sign" e-mail messages that may
or may not contain attachments. A digital signature provides the following:
- Authenticates the identity of the entity signing a message.
- Permits message recipients to determine if a message has been altered -
i.e. assures message integrity.
- Provides the message recipient with a certified copy of the sender's public
key, which the recipient can use to send confidential, i.e. encrypted,
messages to the sender.
- Certification of the public key by a trusted authority binds the key to the
sender's identity, so that the sender cannot credibly deny having made the
signature - i.e. nonrepudiation - as long as the private key remained under
the sender's sole control.
- Since VeriSign is a Certificate Authority approved by the State of Texas,
digital signatures certified by VeriSign are legal signatures and are acceptable
for transacting State business.
Appropriately constructed Web forms can also be digitally signed. The digital
signature submitted with the form
- authenticates the sender,
- guarantees integrity of the data submitted via the form, and
- prevents denial of a certified signature - i.e. nonrepudiation.
When a form is hosted by a Secure Sockets Layer (SSL) server, the entire
exchange between user and server is encrypted in transit. The signature
travels with the form data itself, so it can still be verified after the
data has been stored.
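The signature properties listed above (sender authentication, integrity, and the recipient obtaining the sender's certified public key for an encrypted reply), exercised with OpenSSL's S/MIME commands as an added example that is not part of the original page. "Jane Doe", her address, the self-signed test certificate standing in for a CA-issued one, and the message texts are all constructed for this example.

```bash
#!/bin/sh
# Added example (not from the original page): sign an e-mail with a digital ID,
# verify it, detect tampering, recover the signer's certificate from the signed
# message and use it to encrypt a confidential reply. "Jane Doe", her address,
# the self-signed test certificate (standing in for a CA-issued one) and the
# message texts are all constructed for this example.
set -eu

# Test digital ID; the recipient's trusted-certificate file is seeded with it.
make_test_id() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Jane Doe/emailAddress=jdoe@example.edu" \
    -keyout "$dir/jane.key" -out "$dir/jane.crt" 2>/dev/null
  cp "$dir/jane.crt" "$dir/trusted.pem"
}

# Sender: clear-signed S/MIME message. The signer's certificate is embedded,
# which is how the recipient obtains a certified copy of the sender's public key.
sign_message() {
  dir=$1
  printf 'I agree to the terms of the attached agreement.\n' > "$dir/message.txt"
  openssl smime -sign -in "$dir/message.txt" -signer "$dir/jane.crt" \
    -inkey "$dir/jane.key" -out "$dir/message.signed"
}

# Recipient: exit status 0 only if the content is intact and the signer chains
# to a certificate in trusted.pem.
verify_message() {
  dir=$1; signed=$2
  openssl smime -verify -in "$signed" -CAfile "$dir/trusted.pem" \
    -out /dev/null >/dev/null 2>&1
}

# Someone in transit changes one word; the signature block is left untouched.
tamper_message() {
  dir=$1
  sed 's/I agree/I do not agree/' "$dir/message.signed" > "$dir/message.tampered"
}

# Recipient: save the signer's certificate from a message that verified.
recover_signer_cert() {
  dir=$1
  openssl smime -verify -in "$dir/message.signed" -CAfile "$dir/trusted.pem" \
    -signer "$dir/recovered.crt" -out /dev/null >/dev/null 2>&1
}

# Recipient: encrypt a reply to the recovered certificate (AES-256); only the
# holder of the matching private key can read it.
encrypt_reply() {
  dir=$1
  printf 'Reply: confirmed.\n' > "$dir/reply.txt"
  openssl smime -encrypt -aes256 -binary -in "$dir/reply.txt" \
    -out "$dir/reply.enc" "$dir/recovered.crt"
}

# Sender: decrypt with the private key held in the PSE; prints the reply text.
decrypt_reply() {
  dir=$1
  openssl smime -decrypt -in "$dir/reply.enc" -inkey "$dir/jane.key" \
    -recip "$dir/jane.crt" 2>/dev/null | tr -d '\r'
}

# Stand-alone run.
work=$(mktemp -d)
make_test_id "$work"; sign_message "$work"
verify_message "$work" "$work/message.signed" && echo "original: signature valid"
tamper_message "$work"
verify_message "$work" "$work/message.tampered" || echo "tampered: signature invalid"
recover_signer_cert "$work"; encrypt_reply "$work"
decrypt_reply "$work"
```

The tampered copy still carries Jane's real certificate and an untouched signature block; it fails only because the signed digest no longer matches the text, which is exactly the integrity check the list above describes. With a CA-issued ID, `trusted.pem` would hold the CA certificate rather than Jane's own.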
Access Management
Digital IDs used within a public key infrastructure
- provide extremely strong user authentication,
- facilitate access to restricted information resources for authorized users
and
- significantly reduce the difficulty of managing access to such resources.
A major problem currently restricting the use of the Internet in commerce
and academic activities is the difficulty associated with accessing and
managing access to restricted information resources. The most common access
control mechanism in use today is the username/password challenge. There
are multiple problems with this approach. They include the following:
- The necessity to create a username for virtually every resource.
- The need to create temporary passwords for every username.
- Systems personnel knowing temporary passwords and being able to change
passwords.
- Requiring users to know numerous usernames and passwords.
- Requiring passwords to be sent over the network.
- No efficient way for users to manage access to their own resources.
When access management is implemented within a public key infrastructure,
a user attempting to access a restricted resource presents the user's digital
ID to the authentication process. Presenting the ID means more than sending
the certificate, which is public: the authentication process must check that
the certificate is signed by a trusted authority and that the user can prove
possession of the matching private key, as SSL client authentication does.
The digital ID explicitly identifies the user, and information contained
within the certificate is used to begin the process of determining if the
identified user is authorized to access the requested resource. This
effectively implements a single authentication solution for accessing
restricted information resources distributed throughout the Internet and
operated by multiple organizations.
Managers needing to grant access to restricted resources no longer have
to
- create multiple specialized usernames for each user for multiple resources,
- inform users of numerous usernames, or
- assist users in creating secure, multiple passwords for different username/password
challenges.
Access is granted simply by adding the identity of a user known to possess
a digital ID to an access control list or database for a given resource.
Access is revoked either by removing the user identity from the access
list or by revocation of the user's public key certificate by the certificate
authority. Revocation by the authority takes effect only where the resource's
authentication process actually consults the authority's revocation list, so
that check must be part of authenticating a presented ID.
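The access management model above (authenticate the presented certificate, look the identity up in a resource's access list, revoke either by removing the entry or by having the CA revoke the certificate), worked through with OpenSSL as an added example that is not part of the original page. The CA, the users "jane" and "bob", the impostor's self-signed certificate and the resource name "encyclopedia" are made-up values; the CA's revocation list is produced with `openssl ca`, which is one way to do it, not the university CA's own mechanism.

```bash
#!/bin/sh
# Added example (not from the original page): access control keyed on digital IDs.
# A resource accepts a presented certificate only if it chains to the trusted CA,
# is absent from the CA's current revocation list, and its subject name is on the
# resource's access control list. The CA, the users "jane" and "bob" and the
# resource name "encyclopedia" are made-up values.
set -eu

# CA (stand-in for the university CA) plus the minimal "openssl ca" configuration
# needed to keep a revocation database and issue CRLs.
setup_ca() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/O=Example University/CN=Example Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  : > "$dir/index.txt"; : > "$dir/acl.txt"
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
database         = $dir/index.txt
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_crl_days = 30
EOF
}

# Issue a digital ID to a user (identity check at the LRA assumed done).
issue_id() {
  dir=$1; name=$2
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example University/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/$name.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/$name.crt" 2>/dev/null
}

# An impostor's ID: self-signed, but with the same name as a real user.
forge_id() {
  dir=$1; name=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/O=Example University/CN=$name" \
    -keyout "$dir/forged-$name.key" -out "$dir/forged-$name.crt" 2>/dev/null
}

# CA: mark a certificate revoked in the database.
revoke_id() {
  dir=$1; name=$2
  openssl ca -config "$dir/ca.cnf" -revoke "$dir/$name.crt" >/dev/null 2>&1
}

# CA: publish a CRL. The resource's trust store is the CA certificate plus the
# current CRL, so a stale copy of the CRL means a stale view of revocations.
publish_crl() {
  dir=$1
  openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/ca.crl" >/dev/null 2>&1
  cat "$dir/ca.crt" "$dir/ca.crl" > "$dir/trusted.pem"
}

# The identity a resource keys on: the certificate's full subject name.
subject_dn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Manager: grant access by adding the user's identity to the resource's ACL.
grant_access() {
  dir=$1; resource=$2; cert=$3
  printf '%s|%s\n' "$resource" "$(subject_dn "$cert")" >> "$dir/acl.txt"
}

# Authentication: signature chain to the CA and revocation status.
authenticate() {
  dir=$1; cert=$2
  openssl verify -crl_check -CAfile "$dir/trusted.pem" "$cert" >/dev/null 2>&1
}

# Authorization: an authenticated identity must also be on the ACL.
authorize() {
  dir=$1; resource=$2; cert=$3
  authenticate "$dir" "$cert" || return 1
  grep -F -x -q "$resource|$(subject_dn "$cert")" "$dir/acl.txt"
}

# Stand-alone run.
work=$(mktemp -d)
setup_ca "$work"; issue_id "$work" jane; issue_id "$work" bob; forge_id "$work" jane
publish_crl "$work"; grant_access "$work" encyclopedia "$work/jane.crt"
for id in jane bob forged-jane; do
  authorize "$work" encyclopedia "$work/$id.crt" && echo "$id: allowed" || echo "$id: denied"
done
revoke_id "$work" jane; publish_crl "$work"
authorize "$work" encyclopedia "$work/jane.crt" && echo "jane: allowed" || echo "jane: denied after revocation"
```

The forged certificate carries exactly the name that is on the ACL and is still refused, because the name only counts once the CA's signature on it has been checked; and Jane's genuine certificate stops working the moment the resource picks up a CRL that lists it, without anyone editing the ACL. A real deployment would also require proof of possession of the private key (for example SSL client authentication) before treating the presented certificate as the user's.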
Usage Scenarios - Some Examples
Digitally Signing an Agreement
If an agreement is included within the body of an e-mail message or
is attached to an e-mail message and the message is digitally signed, the
message content including attachments, the integrity assessment of the
message and the identity of the signer are bound to the digital signature.
This then becomes a legal, digital document.
Replacing IP Address Authentication with Digital ID Authentication
The university currently uses network IP address authentication to
determine if users can access resources such as the Encyclopedia Britannica.
This authentication method assumes that users requesting access to the
encyclopedia from computer systems connected to the university network
are university students, faculty or staff. However, this method does not
work if valid users attempt to access resources via non-university Internet
providers such as America Online, AT&T, Warner RoadRunner cable service,
etc. This is a significant limitation in that distance learners often
cannot use university remote access facilities and thus do not have access
to needed library and other university resources. Also, metropolitan residents
cannot take advantage of increased bandwidth options being provided by
commercial providers. Using digital IDs to authenticate users removes
these difficulties, since the ID identifies the person rather than the
network the request came from.
Digitally Signed and Encrypted Patient Information
Pending federal regulations will require all patient information transmitted
via public networks to be encrypted.
Definitive Identification of Senders of E-mail
It is a trivial process to alter the headers of e-mail messages so
that they appear to have been sent by anyone. This "spoofing" of e-mail identities
is often done for numerous inappropriate and illegal reasons. Since e-mail
is increasingly becoming the method of choice for communicating
all types of critical and sensitive information, it is imperative that
the integrity, confidentiality and accountability of e-mail communications
be secured. A digital signature provides this: a spoofed "From" header carries
no valid signature from the claimed sender.
Signing Online Web Forms
Improved efficiency, increased user satisfaction and cost savings
can be accomplished by completing and signing online forms and storing
the signed input in a database. An example is the student end user license
agreement (EULA) that must be signed by all students acquiring software
under the U. T. System agreement with Microsoft. Currently, paper forms
must be created, handled and stored for several years. When all students
have digital IDs, these forms can easily be completed and signed online.
W.A. Weems