This week, Partnet begins a five-part series on PKI security in large-scale web applications. We will cover the importance of PKI validation within the Federal Government, the limits of off-the-shelf PKI validation packages, a DOD case study for the use of Partnet’s new eValidate software, and a description of the solution and its outcome.
Part 1: The Call for PKI Validation
Over the past decade, technology has enabled government agencies to provide more immediate services to citizens and greater flexibility in meeting their mission objectives. As a result, these agencies have become increasingly dependent on the integrity of their information systems. In recent years, attacks on these systems have grown in size and sophistication, with the Department of Defense (DOD) now suffering more than 5,000 attacks a day on its servers.[1]
Security breaches have plagued nearly every agency, whether through malicious code, stolen data, or compromised IDs and passwords. The government is now fighting back with a renewed focus on cyber security and access control. Chief among these tasks is the move towards a Public Key Infrastructure (PKI) for application and network security. Unlike traditional security models that rely on usernames and passwords, PKI is based on the issuance of digital certificates that bind a public key to a user’s identity and credentials.
Major advantages of PKI include:
Centralized X.509 certification – Specifies standard formats for public key certificates, certificate revocation lists, and attribute certificates, together with a certification path validation algorithm, across government agencies.
Elimination of username and password management – Cryptographic public keys preclude problems associated with forgotten or shared login credentials.
Revocation of compromised certificates – Certificate Authorities (CAs) help agencies to immediately identify and revoke compromised or invalid certificates.
As PKI has matured, so has the application of digital identification cards, known […]