This week, Partnet begins a five-part series on PKI security in large-scale web applications. We will cover the importance of PKI validation within the Federal Government, the limits of off-the-shelf PKI validation packages, a DOD case study on the use of Partnet’s new eValidate software, and a description of the solution and its outcome.

Part 1:  The Call for PKI Validation

Over the past decade, technology has enabled government agencies to provide more immediate services to citizens and greater flexibility in meeting their mission objectives. As a result, these agencies have become increasingly dependent on the integrity of their information systems. In recent years, attacks on these systems have grown in size and sophistication, with the Department of Defense (DOD) now suffering more than 5,000 attacks a day on its servers.1

Security breaches have plagued nearly every agency, whether through malicious code, stolen data, or compromised IDs and passwords. The government is now fighting back with a renewed focus on cyber security and access control. Chief among these tasks is the move towards a Public Key Infrastructure (PKI) for application and network security. Unlike traditional security models that rely on usernames and passwords, PKI is based on the issuance of digital certificates that bind a user’s public key to their identity and credentials.

Major advantages of PKI include:

  • Centralized X.509 certification – Specifies standard formats for public key certificates, certificate revocation lists, and attribute certificates, plus a certification path validation algorithm, used consistently across government agencies.
  • Elimination of username and password management – Cryptographic public keys preclude the problems associated with forgotten or shared login credentials.
  • Revocation of compromised certificates – Certificate Authorities (CAs) help agencies immediately identify and revoke compromised or invalid certificates.

As PKI has matured, so has the use of digital identification cards, known as smart cards. Smart cards store an encrypted digital certificate issued by the CA along with any other relevant information about the card holder, and they are quickly replacing traditional ID badges. A primary job of PKI validation is to check whether a user’s digital certificate has been revoked: the certificate’s revocation status is what determines whether an application or network grants or denies that user access.
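The two checks described above (certification path validation from the list of PKI advantages, and the revocation-status check that gates access) can be shown end to end in a short Go program. This is an added example, not Partnet’s eValidate code or any DOD software: it builds a constructed, in-memory root CA, issues one client-authentication certificate from it (standing in for a card-holder certificate), signs a CRL, and then validates the user certificate the way a relying application would. The CA name, the user subject and the serial numbers are made up, and the CRL is passed in as bytes rather than fetched from a distribution point. The validator fails closed when the CRL cannot be parsed, is not signed by the trusted CA, or is past its NextUpdate time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// testPKI is a constructed, in-memory CA with one issued user certificate.
// Nothing here is real agency PKI material; names and serials are made up.
type testPKI struct {
	caCert *x509.Certificate
	caKey  *ecdsa.PrivateKey
	user   *x509.Certificate
}

// newTestPKI builds a self-signed root CA and issues one client-auth
// certificate from it, as a card-holder certificate would be issued.
func newTestPKI() (*testPKI, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Agency Root CA"}, // constructed
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRL signing needed below
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	userTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001),
		Subject:      pkix.Name{CommonName: "DOE.JANE.0000000000"}, // constructed subject
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	userDER, err := x509.CreateCertificate(rand.Reader, userTmpl, caCert, &userKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	user, err := x509.ParseCertificate(userDER)
	if err != nil {
		return nil, err
	}
	return &testPKI{caCert: caCert, caKey: caKey, user: user}, nil
}

// issueCRL signs a CRL from the test CA listing the given serial numbers as revoked.
func issueCRL(p *testPKI, revokedSerials []int64, thisUpdate, nextUpdate time.Time) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: thisUpdate, NextUpdate: nextUpdate}
	for _, s := range revokedSerials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: thisUpdate})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, p.caCert, p.caKey)
}

// validateUser performs path validation to the trusted CA, then checks the
// user's serial against a CA-signed, unexpired CRL. nil means access may be granted.
func validateUser(user, caCert *x509.Certificate, crlDER []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := user.Verify(opts); err != nil {
		return fmt.Errorf("path validation failed: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("CRL unreadable, failing closed: %w", err)
	}
	if err := crl.CheckSignatureFrom(caCert); err != nil {
		return fmt.Errorf("CRL not signed by trusted CA: %w", err)
	}
	if !crl.NextUpdate.IsZero() && now.After(crl.NextUpdate) {
		return errors.New("CRL is past NextUpdate, failing closed")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(user.SerialNumber) == 0 {
			return fmt.Errorf("certificate %s revoked at %s", user.SerialNumber, rc.RevocationTime.UTC())
		}
	}
	return nil
}

func main() {
	p, err := newTestPKI()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	crl, _ := issueCRL(p, []int64{p.user.SerialNumber.Int64()}, now.Add(-time.Minute), now.Add(time.Hour))
	fmt.Println("revoked user:", validateUser(p.user, p.caCert, crl, now))
}
```

The order of checks matters: a valid chain is established first, then the CRL is authenticated against the same trust anchor before its contents are consulted, so an attacker who can substitute or withhold a CRL cannot turn a revoked certificate back into a valid one. Treating an unreadable or out-of-date CRL as a denial is the conservative choice for access control; a production validator would add OCSP, intermediate CAs and CRL caching on top of this skeleton.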

Our next installment examines some of the shortcomings of traditional PKI software packages.

1 Source: “Cyber Insecurity: U.S. Struggles to Confront Threat” by Tom Gjelten, NPR News, April 6, 2010