Oracle® Security Overview 10g Release 1 (10.1) Part Number B10777-01 |
|
|
View PDF |
Public key infrastructure (PKI) is a set of policies and procedures to establish a secure information exchange. This chapter describes the elements that make up PKI, and explains why it has become an industry standard approach to security implementation.
This section presents basic concepts of a public key infrastructure (PKI):
PKI is emerging as the foundation for secure electronic commerce and Internet security by providing the cornerstones of security:
Together, these elements combine to provide a secure, non-breakable environment for deploying e-commerce and a reliable environment for building virtually any type of electronic transactions, from corporate intranets to Internet-based eBusiness applications.
The main components of a public key infrastructure are:
Other important factors that enable the deployment of PKI include: secure storage of certificates and keys; management tools to request certificates, access wallets and administer users; and a directory service acting as a centralized repository for certificates.
The PKI approach to security does not take the place of all other security technologies; rather, it is an alternative means of achieving security. The following advantages of PKI have led to its emergence as an industry standard for securing Internet and e-commerce applications.
Public-key cryptography requires that entities that want to communicate in a secure manner, possess certain security credentials. This collection of security credentials is stored in a wallet. Security credentials consist of a public/private key pair, a "user" certificate, a certificate chain, and "trusted" certificates.
The secrecy of encrypted data generally depends on the existence of a secret key shared between the communicating parties. Providing and distributing such secret keys is one aspect of key management. In a multiuser environment, secure key distribution may be difficult; public key cryptography was invented to solve this problem.
Public key cryptography is based on a secure secret key pair. Each key (one half of the pair) can only decrypt information encrypted by its corresponding key (the other half of the pair). A key pair includes:
Use of the cryptographic key pair to set up a secure, encrypted channel ensures the privacy of a message and validates the authenticity of the sender of the message. It also provides an important benefit: the ability to widely distribute the public key on a server, or in a central directory, without jeopardizing the integrity of the private key component of the key pair. This eliminates the need to transmit the public key to every correspondent in the system.
Each entity that participates in a public key system must have a public/private key pair. The public key for an entity is published by a certificate authority (CA) in a user certificate. Then, other entities that want to send it secure information can encrypt the information with the recipient entity's public key. Another use for a public key is for an entity that receives a communication to validate the sender's organizational affiliation.
Establishing user identity is of primary concern in distributed environments; otherwise, there can be little confidence in limiting privileges by user. Passwords are the most common authentication method in use, but for particularly sensitive data, you need to employ stronger authentication services. This section describes:
Having a central facility authenticate all members of the network (clients to servers, servers to servers, users to both clients and servers) is one effective way to address the threat of nodes on a network falsifying their identities. This method involves certificates and certificate authorities.
A certificate authority (CA) is a trusted third party that certifies that other entities--users, databases, administrators, clients, servers--are who they say they are. When it certifies a user, the certificate authority verifies the user's identity and grants a certificate, signing it with the certificate authority's private key. The certificate authority has its own certificate and public key, which it publishes, as well as a private key, which is securely maintained. Servers and clients use the CA's root certificate to verify signatures that the certificate authority has made. A certificate authority might be an external company that offers certificate services, or an internal organization such as a corporate MIS department
A certificate is like an electronic passport that proves the identity of a user or device that seeks to access the network. The certificate ensures that the entity's information is correct and that the public key actually belongs to that entity. A certificate is created when an entity's public key is signed by a trusted identity (a certificate authority). It contains information such as the following:
A trusted certificate, sometimes known as a root key certificate, typically belongs to a third party entity that is trusted to issue certificates. It is obtained in a secure manner and, operationally, does not need to be validated for its authenticity each time it is accessed because it is self-signed. A client or a server can validate that an entity is who it claims to be by verifying that the entity's certificate was issued by a known and trusted certificate authority.
Typically, certificate authorities whom you trust issue the user certificates. Oracle provides several default trusted certificates, so users do not have to install their own. These trusted certificates also enable servers to perform SSL authentication to clients who have wallets containing only trusted certificates.
Clients and servers use these credentials to access secure services, such as SSL, using public key cryptography. A wallet also represents a storage facility that is location- and type-transparent once it is opened.
Popular authentication methods used with PKI include:
The Secure Sockets Layer (SSL) is an industry standard protocol that provides authentication, data encryption, and data integrity, in a public-key infrastructure. SSL is widely employed over the Internet to give users established digital identities and to prevent eavesdropping, tampering with, or forging messages.
SSL provides authentication through the exchange of certificates that are verified by trusted certificate authorities. SSL uses digital certificates (X.509 v3), and a public/private key pair to authenticate users and systems.
The most widely used public key certificates comply with the X.509 format, and the X.509 Version 3 certificate is the current industry standard format. A public key infrastructure relies on X.509 certificates, also called digital certificates, or public-key certificates, for public-key authentication.
X.509v3 digital certificates contain the following:
The SSL protocol has gained the confidence of users, and it is perhaps the most widely-deployed and well-understood encryption protocol in use today.
Entrust Technologies, Inc. is a market-leading provider of public key infrastructure solutions, through their Entrust/PKI software. Entrust/PKI includes many products, such as Entrust Profile, which secures users' PKI credentials, and Entrust Authority, Entrust's certificate authority product. Oracle Corporation has modified its SSL implementation to integrate with Entrust/PKI.
Note that Entrust/PKI is not fully compliant with all relevant PKI standards.
Many organizations manage users and authorizations separately in an LDAP-compliant directory. Now they can also store credentials securely in the directory, enhancing their ability to manage users.
With PKI, secure credentials such as digital certificates can be stored in containers called "wallets". A wallet is a transparent database used to manage authentication data such as keys, certificates, and trusted certificates needed by SSL. Wallets can be stored in an LDAP-compliant directory. This implementation enables you to centrally manage users.
Security administrators use a tool such as Oracle Wallet Manager to manage security credentials on the server. Wallet owners use it to manage security credentials on clients.
Public Key Certificate Standard #12 (PKCS#12) is the standard for secure credential storage.
See Also:
"Centralizing Shared Information with LDAP" "Components of Oracle Public Key Infrastructure-Based Authentication" |
Single sign-on enables users to access multiple accounts and applications with a single password. This feature eliminates the need for multiple passwords for users and simplifies management of user accounts and passwords for system administrators. Single sign-on enhances ease-of-use for users, and provides centralized management to security administrators.
Because all clients, application servers, and data servers can authenticate themselves to one another, PKI provides an important security infrastructure to a network.
In addition to centralized network authentication, a PKI implementation can provide encryption of network traffic as well as integrity checking. The Secure Sockets Layer provides strong, standards-based encryption and data integrity algorithms.