INFORMATION SECURITY ASSIGNEMENT

PUBLIC KEY INFRASTRUCTURE:

Public Key Infrastructure (PKI) is a technology for authenticating users and devices in the digital
world. The basic idea is to have one or more trusted parties digitally sign documents certifying
that a particular cryptographic key belongs to a particular user or device. The most distinct
feature of Public Key Infrastructure (PKI) is that it uses a pair of keys to achieve the underlying
security service. The key pair comprises of private key and public key.
A Public Key Infrastructure (PKI) provides users and applications with an underlying "trust" that
is essential for providing secure e-business and government services. PKI offers the following
security services:

a. Authentication is the process of proving or verifying certain information. Commonly

this is used in the confirmation of an individual’s identity to ensure they are who they say
they are. Authentication is also used to validate other attributes of an individual rather
than their identity – such as their age group, membership of certain groups, security
clearance status, etc. The object of authentication does not have to be an individual –
details of a document’s origin or the destination of an article in transit, are other attributes
that may need to be validated.
b. Integrity in this context refers to the process of ensuring that information cannot be
deleted or modified in any way. It is important to know that a message that has been
received is identical to the one that was originally sent. A PKI makes it possible for
documents to be published such that their integrity can be verified by a potentially
unlimited number of recipients.
c. Confidentiality (or privacy) is the process of preventing unauthorised users from reading
information. Confidentiality is achieved by encrypting the original information making it
unintelligible to anyone, other than authorised receivers, who can decrypt to restore the
original information.
d. Non-repudiation is the process of proving, beyond denial, to a neutral third party that an
event occurred.

Without PKI, sensitive information can still be encrypted, ensuring confidentiality, and exchanged
between two entities, but there would be no assurance of the identity of the other party. Any form
of sensitive data exchanged over the internet is reliant on the PKI for enabling the use of public
key cryptography because the PKI enables the authenticated exchange of public keys.
An anatomy of PKI comprises of the following components.
  Public Key Certificate, commonly referred to as ‘digital certificate’.
 Private Key tokens.
 Certification Authority.
 Registration Authority.
 Certificate Management System.
Digital Certificate
Like people use ID card such as driving license, passport to prove their identity a digital certificate
does the same thing in the same thing, but with one difference. Digital Certificates are not only
issued to people, but they can be issued to computers, software packages or anything else that need
to prove the identity in the electronic world.
 Digital certificates are based on the ITU standard X.509 which defines a standard
certificate format for public key certificates and certification validation. Hence digital
certificates are sometimes also referred to as X.509 certificates.
 Public key pertaining to the user client is stored in digital certificates by The Certification
Authority (CA) along with other relevant information such as client information, expiration
date, usage, issuer etc.
 CA digitally signs this entire information and includes digital signature in the certificate.
 Anyone who needs the assurance about the public key and associated information of client,
he carries out the signature validation process using CA’s public key. Successful validation
assures that the public key given in the certificate belongs to the person whose details are
given in the certificate.
The process of obtaining Digital Certificate by a person/entity is by CA accepts the application
from a client to certify his public key. The CA, after duly verifying identity of client, issues a
digital certificate to that client.
Certifying Authority (CA)
The CA takes responsibility for identifying correctly the identity of the client asking for a
certificate to be issued and ensures that the information contained within the certificate is correct
and digitally signs it.
Key Functions of CA
 Generating key pairs: The CA may generate a key pair independently or jointly with the
client.
 Issuing digital certificates: The CA could be thought of as the PKI equivalent of a passport
agency − the CA issues a certificate after client provides the credentials to confirm his
identity. The CA then signs the certificate to prevent modification of the details contained
in the certificate.
 Publishing Certificates: The CA need to publish certificates so that users can find them.
There are two ways of achieving this. One is to publish certificates in the equivalent of an
electronic telephone directory. The other is to send your certificate out to those people you
think might need it by one means or another.
 Verifying Certificates: The CA makes its public key available in environment to assist
verification of his signature on clients’ digital certificate.
  Revocation of Certificates: At times, CA revokes the certificate issued due to some reason
such as compromise of private key by user or loss of trust in the client. After revocation,
CA maintains the list of all revoked certificate that is available to the environment.
Registration Authority (RA)
CA may use a third-party Registration Authority (RA) to perform the necessary checks on the
person or company requesting the certificate to confirm their identity. The RA may appear to the
client as a CA, but they do not actually sign the certificate that is issued.
Certificate Management System (CMS)
It is the management system through which certificates are published, temporarily or permanently
suspended, renewed, or revoked. Certificate management systems do not normally delete
certificates because it may be necessary to prove their status at a point in time, perhaps for legal
reasons. A CA along with associated RA runs certificate management systems to be able to track
their responsibilities and liabilities.
Private Key Tokens
While the public key of a client is stored on the certificate, the associated secret private key can be
stored on the key owner’s computer. This method is generally not adopted. If an attacker gains
access to the computer, he can easily gain access to private key. For this reason, a private key is
stored on secure removable storage token access to which is protected through a password.
Different vendors often use different and sometimes proprietary storage formats for storing keys.
For example, Entrust uses the proprietary .epf format, while Verisign, GlobalSign, and Baltimore
use the standard .p12 format.
FEDERATED IDENTITY MANAGEMENT:

Federated Identity Management (FIM) is a model that enables companies with several different
technologies, standards and use-cases to share their applications by allowing individuals to use the
same login credentials or other personal identification information across security domains.
The main purpose of federated identity management is to allow registered users of a certain domain
to access information from other domains in a smooth way without having to provide any extra
administrative user information.

Single sign-on (SSO) is an important component of identity federation, but it is not the same as
identity federation. Identity federation involves a large set of user-to-user, user-to-application and
application-to-application use cases at the browser tier, as well as the service-oriented architecture
tier. For FIM to be effective, the partners must have a sense of mutual trust. Authorization
messages between partners in an FIM system can be transmitted using Security Assertion Markup
Language (SAML) or a similar XML standard that enables a user to log on once for affiliated but
separate websites or networks. Examples of FIM systems include OpenID and OAuth, as well as
Shibboleth, which is based on OASIS SAML.
How It works?
Under a federated identity management scheme, credentials are stored with the user's identity
provider usually the user's home organization. Then, when logging into a service such as a
software-as-a-service app, that user does not need to provide credentials to the service provider:
The service provider trusts the identity provider to validate the user's credentials. Consequently,
the user only must provide credentials directly to the identity provider, which is generally the user's
home domain. Under identity federation, the user authenticates once through the home domain;
when that user initiates sessions in other security domains, those domains trust the user's home
domain in order to authenticate the user.
Here is how FIM works:
1. Users log in to their home network, authenticating through the home security domain.
2. After they have authenticated to the home domain, users initiate an attempt to log in to a
remote application that uses identity federation.
3. Instead of authenticating directly with the remote application, that application requests the
user's authentication from their home authentication server.
4. The user's home authentication server authorizes the user to the remote application and the
user is permitted to access the app.
5. The user only needs to authenticate once, to the home domain; remote apps in other security
domains that have agreed to cooperate are then able to grant access to the user without
requiring an additional login process.
Benefits

 Identity federation offers economic benefits, as well as convenience, to companies and

their users. Organizations working together on a project can form an identity federation so
that all their users can access and share resources easily. Doing so authenticates users once
 to access resources across all the domains, while administrators at each organization can
still control the level of access in their own domains. This approach can save money, as
well as consolidate resources.
 In addition, identity federation aims to do away with the barriers that stop users from
accessing the resources they need when they need them securely and easily. Users of
systems in identity federations don't have to create new accounts for each domain, which
means they can securely access systems in different domains without having to remember
credentials for all of them. As they move from one domain to another, users don't have to
re-enter their credentials.
 Additionally, with identity federation, administrators can avoid some of the issues that go
along with balancing multi-domain access, such as developing a specific system to make
it easy to access the resources of an external organization. Identity federation can also be
useful when administering applications that need access to resources in multiple security
domains.
Advantages and disadvantages of FIM
The main advantage FIM offers to users is convenience: each user only needs to remember one
username and password to access websites and applications across multiple security domains. FIM
frees users from the burden of having to remember login credentials for each organization they
collaborate with regularly. FIM also benefits systems administrators, as it simplifies the process
of authenticating and authorizing users of their systems within the federation. With federated
identity management, a system administrator can set permissions and access levels across different
systems in different security domains for a user based on a single username. This reduces a system
admin's work, makes identity and access management easier, and streamlines access to resources.
There are also some disadvantages to using federated identity management, including the upfront
costs that organizations -- particularly smaller ones -- will incur to modify their existing systems
and applications. Another challenge when implementing federated identity management
frameworks is the necessity for participating members of the federation to create policies that
adhere to the security requirements of all the members -- an undertaking that can be complicated
by different requirements and rules set by each enterprise. Finally, because an organization can be
a member of different federations, its policies should accurately reflect the rules of each of the
federation members. Ensuring this is the case requires a commitment of time and effort that many
enterprises may not be prepared for.