2. WHAT IS PUBLIC KEY INFRASTRUCTURE (PKI)?
Symmetric Encryption: In this encryption methodology a file is encrypted with a
password [ for example ‘yyyy’ ] and decrypted with the same password.
Asymmetric Encryption: In this encryption methodology a file is encrypted with a
password [for example ‘yyyy’ and can be called as Private Key ] and it is decrypted with
the another password [that could be “zzzz” and can be called as Public Key ]. These two
numbers are derived on a mathematical algorithm where nobody can find “yyyy’ from
“zzzz” or vice versa.
Private Key is required to be kept confidential by the owner and the public key could be
left in the public domain. Assuming Mr. A wants to send a document to Mr. B, Mr. A can
encrypt the document using his private key and Mr. B can decrypt the same using the
public key by which the recipient Mr. B is assured that the document has come from only
Mr. A. Pair of private key and public key is called the Public Key infrastructure
3. COMPONENTS OF PKI
PKI infrastructure: PKI infrastructure will have the capability to receive any public key [ private key will
be in the token or mobile ] and sign the same with the Private key of the root stored in the HSM
PKI USB Token [ interface for signing ]: This component will give the facility to enroll the user into the
system by creating the public and private key in the USB device / Mobile phone and send the public key
alone for certification to the PKI infrastructure. Enrollment of the user will happen through the mobile
pki client software and the data will be passed along with pubic key of the user to the PKI core engine.
After verification of the KYC details of the user, the administrator will approve in open trust pki core
engine, which will result in the public key of the user sent to HSM for encryption using the private key
of the certificate issuing authority.
Mobile PKI : msign will generate the public/ private key pair. Store the private key in the device using
proprietary encryption key. Send the public key back to the PKI infrastructure for issuing digital
certificate.
Digital certificate of the user will comprise of the public key of the user plus the digital string which is the outcome
of encryption of the public key of the user with the private key of the certificate issuing authority.
4. ENDORSEMENT BY CERTIFYING AUTHORITY
Customers are expected to generate the private key and public key on
PKCS#11 enabled USB Token after protecting the token access by password.
Private Key never comes out the token. Submit the public key to Certificate
Issuing Authority along with the KYC information.
After verification of the KYC, the certifying authority will encrypt the public key
of the Customer and issue a digital certificate.
This digital certificate is an endorsement for the identity of the Customer
when he interacts with third party vendors/ Banks on the internet.
Electronic Signatures will be created for all transactions using the private key of customer
and with electronic signature bank can establish Non-repudiation in the court of law.
5. RISK IN PKI
Certifying authority’s Private Keys is one point of failure.
In case if the private key of the Certifying Authority is compromised, the intruder can
create a certificate pair and get the same endorsed in the name of any customer.
For example xyz Certifying authority’s private key gets compromised.
Intruder identifies that Mr. A holds the digital signature of xyz Ltd
Intruder creates another pair of private / Public Key and puts the signature for the new certificate
pair as Mr. A using the private Key of XYZ Ltd.
However the intruder cannot open any file that has been encrypted by the public key of Mr A.
The only thing that the intruder can do is to do Identity Theft of all the customer of XYZ Ltd.
6. HARDWARE VERSUS MOBILE PKI
Capabilities PKI Hardware Token Mobile PKI
On-board Asymmetric Key-Pair generation √ √
On-board only - Private key access control √ √
PIN protected √ √
Brute force PIN attack resilient √ √
Clone, Tamper resistant √ √
On-board Digital Signing & Encryption √ √
X.509 v3 certificate storage √ √
PKCS #11, Microsoft CryptoAPI (CAPI) 2.0 √ -
PKCS#1 Compliant Encryption and Signing √ √
Driver& Browser Independent √
Untethered, Mobile √
MITB, MITM Immune √
COMPLIANCE AND STANDARDS
Hardware PKI Mobile PKI
FIPS 140-2, RoHS, PC/SC compliant, CE & FCC Conformity certified On board 1024-bit key pair, PKCS#1
PKCS #11 v2.20 or above, Microsoft CryptoAPI (CAPI) 2.0, PC/SC OATH compliance
192-bit Triple DES