HHS ID Badge: PKI General information
Article: KB0020937 Published: 2024-02-01 Last modified: 2024-03-04

 

The Need For Online Security


In today's online world, email communication has joined telephone conversations and face-to-face meetings as the primary means of communicating. While email allows us to communicate with speed and effectiveness, it lacks the security of a phone call or a face-to-face meeting. Simply put, when you send or receive email, it is not possible for you to know with complete certainty that the sender or receiver is actually the person they claim to be.

Similarly, the act of logging on to an application using a username and password guarantees that you know a valid username and password but it does not guarantee that you are the person to whom the username/password combination was originally issued. Obviously, this situation can lead to serious security breaches while conducting Government business since it fails to provide you, the user, with a means of validating the true identity of the person or application with whom you are communicating.

In order to fully understand how the HHS PKI enhances digital security, we must first understand how PKI works.

 

What is Cryptography?


Cryptography is the science of secret writing. The word itself is derived from Greek - kryptos (which means hidden) and graphein (which means to write). Simple ciphers have been with us for many hundreds of years. Simply put, cryptography involves two processes - encryption, which converts plaintext to ciphertext, and decryption, which converts the ciphertext back into readable form.

A simple form of encryption is called Symmetric Encryption. Symmetric encryption works on a "shared secret" principle in which the creator of an encrypted message provides the recipient of the message with the means to decode the message. The appeal of this approach lies in its simplicity, but symmetric encryption has a major security drawback. Any encryption scheme that relies on a shared secret is vulnerable the moment the secret key is discovered by third parties. The likelihood of the secret key being discovered increases each time you share your key with another party. Further, keeping track of the secret keys of all of the people you correspond with is no small challenge in and of itself.

 

Asymmetric Encryption


Asymmetric Encryption avoids this problem by not relying upon a shared secret key. Instead, asymmetric encryption uses two mathematically related keys - a Public Key which is published for all to see and a Private Key which is a closely held secret of its owner. While it is not possible to derive one key from the other, the keys can in fact be used together to encrypt and decrypt a message. This process is known as Public Key Cryptography.

As you can see in the illustration below, the sender of an encrypted email uses the recipient's public key to encrypt the email (i.e., convert it into unreadable ciphertext) and the recipient decrypts the message using his or her private key.

  • The Key Pair makes it possible for a private key and public key to work together to encrypt your email message. Once encrypted, only the designated recipient of the message will be able to decrypt it.

Since public keys are published in a central repository, key management is greatly simplified over the symmetric model.

 

What Is a Digital Signature?


Encrypting the contents of your email ensures that only the designated recipient can read your message. How can you ensure, however, that the sender of the message really is who they claim to be? The answer lies in the use of a digital signature.

First, it is important to note that a digital signature and an electronic signature are not the same.

Electronic Signature
An electronic sound, symbol, or process that you and another individual have agreed represents your identification.

Digital Signature 
Provides the recipient with a guarantee that
  1. you are indeed the sender of the message and
  2. the contents of the message have not been modified or otherwise tampered with

    Screenshot of the digital signature send process flow.

When the message is received, the recipient verifies that the message is indeed from you by making a hash of the received message. The recipient then uses the sender's public key to decrypt the hash that the sender encrypted and sent along with the message. If the two hashes match, the received message is indeed valid and must have come from the sender, since only the sender could have encrypted the hash in the first place.

  • Screenshot of the digital signature receive process flow.


Public Key Infrastructure


Public Key Infrastructure provides the means to bind public keys to their owners and helps in the reliable distribution of public keys.

Five Major Components to PKI

  • Certification Authority (CA): A trusted third party that issues digital certificates.
  • Local Registration Authority (LRA): An individual who performs identity proofing on behalf of the Certification Authority.
  • Directory: A centralized depository of all public keys.
  • Archive: A permanent record maintained for the purpose of verifying the validity of records.
  • Users: There are two types of PKI users:
    • Subscriber: the owner of a digital certificate who uses it to send a digitally signed message or receive an encrypted email.
    • Relying Party: a user who depends upon a sender's certificate to verify their digital signature or a recipient's certificate to send them an encrypted email.

Information in Your Digital Signature
Your digital certificate contains information that uniquely identifies you. It contains your name, a serial number, expiration date, a copy of your Public Key, and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real.

  • Screenshot of the Information contained in Your Digital Signature.

Over time, you may acquire many different digital certificates from many different sources. Your web browser keeps track of digital certificates that you have obtained and helps to make your digital certificates available to other applications that you use - Microsoft Outlook for example.
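
The signature check and the certificate contents described above, combined in an added Python sketch (not NIH or HHS code). It uses textbook RSA without padding and fixed Mersenne primes so that it runs on the standard library alone; the function names, certificate layout and sample data are constructed for illustration, while real PKI uses X.509 certificates and padded signature schemes from a vetted library.

```python
import hashlib
import json
from datetime import date

E = 65537  # public exponent used by both toy key pairs

def make_keypair(p, q):
    """Toy RSA key pair from two primes; returns (public, private)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, private):
    n, d = private
    return pow(digest(data), d, n)  # "encrypt" the hash with the private key

def verify(data, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(data)  # recover the hash, compare

def encode(body):
    return json.dumps(body, sort_keys=True).encode()

def issue_certificate(name, serial, expires, subject_public, ca_private):
    """CA binds a name to a public key by signing the certificate body."""
    body = {"name": name, "serial": serial, "expires": expires,
            "public_key": list(subject_public)}
    return {"body": body, "ca_signature": sign(encode(body), ca_private)}

def check_message(message, signature, cert, ca_public, today):
    """Relying-party checks, in order: issuer, expiry, message signature."""
    body = cert["body"]
    if not verify(encode(body), cert["ca_signature"], ca_public):
        return "certificate not signed by trusted CA"
    if date.fromisoformat(body["expires"]) < today:
        return "certificate expired"
    if not verify(message, signature, tuple(body["public_key"])):
        return "message altered or not signed by certificate owner"
    return "valid: signed by " + body["name"]

# Constructed sample data. Mersenne primes keep the block short; insecure for real use.
CA_PUB, CA_PRIV = make_keypair(2**1279 - 1, 2**2203 - 1)
USER_PUB, USER_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
CERT = issue_certificate("Jane Doe", 1001, "2030-01-01", USER_PUB, CA_PRIV)
MESSAGE = b"Budget approved."
SIGNATURE = sign(MESSAGE, USER_PRIV)
```

The relying party needs only the CA's public key in advance: the subscriber's public key arrives inside the certificate and is trusted because the CA's signature over the certificate body verifies.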

 

NIH IT Service Desk Contact Information


Local: 301-496-4357
Toll-Free: 1-866-319-4357
TTY: 711
NIH IT Service Desk Portal: http://itservicedesk.nih.gov/


 

