Tuesday 14 November 2017

Digital Certificates

We do most of our transactions digitally, from banking to mobile eCommerce to IoT-based transactions, so to make a digital transaction secure we use a digital certificate. A digital certificate is issued by a Certification Authority and validates the individual or organisation. The certificate validates that a website or mobile transaction platform is trusted and safe.

Some of the important things to look out for are:
- Who issued the certificate
- Who the certificate is issued to
- Valid to
- Public key
- Digital signature

Certificates are used for identification and encryption, which grants the right to access information or other services online. This includes ensuring the identity of all parties involved. They include a public key that is used for encryption of data such as email, documents, secure web transactions etc.

Public Key Infrastructure (PKI): Also known as a trusted hierarchy, a public key infrastructure is a system of digital certificates, Certification Authorities (CAs) and other registration authorities (RAs) used to verify and authenticate the validity of the parties involved in an internet transaction.

Digital Signature: A digital signature is based on asymmetric cryptography. A hash function produces a mathematical value for the certificate, and the digital signature represents that value. Signing is a one-way process that uses a private key to generate the digital signature. The signature can be checked by using the public key for decryption, which again gives a mathematical value, and the outcome should be the original hash value, which ascertains that the certificate has not been altered or damaged. If the hash value is not correct, the certificate is corrupt or has been tampered with.

A private key is paired with the public key; however, the private key is stored separately.

A certificate includes the certificate holder's public key, information about the individual, computer, or organisation to which the certificate is issued, information about the certification authority (CA), the date of issue and expiry of the certificate, and the serial number of the certificate.

Certification Authority: A certificate is essentially a file with data in it. Hence a trust model is needed to validate that data, and the role of the Certification Authority is important. The Certification Authority does the checks before issuing the certificate, so that it can be trusted. Certification Authorities certify and create an electronic document, the digital certificate, that verifies that individuals and organisations are who they say they are. Hence it is also important that the Certification Authority is itself a trusted source. An organisation can have an additional level of certification authority; the model normally followed is a root CA and child CA trust model.

A CA is essentially a hierarchical system composed of software, hardware, procedures, policies and administrators who validate requests and generate certificates.

Now that transactions happen over mobile and IoT as well as the web, the digital certificate is of high importance for security whenever we do digital transactions.
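The signature check and the root CA / child CA model described above can be walked through in code. This is an added example, not part of the original post: it uses toy textbook RSA without padding and a dictionary in place of a real certificate format, and every name and value in it (`issue`, `verify_chain`, the subjects, dates and keys) is constructed for illustration.

```python
import hashlib, json
from datetime import date

E = 65537  # public exponent shared by both toy keys

def keypair(p, q):
    """Textbook RSA key from two primes: returns (n, d). Toy only."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(fields, n):
    """Hash the certificate fields (everything except the signature)."""
    data = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(subject, issuer, public_n, valid_to, ca_n, ca_d):
    """The CA signs the hash of the fields with its private key."""
    fields = {"subject": subject, "issuer": issuer,
              "public_key": public_n, "valid_to": valid_to}
    return {**fields, "signature": pow(digest(fields, ca_n), ca_d, ca_n)}

def verify_chain(chain, trusted_root, today):
    """chain = [leaf, child CA, ..., root]; returns (ok, reason)."""
    if chain[-1] != trusted_root:
        return False, "root is not a trusted source"
    for cert, issuer in zip(chain, chain[1:] + [chain[-1]]):
        fields = {k: v for k, v in cert.items() if k != "signature"}
        if cert["issuer"] != issuer["subject"]:
            return False, f"{cert['subject']}: issuer mismatch"
        if date.fromisoformat(cert["valid_to"]) < today:
            return False, f"{cert['subject']}: expired"
        n = issuer["public_key"]  # checked with the issuer's public key
        if pow(cert["signature"], E, n) != digest(fields, n):
            return False, f"{cert['subject']}: hash mismatch, altered"
    return True, "ok"

# Constructed sample hierarchy (Mersenne primes keep the toy keys short).
root_n, root_d = keypair(2**61 - 1, 2**89 - 1)
child_n, child_d = keypair(2**107 - 1, 2**127 - 1)
ROOT = issue("Example Root CA", "Example Root CA", root_n, "2035-01-01", root_n, root_d)
CHILD = issue("Example Child CA", "Example Root CA", child_n, "2030-01-01", root_n, root_d)
LEAF = issue("shop.example", "Example Child CA", 0xC0FFEE, "2026-01-01", child_n, child_d)
```

Calling `verify_chain([LEAF, CHILD, ROOT], ROOT, date(2025, 1, 1))` succeeds; changing any field of `LEAF` afterwards, or presenting a root that is not the trusted one, makes the same call fail with the reason.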

Hardware Security Architecture.

Hardware security is an important aspect for three reasons. Firstly, anyone who is using a machine today is getting some form of protection from hardware. Secondly, more security-oriented properties are coming in new chips in the market in a couple of years. Thirdly, there are important properties that can only be built in hardware, and software can build on those.

Machines today are connected and vulnerable to cyber threats. The types of threat we have are memory corruption, data disclosure, code injection, control flow diversion and return-oriented programming. The methods an attacker can use today fall under type (instruction, data, pointer), extent (base, bounds) and ownership (component, access right). The architecture guarantees that everything would be right.

A lot of the security issues we face today are because of hardware security architecture issues. Originally Multics was a machine designed for security; in the machines we have today, however, security is an afterthought. Multics was originally a project between MIT, which was designing things, General Electric, which was making the hardware, and Bell Labs, which was the user. However, Bell Labs got a little nervous and wanted something that worked then, so they designed a much simpler system on a less expensive piece of hardware. The system was called Unix, a trimmed-down, lesser-featured output of Multics. Unix was later widely used and is the predecessor of Linux and a variety of the systems we use today.

What we lost in this transition was the idea of segmentation and the idea of rings. What was carried forward were some ideas from Multics: permissions and levels of privilege, which in most machines is just the kernel versus user distinction, as against the distinctions made in Multics. Multics was programmed in a higher-level language called PL/1, whereas Unix moved to a very low-level language called C, which is also the reason for a lot of the problems we face today.

Multics had some very important, very high-leverage uses, particularly in defense systems. It worked on three fundamental principles: the first is complete mediation, the second is separation of privileges, and the third is least privilege. The fundamental idea was that, to do its job, most of the time the kernel does not need to read your data; this was supported by segmentation of memory and the use of access control rings.

Multics was, much earlier, a project at MIT whose idea was to develop a computer utility that could share its very expensive resources so that people could access them. The next leap today, which is now taking Multics forward, is cloud computing: network computing across all different kinds of client-server architecture.

The other thing that is happening is at the processor level, where it can make sure that only high users can access high data. What is coming now is the fat pointer, which means that every pointer into memory is bounded above and below by the bounds of the object the pointer is pointing into; Intel has a feature, MPX, which helps enforce this property.
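The fat pointer property can be modelled in software to show what the bounds check prevents. This is an added example, not part of the original post and not how MPX itself is implemented: `FatPointer`, `BoundsFault`, `copy_in` and the memory layout are constructed for illustration, with a `bytearray` standing in for memory.

```python
class BoundsFault(Exception):
    """Raised where hardware would trap on an out-of-bounds access."""

class FatPointer:
    """An address that carries the base and bound of its object."""
    def __init__(self, memory, base, length, offset=0):
        self.memory, self.base, self.bound = memory, base, base + length
        self.addr = base + offset

    def __add__(self, n):
        # Arithmetic moves the address but never widens the bounds.
        return FatPointer(self.memory, self.base, self.bound - self.base,
                          self.addr - self.base + n)

    def _check(self):
        if not self.base <= self.addr < self.bound:
            raise BoundsFault(f"address {self.addr} outside "
                              f"[{self.base}, {self.bound})")

    def load(self):
        self._check()
        return self.memory[self.addr]

    def store(self, value):
        self._check()
        self.memory[self.addr] = value

def copy_in(dest, data, checked):
    """Copy data to dest; unchecked mode models a raw C pointer."""
    for i, byte in enumerate(data):
        if checked:
            (dest + i).store(byte)
        else:
            dest.memory[dest.addr + i] = byte

def demo(checked):
    # Constructed layout: an 8-byte buffer followed by a 4-byte saved value.
    memory = bytearray(8) + bytearray(b"\xaa\xbb\xcc\xdd")
    buf = FatPointer(memory, base=0, length=8)
    try:
        copy_in(buf, b"A" * 12, checked)   # 4 bytes too many
    except BoundsFault:
        return "trapped", bytes(memory[8:])
    return "overwritten", bytes(memory[8:])
```

With the raw pointer the neighbouring 4-byte value is silently overwritten, which is the memory corruption case; with the fat pointer the ninth store traps and the neighbour is left intact.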

Cyber Security Trends and Predictions 2019

Ludmila Morozova-Buss has rightly said “People and organizations need to trust that their digital technologies are safe and secure; oth...