How to build your public key infrastructure


Yes. I can make the foundation.

A public key infrastructure requires multiple security layers, and its defence mechanisms guarantee secure communication and reliable protocols within the system. It relies on internal certificate authorities that are held by the organization owning the platform.

Security is provided through a protection layer. Web services may contain various complex services that use a single application (Sullivan, 2015). The application is split up, with sections of the enterprise's critical information held on various computers. Where the services communicate service-to-service in a datacenter over an internet connection, the next question is which type of network to use. This part is critical, since a simple mistake in the configuration may leak data to untrusted destinations over the internet (Sullivan, 2015). The system should therefore be designed so that the security of messages is guaranteed. This process may require specific steps:

Application of TLS

One of the best ways of ensuring the safety of data shared over the internet is through encryption and authentication. The article applies this technique by using the Transport Layer Security (TLS) protocol, which ensures that inter-service communications are secured (Sullivan, 2015). The choice was based on the fact that TLS is the current de facto standard for application-layer encryption and works flawlessly with RESTful services. To reinforce the encryption, authentication is used alongside it. Although authentication does not protect data while it is being sent, trust between the two parties must be established before communication begins. PKI is preferred for this because of its ability to offer confidence in communication. The details provided in this section give the reader enough information to go on when setting up encryption and choosing the type of encryption to use.

Various tools are used in public key cryptography. First is the certificate, which allows a website to prove its identity. A certificate can be defined as a file that carries identity data regarding its owner. It contains a public key, and each public key has a corresponding private key that is securely stored under the control of the certificate owner (Sullivan, 2015). The private key is used to create a digital signature, which is verifiable with the associated public key. A certificate contains such details as:

Data regarding the organization being issued the certificate

A public key

Data about the certificate issuer

The rights granted by the issuer

The period during which the certificate is valid

The hostnames the certificate is valid for

The allowed uses of the certificate, for instance, authentication for both the server and the client

Lastly, a digital signature made with the issuer's private key

Creation of a CA

The creation of a CA is often an involved process. Certificates can be had in two ways: obtaining them from a CA, or operating a CA. There are various tools for creating certificates. In the article, universal SSL was used to create a CA. This is an open-source PKI toolkit that contains all the capabilities required to create a certificate authority. The software is also fast enough to be used for a publicly trusted certificate authority.

Key protection

Running a CA requires both the CA certificate and the corresponding private key. This key is highly critical, because anyone who knows or holds it can act as the CA and issue certificates. Browser-trusted CAs need to store their private keys in special hardware called Hardware Security Modules (HSMs). There are several mechanisms compatible with SSL which may be used to protect the keys:

Hardware Security Modules

SSL enables CA servers to use an HSM to compute digital signatures. Most HSMs are accessed through the PKCS#11 interface, and SSL supports this interface. Using an HSM guarantees that private keys live outside memory, and it also provides physical protection.

Red October

A key protected with Red October cannot be decrypted without several key owners, which guarantees essential protection (Sullivan, 2015). The software requires the owners of the key to authorize use of the private key. Red October also prevents the CA key from being stored unencrypted on disk, in source control, or in configuration management.

Plaintext

SSL can accept unencrypted private keys. This allows the use of a private key generated on the machine that runs SSL. Where that machine is highly secured, this model is a compromise between security, cost, and usability. It can also be used in development mode, letting users test changes to the infrastructure design.

Generation of CA key and certificates

Before creating the CA key, decide what metadata to include. This is done by creating csr_ca.json, which contains the necessary information. The file allows the CA to be created with a single call.

The call produces the private key, ca-key.pem; the corresponding certificate, ca.pem; and lastly the certificate signing request, ca.csr.

Certificate policies

Once the CA certificate and key have been created, the CA software needs to know what kind of certificates to issue. This is determined by the signing policy section of the SSL configuration file.

Certificate issuance

To create a certificate, a certificate authority needs not only a public key but also metadata to populate the certificate's information fields. This information, however, can only be communicated through a certificate signing request (CSR) (Sullivan, 2015).

Requesting certificates

Though the primary purpose of this paper was to explain why and how it is possible to create an organization's public key infrastructure, upon the creation of a certificate, a request should be made for the issuance of that certificate.

Upon receiving a request to issue a certificate, the CA applies two commands that simplify the process. The commands are available through the JSON API or the command line. The process requires configuration files for the binary. The first identifies the CA and how the request is authenticated. The second is the CSR configuration, which is used to populate the CSR.
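
The steps from CA key generation through certificate issuance, carried through with Go's standard crypto/x509 package as an added example (not code from the essay or from the toolkit it describes). The hostnames, the CA name, the Ed25519 keys and the function names are assumptions made for the example, and the CA key sits unencrypted in memory, as in the plaintext mode above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts on setup errors so the example stays focused on the PKI steps.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign issues tmpl under parent with the CA key; validity is set here, by the CA.
func sign(tmpl, parent *x509.Certificate, pub any, caKey ed25519.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(time.Hour)
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey))))
}

// issueAndVerify creates a CA, signs a CSR for certHost, then verifies the result for checkHost.
func issueAndVerify(certHost, checkHost string) error {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader) // CA key pair (constructed, in memory only)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := sign(caTmpl, caTmpl, caPub, caKey) // self-signed root
	// The service keeps its private key and sends only a CSR to the CA.
	_, svcKey, _ := ed25519.GenerateKey(rand.Reader)
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: certHost}, DNSNames: []string{certHost}}
	csr := must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader, req, svcKey))))
	if err := csr.CheckSignature(); err != nil { // requester must hold the private key
		return err
	}
	// Signing policy: the CA, not the requester, sets usages and lifetime.
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: csr.DNSNames,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf := sign(leafTmpl, ca, csr.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca) // trust only this CA
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: checkHost})
	return err
}

func main() { fmt.Println(issueAndVerify("api.internal.example", "api.internal.example")) }
```

Because verification trusts only the newly created CA, a certificate issued for one hostname is rejected when it is checked against a different one.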

Application of PKI for services

Once certificates compatible with TLS have been created, they can be applied to services. Two methods can be used to distribute PKI services (Sullivan, 2015). The first method is centralized distribution. Under this method, the certificates are created at one point and then forwarded to every server for use. Under this approach, keys are retained and secured by the designer. This design is complex and has a broader topology, and is thus preferred only when the CA is stateless and can also generate a series of logs.

Through the explanation from the blog, the author provided a detailed guide on how to develop and create a PKI. The information provides a detailed description of how the steps are followed and the necessary actions which ensure the security of the information on the platform. By following this criterion, I was able to understand how the security features, for instance, the certificates and public keys, are used in ensuring security and data protection. Therefore, the answer to the question is yes, I was able to read and, based on the data, build a complete and secure PKI.

Reference

Sullivan, N. (2015). How to build your own public key infrastructure. Retrieved 17 March 2020, from https://blog.cloudflare.com/how-to-build-your-own-public-key-infrastructure/
