How Do Digital Certificates Work?

As a system administrator, one of your main priorities should be keeping your company’s data secure. But that data doesn’t just stay in one place. It’s always on the move -- whether someone is checking their email, accessing a document on their phone, or connecting through a VPN, data is constantly flowing in and out of your network.

The key to keeping all of that data secure is properly managing and configuring the digital security certificates for these services. But what are certificates, and how do they keep your data secure?

Public-Key Cryptography

To fully understand how digital certificates protect your data, it’s good to understand how public-key cryptography works.

Consider this problem: You want to send a message to a friend on the other side of the country. But, the message is secret, and it’s important that the message makes it to your friend without being tampered with. Further, you want your friend to know that the message is genuine and came directly from you.

Public-key cryptography solves all of these problems. First, you create a public-private key pair. The private key can decrypt things that were encrypted with your public key, and the public key can decrypt things that were encrypted with your private key. But it’s not possible to figure out what your private key is by using your public key. You publish the public key for anyone to look up, but you keep the private key secret. Your friend does the same.

Now you’re ready to send messages. When you send a message, you encrypt it with your private key and your friend’s public key. When they receive the message, they can decrypt it only with their private key, which keeps the message secure from anyone else who comes across it in transit. And then they decrypt it with your public key, which tells them that you were the one who sent the message, and it wasn’t changed in transit.

Public Key Infrastructure

But then the question comes up: How do you find each other’s public keys? And how do you know that your friend’s public key is really his, and how does he know that yours is really yours?

This is where public key infrastructure, or PKI, comes in. PKI is a system for issuing, managing, verifying, and revoking certificates for public-key cryptography.

First, there’s the issue of trust. How do you know that a public key that says it belongs to John Doe is actually his, and that he’s the only one with a matching private key? A Certificate Authority (CA) is the entity that makes that possible. When a certificate is issued, the CA makes sure that the requestor is who they say they are, and then signs the certificate with its own private key. Then, you can verify that a trusted CA was the one who signed the certificate.

What if a private key gets compromised somehow? The CA also maintains a list of certificates that have been revoked. You can check that list to make sure that the certificate that you’ve been presented is still considered secure.

How it Works - TLS and PKI

If that sounds like a lot of checking, encrypting, and decrypting, it’s because it is. Fortunately, most of it happens transparently to the user. When you connect to an HTTPS-secured Web site, or your email client logs in to your mail server, it happens using Transport Layer Security (TLS). First, the server presents a certificate to the client that specifies the name of the server and, optionally, additional details about the owner of the server. The client uses a list of trusted CAs, called root CAs, to check that the certificate is valid, issued to the right person, and not revoked. Then the server and client exchange keys that allow secure messages to be exchanged without being eavesdropped on or modified in transit.
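
The client-side checks described above (signed by a trusted root CA, issued to the right name, still valid, not revoked) can be modeled in a few lines. This is an added example, not code from the original article: it uses textbook RSA with fixed primes purely as a toy, and the certificate fields, CA name, host name, serial numbers and dates are all constructed assumptions.

```python
import hashlib
import json
from datetime import date

def make_key(p, q, e=65537):
    """Textbook RSA from fixed primes: a toy for illustration, never for real use."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(body, n):
    """SHA-256 of the canonical certificate body, reduced into the key's range."""
    data = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(ca_name, ca_key, subject, subject_key, serial, not_after):
    """The CA binds a name to a public key by signing with its private key."""
    body = {"subject": subject, "issuer": ca_name, "serial": serial,
            "not_after": not_after, "pub": [subject_key["n"], subject_key["e"]]}
    sig = pow(digest(body, ca_key["n"]), ca_key["d"], ca_key["n"])
    return {"body": body, "sig": sig}

def validate(cert, hostname, trusted_roots, revoked, today):
    """Client-side checks; returns "ok" or the reason the certificate is rejected."""
    body = cert["body"]
    root = trusted_roots.get(body["issuer"])
    if root is None:
        return "untrusted issuer"
    n, e = root
    if pow(cert["sig"], e, n) != digest(body, n):
        return "bad signature"  # not signed by the trusted CA's private key
    if body["subject"] != hostname:
        return "name mismatch"
    if date.fromisoformat(body["not_after"]) < today:
        return "expired"
    if (body["issuer"], body["serial"]) in revoked:
        return "revoked"
    return "ok"

# Constructed sample data; Mersenne primes keep the toy keys reproducible.
ROOT = make_key(2**61 - 1, 2**89 - 1)
ROGUE = make_key(2**107 - 1, 2**127 - 1)    # a key pair that is not in the trust list
SERVER = make_key(2**31 - 1, 2**61 - 1)
TRUSTED = {"Example Root CA": (ROOT["n"], ROOT["e"])}   # the client's root CA list
TODAY = date(2024, 1, 15)
HOST = "mail.example.test"
good = issue("Example Root CA", ROOT, HOST, SERVER, 1001, "2024-12-31")
forged = issue("Example Root CA", ROGUE, HOST, SERVER, 1002, "2024-12-31")
```

Calling validate(good, HOST, TRUSTED, set(), TODAY) accepts the certificate, while the forged one is rejected even though it claims the same issuer and host name, because only the real CA's private key produces a signature that its public key verifies.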

As a system administrator, you’ll need to make sure your Internet-facing services are properly secured with valid, trusted certificates. This will keep your users happy -- they won’t see warnings due to missing or invalid certificates. More importantly, it will keep your company’s data secure as it traverses the Internet.

Our next few Tech Thursday articles will focus on how to configure digital certificates for various services.

