Public Key Infrastructure (PKI) is the set of standards and methods required to manage the process of generating digital certificates and creating cryptographic methods of communication between parties. PKI allows for information to be securely moved through networks and is used in a vast array of network based activities. Essentially, a public key is provided by some entity or party (held on a server) to be verified against the private key, which is specific to an individual.

Fundamentally, PKI is about cryptography. An example of this type of infrastructure in use is during the process of a cryptomalware ransomware attack. In this case, the threat actor (who has encrypted the files of the victim) holds the private key. He makes available the public key, and upon payment of the ransom, hopefully he releases the private key to the victim for decryption.

PKI is also used in industries such as banking and generally in situations where a password would be insufficient to confirm the identity of the parties involved.

——————————————————————————————————

RFC and Internet Draft

 Internet Drafts (I-D) are essentially technical documents which are published by the IETF. They contain research related to networking and sometimes are intended to end up as an RFC (Request For Comments). This RFC, developed by computer scientists and network experts will then be submitted for peer review. Some RFCs will be adopted by the IETF as standards, though some are purely research or experimental in nature.

LDAPv2

Here we will take a look at one particular standard, LDAPv2. LDAP is an acronym for Lightweight Directory Access Protocol. LDAPv2 was developed as a vendor-neutral protocol for accessing X.500 directory standards, but being as it was developed in 1995, a number of vulnerabilities have emerged over time. According to the document, LDAPv2 does not support “modern authentication mechanisms” such as as Kerberos V.

One of its core features is its ability to maintain central storage of passwords and usernames, however in the document provided at datatracker.ietf.org/doc/rfc3494, LDAPv2 is being recommended for retirement, due in part to the fact that it fails to “provide any mechanism for data integrity or confidentiality”. The text goes on to talk about LDAPv3 and its support for stronger authentication and confidentiality, thereby more adequately fulfilling the “CIA” model of information security. The author recommends moving LDAPv2 to “Historic” status, meaning that developers should no longer use it and therefore consider it obsolete and vulnerable to exploitation.

——————————————————————————————————

The Pros and Cons of PKI

There is an argument to be made that in some cases, PKI can simply be unnecessary, especially when it is easier to implement two-factor authentication such as OTP (One Time Password) tokens or smart cards. Maintaining a PKI infrastructure can be complicated, time-consuming and expensive, and thus some organizations choose to outsource the job. However, the primary advantage of using PKI through SSH (Secure Shell) is its high degree of security. So long as the private-key is kept secret, a threat actor would not be able to execute a dictionary (brute-force) attack to crack a user’s password.

——————————————————————————————————

To sum up, the Advantages of PKI lie in the fact that it is vastly more secure than a simple password system, as a threat actor must obtain not only the cleartext or hashed password, but also the private key in order to impersonate a user.

The Disadvantages are primarily related to the lack of scalability, especially in larger environments. Furthermore, in some situations, the use of PKI could simply be considered overkill, and two-factor, OTP, or CAC may be the superior option.

Source: datatracker.ietf.org/doc/rfc3494rity.

——————————————————————————————————