JIS Vol. 11 No. 4, October 2020
Public Key Infrastructure: An Enhanced Validation Framework
Abstract: Public Key Infrastructure (PKI) is a comprehensive information security framework for providing secure information and communication over the internet. Its use has grown over the years and continues to grow. This research work examines the current PKI framework's validation process, as operated by vendors and subscribers, to identify its drawbacks and propose enhanced approaches to its validation mechanism. Through a review of secondary data, three critical weaknesses of the current PKI framework were identified: uncertain integrity, the absence of proof of trust in certificate authorities, and a single point of failure. The study therefore proposes solutions to these weaknesses, specifically the introduction of multiple Certificate Authorities and the storage of subscriber information in a public repository where it is visible and searchable. A detailed implementation is proposed to address the uncertain integrity, establish trust in certificate authorities and prevent a single point of failure. Furthermore, the proposed enhancements are validated against protection motivation theory, and a framework for empirically testing them is suggested. Further research would be required to incorporate multi-factor authentication without compromising performance.
Cite this paper: Danquah, P. and Kwabena-Adade, H. (2020) Public Key Infrastructure: An Enhanced Validation Framework. Journal of Information Security, 11, 241-260. doi: 10.4236/jis.2020.114016.
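The abstract's central proposal is that a subscriber's key should be vouched for by more than one Certificate Authority, so that the compromise of a single CA is no longer a single point of failure. The following Go program is an added illustration of one way a relying party could enforce such a rule; it is not code from the paper, and the paper's own construction is not reproduced here. It assumes the rule "accept a subscriber key only if at least t independent trusted roots have certified it", builds two example roots and a subscriber with Go's standard crypto/x509 library, and then shows that an attacker who controls only one of the CAs cannot reach the threshold even by padding the offer with the victim's genuine certificate from the other CA. All names (Example Root CA 1/2, subscriber.example) are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const threshold = 2 // relying-party rule (assumed): independent CAs that must certify one key

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// certTemplate returns a root-CA or end-entity template for name (constructed example data).
func certTemplate(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign issues tmpl for pub under parent (self-signed when parent is nil).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced above always parses
	return cert
}

// countIndependentIssuers returns how many distinct configured roots vouch for the same
// subscriber key under name. Certificates whose key differs from the first offered one are
// ignored, so a genuine certificate cannot be combined with one for a substituted key.
func countIndependentIssuers(certs, roots []*x509.Certificate, name string) int {
	if len(certs) == 0 {
		return 0
	}
	ref, _ := certs[0].PublicKey.(*ecdsa.PublicKey) // nil if not ECDSA: nothing counts
	vouched := map[string]bool{}                     // keyed by root certificate DER
	for _, c := range certs {
		pk, ok := c.PublicKey.(*ecdsa.PublicKey)
		if !ok || ref == nil || !pk.Equal(ref) {
			continue
		}
		for _, r := range roots {
			pool := x509.NewCertPool()
			pool.AddCert(r)
			if _, err := c.Verify(x509.VerifyOptions{Roots: pool, DNSName: name}); err == nil {
				vouched[string(r.Raw)] = true
			}
		}
	}
	return len(vouched)
}

// runScenario returns issuer counts for (a) an honest subscriber certified by both trusted
// CAs and (b) an attacker controlling only CA 2 who certifies their own key for the same
// name and pads the offer with the subscriber's genuine CA 1 certificate.
func runScenario() (honest, singleCompromise int) {
	k1, k2, sub, atk := newKey(), newKey(), newKey(), newKey()
	ca1 := sign(certTemplate("Example Root CA 1", true), nil, &k1.PublicKey, k1)
	ca2 := sign(certTemplate("Example Root CA 2", true), nil, &k2.PublicKey, k2)
	roots := []*x509.Certificate{ca1, ca2}
	const name = "subscriber.example" // constructed subscriber name
	c1 := sign(certTemplate(name, false), ca1, &sub.PublicKey, k1)
	c2 := sign(certTemplate(name, false), ca2, &sub.PublicKey, k2)
	honest = countIndependentIssuers([]*x509.Certificate{c1, c2}, roots, name)
	forged := sign(certTemplate(name, false), ca2, &atk.PublicKey, k2)
	singleCompromise = countIndependentIssuers([]*x509.Certificate{forged, c1}, roots, name)
	return honest, singleCompromise
}

func main() {
	h, s := runScenario()
	fmt.Printf("honest: %d CAs (accepted=%v); single-CA compromise: %d CA (accepted=%v)\n",
		h, h >= threshold, s, s >= threshold)
}
```

The key check is that every offered certificate must carry the same public key before its issuer is counted; without it, the attacker's forged certificate plus the victim's legitimate one would appear to satisfy a two-CA rule. The counting by root fingerprint also stops one CA from being counted twice through two certificates it issued. How the relying party learns which roots are "independent", and where the paper's public repository fits into that lookup, is outside this illustration.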