Reducing SWaP in the Field with a USB-based Hardware Security Module

Published in Military Embedded Systems
Written by Dominic Perez

Digital keys are a core concept in establishing secure networks, one as relevant in a data center application as it is at the edge of the tactical battlefield. While cryptography (crypto) uses both symmetric and asymmetric keys for different functions, for this column we’ll focus on asymmetric cryptography in which different keys are used for locking and unlocking.

The asymmetric cryptography approach has many advantages, such as verifying exactly who sent a particular message. The most common use for asymmetric crypto is in public key infrastructure (PKI) applications. In asymmetric crypto, there are both public and private keys. The public key can be freely distributed and is used to verify the identity of an entity, such as a person or a server. The private key needs to be kept private to prevent that entity from being impersonated.

Public and private keys are provided by a certificate authority (CA). After the entity creates a certificate-signing request, they pass it to the CA. After verifying the identity of the requestor, the CA will issue the entity its public and private keys as an X.509 certificate.

The CA could be a major internet company, such as Verisign or GoDaddy, or a server managed by an organization. Every operating system has a certificate store where trusted CAs are recorded; Microsoft, Apple, Red Hat, and others have vetted the major CAs, but an organization can add or remove CAs from this list. On a typical U.S. Army system, all the internet CAs are removed and replaced with a set of Department of Defense (DoD)-approved CAs.
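The request-and-issue flow and the trust-store replacement described in the two paragraphs above, as an added example using the openssl command line (not code from the article). The CA names and hostnames are constructed placeholders; in this sketch the requester generates its key pair locally and the CSR carries only the public half.

```sh
#!/bin/sh
# Added example; every name below (Example Org Root CA, Public Internet CA,
# node1.example.mil, www.example.com) is a constructed placeholder.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
# Minimal config so the roots are marked as CAs whatever the system default is.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_ca ID CN: self-signed root, written to $WORK/ID.key and $WORK/ID.pem
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/req.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
# make_csr ID CN: the requester creates a key pair and a CSR for it
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
# issue CA_ID ID: the CA signs the CSR (x509 -req checks its self-signature)
issue() {
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 7 -out "$WORK/$2.pem" 2>/dev/null
}
# trusts CA_ID ID: true only if ID's certificate chains to the CA in that store;
# -no-CApath keeps the system CA directory out of the decision
trusts() { openssl verify -no-CApath -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1; }

make_ca org "Example Org Root CA"   # stands in for an organization-run CA
make_ca net "Public Internet CA"    # stands in for a commercial CA
make_csr node "node1.example.mil"; issue org node
make_csr web "www.example.com"; issue net web

# Each CA file doubles as a one-entry trust store: "net" is a vendor-default
# list, "org" is the list after the internet CAs have been removed.
for store in net org; do
  for cert in node web; do
    if trusts "$store" "$cert"; then r=trusted; else r=rejected; fi
    echo "store=$store cert=$cert -> $r"
  done
done
```

With only the organization's CA in the store, the certificate issued by the stand-in internet CA is rejected even though it is otherwise well formed.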
