A Complete Guide to Public Key Cryptography Standards (PKCS) – Spiceworks News and Insights

Public key cryptography standards are a set of protocols that facilitate the use of public key infrastructure in data exchange.

Public key cryptography standards (PKCS) are defined as a set of protocols that provide structure to the various aspects of using public key infrastructure to exchange information. This article explains PKCS in detail.
Public key cryptography standards (PKCS) are a set of protocols that provide structure to the various aspects of using public key infrastructure to exchange information. Currently, there are 15 PKCS standards, though some of them have been invalidated.
Public key cryptography standards provide a framework and structure for all communication via the public key infrastructure (PKI). They give abstract syntax and algorithm details that can be adapted across different technologies.
Public key infrastructure (PKI) is everything about implementing public key cryptography – the hardware and software required, the procedures, the standards, and the roles of the parties involved. 
Public key cryptography, also known as asymmetric cryptography, encodes plain-text data using public and private keys before sending it across a network. As with all other cryptography methods, the degree of security of public key encryption depends on the encryption algorithms used and the level of secrecy of the keys involved.
Let’s suppose that Liam and Jamila want to communicate using the PKI. Liam is the sender, and Jamila is the receiver. Both Liam and Jamila have a pair of public and private keys. Liam provides Jamila with his public key, which does not need to be a secret. 
Liam encrypts his message to Jamila using his private key and sends it over. The private key is a secret. Jamila decrypts it using Liam’s public key. It is to be noted that these keys work in tandem – only the coupled private key can decode a message encoded using a particular public key.
One can fortify the security of this communication by using the following:
Liam creates a hashed digest of his intended message using an algorithm that he and Jamila had already agreed on. He attaches it to the message before encrypting it with his private key. This is a signed message. 
Jamila decrypts this with Liam’s public key, creates her own digest of the message portion, and compares it with the one Liam sent. If they match, the message is from Liam and has not been altered in transit.
This type of communication requires a message-digest algorithm that reduces messages of any length to a fixed length. MD5 is an example of a message-digest algorithm invented by RSA.
2. Certificates
A digital certificate is an identity card issued by a recognized and trusted certificate authority. Each certificate contains the details of the sender along with the public key. The authority also provides the private key separately. Messages are ‘signed’ with these digital certificates.
3. Enveloping 
Liam generates a random secret key and encrypts it with Jamila’s public key. He encrypts the message with this secret key. He sends both along to Jamila. She decrypts the message, gets the secret key with her private key, and decodes the intended message. This encryption mode uses the secret key algorithm, also known as the content-encryption algorithm.
 4. Key agreement
Liam and Jamila agree on a secret key for all communication. They use this to envelope the messages instead of generating a key ad hoc. But they must ensure that the key itself is communicated and stored securely. Sometimes, the key is generated using a pre-set password as well. This also uses a content-encryption algorithm.
As mentioned above, the type and combination of algorithms used in public key cryptography vary based on the kind of communication. SSL/TLS protocols are examples of how each of these encryption modes is applied. SSL/TLS transfers information between users on devices through browsers and applications. 
Most implementations of PKI focus on encryption using digital certificates. A user or an organization can apply for a certificate from a certificate authority (CA). The registration authority (RA) verifies the authenticity of the applications. The issued certificates are securely stored in a central directory, and a certificate management system is in place to maintain them.
Some open-source public key infrastructure implementations include OpenSSL, Vault, DogTag, and CFSSL. The concept of encrypted communication no longer applies to only niche industries such as banking. Private and personal identifiable information (PII) is constantly in transit through multiple apps and websites. Most information is stored and accessed from the cloud.
This means that cryptography is used in every possible device at almost every level of communication. With this in mind, RSA laboratories developed a set of standards in the early 1990s. Today, the PKCS standards are reviewed and maintained globally, with involvement from established tech players such as Apple, Microsoft, and MIT.
The public key cryptography standards aim to standardize the algorithms, processes, and message formats so that communication flows smoothly across applications from varied vendors.
See More: What Is a Security Vulnerability? Definition, Types, and Best Practices for Prevention
Each PKCS standard deals with a specific aspect of the PKI. They are reviewed and maintained individually and updated as necessary. The 15 standards are:
Description: This is the base standard that defines the syntax of the public and private keys, the format of the messages and digital signatures, the different algorithms to be used for each level of encryption and decryption, and the format of the digital certificate.
Besides the syntax of the key, it also specifies which mathematical requirements the keys must satisfy to be unbreachable for brute-force attacks. Some libraries implementing PKCS#1 are BSAFE, cryptlib, OpenSSL, and Nettle.
Is this standard still maintained? Yes. It was also republished as RFC 8017 in 2012. RFC is a formal document maintained by the Internet engineering task force (IETF) that contains specifications and notes for everything related to computing and networking.
Current version: 2.2
Description: The PKCS #2 standard defines how message digests must be created and encrypted.
Is this standard still maintained? No, this standard was withdrawn in 2010 and merged with PKCS #1.
Current version: Nil
Description: This standard is named after Diffie and Helman, who first developed the public/private key mode of encryption and decryption. It defines how the receiver and sender can establish a secret key to envelope private communication. 
This key is assumed to be created and shared in a non-secure network. Many key establishment schemes, such as ANSI X9.63 and IEEE 1363a, come into play here. Organizations such as Oracle have their own implementation of this standard.
Is this standard still maintained? Yes, it is still being used.
Current version: 1.4
Description: This standard covers the key syntax to be used by RSA.
Is this standard still maintained? No. PKCS #4 was withdrawn in 2010 and merged with the first standard.
Current version: Nil
Description: PKCS #5 explores the usage of passwords in the key agreement phase. It specifies how one should apply pseudo-random functions such as HMAC to the password along with a salt value. This text derived from the password now forms the secret key. This additional layer of encryption makes up for the pitfalls of using plain, user-fed passwords during communication.
Password-Based Key Derivation Function 2 (PBKDF2) is the recommended implementation by PKCS #5’s version 2.1. It involves hashing the password repeatedly to derive the key. The number of repetitions is based on the CPU speed. The more repetitions, the harder it is to break. However, newer and more robust implementations such as Argon2 and SCrypt are being used today.
Is this standard still maintained? Yes, this standard still plays a crucial role in encrypted communication. It has also been published as Internet Engineering Task Force’s RFC 2898.
Current version: 2.1
Description: PKCS #6 was meant to provide the syntax for extending and modifying the attributes established in a digital certificate.
Is this standard still maintained? No, this standard was made obsolete by the third version of X.509. X.509 is a different standard that defines the format of public key certificates.
Current version: Nil
Description: Cryptographic message syntax (CMS) standard specifies the syntax of stored, encrypted data. PKCS#7 is used by certificate authorities to store digital certificates that they’ve issued.
It also specifies how to handle certificates that have been invalidated for reasons other than expiry. Any storage of digital signatures should also adhere to PKCS #7. One implementation of this standard can be seen in Single sign-on applications.
Is this standard still maintained? This standard forms the basis for RFC 5652, and while still being implemented, it is being taken over by RFC 3369.
Current version: 1.5
See More: What Is Vulnerability Management? Definition, Lifecycle, Policy, and Best Practices
Description: As the name suggests, this standard defines the syntax for private keys. It explains which algorithms and attributes suit the best to create a private key. It also looks into how users must store private keys.
Usually, this standard is used in conjecture with PKCS #5, using a passcode and a salt to store private keys.
Is this standard still maintained? This standard is maintained and available as RFC 5208.
Current version: 1.2
Description: PKCS #9 defines the data type, length, and other details of attributes necessary for certificates, signatures, and private keys. It does not give the format of the certificate or the key itself. It deals with the attributes or details necessary to create one. 
For example, a business name and URL are necessary attributes for certain digital certificates.
Is this standard still maintained? PKCS #9 is still being supported.
Current version: 2.0
Description: PKCS #10 specifies the format of the messages sent to a certificate authority (CA) to request a digital certificate. This is called a certificate signing request. 
These messages usually contain the public key chosen by a business, domain name or other identifying details, and proof of authenticity.
Is this standard still maintained? Yes, this standard is still being maintained.
Current version: 1.7
Description: The cryptographic token interface standard is also known as Cyrptoki. It describes a platform-independent application programming interface (API) that can be used by cryptography token generators such as smart cards and key fobs. 
The API is a generic interface that allows the generation, modification, and deletion of the different types of keys and certificates used by security hardware. 
This standard ensures that encryption is platform-agnostic and allows various devices to communicate without extensive workarounds. 
Cryptoki serves well in scenarios that require single sign-on and disk encryption systems. Certificate authorities use it to access the CA’s signing key and to generate new certificates. Organizations such as Oracle Solaris and Red Hat have their own implementations for proprietary use.
Is this standard still maintained? PKCS #11 is still being supported, with RSA Security turning it over to the OASIS PKCS 11 technical committee for all further work.
Current version: 3.0
Description: PKCS #12 defines the file format in which the private key issued with the public key is stored. It also specifies how to store various other private information, such as the digital certificate.
More often than not, all the private encryption information is bundled and stored in internal containers called SafeBags. Some SafeBags have a predefined structure that enables the storage of certificate requests, X.509 certificates, and private keys. Some SafeBags are more flexible and allow the storage of custom, private information.
Besides storage, PKCS #12 also provides the mechanism for transferring this data across a network, along with the necessary syntax. PKCS #12 is built on PKCS #8 which only deals with private keys. It adds an extra layer to check for the integrity of this data both in transit and storage.
Is this standard still maintained? Yes, PKCS #12 is still being maintained.
Current version: 1.1
Description: The elliptic curve cryptography (ECC) standard was a type of cryptography that used modified mathematical methods in encryption. 
The current public key algorithm is the RSA algorithm, created by Rivest, Shamir, and Adleman. It involves the modular exponentiation of the product of two large prime numbers. 
ECC tries to find a distinct logarithm within a random elliptic curve. This yields more secure keys than RSA but is still in the exploration phase.
Is this standard still maintained? While proposed initially in 1998, there is no documentation of this standard available. 
Current version: Nil
Description: Random number generation plays a significant role in PKI, particularly with enveloping and hashing. It makes sense to standardize this aspect of encrypted communication. However, progress has yet to be made on this front.
Is this standard still maintained? No, there is no documentation of PKCS #14 that is available as of today.
Current version: Nil
Description: While all these standards have been established keeping interoperability in mind, it also makes sense to specify a standard that will allow for customization of certain aspects of encryption.
For example, integrated circuit cards are cryptographic tokens used across various devices. PKCS #15 specified the format of the credentials required by these tokens to identify themselves to the user. This is akin to digital certificates but at a token level.
Is this standard still maintained? PKCS #15 is still supported, though some nuances have been handed over to ISO/IEC 7816-15.
Current version: 1.1
See More: Top 10 Single Sign-On (SSO) Software Platforms in 2021
Public key cryptography standards may not be in the everyday lexicon of a business, but every business in every industry runs on it. Large technology companies make a concerted effort to integrate these standards into their infrastructure. Companies in sectors such as healthcare, education, and even government unwittingly subscribe to these standards when they incorporate various SaaS solutions and cloud-based infrastructure decisions into their systems. 
At an individual level, every website and application accessed from a personal device is also subject to PKCS standards. It makes sense, considering how much personal information flows into an online shopping or dating app.
The reasons that PKCS are so essential are:
There isn’t a single business in any industry today that is not connected to the internet. Even basic mailing software is subject to cyber-attacks. According to the Cost of a Data Breach 2022 Report by IBM, the average cost of a data breach in the United States is $9.44 million. 
The PKCS standards ensure no gaps while implementing encryption across these different applications consumed. They provide an encryption checklist for cybersecurity personnel. 
2. Compliance
With so much private and sensitive data doing the rounds, governing bodies across all industries have created regulations to control how this data is transmitted and stored. Encrypted data is usually the first mandate in all these regulations. 
For example, HIPAA regulations in the healthcare industry require that patients’ protected health information (PHI) and electronic PHI (ePHI) must be encrypted while stored and in transit. Failing to comply with HIPAA can cost around $50,000 per violation.
3. Versatility 
New devices and exceptional hardware capabilities are surfacing every day. The concept of stand-alone hardware is moot now, with every device recording, transmitting, or transmitting some form of data.
The Internet-of-things (IoT) has caught on, with data constantly being uploaded and used to make operations more efficient. An architecture that complies with the PKCS standards makes it easier to adapt these new technologies without necessarily uprooting the sections of the existing system.
4. Interoperability
The most significant advantage of using PKCS is the ability to securely allow various hardware and software forms to communicate without many development overheads. This makes it easier to explore different solutions and vendors. It also works well in the current cloud-driven infrastructure models.
See More: Top 10 Vulnerability Management Tools for 2021
The public key cryptography standards enable organizations to figure out what to look for from a security point of view while choosing vendors. These vendors can provide anything from collaboration suites like Google Workspace to customer relationship management solutions like Salesforce. Being aware of these standards also makes organizations less vulnerable to cyber attacks. 
Did this article help you understand public key cryptography standards in detail? Tell us on LinkedIn, Twitter, or Facebook. We’d love to hear from you!

IT Specialist



Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top

Adblock Detected

Please consider supporting us by disabling your ad blocker

Refresh Page