© 2003 Wonder Software Technologies Private Limited. All rights reserved.

VPN vs PKI

This paper compares two technologies used to secure and authenticate communication. The two technologies are first described briefly and then compared.

A “private” facility is one where access is restricted to a defined set of entities, and third parties cannot gain access. This is in contrast to a "public" facility, which is openly accessible and is managed within the terms and constraints of a common public resource, often via a public administrative entity.

A “network” is a collection of devices that can communicate in some fashion, and can successfully transmit and receive data amongst themselves.

The purpose of a VPN is to “virtualize” some portion of an organization’s communications – in other words, to make some portion (or perhaps all) of the communications essentially “invisible” to external observers, while taking advantage of the efficiencies of a common communications infrastructure.

Thus a Virtual Private Network means that the network being described is required to perform the defined set of functions of a “Private” facility though the network is not truly private. Wired Magazine described VPN as a technology that “works about as well as sticking cotton in your ears in Times Square and pretending nobody else is around."

Why VPN?

The first reason for implementing a VPN is communications privacy. The level of privacy depends greatly on the risk assessment performed by the subscriber organization.

The second reason is cost. Because of the high cost of network and communication components, creating a truly “private” network may cost a fortune. Instead, by deploying a smaller number of variable-cost components, which vary with the transport capacity and bandwidth of the system, a private, discreet network is created within a public network.

PDN to VPN

A Public Data Network (PDN) permits any connected network entity to exchange data with any other connected entity. The familiar instance of a PDN is the global Internet. The public data network has no inherent policy of traffic segregation, and any modification to this network policy of permitting ubiquitous connectivity is the responsibility of the connecting entity to define and enforce. The network environment is constructed using a single addressing scheme and a common routing hierarchy, which allows the switching elements of the network to determine the location of all the connected entities. All of these connected entities also share access to a common infrastructure of circuits and switching.

Organizations that use a PDN (e.g. the Internet) for private purposes for a closed set of participants (e.g. for connecting a set of geographically separated offices) must address several issues, including:

·         quality of service (QoS)

·         availability and reliability

·         use of public addressing schemes

·         use of public protocols

·         site security

·         data privacy and integrity

·         hacking, i.e. the possibility of traffic interception, etc.

Additionally, a corporate network application may desire more stringent levels of performance management than is available within a PDN.

What is VPN?

When the word “virtual” is added to anything, it simply means that the thing does not actually exist but appears to exist and to perform some required set of functions.

The most common type of VPN is one in which there are geographically diverse subnetworks that each belong to a common administrative domain, interconnected by a shared infrastructure such as the Internet that is outside of their administrative control, or outside the administrative control of a single service provider. The PDN users are unaware of the existence of the VPN.

It is worth mentioning that the level of privacy a VPN may enjoy depends greatly on the technology used to construct the VPN.

How VPNs Work

Depending on the functional requirements, there are several different types of VPNs, and several different methods of constructing each type of VPN. These implementations are based on several considerations, such as:

·         the problem being solved

·         risk analysis of the security provided by a particular implementation

·         issues of scale in growing the size of the VPN

·         complexity involved in implementing the VPN

·         complexity involved in maintenance and troubleshooting.

A VPN can be built using:

·         tunnels, or

·         encryption (at any layer of the TCP/IP network protocol stack), or

·         both;

·         alternatively, it can be constructed using Multi-Protocol Label Switching or one of the “virtual router” methods.

A VPN can consist of networks connected to a service provider’s network by:

·         leased lines,

·         Frame Relay, or

·         ATM.

It can also consist of dial-up subscribers connecting to centralized services, or to other dial-up subscribers.

What is PKI?

Public Key Infrastructure (PKI) is a “comprehensive system of technologies” working to enable users of the Internet or any other network to exchange information securely, with authentication and confidentiality. PKI brings to the electronic world the security and confidentiality features provided by the physical documents, hand-written signatures, sealed envelopes and established trust relationships of traditional, paper-based transactions.

The term “Public” denotes that PKI uses a public facility. A "public" facility is one which is openly accessible, and is managed within the terms and constraints of a common public resource, often via a public administrative entity such as the Internet. However, the word “Public” here does not refer to the Internet but to a security “Key” that is accessible, and is managed within the terms and constraints of a common public resource.

A “Key” is a digital representation of a large number that is used in cryptography for encryption and digital signatures to achieve the intended goals of security. In PKI every user has a Private Key and a Public Key. The user keeps the Private Key securely and does not reveal it to anyone, but makes the Public Key accessible as a common public resource.

The “Infrastructure” is a collection of several parts of a comprehensive system. The most important part of this infrastructure is a Certificate Authority, which may further delegate its responsibilities to a registration and/or a verifying authority.

Why PKI?

PKI provides its users, communicating over a network, with:

·         Confidentiality: ensures that only the intended recipients can read messages or files.

·         Data Integrity: ensures that messages or files cannot be changed without detection.

·         Authentication: ensures that participants in an electronic transaction are who they claim to be.

·         Non-repudiation: prevents participants from denying involvement in an electronic transaction.

What constitutes PKI?

1. User’s key pair: mathematically related key pairs, a different one for each entity (an individual or an organization), each comprising a private key and a public key.

2. Digital certificates: the public key of an entity signed by a certificate authority. The IETF (Internet Engineering Task Force) standard for this certificate is named X.509.

3. A Certificate Authority: a party that is trusted by the public to verify the public keys of others. The Certificate Authority may further delegate its responsibilities to some sub-authorities such as a Registration Authority and a Verifying Authority.

How PKI Works?

A PKI user takes the following steps to become an authorized user and then communicate with security and authenticity. When a user Bob wishes to communicate with Alice:

1. Bob generates a key pair containing a public and a private component.

2. Bob registers at the CA or RA, possibly physically signing a registration form.

3. Bob gives the CA or RA his proof of identity and a copy of the public key.

4. After verifying the identity of Bob, the RA tells the CA to issue the digital certificate binding Bob’s public key to his identity.

5. The CA places the certificate in a public database, called a repository, which may hold certificates issued by many CAs, and possibly also publishes it in a directory, something similar to a web version of a telephone directory.

Use 1 - Sign: When Bob needs to communicate with Alice he simply signs a document using his private key. Alice can verify that the document truly came from Bob by obtaining Bob’s public key from the CA’s repository. When applied to the received document, Bob’s public key will verify that the document was signed by him.

Use 2 - Encrypt: If Alice is also using PKI then Bob can even send her encrypted messages. To do this Bob obtains Alice’s certificate, containing her public key, from the CA’s repository. Alice’s certificate is signed using the private key of the CA. Bob then verifies the CA’s signature on Alice’s digital certificate using the CA’s public key, and recovers Alice’s public key. Bob then uses Alice’s public key to encrypt the message he sends to her, which can only be decrypted by Alice using her private key.

Use 3 - Sign and Encrypt: Both of the above functions, sign and encrypt, can be applied to a document together.
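As an added example (not code from this paper or from WonderCrypt), the steps above and Uses 1 and 2 are carried out with Go's standard library: a CA issues Bob's and Alice's X.509 certificates, Alice checks the CA's signature on a certificate before trusting the public key in it, Bob signs a document with his private key, and Bob encrypts a message under Alice's public key. The CA name, the key pairs and the document are constructed for the example, and certificates are handed over directly instead of through a repository.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issueCert is step 4: the CA signs a certificate binding pub to name (caCert == nil: self-signed root).
func issueCert(name string, pub *rsa.PublicKey, caCert *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if caCert == nil { // the CA's own root: marked as a CA and allowed to sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, caCert = true, true, x509.KeyUsageCertSign, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// verifyCert is Alice's check on a certificate from the repository: the CA's signature must verify under the root.
func verifyCert(cert, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
// Use 1: Bob signs with his private key; Alice verifies with the public key carried in Bob's certificate.
func sign(doc []byte, priv *rsa.PrivateKey) ([]byte, error) {
	h := sha256.Sum256(doc)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}
func verifySig(doc, sig []byte, cert *x509.Certificate) error {
	h := sha256.Sum256(doc)
	return rsa.VerifyPSS(cert.PublicKey.(*rsa.PublicKey), crypto.SHA256, h[:], sig, nil)
}
// Use 2: Bob encrypts under Alice's public key (from her certificate); only her private key decrypts.
func encryptFor(msg []byte, cert *x509.Certificate) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, cert.PublicKey.(*rsa.PublicKey), msg, nil)
}
func decrypt(ct []byte, priv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}
```

A certificate issued under a different root, a tampered document, or a signature checked against the wrong certificate are all rejected by the same calls, which is the detection the paper attributes to PKI.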

Criteria of Comparison

We shall compare these technologies against the following criteria of communication security. For each criterion, the PKI and VPN columns of the comparison are given below.

Non-Repudiation - The ability to prevent participants from denying involvement in an electronic transaction.

PKI: PKI exhibits non-repudiation on transactions through the use of digital signatures. PKI’s digital signatures provide a way to certify a transaction, which has legal standing.

VPN: A VPN system can date-stamp a transaction through an application, but there is no legal standing for such a system.

Authentication - The ability to ensure that participants in an electronic transaction are who they claim to be.

PKI: PKI provides a more reliable method. PKI uses two-factor authentication. It requires possession of a physical object, such as a USB token or a smart card that stores the user's private key, and knowledge of a password. These requirements make PKI more secure.

VPN: VPN uses a simple username and password.

Data Integrity - The reliability of data passing through the system. Concerns include data tampering or inconsistent availability.

PKI: Provides data encryption. Because of encryption, a third party cannot modify the data without the tampering being recognized immediately. Therefore encryption is very useful in making data secure.

VPN: VPN also uses encryption.

Confidentiality - Ensures that information (e.g., customer data and intellectual property) is not disclosed to unauthorized persons, processes, or devices. Confidentiality is especially important when considering medical data or financial information.

PKI: Provides data encryption using the public key of the recipient, which makes the data unreadable by any third party. Thus anyone trying to intercept a data transmission would not be able to read it. Therefore, sensitive data such as customer data and intellectual property cannot be read without access to the token, the private key of the recipient and its password.

VPN: VPN also uses encryption, but once the data is at the receiving end anyone can read the data, from the network administrator to anyone who can lay hands on it.

PKI’s ability to provide non-repudiation, authentication, data integrity and confidentiality enables an organization to defend not only against outside attackers but also against inside attackers.

VPN not only fails to provide non-repudiation but also does not offer any additional protection against unauthorized insider access. Moreover, as VPN uses usernames and passwords, it is vulnerable to misuse by valid users within the system itself.

Conclusion:

Because transmission of data using PKI is encrypted using the public key of the final recipient, and user access is controlled through private keys held on tokens or smart cards, proprietary information enjoys a greater degree of security, which also provides authenticity and non-repudiation. Hence, PKI emerges as the preferred technology.