In the real world…
In the real world, physical documents, hand-written signatures, sealed envelopes, photo identifications and established relationships are measures against fraud.
Public Key Infrastructure (PKI) translates the trust conventions in the real world and makes them work online.
PKI has many uses, but its primary use is providing data integrity through encrypting information. Encrypting information makes it unreadable to everyone except those authorised to see it.
Here is everything that plays a part in PKI:
- A certificate authority that issues and verifies digital certificates
- A registration authority that acts as the verifier for the certificate authority before a digital certificate is issued to a requestor
- One or more directories where the certificates or public keys are held
- A certificate management system
Authentication ensures users are who they claim they are, which enables resource access control decisions to be made. PKI provides identification and authentication through digital signatures.
- A challenge is created
- The challenge is signed by the holder of the private key the digital certificate
- The registration authority verifies the digital certificate
- The registration authority now knows that the holder of the key is the entity named in the certificate
- The holder the public key can view the digital certificate
Confidentiality encodes information in to a format which is incomprehensible to attackers.
When a public key in a digital certificate is used to encrypt information, only the holder of public key can decrypt the information.
Data integrity ensures that information cannot be changed without detection.
When the recipient of digitally signed information can verify the signature on the information, then the recipient knows the content has not changed since it was signed.
Non-repudiation prevents users from denying involvement an electronic transaction.
When information has been digitally signed, only the entity named in the digital certificate has access to the private key used to sign the information, and can therefore be assumed to some level of assurance to have been the entity that generated the information.
Here are the key areas where PKI assists organisations:
- Encryption and authentication for internal and external web pages (e.g. Internet banking)
- Logical access control by provide logon using strong authentication (e.g. smart card logon)
- Allowing single sign on to resources
- Authentication to different environments (e.g. Windows to Unix)
- External access to corporate network services
- Messaging solutions (e.g. email) for encryption and message integrity
- Code Signing
- Document signing of forms and formal correspondence
- Transaction Signing of critical services such as Databases and of financial transactions
- Resource Communications validation and/or encryption between devices
- Encrypted File System
- Secure File Transfer
- Remote secure administration of ICT assets
- Virtual Private Network
- Remote access for mobile devices
- Timestamp Services
- Identity Management
- Physical Access to facilities and equipment
PKI is important as it provides the building blocks to allow security solutions to be realised – it is not the end solution, but it is essential in enabling other solutions to create a tangible outcome.