| A PKI (public key infrastructure) enables users of a basically insecure public network such as the Internet to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates. Although the components of a PKI are generally understood, a number of different vendor approaches and services are emerging. Meanwhile, an Internet standard for PKI is being worked on. |
| |
| The public key infrastructure assumes the use of public key cryptography, which is the most common method on the Internet for authenticating a message sender or encrypting a message. Traditional cryptography has usually involved the creation and sharing of a secret key for the encryption and decryption of messages. This secret or private key system has the significant flaw that if the key is discovered or intercepted by someone else, messages can easily be decrypted. For this reason, public key cryptography and the public key infrastructure are the preferred approach on the Internet. (The private key system is sometimes known as symmetric cryptography and the public key system as asymmetric cryptography.) |
| |
| A public key infrastructure consists of: |
| |
| 1: A certificate authority (CA) that issues and verifies digital certificates. A certificate includes the public key or information about the public key |
| 2: A registration authority (RA) that acts as the verifier for the certificate authority before a digital certificate is issued to a requestor |
| 3: One or more directories where the certificates (with their public keys) are held |
| 4: A certificate management system |
| |
| How Public and Private Key Cryptography Works |
| |
| In public key cryptography, a public and private key are created simultaneously using the same algorithm (a popular one is known as RSA) by a certificate authority (CA). The private key is given only to the requesting party and the public key is made publicly available (as part of a digital certificate) in a directory that all parties can access. The private key is never shared with anyone or sent across the Internet. You use the private key to decrypt text that has been encrypted with your public key by someone else (who can find out what your public key is from a public directory). Thus, if I send you a message, I can find out your public key (but not your private key) from a central administrator and encrypt a message to you using your public key. When you receive it, you decrypt it with your private key. In addition to encrypting messages (which ensures privacy), you can authenticate yourself to me (so I know that it is really you who sent the message) by using your private key to encrypt a digital certificate. When I receive it, I can use your public key to decrypt it. Here's a table that restates it: |
| |
| To do this | Use whose | Kind of key |
| Send an encrypted message | Use the receiver's | Public key |
| Send an encrypted signature | Use the sender's | Private key |
| Decrypt an encrypted message | Use the receiver's | Private key |
| Decrypt an encrypted signature (and authenticate the sender) | Use the sender's | Public key |
| |
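The four rows of the table, together with the CA, directory and revocation roles listed earlier, as an added example that is not part of the original page. It uses textbook RSA without padding so that it runs on the Python standard library alone; the key material, the `DIRECTORY` and `REVOKED` stores and all function names are constructed for illustration.

```python
# Added illustration: textbook RSA, fixed Mersenne primes, no padding. NOT for real use.
import hashlib

def make_keypair(p, q, e=65537):
    """Return (public, private), each an (exponent, modulus) pair."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def rsa(key, value):            # raw RSA: value ** exponent mod modulus
    return pow(value, key[0], key[1])

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data):        # table row 2: the sender's PRIVATE key
    return rsa(private, digest(data, private[1]))

def verify(public, data, sig):  # table row 4: the sender's PUBLIC key
    return rsa(public, sig) == digest(data, public[1])

def encrypt(public, text):      # table row 1: the receiver's PUBLIC key
    return rsa(public, int.from_bytes(text, "big"))

def decrypt(private, cipher):   # table row 3: the receiver's PRIVATE key
    m = rsa(private, cipher)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

# Constructed keys for a hypothetical CA, sender and receiver.
CA_PUB, CA_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
SENDER_PUB, SENDER_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
RECV_PUB, RECV_PRIV = make_keypair(2**107 - 1, 2**127 - 1)

def cert_body(name, public):
    return f"{name}|{public[0]}|{public[1]}".encode()

def issue(name, public):
    """CA role: bind a name to a public key by signing both."""
    return {"name": name, "key": public, "sig": sign(CA_PRIV, cert_body(name, public))}

DIRECTORY = {n: issue(n, k) for n, k in (("sender", SENDER_PUB), ("receiver", RECV_PUB))}
REVOKED = set()                 # names whose certificates were revoked

def lookup(name):
    """Directory role: hand out a key only if its certificate checks out."""
    cert = DIRECTORY[name]
    body = cert_body(name, cert["key"])  # the signature must cover the requested name
    if name in REVOKED or not verify(CA_PUB, body, cert["sig"]):
        raise ValueError(f"no valid certificate for {name}")
    return cert["key"]
```

Because `lookup` checks the CA signature over the name and key together, a directory entry whose key has been swapped is rejected instead of being used for encryption.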
| Who Provides the Infrastructure |
| |
| A number of products are offered that enable a company or group of companies to implement a PKI. The acceleration of e-commerce and business-to-business commerce over the Internet has increased the demand for PKI solutions. Related ideas are the virtual private network (VPN) and the IP Security (IPsec) standard. Among PKI leaders are: |
| |
| 1: RSA, which has developed the main algorithms used by PKI vendors |
| 2: Verisign, which acts as a certificate authority and sells software that allows a company to create its own certificate authorities |
| 3: GTE CyberTrust, which provides a PKI implementation methodology and consultation service that it plans to vend to other companies for a fixed price |
| 4: Xcert, whose Web Sentry product checks the revocation status of certificates on a server, using the Online Certificate Status Protocol (OCSP) |
| 5: Netscape, whose Directory Server product is said to support 50 million objects and process 5,000 queries a second; Secure E-Commerce, which allows a company or extranet manager to manage digital certificates; and Meta-Directory, which can connect all corporate directories into a single directory for security management |
| |
| Pretty Good Privacy |
| |
| For e-mail, the Pretty Good Privacy (PGP) product lets you encrypt a message to anyone who has a public key. You encrypt it with their public key and they then decrypt it with their private key. PGP users share a directory of public keys that is called a key ring. (If you are sending a message to someone who doesn't have access to the key ring, you can't send them an encrypted message.) As another option, PGP lets you "sign" your note with a digital signature using your private key. The recipient can then get your public key (if they get access to the key ring) and decrypt your signature to see whether it was really you who sent the message. |
| |