member sign-in
Forgot password? Create new account Close

PKI / Digital Certificate Solutions

Definition

Public Key Infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to provide and implement certificate services and other services related to the infrastructure. In cryptography, a PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique within each CA domain. The binding is established through the registration and issuance process, which, depending on the level of assurance the binding has, may be carried out by software at a CA, or under human supervision. The PKI role that assures this binding is called the Registration Authority (RA). For each user, the user identity, the public key, their binding, validity conditions and other attributes are made unforgettable in public key certificates issued by the CA.

User Benefits

Complex business systems, e-commerce and automated business transactions require robust and rigorous security measures. Today’s Internet clientele demand stringent security protocols to protect their interests, privacy, communication, value exchange, and information assets. The public key cryptography supports these risk management requirements and solves e-commerce security problems in heterogeneous network environments. PKI allow to an organization to secure online transactions and communications.

A public key infrastructure can be implemented to satisfy security needs such as confidentiality, integrity, authentication, and non-repudiation. A public key infrastructure (PKI) is a foundation on which other applications, system, and network components are built:access control, web  and, e-mail  security, digital signatures. A PKI is an essential component of an overall security strategy that must work in concert with other security mechanisms, business practices, and risk management efforts.

Business Impact

A PKI can provide a comprehensive security umbrella for a range of crucial business applications and services such as Web security, secure e-mail, remote access, electronic forms, workflow, and other e-business applications. Administration of business applications can be made relatively simple and seamless. With a PKI, organizations can administer security once for all business applications, rather than separately for each one.


Products supporting this technology

Organizations are increasingly recognizing the benefits of doing business on the Internet. Compared to conventional operations, the Internet offers a low-cost, open, real-time alternative to conducting business transactions and communications. However, whether an organization uses the Web, e-mail, remote access, or other applications, all e-business transactions are vulnerable to a variety of computer attacks.

As people continue to rely on the Internet, intranets, and extranets for mission-critical transactions, easy-to-use, yet sophisticated security tools are essential. It is now clear that the economic and social benefits of the "information highway" can never be fully realized without the underpinnings of a security infrastructure such as a Public Key Infrastructure (PKI).

Security is a fundamental requirement for e-business applications such as private e-mail, purchase orders, transmission of credit card information, and workflow automation using signature-based forms. Given the growing importance of public key cryptography to many applications from encryption and secure e-mail to electronic commerce, a Public Key Infrastructure (PKI) is probably the most critical enterprise security investment a company will make.

A PKI is emerging as the cornerstone of e-business. It can improve the operational effectiveness of an organization, while providing an attractive return on its security investment. For example, organizations are increasingly recognizing the competitive advantages of using a PKI for trusted Web-based transactions. Such solutions can improve customer service, while decreasing costs by quickly and securely distributing information, products, and services.

Public key technology is a combination of algorithms, protocols, and derived tools designed for secure communications. A PKI is a comprehensive infrastructure supported by a common set of security services that enables seamless and trustworthy e-business transactions in a manner that is almost transparent to the users involved in the transaction. In addition to user transparency, a PKI must include the following features to provide the required key and certificate management services:

  • a Certification Authority (CA) to issue public key certificates;
  • a certificate repository, which maintains an organization’s directory of certificate users (whether they are customers, business partners, or employees);
  • an effective certificate revocation system, which ensures ongoing trust and validity by automatically and transparently checking the appropriate certificate revocation list (CRL) each time a certificate is used;
  • a key backup and recovery mechanism to allow the organization to recover encrypted information and validate digital signatures even if the user leaves the organization or simply forgets his or her password;
  • support for non-repudiation of digital signatures through the use of separate key pairs for encryption and digital signatures;
  • automatic update of key pairs and certificates prior to expiration to ensure that service is not disrupted;
  • management of key histories to transparently retrieve historical encrypted data;
  • support for cross-certification to allow organizations to extend their domain of trust to include other organizations; and
  • application software interacting with all of the above features in a secure, consistent, and trustworthy manner.

In addition, to provide an effective solution that is feasible in real-world implementations, a PKI must be effectively managed. A managed PKI enables the organization to administer security only once for all e-business transactions including Web, e-mail, remote access, enterprise resource planning (ERP), and so on. For the end user, this means only one password for all applications and policies that are automatically and consistently enforced across all transactions.

The basic security elements that are generally addressed by a PKI:

Security: Confidentiality

Description: Ensures that information is not disclosed to unauthorized parties

Analogy in a Non-Electronic World: A sealed envelope in a diplomatic pouch, personally hand-delivered by a governmental courier, provides reasonable assurance that the information conveyed is not disclosed to anyone and the confidentiality of the message is maintained.

Security: User Authentication

Description: Ensures that the parties involved in the transaction are who they say they are

Analogy in a Non-Electronic World: A person's passport is a secure document issued by a Passport Office, certifying that the person is who he or she claims to be. This provides a moderate degree of user authentication when a traveler is asked to present his or her passport upon entering a foreign country.

Security: Access Control

Description: Ensures that only authorized persons can access certain electronic information

Analogy in a Non-Electronic World: The security clearances issued to certain government officials and consultants working in government departments allow the individuals to access certain levels of information, thereby controlling access to sensitive information. 

Security: Data Integrity

Description: Ensures that data has not been modified or tampered with during transit, from the time it left the originator to the time it reached the recipient

Analogy in a Non-Electronic World: A traditional signed message enclosed in a sealed envelope supports a moderate degree of integrity. Provided that the envelope does not have obvious signs of tampering, the recipient can be reasonably confident that the message inside is that which the sender actually enclosed.

Security: Non-Repudiation (User Accountability)

Description: Ensures that neither party can revoke or deny their role in a transaction, or make false claims about posing or accepting an offer

Analogy in a Non-Electronic World: A handwritten, signed message in a sealed envelope, delivered by registered mail, supports a moderate degree of non-repudiation. Handwritten signatures contain attributes that permit moderately strong authentication. They are difficult to forge, and permit verification of the signer's identity. The sealed envelope retains the integrity of the message, and a return receipt generated on delivery can confirm its delivery to the intended recipient. Thus, neither party can deny their participation in the transaction, since the existence of a clear audit trail makes it very difficult for either party to state any false claims about sending or receiving the letter.

The benefits of implementing a comprehensive and managed PKI solution have yielded other tangible returns for many organizations. The applications range from extending personalized banking services to reducing the turnaround time for application forms. For example, banks are using PKI technology for a secure and cost-effective means of communicating with customers.

The Internet is growing in popularity and an increasing number of organizations and individuals see the Web as an efficient, inexpensive means of distributing information, products, and services. However, organizations that wish to share information with business partners, clients, and employees over the Internet must implement security infrastructures, such as a PKI, to prevent electronic fraud such as data tampering, eavesdropping, and masquerading.

The ideal PKI solution should provide ease of use, a flexible and scalable architecture, low administrative overhead, and simplicity in enforcing and auditing a security policy. Such a solution allows an organization to leverage its existing network and realize tangible benefits from adopting a security infrastructure that effectively manages the communication and storage of confidential and proprietary information.

Integral metrics in purchasing a PKI are the return on investment (ROI) and the total cost of ownership (TCO) of the solution. Further focusing on particular business applications and the potential cost savings will enable organizations to identify any additional return on their PKI investments. This could include the cost savings realized by replacing a paper-based transaction with a more effective electronic transaction. In addition, organizations can generate new revenues with applications that deliver new services to partners and customers.

Administration of business applications can be made relatively simple and seamless. With a PKI, organizations can administer security once for all business applications, rather than separately for each one.

The business benefits of reduced costs, streamlined business processes, and improved customer service provide tangible returns on an investment in PKI. Only a comprehensive, managed PKI can achieve the goal of enabling trust in e-business transactions and communication, while providing a solution that is both automatic and transparent for end users.