4. Clarify the basic concepts of PKI (Public Key Infrastructure).
A PKI (public key infrastructure) enables users of a basically unsecured public network
such as the Internet to securely and privately exchange data and money through the use of a
public and a private cryptographic key pair that is obtained and shared through a trusted
authority. The public key infrastructure provides for a digital certificate that can identify an
individual or an organization and a directory service that can store and, when necessary,
revoke the certificates. Although the components of a PKI are generally understood, a number
of different vendor approaches and services are emerging. Meanwhile, an Internet standard for
PKI is being
The public key infrastructure assumes the use of public key cryptography, which is the
most common method on the Internet for authenticating a message sender or encrypting a
message. Traditional cryptography has usually involved the creation and sharing of a secret key
for the encryption and decryption of messages. This secret or private key system has the
significant flaw that if the key is discovered or intercepted by someone else, messages can easily
be decrypted. For this reason, public key cryptography and the public key infrastructure are the
preferred approach on the Internet. (The private key system is sometimes known as symmetric
cryptography and the public key system as asymmetric cryptography.)
A public key infrastructure consists of:
A certificate authority (CA) that issues and verifies digital certificates. A certificate includes the public key or information about the public key.
A registration authority (RA) that acts as the verifier for the certificate authority before a digital certificate is issued to a requestor.
One or more directories where the certificates (with their public keys) are held.
A certificate management system.
PKI provides three primary services:
The assurance to the recipient that the sender is who the sender claims to be. This is achieved by means of digital signature.
The assurance to the recipient that data has not been altered during Internet communication. This is achieved by means of digital signature.
The assurance to a sender and recipient that no one can read a particular piece of data except the intended recipient. This is achieved by means of encryption.
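
The components and signature-based services above can be traced end to end in a short sketch. This is an added example, not part of the original notes: the function names, the certificate layout and the revocation set are hypothetical, and the keys are constructed toy values using textbook RSA without padding, so it shows the checks a relying party makes and nothing more.

```python
import hashlib

E = 65537  # public exponent shared by the toy keys

def keypair(p, q):
    """Textbook RSA from two primes: returns (public n, private d). Toy only."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

# Constructed keys (Mersenne primes; far too small and unpadded for real use).
CA_N, CA_D = keypair(2**107 - 1, 2**127 - 1)
ALICE_N, ALICE_D = keypair(2**61 - 1, 2**89 - 1)

def issue(serial, subject, subject_n):
    """CA role: bind a subject name to a public key by signing both."""
    body = f"{serial}|{subject}|{subject_n}".encode()
    return {"serial": serial, "subject": subject, "n": subject_n,
            "ca_sig": sign(body, CA_N, CA_D)}

def accept(cert, message, msg_sig, revoked):
    """Relying party: check CA signature, revocation, then the message."""
    body = f"{cert['serial']}|{cert['subject']}|{cert['n']}".encode()
    if not verify(body, cert["ca_sig"], CA_N):
        return "bad certificate"   # name/key binding was not signed by the CA
    if cert["serial"] in revoked:
        return "revoked"           # directory lists this certificate as revoked
    if not verify(message, msg_sig, cert["n"]):
        return "bad signature"     # message altered or not from the subject
    return "ok"

def demo():
    cert = issue(1001, "alice@example.com", ALICE_N)
    msg = b"pay 100 to bob"
    sig = sign(msg, ALICE_N, ALICE_D)
    altered = dict(cert, subject="mallory@example.com")
    return [accept(cert, msg, sig, set()),
            accept(cert, b"pay 900 to bob", sig, set()),
            accept(altered, msg, sig, set()),
            accept(cert, msg, sig, {1001})]

if __name__ == "__main__":
    print(demo())
```

A real deployment uses X.509 certificates and a vetted cryptographic library instead of hand-rolled RSA.
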
Who Provides the Infrastructure?
A number of products are offered that enable a company or group of companies to implement
a PKI. The acceleration of e-commerce and business-to-business commerce over the Internet has
increased the demand for PKI solutions. Related ideas are the virtual private network (VPN) and
the IP Security (IPsec) standard. Among PKI leaders are:
RSA, which has developed the main algorithms used by PKI vendors
Verisign, which acts as a certificate authority and sells software that allows a company to create its own certificate authorities
GTE CyberTrust, which provides a PKI implementation methodology and consultation service that it plans to vend to other companies for a fixed price
Xcert, whose Web Sentry product checks the revocation status of certificates on a server, using the Online Certificate Status Protocol (OCSP)
Netscape, whose Directory Server product is said to support 50 million objects and process 5,000 queries a second; Secure E-Commerce, which allows a company or extranet manager to manage digital certificates; and Meta-Directory, which can connect all corporate directories into a single directory for security management.