What is Public Key Infrastructure?

Public Key InfrastructureUsing the technology of asymmetric or public key cryptography, a digital certificate is used to verify a user’s public key.  In other words, digital certificates ensure that a user is who he says he is and a website is who they say they are.  Verifying identities with digital certificates is important because many phishing and spoofing attacks involve criminals creating bogus sites and tricking unknowing victims into entering personal information such as user names, passwords, and account numbers.  Public key infrastructure (PKI) is procedures and technology, such as specialized software and hardware, which are used to manage digital certificates.

PKI is needed because of the complexity associated with managing digital certificates.  For instance, a Certificate Authority (CA) is a third-party entity that vouches for the authenticity of public keys.  In performing this task they must investigate the background of applicants before issuing a digital certificate.  In addition to distributing certificates, a CA must also revoke and place expired certificates on Certificate Revocation Lists (CRL).

Public key infrastructure helps to ensure effective and efficient certificate management by following set of 15 Public-Key Cryptographic Standards (PKCS).  PKCS covers a wide variety of topics including digital signature formats, key exchange protocols, certificate syntax, file formats, technologies, and storage procedures.

Certificate administration is not the sole focus of PKI; it also must manage the public keys which are the backbone of the public key system.  A major part of key management in the PKI framework is key storage. For example, it is important to encrypt the folder or directory where public keys are stored.  It is also preferable to store them using a hardware-based system as opposed to software-based because of the numerous vulnerabilities in operating systems and applications.  Private keys are stored on the client’s system.

Another important aspect of key management is how they are handled.  Specific procedures must be in place throughout the useful life of a public key.  It must be clearly define how keys are issued, revoked, and terminated.

Some of the systems that rely on PKI security mechanisms are email, ecommerce, and online banking.  No matter the application, PKI’s purpose is to make the secure exchange of data possible.  Keep in mind that PKI covers a wide range of topics and the standards that define its procedures continually evolve to meet the needs of a changing computing environment.

Bookmark and Share

This entry was posted on Wednesday, July 14th, 2010 at 12:32 pm and is filed under Computer Security, Cryptography. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Reply