Introduction to PKI

The comprehensive system required to provide public-key encryption and digital signature services is known as a public-key infrastructure. The purpose of a public-key infrastructure is to manage keys and certificates. By managing keys and certificates through a PKI, an organization establishes and maintains a trustworthy networking environment. A PKI enables the use of encryption and digital signature services across a wide variety of applications.

There are a number of requirements that businesses have with respect to implementing effective public-key infrastructures. First and foremost, if users cannot take advantage of encryption and digital signatures in applications, a PKI is not valuable. Consequently, the most important constraint on a PKI is transparency. The term transparency means that users do not have to understand how the PKI manages keys and certificates to take advantage of encryption and digital signature services. An effective PKI is transparent.

In addition to user transparency, a business must implement the following items in a PKI to provide the required key and certificate management services:

  • public key certificates
  • a certificate repository
  • certificate revocation
  • key backup and recovery
  • support for non-repudiation of digital signatures
  • automatic update of key pairs and certificates
  • management of key histories
  • support for cross-certification
  • client-side software interacting with all of the above in a secure, consistent, and trustworthy manner.

For public-key cryptography to be valuable, users must be assured that the other parties with whom they communicate are "safe", that is, their identities and keys are valid and trustworthy. To provide this assurance, all users of a PKI must have a registered identity. These identities are stored in a digital format known as a public key certificate. Certification Authorities (CAs) represent the people, processes, and tools to create digital certificates that securely bind the names of users to their public keys.

In creating certificates, CAs act as agents of trust in a PKI. As long as users trust a CA and its business policies for issuing and managing certificates, they can trust certificates issued by the CA. This is known as third-party trust.

CAs create certificates for users by digitally signing a set of data that includes the following information (and additional items):

  1. the user's name in the format of a distinguished name (DN). The DN specifies the user's name and any additional attributes required to uniquely identify the user (for example, the DN could contain the user's employee number).
  2. a public key of the user. The public key is required so that others can encrypt for the user or verify the user's digital signature.
  3. the validity period (or lifetime) of the certificate (a start date and an end date).
  4. the specific operations for which the public key is to be used (whether for encrypting data, verifying digital signatures, or both).

The CAs signature on a certificate allows any tampering with the contents of the certificate to be easily detected. (The CA's signature on a certificate is like a tamper-detection seal on a bottle of pills, any tampering with the contents of a certificate is easily detected) As long as the CA's signature on a certificate can be verified, the certificate has integrity. Since the integrity of a certificate can be determined by verifying the CA's signature, certificates are inherently secure and can be distributed in a completely public manner (for example, through publicly-accessible directory systems).

Users retrieving a public key from a certificate can be assured that the public key is valid. That is, users can trust that the certificate and its associated public key belong to the entity specified by the distinguished name. Users also trust that the public key is still within its defined validity period. In addition, users are assured that the public key may be used safely in the manner for which it was certified by the CA.

Last modified 11 years ago Last modified on Jul 5, 2007, 11:59:45 PM