A PKI (public
key infrastructure) enables users of a basically unsecure public network such
as the Internet to securely and privately exchange data and money through the
use of a public and a private cryptographic key pair that is obtained and
shared through a trusted authority. The public key infrastructure provides for
a digital certificate that can identify an individual or an organization and
directory services that can store and, when necessary, revoke the certificates.
Although the components of a PKI are generally understood, a number of
different vendor approaches and services are emerging. Meanwhile, an Internet
standard for PKI is being worked on.
The public key
infrastructure assumes the use of public key cryptography, which is the most
common method on the Internet for authenticating a message sender or encrypting
a message. Traditional cryptography has usually involved the creation and
sharing of a secret key for the encryption and decryption of messages. This
secret or private key system has the significant flaw that if the key is
discovered or intercepted by someone else, messages can easily be decrypted.
For this reason, public key cryptography and the public key infrastructure is
the preferred approach on the Internet. (The private key system is sometimes
known as symmetric cryptography and the public key system as asymmetric
cryptography.)
A public key infrastructure consists of:
• A certificate authority (CA) that issues and verifies digital
certificate. A certificate includes the public key or information about the
public key
• A registration authority (RA) that acts as the verifier for the
certificate authority before a digital certificate is issued to a requestor
• One or more directories where the certificates (with their
public keys) are held
• A certificate management system
How Public and Private Key Cryptography Works
To do
this
|
Use
whose
|
Kind
of key
|
Send
an encrypted message
|
Use
the receiver's
|
Public
key
|
Send
an encrypted signature
|
Use
the sender's
|
Private
key
|
Decrypt
an encrypted message
|
Use
the receiver's
|
Private
key
|
Decrypt
an encrypted signature (and authenticate the sender)
|
Use
the sender's
|
Public
key
|
In public key cryptography, a public and private key are created simultaneously using the same algorithm (a popular one is known as RSA) by a certificate authority (CA). The private key is given only to the requesting party and the public key is made publicly available (as part of a digital certificate) in a directory that all parties can access. The private key is never shared with anyone or sent across the Internet. You use the private key to decrypt text that has been encrypted with your public key by someone else (who can find out what your public key is from a public directory). Thus, if I send you a message, I can find out your public key (but not your private key) from a central administrator and encrypt a message to you using your public key. When you receive it, you decrypt it with your private key. In addition to encrypting messages (which ensures privacy), you can authenticate yourself to me (so I know that it is really you who sent the message) by using your private key to encrypt a digital certificate. When I receive it, I can use your public key to decrypt it. Here's a table that restates it:
Who Provides the Infrastructure
A number of
products are offered that enable a company or group of companies to implement a
PKI. The acceleration of e-commerce and business-to-business commerce over the
Internet has increased the demand for PKI solutions. Related ideas are the
virtual private network (VPN) and the IP Security (IPsec) standard. Among PKI
leaders are:
1. RSA, which has developed the main algorithms used by PKI vendors
2. Verisign, which acts as a certificate authority and sells
software that allows a company to create its own certificate authorities
3. GTE CyberTrust, which provides a PKI implementation methodology
and consultation service that it plans to vend to other companies for a fixed
price
4. Xcert, whose Web Sentry product that checks the revocation
status of certificates on a server, using the Online Certificate Status
Protocol (OCSP)
Netscape,
whose Directory Server product is said to support 50 million objects and
process 5,000 queries a second; Secure E-Commerce, which allows a company or
extranet manager to manage digital certificates; and Meta-Directory, which can
connect all corporate directories into a single directory for security
management
Pretty Good Privacy
For e-mail,
the Pretty Good Privacy (PGP) product lets you encrypt a message to anyone who
has a public key. You encrypt it with their public key and they then decrypt it
with their private key. PGP users share a directory of public keys that is
called a key ring. (If you are sending a message to someone that doesn't have
access to the key ring, you can't send them an encrypted message.) As another
option, PGP lets you "sign" your note with a digital signature using
your private key. The recipient can then get your public key (if they get
access to the key ring) and decrypt your signature to see whether it was really
you who sent the message.