all-about-it.org [Your Technology Resource]

Public Key Infrastructures

The sections below cover the fundamentals of PKI and offer explanations of how they should be deployed.


What is a Public Key Infrastructure?

Internet security is essential, right? Well – wrong, if the current state of Web-based applications is anything to go by. Despite the existence of data encryption since 1900 BC (according to the article here), not to mention the obvious threats of fraud and to privacy, companies and individuals still appear to have a pretty relaxed attitude to the security of the Web. At the same time, the lack of a comprehensive security framework for the Web is cited as one of the main reasons why companies are slow to adopt the Internet as part of their infrastructures.

Enter the Public Key Infrastructure. It would be needless repetition to do more than point you at the Network World Fusion article Public Key Encryption for Dummies. There is also a reasonable explanation at IBM’s Web site here. The best pictures are to be found on the first couple of pages of the Linux Journal biometrics article, however.

For PKIs to work, there is a need for a trusted third party to generate and manage the encryption keys (what are they – see the articles above). This third party is known as the Certification Authority or CA. A technical overview of PKIs and how they are used, in this case with the Netscape Navigator, may be found here – this article also provides a reasonable explanation of CAs.

Business Benefits of PKIs

Why use a PKI? Security, of course! For a start, encryption protects the privacy of information, and the PKI simplifies the encryption/decryption process by managing the keys. Second, public key encryption yields digital signatures and hence “non-repudiation,” i.e. if you receive a digitally signed message, you can be sure where it came from (click here for lots more detail).
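The roles of the CA and of digital signatures described above, as an added example that is not part of the original page: a constructed CA issues a certificate, and a recipient accepts a signed message only if the certificate chains to that CA and the signature verifies under the certified key. It assumes the OpenSSL command-line tool is installed; every subject name and file name is made up for the demo.

```shell
#!/bin/sh
# Constructed demo: subject names and file names below are illustrative only.

# Build a minimal PKI in directory $1: a root CA, one certificate issued by it,
# and one self-signed certificate that no CA has vouched for.
pki_setup() {
  d=$1
  # The CA: a self-signed root certificate that relying parties choose to trust.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  # Alice creates a key pair and a signing request; her private key stays with her.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice.example" \
    -keyout "$d/alice.key" -out "$d/alice.csr" 2>/dev/null
  # The CA binds Alice's name to her public key by signing a certificate.
  openssl x509 -req -in "$d/alice.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -out "$d/alice.crt" 2>/dev/null
  # Same subject name, but self-signed: nothing links this key to the trusted CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=alice.example" \
    -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null
}

# In directory $1, sign file $3 with private key $2 and write the signature to $4.
sign_msg() { openssl dgst -sha256 -sign "$1/$2" -out "$1/$4" "$1/$3"; }

# Relying-party check in directory $1: accept message $3 with signature $4 only if
# certificate $2 chains to the trusted CA AND the signature verifies under its key.
accept_msg() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1/$2" -pubkey -noout > "$1/$2.pub" || return 1
  openssl dgst -sha256 -verify "$1/$2.pub" -signature "$1/$4" "$1/$3" >/dev/null 2>&1
}

d=$(mktemp -d) && pki_setup "$d"
printf 'Pay 100 EUR to Bob\n' > "$d/msg.txt"
sign_msg "$d" alice.key msg.txt alice.sig
sign_msg "$d" other.key msg.txt other.sig
accept_msg "$d" alice.crt msg.txt alice.sig && echo "CA-issued certificate: message accepted"
accept_msg "$d" other.crt msg.txt other.sig || echo "self-signed certificate: message rejected"
rm -rf "$d"
```

The second message carries a mathematically valid signature; it is rejected only because no trusted CA has vouched for the key that made it.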

There is a knock-on benefit of PKIs to business, namely confidence. If companies are wary of the Web, PKIs may well prove to give them the confidence they need.

Deploying PKIs in the Corporate Environment

There are two ways to deploy PKI facilities – build or buy:

  • A PKI can be constructed and deployed for a company or a group of companies. This is expensive but enables the specific requirements of the organisation(s) to be taken into account. Infosec Engineering provides a description of the components of a PKI here, though it is unlikely you would build a PKI from scratch without outside help.

  • PKI services can be bought in from an external organisation, as a kind of ASP-delivered service. We discuss ASPs here.

Issues with PKIs

PKIs are currently expensive to implement, not to mention the fact that both sender and recipient need to have agreed to use public key encryption in their communications. As PKIs are not yet ubiquitous, this leads to a catch-22 where everybody waits for everyone else to start using public key encryption first.

PKIs remain expensive despite several initiatives (such as Identrus for the financial industry, discussed here).

In addition, the interoperability of PKI implementations is flaky. Again, initiatives (such as the PKI Forum interoperability framework, and the Asia-Pacific telecommunications working group initiative, here) exist to counter the problems.

Finally, the security of the Certificate Authorities may be at risk. Organisations such as ECAF in Europe are building policy frameworks with which CAs will have to comply, but at the moment many countries do not have trust policies for CAs.

There is a decidedly good exposé of PKIs to be found at Counterpane.com, entitled Ten Risks of PKI: What You're Not Being Told about Public Key Infrastructure. Also at Counterpane is the excellent article Why Cryptography is Harder than it Looks.

The Future of PKIs

The technologies required for PKIs already exist, but the world is not yet using them. Given the fact that there is a problem to be solved by PKIs and that they are an adequate basis to solve it, it looks likely that PKIs will achieve more mainstream notoriety, once the remaining issues are addressed.

PKIs with everything? This looks likely, once interoperability issues are ironed out. There are few applications in the future that will not require the Internet as a backbone, and hence few that will not need to leverage the enhanced security that a PKI can support.

Additional technologies will also enhance the potential of PKIs, as described in the Linux Journal article on Smart Cards and Biometrics.

Further Resources on PKIs

The PKI Forum resources page includes a comprehensive set of links to all kinds of information about PKIs.

ECAF’s resources page (http://www.eema.org/ecaf/linkES.asp) is shorter and more succinct than the above.

Copyright 2001, Sundial Consultancy Ltd. All Rights Reserved.