PKI: A bird’s eye view
A public key infrastructure is a framework used by
certificate authorities to distribute and manage digital
certificates. But while the term has been used in security
circles for quite some time, only now are descriptions of
implementation coming to light.
A number of critical functions for doing business on the
Internet may depend on a key technology many people have never
heard of: the public-key infrastructure (PKI). A public key
infrastructure, or PKI, is a collection of services that enables
the use of public key encryption techniques. It is a framework
used by certificate authorities (CAs) to distribute and manage
digital certificates. In short, PKIs will be the foundation for
a new generation of remote access, virtual private networking (VPN),
and business-critical applications.
The PKI framework
One of the key PKI components is a digital certificate, which
identifies a person or a computer. PKI employs asymmetric
cryptography, which consists of public and private keys that
enable users to encrypt and to digitally "sign"
messages or documents. When such an electronic signature is
applied, it can be proven mathematically that the signed data
wasn't tampered with when it reaches the recipient. This
provides for positive identification of the sender and integrity
of the message. This is an important element of PKI that
provides for non-repudiation, which essentially is the ability
to prove that a specific individual has executed a particular
transaction.
In practice, PKI requires a complex system to be established
for distributing and managing certificates. Certificates are
issued by a certificate authority (CA), which acts as a
repository of trust from which digital certificates derive
legitimacy. It functions as the guarantor by signing an
individual's digital certificate and taking responsibility for a
person’s identity. A CA may be a company that issues
certificates directly to employees or business partners, or it
may be an independent organization, acting as a trusted third
party, which issues certificates on behalf of other parties.
One might ask why such an elaborate system is
required for normal communication. Many falsely assume that an
e-mail transmission is private. However, one cannot deny the
fact that e-mail can be scanned, read and changed at many points
en route from one mailbox to another. Companies and individuals
are increasingly considering the transmission of business
information over standard e-mail as a poor business practice.
When ideally implemented, PKI can enable secure online
transactions between entities that don't know each other. If
each entity in the transaction has a certificate from a CA that
is trusted by the other entity, they can complete the
transaction by verifying each other's identity and exchanging
data securely. Similarly, a company could use PKI to give
its customers and business partners restricted and secure access
to specific resources in its internal computer systems, such as
product databases and other supply chain information.
PKI applications:
Some of the areas where PKI can be applied are:
- Secure data communications including e-mail and web based
transactions: PKI can provide security for any application
using a web browser.
- Virtual Private Networks: PKI serves as the key component
in the establishment of a VPN allowing secure network access
to authorized mobile employees.
- In networks where users might be compelled to remember a
number of passwords for different applications, a Single
Sign-On solution coupled with PKI-enabled resources using
digital certificates will be capable of providing adequate
user authentication.
- PKI may be used to enhance desktop security by encrypting
files as they are saved to disk.
- PKI can be used for effective privilege management wherein
one can define which users have access to what secured
network resources.
Considerations for PKI implementations:
Though organizations take a step towards securing the
movement and access of data, it is true that most PKI solutions
struggle to get past the pilot stage of deployment. Some of the
key points that need to be considered when implementing a PKI
are:
- Study your e-security requirements. Determine applications
and services that would benefit from the use of PKI
technology and decide whether the investment of resources
in enabling PKI is worthwhile.
- Identify and evaluate your Certificate Authority (CA).
Determine if this role should be outsourced or deployed
in-house. Adequate skill sets to manage the PKI system and
hence ensure security on an ongoing basis should influence
such a decision.
Evaluation should be based on the basic services a PKI can
provide:
- Certificate registration - Ability to issue new
certificates that contain, minimally, the user's name and
new public key.
- Certificate revocation - Ability to cancel certificates
previously issued.
- Trust evaluation - Determining both the validity of the
certificate and the operation it authorizes.
- Key selection - Ability to obtain the public key of
another party.
- Key recovery - Ability to recover data encrypted by a key
that has since been lost or destroyed.
- Define policies that will outline the way your PKI would
operate. Identify which entities will be allowed access to
what resources.
- Determine which of the applications that would make use of
your new infrastructure are PKI-enabled and which of them
would require development. Strike an SLA with the PKI vendor
for its role in day-to-day operations of the system.
- Determine the complexity of your digital signatures or
customizations that you would require, especially if the need
is to interact with an existing PKI (like one maintained by
a business partner).
- Finally, before going live, start off with a pilot setup.
Use standard PKI-enabled technology wherever applicable.
During the pilot, try and involve all the different entities
of your organization: Operations, IT, security, end users
and all likely stakeholders in the PKI infrastructure.
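The basic services listed above (certificate registration, revocation, trust evaluation and key selection) can be seen working together in a small model. This is an added example, not code from the original article; it uses toy RSA keys built from fixed primes with no padding, and the certificate fields, serial number and operation names are assumptions made for illustration.

```python
import hashlib
from datetime import date

def keypair(p, q, e=65537):
    """Toy RSA key pair from two fixed primes (NOT secure; illustration only)."""
    return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, (p - 1) * (q - 1))}

def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(_h(data, priv["n"]), priv["d"], priv["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _h(data, pub["n"])

def tbs(cert):
    """Bytes the CA signs: every certificate field except the signature."""
    return repr(sorted((k, v) for k, v in cert.items() if k != "sig")).encode()

def register(ca_priv, serial, name, pub, not_after, ops):
    """Certificate registration: bind a name to a public key under the CA's signature."""
    cert = {"serial": serial, "name": name, "n": pub["n"], "e": pub["e"],
            "not_after": not_after.isoformat(), "ops": sorted(ops)}
    cert["sig"] = sign(ca_priv, tbs(cert))
    return cert

def evaluate(cert, ca_pub, revoked, today, op):
    """Trust evaluation: is the certificate valid, and does it authorize op?"""
    if not verify(ca_pub, tbs(cert), cert["sig"]):
        return "bad CA signature"
    if cert["serial"] in revoked:          # certificate revocation
        return "revoked"
    if today.isoformat() > cert["not_after"]:
        return "expired"
    return "ok" if op in cert["ops"] else "operation not authorized"

def select_key(cert):
    """Key selection: the subject's public key, to be used once evaluate() says ok."""
    return {"n": cert["n"], "e": cert["e"]}

# Constructed sample data: Mersenne primes give fixed, reproducible toy keys.
CA_PUB, CA_PRIV = keypair(2**127 - 1, 2**89 - 1)
ALICE_PUB, ALICE_PRIV = keypair(2**107 - 1, 2**61 - 1)
CERT = register(CA_PRIV, 1001, "alice", ALICE_PUB, date(2030, 1, 1), {"sign-email"})
```

The relying party needs only `CA_PUB` and the current revocation list to reach a decision; any change to a signed field, such as the name or the public key, makes the CA signature check fail.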
However, one needs to remember that having just a PKI
infrastructure in place does not ensure complete security of a
network. PKI forms just a component of the entire security gamut
of an organization, which should include entities like security
policy, regular vulnerability and risk assessments, firewalls,
intrusion detection systems, ongoing security management and
monitoring to name a few.
Surveys indicate that the PKI business would grow to a
staggering $2.5 billion market by 2004. With public key
infrastructure (PKI) technology growing in popularity in India,
mainly in the banking and finance sector, and with licenses for
CAs now being issued in India, PKIs could be a powerful tool for
enabling secure communications and data processing. However, the
responsibility largely rests with network managers and their
organizations to forge strategies and educate themselves about
their goals for PKI, products they will use to build it, and how
to use and deploy PKI-enabled applications.

