/vnd/media/agency_attachments/bGjnvN2ncYDdhj74yP9p.png)
What is PKI?
Public Key Infrastructure (PKI) is a combination of software, encryption
technologies, and services, which enables enterprises to protect the security of
their communications and business transactions on the Internet.
PKIs integrate digital certificates, public key cryptography, and certificate
authorities into a total enterprise-wide network security architecture. A
typical enterprises’ PKI encompasses the issuance of digital
certificates to individual users and servers, end-user enrollment software;
integration with corporate certificate directories; tools for managing, renewing
and revoking certificates; and related services and support.
How it all works?
The PKI uses asymmetric algorithm and requires two different keys. A party
may have two keys, one for encryption and another for decryption. He can make
one key publicly available, which can be used by the customer, the supplier or
anyone, for the purpose of encrypting a sensitive communication to be sent to
him or her. Therefore, it is called the public key. Once such encrypted message
is received from outside, the person can use his second key called the private
key for decrypting the message. The second key is kept under security.
The PKI can operate on a number of algorithms of which RSA is popular.
However, only the person holding the corresponding key can decrypt the encrypted
message by using a public key. This is so because the two keys are
mathematically inter-related. Here, the level of security also depends on the
length of the key.
Why is PKI needed?
PKI protects your information assets in several essential ways:
l Authenticate identity:
Digital certificates issued as part of your PKI allow individual users,
organizations, and web site operators to confidently validate the identity of
each party in an Internet transaction
l Verify integrity: A digital
certificate ensures that the message or document the certificate ‘signs’ has
not been changed or corrupted in transit online
l Ensure privacy: Digital
certificates protect information from interception during Internet transmission
l Authorize access: PKI
digital certificates replace easily guessed and frequently lost user IDs and
passwords to streamline intranet log-in security and reduce the MIS overhead
l Authorize transactions: With
PKI solutions, your enterprise can control access privileges for specified
online transactions
l Support for non-repudiation:
Digital certificates validate their users’ identities, making it nearly
impossible to repudiate a digitally ‘signed’ transaction later, such as a
purchase made on a website.
What does the PKI security solution comprises of?
PKI is a vital element of e-commerce, as it ensures the security of electronic
transactions and the exchange of sensitive information between parties that do
not have a prior established business relationship through digital certificates.
As the stage is set for large scale PKI implementation in India, it is important
to analyze what pportunities and challenges lie ahead for PKI solution
providers, especially in the context of distribution of digital certificates.
A complete PKI security solution comprises the following components, elements
and functions that are vital to achieve the final state of robust security.
l Security Policy: A security
policy is essential, as it defines the organization’s direction on information
security and the principles involved in cryptography.
l Certificate Authority: A
Certificate Authority (CA) forms a very integral part of a PKI as it manages the
entire life cycle for public certificates. Some of its functions are issuing
certificates to the user and binding the user’s identity with a digital
signature, time stamping the certificate with an expiry date, storing and
retrieving certificates using a directory service, etc.
l Registration Authority: A
registration authority performs a critical function and is dedicated to user
registration and accepting requests for certificates. The RA can be a function
of the CA or a separate identity.
l Applications: PKI-enabled
applications include e-mail and messaging, Web browsers and servers, secure
electronic transactions (SET), electronic data interchange (EDI), etc.
What can you do with a PKI?
A PKI lets your enterprise take advantage of the speed and immediacy of the
Internet while protecting business-critical information from interception,
tampering, and unauthorized access.
PKI provides the following capabilities:
l Communicate securely with
employees around the world: PKI offers users controlled access to your Intranet
for all your corporate information, such as HR data, secure e-mail, and
applications
l Exchange confidential data
with business partners: PKI lets you create secure extranets and virtual private
networks that give selected partners easy access to business-critical
information stored on your internal network
l Safely, seamlessly integrate
your supply chain: PKI provides a protected environment for safe information
exchange at every stage of your manufacturing processes
l Take advantage of secure
e-commerce: PKI lets you offer customers the confidence to purchase your goods
and services on the web
Swapan Johri, head (security) HCL
Comnet