|
|
|
|
|
|
| Public key infrastructure (PKI) refers to
a comprehensive system required to provide public key encryption, digital
certificates, and digital signatures. Certificate Authorities (CA) and other
registration authorities verify and authenticate the validity of each party
using a key and any related data involved in a data transfer. PKIs are designed
to solve the key management problem in public key cryptography, a data encryption
method involving a public key, which is made available to anyone, and a
private key, the "secret" key made available only to a single owner or a
chosen few. By managing keys and certificates through a PKI, an organization
established and maintains a trustworthy networking environment. |
| PKI technology has been struggling and continues
to evolve. Currently there is no single PKI standard, nor even a single
agreed-upon standard for setting up a PKI infrastructure. However, everyone
today agrees that reliable PKIs are necessary to make electronic commerce
widely accepted. An integration with biometric authentication may be the
path that will lead to increased spread and acceptance of PKI technology.
|
Return to Top 
|
|
| A certificate authority (CA) is a trusted third-party organization or company that issues digital certificates used to create digital signatures and public-private key pairs. The role of the CA in this process is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be. Usually, this means that the CA has an arrangement with a financial institution, such as a credit card company, which provides it with information to confirm an individual's claimed identity. CAs are a critical component in data security and electronic commerce because they guarantee that the two parties exchanging information are really who they claim to be.
|
Return to Top
|
|
| A digital certificate can act as an electronic "credit card" that establishes your credentials when doing business or other transactions on the Web. It is issued by a trusted certificate authority (CA). It contains your name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. Most of today's digital certificates conform to a standard, X.509. Digital certificates can be kept in registries so that authenticating users can look up other users' public keys. A digital certificate often comes as an attachment to an electronic message and is used for security purposes. The most common use of a digital certificate is to verify that a user sending a message is who he or she claims to be, and to provide the receiver with the means to encode a reply.
|
| An individual wishing to send an encrypted message for example applies for a digital certificate from a Certificate Authority (CA). The CA issues an encrypted digital certificate containing the applicant's public key and a variety of other identification information. The CA makes its own public key readily available through print publicity or perhaps on the Internet. The recipient of an encrypted message uses the CA's public key to decode the digital certificate attached to the message, verifies it as issued by the CA and then obtains the sender's public key and identification information held within the certificate. With this information, the recipient can then send an encrypted reply.
|
| The certificate authority will specify the
level of trust that can be accorded to the certificate. For example, a simple
certificate might only affirm that the user's name is indeed associated
with this key. A higher level might affirm the owner's age, etc. In the
event of a sudden change in the user's status, a certificate can be revoked.
The idea is that an organization to whom a certificate has been tendered
as part of a transaction will verify that certificate with the appropriate
CA to make sure it has not been revoked or that the user's status has not
changed since the certificate was issued. How merchants can quickly contact
the CA for such verification is the problem the PKI is attempting to solve.
Not all digital certificates rely on an external CA for issuance or validation.
Large companies might issue their own certificates to their employees, in
which they would specify access privileges, signing limits, and other information
in addition to the public encryption keys. Certificates of this type are
stored in an enterprise directory, where they are generally accessed using
the lightweight directory-access protocol (LDAP). |
| Digital certificates can also be used to ensure the integrity of stored data, such as a user profile on a smart card. The certificate is then validated each time the user data is accessed and prior to retrieving the information. |
Return to Top
|
|
