PUBLIC-KEY INFRASTRUCTURE.
PUBLIC-KEY INFRASTRUCTURE.
What is PKI?
Public-key infrastructure (PKI) is the combination of software, encryption technologies, and services that enables enterprises to protect the security of their communications and business transactions on the Internet.
PKIs integrate digital certificates, public-key cryptography, and certificate authorities into a total, enterprise-wide network security architecture. A typical enterprise's PKI encompasses the issuance of digital certificates to individual users and servers; end-user enrollment software; integration with corporate certificate directories; tools for managing, renewing, and revoking certificates; and related services and support.
Why we Need PKI
PKI protects information assets in several essential ways:
* Authenticate identity. Digital certificates issued as part of your PKI allow individual users, organizations, and web site operators to confidently validate the identity of each party in an Internet transaction.
* Verify integrity. A digital certificate ensures that the message or document the certificate "signs" has not been changed or corrupted in transit online.
* Ensure privacy. Digital certificates protect information from interception during Internet transmission.
* Authorize access. PKI digital certificates replace easily guessed and frequently lost user IDs and passwords to streamline intranet log-in security - and reduce the MIS overhead.
* Authorize transactions. With PKI solutions, your enterprises can control access privileges for specified online transactions.
* Support for nonrepudiation. Digital certificates validate their users' identities, making it nearly impossible to later repudiate a digitally "signed" transaction, such as a purchase made on a web site.
Benefits of PKI
A public-key infrastructure lets enterprise take advantage of the speed and immediacy of the Internet while protecting business-critical information from interception, tampering, and unauthorized access.
A PKI gives these capabilities:
Communicate securely with employees around the world. A PKI offers users controlled access to intranet for all corporate information, such as HR data, secure email, and applications.
Exchange confidential data with business partners. A PKI lets us create secure extranets and Virtual Private Networks that give select partners easy access to business-critical information stored on internal network.
Safely, seamlessly integrate your supply chain. A PKI provides a protected environment for safe information exchange at every stage of manufacturing processes.
Take advantage of secure e-commerce. PKI offer a world of customers the confidence to purchase goods and services on the web.
Drawbacks of PKI
Public key infrastructure (PKI) was invented more than 20 years ago. Today, it is used in many important standards and protocols (such as SSL/TLS, IPSEC, etc.). Millions of times each day, someone visits a secure web site for shopping or banking and PKI is used to secure the connection.
Yet PKI has not reached its full potential. PKI can be used to authenticate people, avoiding the need to remember dozens of PINs and passwords. It can be used to secure commercial transactions and protect the privacy of emails and telephone conversations. But a number of barriers, including lack of applications, high costs, poor understanding of PKI, and interoperability problems have contributed to the limited use of PKI.
PKI's privacy and authentication measures work well for any two-way communication. Authentication also works well for one-to-many communication, such as signing a document or an email that many people ...
This is a preview of the whole essay
Yet PKI has not reached its full potential. PKI can be used to authenticate people, avoiding the need to remember dozens of PINs and passwords. It can be used to secure commercial transactions and protect the privacy of emails and telephone conversations. But a number of barriers, including lack of applications, high costs, poor understanding of PKI, and interoperability problems have contributed to the limited use of PKI.
PKI's privacy and authentication measures work well for any two-way communication. Authentication also works well for one-to-many communication, such as signing a document or an email that many people will read. However, privacy is another matter. Remember that privacy works by having the sender encrypt the information with the recipient's public key. What if there are multiple recipients on an email message that should be kept private? There is no simple answer for this.
Another drawback to encrypted email or any information is the possibility of losing someone's private key, which is required for decryption of information that is sent to that person. The problem is worse with PKI than with symmetric encryption, because the person is the only one who has his private key. A simple method to protect a private key is to back it up on a floppy. Then if one loses his hard drive, he has another way to get at his private key.
On the other hand, if someone else got access to the floppy, then your private key would be compromised. You would have to have your certificates revoked and get new ones issued, along with a new private key -- a major hassle. And what about documents that might have been forged before you discovered the problem?
Some systems offer stronger methods to back up keys. For example, a private key can be split into several pieces, called shares. The shares can then be given to different trusted people, or encrypted with each of their public keys and stored (perhaps on a floppy!) by the key's owner. In either case, it is impossible for one person alone to reconstruct the private key. If you plan to use PKI on a large scale or to protect information over a significant period of time, the ability to recover or reconstitute lost keys should be on your product requirements checklist.
The top five obstacles to PKI deployment and usage identified by the surveys are:
. Software Applications Don't Support It
2. Costs Too High
3. PKI Poorly Understood
4. Too Much Focus on Technology, Not Enough On Need
5. Poor Interoperability
INTEROPERABILITY OF PKI
Interoperability is the major shortcoming of PKI than the drawbacks described above.
Interoperability of existing and future Public Key Infrastructure is a key issue for e-commerce to flourish in a trusted, secure and predictable environment. That is why Governments are investing time and resources in building PKIs. This construction is a challenging task to be carried out by a multidisciplinary group composed by IT professionals, lawyers, policy makers, private sector entities, etc. The issue of interoperability has different sides
A Public Key Infrastructure (PKI) is defined as a system of hardware, software, procedures and trained personnel that provides security assurances to electronic documents with the purpose of creating, managing, storing, distributing, and revoking public key certificates.
PKIs are considered the most mature and integrated electronic authentication scheme, Offering authentication, non-repudiation, and integrity, and the only the best technology to support legal validity of electronic documents. From a technical stand-point PKIs can be organized in a hierarchical or non-hierarchical schemes.
There are mainly five alternatives for achieving inter domain (CA-CA) interoperability:
Cross-certification
Cross-certification is the act of one CA issuing a certificate to another CA. Cross-certification may be mutual or unilateral. In the case of mutual cross certification, a reciprocal relationship is established between the CAs - one CA issues a cross-certificate for the other, and vice versa. Unilateral cross-certification simply means that one CA generates a cross certificate for another CA, but not inversely. Unilateral cross-certification would typically apply within a strict hierarchy where a superior CA issues a certificate to a subordinate CA
Bridge CA
The Bridge CA essentially acts as a facilitator or introducer of one organization or enterprise to another. As a non hierarchical hub allows relying party agencies to create a certificate trust path from its domain back to the domain of the agency that issued the certificate. The General Services Administration under the auspices of the Federal Chief Information Officers´ Council is developing a Federal Bridge Certification Authority. The Government of Canada uses a Cross Certification Scheme.
Certificate Trust Lists
A Certificate Trust List (CTL) is a signed document that can contain, among other things, a list of "trusted Cas", identified by a hash of the public key certificate of the subject A.
Accreditation Certificate
An accreditation certificate is used to indicate that a given CA is accredited by a given institution such as the government. Each accredited CA would have their public key signed by the Government and this signing process provides assurance to the relying party that the subject CA has met the accreditation criteria. Although this scheme seems similar to a rooted hierarchy concept, there are two very important distinctions. First, each CA accredited by the Australian government could have a unique CP and CPS. Second, nothing prevents each CA from having their own self-signed public key certificate. This makes accredited CAs autonomous entities that have been accredited by the same authority.
Strict hierarchy
In this scheme all "trust" comes from a common root CA. Relying parties will not rely on any certificates issued by a subordinate CA unless a valid certificate path can be traced back to the root CA. A strict hierarchy is also characterized by the fact that a subordinate CA will have one, and only one, superior. Further, subordinate CAs are not permitted to have their own self-signed certificates.
Achieving Cross-certification is a complex process that involves technical interoperability and harmonization of Certification Policies and Certificate Practice Statements. Its objective is to ensure that both PKI domains are compatible in terms of their certificate management operations and issues such as operational and security requirements, and the
amount of liability coverage are also taken into consideration.
Effects of Interoperability
Interoperability, or more specifically, multi vendor Interoperability is viewed by the customers and industry analysts alike as a critically important issue for Public Key Infrastructure (PKI). Interoperability helps to support transactions between parties that do not use technology supplied by the same vendors, offers greater flexibility and freedom of choice between vendors, and lowers the risk of deploying a PKI based solution. To some, lack of Interoperability is perceived as the leading barrier to wide scale deployments of PKIs. Indeed, one of the fundamental reasons for the formation of the PKI Forum in December 1999 was to identify and resolve existing barriers to multi vendor Interoperability
In many cases, Interoperability is used to describe the ability for one application to communicate seamlessly with another. Other aspects of Interoperability include the ability to mix and match various PKI components from one vendor with those of another. Interoperability can also refer to the interaction between one enterprise domain and another (eg: in order to conduct secure business-to-business transactions)
Approaches Taken to Address This Issue.
International technical standards are essential in order to assure technical interoperability across different PKIs. However, these technical standards are not mature yet and technology market is still characterized by a number of proprietary players that adopt technologies that do not interoperate with each another. The IETF-PKIX Working Group
and RSA (in their PKCS Standards) are leading the work in this area and there has been growing awareness of the importance of achieving technical interoperability through the use of open internationally accepted standards.
The future is quite exciting and promising. Digital certificates and signatures are being accepted by the organizations and the general public. New technologies, such as smart cards, PKI enabled applications and WAP technology, are under constant development.
Below are some applications under study, based on a fully operational PKI by government sectors:
* Developing an Electronic Government Procurement System, implemented such that bidders from small and large companies will have equal access to competitive tendering.
* Establishing a Paperless Administration with better access to information and improved services for citizens.
* Filing electronic tax return at any time, any day of the year and from anywhere in the world.
* Allowing Electronic Democracy, using digital certificates to validate voters.
* Enabling citizens and the Government itself, to publicly and securely monitor and
report the activities of the Administration contributing to transparency.
Followings are the some of organizations which carrying out various activities on the developing solutions the interoperability of PKI.
Followings are some of action plans taken by the OASIS Public Key Infrastructure Technical Committee (the PKI TC) , a group of PKI users, vendors, and experts with a common missions to address issues related to the successful deployment of digital certificates
Name: Develop Application Guidelines for PKI Use
What:
For the three most popular applications (Document Signing, Secure Email, and Electronic Commerce), specific guidelines should be developed describing how the standards should be used for this application. These guidelines should be simple and clear enough that if vendors and customers implement them properly, PKI interoperability can be achieved. PKI TC members will contact application vendors, industry groups, and standards groups to determine whether such guidelines already exist and if not who could/should work on creating them. In some cases, standards may need to be created, merged or improved. If application guidelines already exist, the PKI TC will simply point them out.
Who:
PKI TC Guidelines Subcommittee, Application Vendors, and Industry and Standards Groups
When:
Spring 2004 for initial work
Name: Increase Testing to Improve Interoperability
What:
Provide conformance test suites, interoperability tests, and testing events for the three most popular applications (Document Signing, Secure Email, and Electronic Commerce) to improve interoperability. Certificate management protocols and smart card compatibility are also a concern. Branding and certification may be desirable. The PKI TC will work with organizations that have demonstrated involvement in or conduct of PKI interoperability testing or conformance testing to identify and encourage existing or new efforts in this area.
Who:
PKI TC Testing Subcommittee with Industry and Standards Groups
When:
Spring 2004 for initial work
