The essence of PKI is that it's a repository for public keys, the open half of asymmetric encryption. Asymmetric encryption consists of two keys, a private key and a public key. The two keys are mathematically related, but can't be derived from each other. The private key is held only by the user, while the public key is available to anyone who wants to encrypt a message for the user. The user then decrypts the message with their private key. The PKI system also stores digital certificates used to verify the authenticity of public keys.
The biggest hurdle for users is getting used to the complexities of using PKI. Today, a simple e-mail message now needs extra steps to encrypt. Users should receive security awareness training to explain the reason for additional security measures.
PKI's can be used in conjunction with other hardware authentication devices, like smart cards. These systems are harder to use than simple user IDs and passwords and require extensive user education, training and acceptance.
Teaching users to protect the private key is also necessary. They may be stored on the user's desktop, workstation or laptop and if they are not secure, they are vulnerable to theft, like any other client-side credential. Users also need to be educated in proper information security procedures, such as protecting their laptops from theft while on the road, using strong passwords to log on to their systems and how to keep malware off their desktops. If they don't understand, or think it's not worthwhile, they won't buy into it or use it.
This was first published in March 2006