PKI systems can be expensive and complex. But in the past two years, they've had a bit of a renaissance, as prices have come down and they've become easier to deploy. They still aren't for the faint of heart, but they're also more flexible and can integrate mobile devices like PDAs and laptops.
First, let's briefly review what PKI entails. PKI is a way to store public keys and their certificates when using asymmetric, or public-private key encryption. Unlike symmetric encryption, which uses a single secret -- or private -- key, asymmetric encryption uses two keys, one public and one private. The idea behind asymmetric encryption is to solve the problem of securely transporting an encryption key over a public network like the Internet. Obviously, a private key moving across the Web could be easily compromised.
In asymmetric encryption, the two keys are mathematically related but one can't be used to generate the other. So, if the public portion of the key is captured or sniffed off the wire, it can't be used to generate the private key. Someone wanting to encrypt a message uses the receiver's public key, freely available from a public key store, like PKI, and the receiver decrypts the message with his or her private key. The private key always remains on the sender's and receiver's individual systems and is never sent over a public network.
PKI provides a neat and clean way to manage this whole process by storing the public keys and the digital certificates that verify their authenticity.
If the idea is to prevent the loss of data from a stolen laptop, a full-disk encryption product, like those offered by SafeBoot Technology or Entrust Inc., might fit the bill. These products encrypt the hard drive and require a user ID and password before the machine boots up.
If the idea is just secure communication from the laptop to the office, then VPN solutions like Citrix Systems Inc. and Cisco Systems Inc. might be the way to go.
But you may want to integrate laptops into an overall PKI architecture if the laptops are accessing high-risk systems, such as those holding sensitive customer data.
Microsoft Windows Server 2003 uses Windows PKI that can be extended to laptops on the network. Another interesting product is eToken from Aladdin Knowledge Systems. The eToken is a USB client that securely generates and stores keys and their certificates. The token can be plugged into a laptop and then removed when done, keeping keys off the laptop, where they could be compromised.
Other PKI vendors include RSA Security (now owned by EMC Corp.), VeriSign Inc. and eTrust from CA Inc.
For more information:
- In this tip, Noah Schiffman discusses the pros and cons of IP-based and signature-based authentication systems.
- Joel Dubin discusses the best ways to compare PKI products and vendors for enterprise implementation of PKI.
This was first published in November 2007