Ask the Expert

Will the costliness of PKI architectures prevent their growth?

Because of the many resources needed to implement a PKI architecture, do you think PKI technologies will continue to grow?

    Requires Free Membership to View

    Login

Common beliefs about a public key infrastructure (PKI) is that it's costly, hard to implement, requires lots of extra hardware and isn't interoperable with other systems. These points are valid to some degree, but PKI growth hasn't been hindered and probably won't be in the future either, as it stacks up well against other enterprise encryption options.

A PKI consists of a server that stores public keys used for encryption. Public keys are one half of the public-private key pair used in what is called asymmetric encryption. The two keys are mathematically related but can't be derived from each other. The private key never leaves the system where it's stored, so it is never exposed to possible malicious capture and use.

To send a message to someone, the user encrypts the message with the receiver's public key, which is openly available from a public key store. If the key is captured, the message can't be decrypted without the private key, which is inaccessible. When the legitimate receiver gets the message, he or she can easily decrypt it with their private key, which remains hidden from the world.

A PKI is a complete key management system that creates, manages, stores, deletes and revokes outdated keys. The system also does the same for digital certificates associated with the keys. The digital certificates verify the public key and have a set lifetime, which the PKI keeps close tabs on.

Implementing a PKI architecture can be costly, and it doesn't always operate well with other systems. If the PKI is going to be used for encrypting communications outside of the company, it has to have publicly available digital certificates from an established certificate authority (CA) like Verisign -- and that isn't cheap.

But a PKI can be more cost effective with internal systems. If used within the company, digital certificates can be self-signed at low cost, since they don't have to come from a well-known CA. Their own PKI can generate home certificates for the company systems. The public key infrastructure can, for example, issue keys and certificates that verify an enterprise's mobile devices and prevent malicious access by those that don't have the right keys or certificates.

Another growth area for PKI technologies is in managed security service providers (MSSP). An MSSP can host all the complexities of hardware and key storage, saving a company the headache and cost of doing everything itself. Rather than building a PKI system themselves, subscribers pay an MSSP to manage their enterprise's PKI and its public keys and digital certificates.

More information:

  • See how a certificate's lifetime can affect the security of your public key infrastructure.
  • Learn more about the weaknesses of PGP and PKI systems.

    • This was first published in March 2007

    Join the conversationComment

    Share
    Comments

      Results

      Contribute to the conversation

      All fields are required. Comments will appear at the bottom of the article.
      Back to top