The strengths and weaknesses of PKI and PGP systems

BROWSE BY TAG Application Security,   PKI and Digital Certificates,   Enterprise Identity and Access Management,   User Authentication Services,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Application Security Do Facebook URL security concerns justify blocking social networks? Is there a way to block iPhone widgets that bypass Web filters? Should enterprises be concerned with Twitter in the workplace? Are there still Google Desktop security problems? Can an IP spoofing tool be used to spam SPF servers? Will an application usage policy best control network bandwidth? How can URL-shortening services be manipulated? Is my security program ready for Web application firewall deployment? How to ensure the security of a shopping cart application When to use the service features of the Metasploit hacking tool PKI and Digital Certificates Best Authentication Products DoD urges less network anonymity, more PKI use Researchers to demonstrate new EV SSL man-in-the-middle hacks Portable security storage device could replace OTP devices What is most misunderstood about EV SSL certificates? VeriSign addresses MD5 flaw Rogue digital certificates strike blow to Internet security Can any firm or organization get a digital signature certificate? How to obtain a digital certificate for a server PKI and digital certificates: Security, authentication and implementation PKI and Digital Certificates Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary authentication server  (SearchSecurity.com) Certificate Revocation List  (SearchSecurity.com) Digital Signature Standard  (SearchSecurity.com) HDCP  (SearchSecurity.com) MD2  (SearchSecurity.com) MD4  (SearchSecurity.com) MD5  (SearchSecurity.com) nonrepudiation  (SearchSecurity.com) PKI  (SearchSecurity.com) public key  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

Before I answer this question, let's review some definitions so that we're clear about what weaknesses we're looking at. PKI, or public key infrastructure, is a framework for services that provide for the generation, distribution, control and accounting of public key certificates. This public key system ensures secure user authentication, network traffic encryption, data integrity and non-repudiation. PGP meanwhile is an application actually derived from the IETF open standard OpenPGP. Like PKI systems, OpenPGP uses both public-key cryptography and symmetric key cryptography, but the program differs in how it vets and binds public keys to user identities. Unlike PKI arrangements, OpenPGP is based on a web of trust rather than certificate authorities (CA). OpenPGP allows users to choose who they trust, whereas users in a PKI system defer to a trusted CA. Commercial CAs, however, need to ensure that their own certificate is incorporated into the major browsers and messaging applications in order to provide this chain of trust. Finally the definition of logistics is the activity of supplying or providing something, and in the case of OpenPGP and PKI, this would be considered the efficient management, distribution and validation of a public key contained within a user's certificate.

So what are the weaknesses of these two systems in terms of managing, distributing and validating digital certificates? Well, while PKI can identify Web servers and allow transactions over SSL, it lacks large-scale acceptance because the cost and registration process involved with "supplying and providing" client-side certificates is burdensome. Additionally, the management and revocation of certificates requires a highly complicated structure, not to mention scalability brings additional costs of computer resources and help desk support. On the other hand, PGP has flourished for many years without the need to establish a centralized CA because OpenPGP makes use of the concept of trusted introducers, allowing anyone to sign anyone else's public key. This decentralized approach removes the cost of CAs from the delivery process, but still requires key servers to act as public repositories so that everyone can reference users' public keys.

Most modern applications well-manage X.509 digital certificates used by PKI systems, even when it comes to the less experienced user. Non-interoperability is becoming less of a problem, too. There are plug-ins implementing PGP functionality for the more popular email applications, such as Microsoft Outlook, but a plug-in is always susceptible to implementation errors.

Although neither PKI nor OpenPGP are perfect, (neither arrangement has economically solved the problem of user certificate mobility and security, for example), the programs provide defense to original Internet protocols that don't have built-in security. They also ensure secure data and message sharing. When it comes to sensitive data, not using either is always going to be a risk.