PKI
Home > Security Definitions - PKI
SearchSecurity.com Definitions (Powered by WhatIs.com)
EMAIL THIS
LOOK UP TECH TERMS Powered by: WhatIs.com
Search listings for thousands of IT terms:
Browse tech terms alphabetically:
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z #

PKI

Show me everything on PKI and Digital Certificates


Word of the Day


DEFINITION - A PKI (public key infrastructure) enables users of a basically unsecure public network such as the Internet to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates. Although the components of a PKI are generally understood, a number of different vendor approaches and services are emerging. Meanwhile, an Internet standard for PKI is being worked on.

The public key infrastructure assumes the use of public key cryptography, which is the most common method on the Internet for authenticating a message sender or encrypting a message. Traditional cryptography has usually involved the creation and sharing of a secret key for the encryption and decryption of messages. This secret or private key system has the significant flaw that if the key is discovered or intercepted by someone else, messages can easily be decrypted. For this reason, public key cryptography and the public key infrastructure is the preferred approach on the Internet. (The private key system is sometimes known as symmetric cryptography and the public key system as asymmetric cryptography.)

A public key infrastructure consists of:

  • A certificate authority (CA) that issues and verifies digital certificate. A certificate includes the public key or information about the public key
  • A registration authority (RA) that acts as the verifier for the certificate authority before a digital certificate is issued to a requestor
  • One or more directories where the certificates (with their public keys) are held
  • A certificate management system

How Public and Private Key Cryptography Works

In public key cryptography, a public and private key are created simultaneously using the same algorithm (a popular one is known as RSA) by a certificate authority (CA). The private key is given only to the requesting party and the public key is made publicly available (as part of a digital certificate) in a directory that all parties can access. The private key is never shared with anyone or sent across the Internet. You use the private key to decrypt text that has been encrypted with your public key by someone else (who can find out what your public key is from a public directory). Thus, if I send you a message, I can find out your public key (but not your private key) from a central administrator and encrypt a message to you using your public key. When you receive it, you decrypt it with your private key. In addition to encrypting messages (which ensures privacy), you can authenticate yourself to me (so I know that it is really you who sent the message) by using your private key to encrypt a digital certificate. When I receive it, I can use your public key to decrypt it. Here's a table that restates it:

To do thisUse whoseKind of key
Send an encrypted messageUse the receiver'sPublic key
Send an encrypted signatureUse the sender'sPrivate key
Decrypt an encrypted messageUse the receiver'sPrivate key
Decrypt an encrypted signature (and authenticate the sender)Use the sender'sPublic key

Who Provides the Infrastructure

A number of products are offered that enable a company or group of companies to implement a PKI. The acceleration of e-commerce and business-to-business commerce over the Internet has increased the demand for PKI solutions. Related ideas are the virtual private network (VPN) and the IP Security (IPsec) standard. Among PKI leaders are:
  • RSA, which has developed the main algorithms used by PKI vendors
  • Verisign, which acts as a certificate authority and sells software that allows a company to create its own certificate authorities
  • GTE CyberTrust, which provides a PKI implementation methodology and consultation service that it plans to vend to other companies for a fixed price
  • Xcert, whose Web Sentry product that checks the revocation status of certificates on a server, using the Online Certificate Status Protocol (OCSP)
  • Netscape, whose Directory Server product is said to support 50 million objects and process 5,000 queries a second; Secure E-Commerce, which allows a company or extranet manager to manage digital certificates; and Meta-Directory, which can connect all corporate directories into a single directory for security management

Pretty Good Privacy

For e-mail, the Pretty Good Privacy (PGP) product lets you encrypt a message to anyone who has a public key. You encrypt it with their public key and they then decrypt it with their private key. PGP users share a directory of public keys that is called a key ring. (If you are sending a message to someone that doesn't have access to the key ring, you can't send them an encrypted message.) As another option, PGP lets you "sign" your note with a digital signature using your private key. The recipient can then get your public key (if they get access to the key ring) and decrypt your signature to see whether it was really you who sent the message.

Learn more about PKI and Digital Certificates
Identity and Access Management Services, Systems and Technologies: This Security School explores critical topics related to helping security practitioners establish and maintain an effective identity and access management plan.
Can any firm or organization get a digital signature certificate?: Can any firm or organization obtain a digital signature? How is a digital signature obtained?
Securing VoIP Networks: Threats, Vulnerabilities and Countermeasures: In an excerpt from Securing VoIP Networks: Threats, Vulnerabilities and Countermeasures, authors Peter Thermos and Ari Takanen discuss the strengths and weaknesses of SRTP.
Secure user authentication: Regulations, implementation and methods: Learn about the FFIEC's mandate, how to choose the right authentication option for diverse user communities and how to implement an authentication strategy.
XML Security Learning Guide: Securing XML is an essential element in keeping Web services secure. This SearchSecurity.com Learning Guide is a compilation of resources that review different types of XML security standards and ...
Spy vs. Spy: Excerpt from Chapter 6 of Spies Among Us: How to Stop the Spies, Terrorists, Hackers, and Criminals You Don't Even Know You Encounter Every Day.
Best practices in Internet security: The Access Certificates for Electronic Services Program: The Access Certificates for Electronic Services Program (ACES) brings multiple PKI service providers together into an interoperable public key infrastructure (PKI) for use by government entitites and ...

CONTRIBUTORS: Jim Brayton, Andrea Finneman, Nathan Turajski, and Scott Wiltsey
LAST UPDATED: 10 Oct 2006

Do you have something to add to this definition? Let us know.
Send your comments to techterms@whatis.com

More resources from around the web:
- VeriSign's Global Affiliate Services lets a company act as its own certificate authority (CA) with VeriSign's help..
- RSA Security is the home of the system and encryption algorithms that underlie most PKI approaches.
- The IETF's Request for Comments 2693 describes SPKI Certificate Theory .
- The Open Group offers Postscript and Portable Document Format (Portable Document Format) versions of proposals for various PKI standards.





FILE EXTENSION AND FILE FORMAT LIST
File Extension and File Format List:
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z #


RELATED CONTENT
How to encrypt passwords using network security certificates
Learn the most secure way to transfer passwords to applications using network security, identity management, and application security certificates.
Best Authentication Products
Readers vote on the best digital identity verification products, services, and management systems, including PKI, hardware and software tokens, smart...
DoD urges less network anonymity, more PKI use
At Black Hat USA 2009, DoD CISO Robert Lentz says more technology is needed to protect both private and government networks from cybercriminals.

RELATED GLOSSARY TERMS
Terms from Whatis.com − the technology online dictionary
authentication server  (SearchSecurity.com)
An authentication server is an application that facilitates authentication of an entity that attempts to access a network...(Continued)
Certificate Revocation List  (SearchSecurity.com)




Get More PKI Answers
TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
SEARCH :     Site Index Powered by: Search Powered by Google

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2003 - 2010, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts