A public key infrastructure (PKI) is a group of servers that handle the creation of public keys for digital certificates. PKI systems maintain digital certificates, creating and deleting them as needed.
When a user wants to enter into secure communication with another user or system, he or she simply sends his or her certificate to that user or system, which then uses the CA's public key to verify the signature the CA made with its private key. This validates that the sender's public key is authentic, and the recipient can then use that public key to engage in secure communication with the certificate sender.
Although the sender's private key isn't used for authentication, it is required to decrypt the sender's message. Communication is only completed when the initiation message is decrypted, and that can be done only with the private key, which only the user has access to.
Before implementing a digital certificate, it is important to choose an expiration period as part of the organization's policy. Two factors to weigh when choosing an expiration period are cost and security. The longer the validity period purchased, the more expensive the certificate is, but cost shouldn't be the sole deciding factor. A certificate's expiration period also affects the security of the PKI, and it's important to be aware of that.
The longer a certificate's lifetime is, the longer its public and private keys are in use, which increases the likelihood of an attack. If an organization uses a certificate with a longer lifetime, say two years, it will need to change the public and private key before the certificate expires.
PKI implementation and management
Some of the biggest disadvantages of PKI systems are that they are complicated and expensive, require considerable planning and can be difficult to maintain, install and deploy.
The implementation process can be extensive for IT staff members, since PKI systems require their own dedicated hardware and servers to work to their full potential. Users will struggle most with the system's complicated security measures. Security awareness training should be required to address user questions or concerns and to ensure that the system is being used properly. Such training should instruct users on how to protect their private keys through several security best practices, such as secure storage, offsite laptop protection, choosing a strong logon password and antimalware procedures.
PKI can also be used as a form of two-factor authentication. The technology works in unison with other authentication devices and strengthens security more than a single method of authentication would.
Personal digital certificates
In order to ease the financial burden of implementing PKI, some corporations deploy the technology only on internal systems, for inside access, rather than externally. External implementation requires the corporation to obtain a public digital certificate from a CA, which is costly. When PKI is deployed internally, digital certificates don't need to come from an established CA; they can be self-signed through the organization's own PKI, a much more cost-effective method.
For those who do decide to obtain a digital certificate through the organization itself, it should only be used for internal access. Personal digital certificates will not be recognized by external parties, since they are not registered with a CA. In a large organization, personal certificates can be used to verify network access among employees, or for file or system authentication of users in distant departments.
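The three checks this article describes, namely a recipient verifying the CA's signature with the CA's public key, a lifetime policy that forces key replacement before expiry, and an internal CA whose certificates an outside party does not recognize, as an added shell example built with openssl; it is not code from the original article. The CA names, file paths, user name and the 730-day lifetime are all constructed for the example.

```shell
# Constructed example, not code from the original article; requires openssl.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# Minimal openssl config so the example does not depend on the system openssl.cnf.
write_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Internal CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}
# Build a self-signed CA named $3 in $1 and issue a user certificate from it,
# valid for $2 days: the lifetime the organization's policy has chosen.
make_internal_pki() {
  dir="$1"; days="$2"
  write_cnf "$dir/req.cnf"
  openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 3650 \
    -subj "/CN=$3" 2>/dev/null
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/user.key" -out "$dir/user.csr" \
    -subj "/CN=alice@example.internal" 2>/dev/null
  openssl x509 -req -in "$dir/user.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days "$days" -out "$dir/user.crt" 2>/dev/null
}
# Recipient side: accept certificate $2 only if the CA signature on it verifies
# with the public key in trusted CA certificate $1. Returns 0 on success.
verify_against_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
# Policy side: return 0 if certificate $1 expires within $2 seconds, meaning the
# key pair must be replaced before the lifetime runs out.
expires_within() {
  if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
    return 1   # still valid beyond the window
  fi
  return 0
}
make_internal_pki "$WORK" 730 "Example Internal CA"      # two-year user certificate
mkdir -p "$WORK/external" && make_internal_pki "$WORK/external" 365 "Unrelated External CA"
verify_against_ca "$WORK/ca.crt" "$WORK/user.crt" && echo "internal CA: accepted"
# The unrelated CA stands in for an external party that never registered this user.
verify_against_ca "$WORK/external/ca.crt" "$WORK/user.crt" || echo "external CA: rejected"
```

Run with `sh` in an empty directory; the generated keys and certificates stay under the temporary directory printed by `mktemp -d`.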
This was first published in November 2008