Tip

PKI and digital certificates: Security, authentication and implementation

A public key infrastructure (PKI) is a group of servers that handle the creation of public keys for digital certificates. PKI systems maintain digital certificates, creating and deleting them as needed.

    Requires Free Membership to View

    Login

The system allows users to swap information securely across a public network through a pair of public and private cryptographic keys, which is obtained and accessed through a certificate authority (CA). The public key infrastructure provides a digital certificate, which is an electronic "credit card" that contains the name of the certificate authority, the name of the user, and the effective and expiration dates and the user's public key. Digital certificates are used to establish user credentials during online transactions. All certificates are issued by a certification authority and contain the digital signature of the certificate-issuing authority to verify authentication to the recipient.

When a user wants to enter into a secure communication with another user or system, he or she simply sends his or her certificate to that user or system, which will then use the CA's public key to authenticate the CA's private key signature. This process validates that the sender's public key is authentic, and the recipient can then use that public key to engage in a secure communication with the certificate sender.

Although the sender's private key isn't used for authentication, it is required to decrypt the sender's message. Communication is only completed when the initiation message is decrypted; this can only be done with the private key, which only the user has access to.

Before implementing a digital certificate, it is important to choose an expiration period for the organization's policy. Two factors that should be considered when choosing an expiration period are cost and security. The longer an expiration subscription is, the more expensive it is, but that shouldn't be the sole decision-making factor. A certificate's expiration period can also affect the security of the PKI infrastructure, and it's important to be aware of that.

The longer the certificates lifetime is, the longer its public and private key is in use, which increases the likelihood of an attack. If an organization is using a certificate with a longer lifetime, let's say two years, they will need to change the public and private key before the certificate expires.

PKI implementation and management
Some of the biggest disadvantages of PKI systems are that they are complicated and expensive, require considerable planning and can be difficult to maintain, install and deploy.

The implementation process can be extensive for IT staff members, considering PKI systems require personal dedicated hardware and servers to work to their full potential. Users will struggle mostly with the system's complicated security measures. Security awareness training should be required to smooth out any user questions or concerns and ensure that the system is being used properly. Such training should instruct users on how to protect their private keys through several security best practices, such as secure storage, offsite laptop protection, how to choose a strong logon password and antimalware procedures.

PKIs can also be used as a form of two-factor authentication. The technology will work in unison with other authentication devices and bulk up security more then a single method of authentication would.

Personal digital certificates
In order to ease the financial burden of implementing PKI, some corporations deploy the technology among internal systems, instead of externally, for inside access. External implementation requires the corporation to obtain a public digital certificate from a CA, which is costly. When PKI is deployed internally, digital certificates don't need to come from an established CA; they can be self-signed through the organization's PKI, a much more cost-effective method.

For those who do decide to obtain a digital certificate through a company, it should only be for internal access. Personal digital certificates will not be recognized by external parties, since they are not registered by a CA. In a large organization, personal certificates can be used to verify network access among employees or for file or system authentication of users in distant departments.


EXPLORING AUTHENTICATION METHODS

  What is authentication?
  ID and password authentication
  Biometric authentication devices, systems and implementation
  Enterprise single sign-on: Easing the authentication process
  PKI and digital certificate authentication and implementation
  Security token and smart card authentication


 

This was first published in November 2008

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

    Back to top