I am in the process of implementing a PKI system for my organization of more than 5,000 staff members. I am considering...
a number of top vendors. What are the key technological differences among the top products available?
Public Key Infrastructure (PKI) seems to be making a quiet comeback after being dismissed as being too costly, difficult to implement and requiring large investments in hardware. Touted back in the 1990s as the ultimate security technology, it fell on hard times partly because of its complexity and partly because it didn't deliver on its promise as a secure system. At the time, digital certificates were costly and difficult to obtain and maintain.
Though the basic technology behind PKI hasn't changed since then, some of the kinks and issues have been worked out, making it easier to implement and deploy. It still isn't for the faint of heart, but it's better than it used to be.
Basically, PKI is a public repository for the public keys of the public-private key pairs in asymmetric encryption. It also houses the digital certificates used for verifying the authenticity of public keys, a perennial problem for keys transported over an anonymous medium like the Internet.
PKI can also be used for digital signatures when sending documents via the Internet, securing emails with public keys and allowing systems to authenticate each other without prior contact.
The crux of the technological differences among the top vendors is in how certificates are created, deployed, maintained and revoked. The certificate life cycle is at the heart of PKI.
Three popular PKI vendors are Entrust Inc., VeriSign Inc. and RSA Security, now owned by EMC Corp. Entrust Authority PKI comes with a software suite for automatically enrolling users and computers into the PKI system. The Web-based software allows for remote administration of the system, even from outside a company's firewall, and for delegation and distribution of administration. Entrust can be set up for authenticating Web sites, VPN or mobile devices, such as cell phones and laptops.
VeriSign Managed PKI has toolkits for rapidly hooking up to existing systems and deploying PKI throughout an enterprise. It can also scale up to hundreds of thousands of users. VeriSign has an Enterprise Certificate Manager for ease of creation, deployment and retirement of certificates.
RSA offers a similar line of software packages for certificate registration, management and key recovery.
The key areas to compare when looking at different PKI products are the ability to painlessly integrate with your existing architecture and scale for a rapidly growing enterprise, ease of remote management (Web-based, for example) and the ability to add new devices, such smart cards, USB tokens and PDAs.
The main area where the technology has advanced is the sophistication of the software for implementing PKI and the ability to integrate new devices and technologies.
For more information:
- In this Q&A, security expert Joel Dubin explains how to choose between RSA and Diffie-Hellman public key encryption algorithms.
- Learn whether or not the costliness of PKI technologies will prevent them from growing.
Dig Deeper on PKI and digital certificates
Related Q&A from Joel Dubin
Learn about the purpose of CAPTCHA challenges that enable websites to differentiate bots from authentic users to stop spammers from hijacking forums ... Continue Reading
Proper planning is at the top of the list for single sign-on best practices, but it's important to get enterprise SSO implementations off to a good ... Continue Reading
After a server room door has been compromised, finding a more secure solution is of utmost importance. Learn how to choose a server room door that ... Continue Reading