
PKI and digital certificates: Security, authentication and implementation

Get more information about PKI and digital certificates, such as how to implement PKI, how to ensure its security and what implementation options are available. Also learn about digital certificates, signatures and achieving authentication through a certificate authority (CA).

A public key infrastructure (PKI) is a group of servers that handle the of public keys for digital certificates....

PKI systems maintain digital certificates, creating and deleting them as needed. The system allows users to exchange information securely across a public network by means of a pair of public and private cryptographic keys, which is obtained and accessed through a certificate authority (CA). The public key infrastructure provides a digital certificate, an electronic "credit card" that contains the name of the certificate authority, the name of the user, the effective and expiration dates, and the user's public key. Digital certificates are used to establish user credentials during online transactions. All certificates are issued by a certification authority and carry the digital signature of the issuing authority, which lets the recipient verify the certificate's authenticity.

When a user wants to enter into secure communication with another user or system, he or she simply sends his or her certificate to that user or system, which then uses the CA's public key to verify the signature the CA made with its private key. This validates that the sender's public key is authentic, and the recipient can then use that public key to engage in secure communication with the certificate sender.

Although the sender's private key isn't used for authentication, it is required to decrypt the sender's message. Communication is only completed once the initiation message is decrypted, which can be done only with the private key, to which only the user has access.

Before implementing a digital certificate, it is important to choose an expiration period in the organization's policy. Two factors to consider when choosing an expiration period are cost and security. The longer the expiration subscription, the more expensive it is, but cost shouldn't be the sole decision-making factor. A certificate's expiration period also affects the security of the PKI infrastructure, and it's important to be aware of that.

The longer a certificate's lifetime, the longer its public and private keys are in use, which increases the likelihood of an attack. If an organization uses a certificate with a longer lifetime, say two years, it will need to change the public and private keys before the certificate expires.
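The exchange described above (a CA signs a certificate binding a name, validity dates and a public key; the recipient checks that signature with the CA's public key, checks the dates, and then uses the certified public key so that only the holder's private key can decrypt the initiation message) is easiest to see end to end in code. The following is an added example, not code from the original article: it uses a deliberately small, unpadded textbook RSA built from the Python standard library so it runs offline, and the CA name, subject names, dates and message are constructed for illustration. Real deployments use X.509 certificates and a vetted library; the point here is the order of checks a relying party performs and why a short lifetime limits exposure.

```python
import hashlib
import json
import secrets
from datetime import datetime, timedelta, timezone

# ---- Toy RSA (textbook, unpadded): shows the roles of the keys, not a secure implementation ----

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test with a small trial-division prefilter."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(candidate):
            return candidate

def generate_keypair(bits=512):
    """Return (public, private). 512-bit moduli are far too small for real use."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this guarantees gcd(e, phi) == 1
            break
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}

def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, data):
    """Signature = SHA-256(data) raised to the private exponent (only the holder can do this)."""
    return pow(_digest_int(data), private["d"], private["n"])

def verify(public, data, signature):
    """Anyone with the public key can check the signature; nobody can forge it without d."""
    return pow(signature, public["e"], public["n"]) == _digest_int(data)

# ---- Certificate issuance and verification ----

def _canonical(tbs):
    """Stable byte encoding of the to-be-signed fields, so signer and verifier hash the same bytes."""
    return json.dumps(tbs, sort_keys=True, separators=(",", ":")).encode()

def issue_certificate(ca_name, ca_private, subject, subject_public, not_before, lifetime_days):
    """The CA binds subject name, validity window and public key under its own signature."""
    tbs = {
        "issuer": ca_name,
        "subject": subject,
        "not_before": not_before.isoformat(),
        "not_after": (not_before + timedelta(days=lifetime_days)).isoformat(),
        "public_key": subject_public,
    }
    return {"tbs": tbs, "signature": sign(ca_private, _canonical(tbs))}

def verify_certificate(cert, ca_public, now):
    """Return (ok, reason): CA signature first, then the validity window."""
    tbs = cert["tbs"]
    if not verify(ca_public, _canonical(tbs), cert["signature"]):
        return False, "signature does not verify under the CA public key"
    if now < datetime.fromisoformat(tbs["not_before"]):
        return False, "certificate not yet valid"
    if now > datetime.fromisoformat(tbs["not_after"]):
        return False, "certificate expired"
    return True, "ok"

def encrypt_to(public, message):
    """Encrypt a short message to the certified public key (no padding: toy only)."""
    m = int.from_bytes(message, "big")
    if m >= public["n"]:
        raise ValueError("message too long for this key")
    return pow(m, public["e"], public["n"])

def decrypt(private, ciphertext):
    """Only the matching private key recovers the message."""
    m = pow(ciphertext, private["d"], private["n"])
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def demo():
    """Walk through the exchange; returns the outcomes so they can be inspected or tested."""
    ca_public, ca_private = generate_keypair()
    alice_public, alice_private = generate_keypair()
    issued = datetime(2008, 11, 1, tzinfo=timezone.utc)  # constructed issuance date
    cert = issue_certificate("Example CA", ca_private, "alice@example.test",
                             alice_public, issued, lifetime_days=365)
    # Bob receives Alice's certificate and checks it with the CA's public key.
    ok_now, _ = verify_certificate(cert, ca_public, issued + timedelta(days=30))
    ok_expired, why_expired = verify_certificate(cert, ca_public, issued + timedelta(days=400))
    # A certificate altered after signing (subject swapped) fails the signature check.
    forged = {"tbs": dict(cert["tbs"], subject="mallory@example.test"), "signature": cert["signature"]}
    ok_forged, _ = verify_certificate(forged, ca_public, issued + timedelta(days=30))
    # Bob encrypts the initiation message to the key from the certificate; only Alice can read it.
    recovered = decrypt(alice_private, encrypt_to(cert["tbs"]["public_key"], b"session-init"))
    return {"valid": ok_now, "expired": ok_expired, "expired_reason": why_expired,
            "forged": ok_forged, "recovered": recovered}

if __name__ == "__main__":
    print(demo())
```

The order of checks in verify_certificate matters: the signature is checked before the dates, because the dates are themselves part of what the CA signed and cannot be trusted until the signature is. The expired case is the article's lifetime point in miniature: the same key pair is in use for the whole window, so a shorter window bounds how long a compromised key remains usable.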

PKI implementation and management

Some of the biggest disadvantages of PKI systems are that they are complicated and expensive, and can be difficult to maintain, install and deploy.

The implementation process can be extensive for IT staff, since PKI systems require dedicated hardware and servers to work to their full potential. Users will struggle mostly with the system's complicated security measures. Security awareness training should be required to address user questions or concerns and to ensure that the system is used properly. Such training should instruct users on how to protect their private keys through security best practices, such as secure storage, offsite laptop protection, choosing a strong logon password and antimalware procedures.

PKI can also be used as a form of two-factor authentication. The technology works in unison with other authentication devices and strengthens security more than a single method of authentication would.

Personal digital certificates

To ease the financial burden of implementing PKI, some corporations deploy the technology among internal systems for inside access rather than externally. External implementation requires the corporation to obtain a public digital certificate from a CA, which is costly. When PKI is deployed internally, digital certificates don't need to come from an established CA; they can be self-signed through the organization's own PKI, a much more cost-effective method.

For those who do decide to obtain a digital certificate through a company, it should only be used for internal access. Personal digital certificates will not be recognized by external parties, since they are not registered with a CA. In a large organization, personal certificates can be used to verify network access among employees or to authenticate users in distant departments to files or systems.


This was last published in November 2008
