Digital Security

Home | Site Map | Disclaimer | Archive| Search Google This Site

Secure Gateway to DOEACC Community

Digital Certificate will be Activated Soon!!!!

What is a PKI?

A PKI is not an authentication method; rather it is an infrastructure that uses digital certificates as an authentication mechanism and is built to better manage certificates and their associated keys. A digital certificate is itself a way to reliably identify the user or computer claiming to be the owner of a specific public key.
Public key encryption, also called asymmetric encryption, is popular because it is more secure than secret key (symmetric) encryption. Two mathematically related keys, a public key and a private key, work together, with one used for encrypting and the other for decrypting (which one is used for which purpose depends on whether your goal is confidentiality of the data or authentication of the sender). The public key is made known to everyone who wants to engage in encrypted communications with the owner of the key pair. The private key never has to be shared with anyone; it is known only to its owner. This makes for a more secure system than the secret key method in which the same key is used for encrypting and decrypting and thus must be shared between the two communicating parties.
The problem with public key encryption is the difficulty of knowing whether a public key is really owned by the person it is claimed to belong to. A user could advertise that a public key belongs to Joe Jones when in fact it doesn't; that user could then intercept messages intended for Joe Jones and decrypt them with the private key belonging to the key pair. Thus, a method was needed for verifying the identity of the holder of key pairs.
That's where digital certificates come in. A trusted third party, called a certification authority, issues a certificate associated with a key pair to a user (or computer) whose identity it has already verified. Then other users and computers can rely on the veracity of the key holder's identity. This works somewhat like the issuance of identification cards by governmental entities or employers. The issuer has already checked out the identity of the person to whom the card is issued, so others (for example, stores to which the card holder writes checks) depend on the issuer's certification that the card holder is really whomever he/she claims to be.
Digital certificates contain information about the holder, the holder's public key, an expiration date, and the digital signature of the issuer (the certification authority). Managing digital certificates and their associated keys is complex, so the PKI was created to provide a framework for the issuance, renewal, revocation and management of certificates. Industry standard PKIs and their certificates are built on the X.509 specifications of the ISO.

The Certification Authority

The certification authority is the primary component of a PKI. Most PKIs will have more than one CA. A CA is simply a server that runs some sort of certificate services software. An example is the Microsoft Windows 2000 certificate services, which is included with the Windows 2000 server operating systems. The PKI will generally have a root CA, which is at the top of the CA hierarchy. This CA issues certificates to other CAs, but best practices dictate that it not issue certificates directly to users. Lower level CAs, called subordinate CAs, perform the daily task of issuing user and computer certificates. The root CA is the most trusted, so it should be kept in a very secure physical location or even taken off line when it is not in use. All CAs should be backed up regularly, because they store the private keys that are at the heart of the PKI's authentication system.
Microsoft's certificate services also distinguish between enterprise CAs (which require Active Directory and thus can only function in a Windows 2000 or 2003 domain) and standalone CAs, which can utilize the Active Directory database but do not require it.
Administrators can assign policies to the CA(s) that will be used in verifying the identity of users and computers that request certificates. In a Microsoft domain, users can request certificates for various uses (for example, email security) by logging on to the certificate server's web page or by adding the Certificates snap-in to an MMC (only the web page is used for requesting a certificate from a standalone CA). In some cases, certificates are requested by the system without user action; for example, the first time a user attempts to encrypt data on the disk using EFS, an EFS certificate is transparently requested and issued.

Home | Site Map | Disclaimer | Archive