A public key infrastructure (PKI) includes all the policies and procedures for sending information privately and securely across an insecure network like the Internet. PKI employs public key encryption, which uses two keys to encrypt and decrypt data-a public key and a private key. Data encrypted with the public key is decrypted with the private key. A user keeps the private key and distributes the public key-that means that data sent to Bob using his public key can only be read by Bob with his private key.

Two items essential to a PKI are digital certificates and a certificate authority (CA). Digital certificates are issued by a trusted third party, called a certificate authority. The CA also has the authority to revoke digital certificates. The digital certificates are sent with encrypted messages to verify the sender's identity. Then, the recipient must use the CA's public key, which is readily available, to decrypt the sender's public key-this is how the CA verifies that that a public key belongs to a specific owner. The digital certificate also verifies that the data is not tampered with in transit.

A digital certificate contains the following information:

• owner name, company and address
• owner public key
• owner certificate serial number
• validity dates of digital certificate
• CA company ID
• CA digital signature

How does a PKI work?

Sending:

1. Digital signature software creates a message hash (unique mathematical representation) of the sender's data, uniquely identifying the data.
2. The sender uses his/her private key to encrypt the hash. This encrypted hash is the digital signature of the message.
3. The message is encrypted using the recipient's public key (unless a secure connection like a VPN is used, in which case this step is skipped).
4. The data, digital signature, and certificate (from the CA) are sent to the recipient.

Receiving:

1. The recipient uses his/her private key to decrypt the data.
2. The recipient uses the sender's public key (obtained from the CA) to decrypt the signature and the hash.
3. If the hashes match, the data is intact and unaltered. (Any modification to the data in the message invalidates the digital signature.)
4. The recipient can check the sender's identity by verifying the digital certificate through the CA.

Simply put: I can send you a message encrypted using your public key, which I can easily obtain from the CA. Then, only you can decrypt the message, using your private key. I use my private key to attach my digital signature, which you can decrypt with my public key.

A PKI encapsulates all the elements described above: the public key encryption system, a CA, the digital certificate system, and the hashing algorithms. Many PKIs today use the X.509 standard developed by the IETF.

PKIs have emerged as an industry standard for secure e-commerce transactions. Using a PKI, customers can be assured that data they send is unaltered before or after transit, and companies can verify the identities of customers sending data. A PKI is especially important in light of the E-Signing Law, which allows e-signatures to be legally binding.

Click below for more developments and tutorial articles:

[ Home ] [ Up ]

Send mail to webmaster@infomatek.com with questions or comments about this web site.
Copyright © 2001 Infomatek Consulting and Marketing Services