A PKI Primer:
An E-Security Solution for E-Business Today
By: Uday O. Ali Pabrai CEO, ecfirst.com
September 18, 2000
Published in Des Moines Business Record, Des Moines, Iowa
A Public Key Infrastructure, or PKI, is a collection of services that enables the use of public key encryption techniques. Over the next few years, all businesses, large or small, will be dependent on digital signatures and digital certificates.
PKI is about securing the movement and access to data. Any commercially viable PKI will support public key management through the use of digital certificates issued by a Certification Authority (CA) to users of the system. In addition, a commercial PKI must allow a central the requirements for certificate acquisition and revocation, as well as determining which certificates grant access to which protected resources.
Benefits of PKI
- Authentication - Assurance to both parties of a data transaction that the other entity is who he/she/it claims to be.
- Integrity - Assurance that the data in a transaction has not been altered in transit, intentionally or unintentionally.
- Confidentiality - The data can only be read by the intended recipient, and may not be read by a third party from denying involvement at a later date.
PKI Services
- Secure Communications - Any data exchange may be secured using a PKI, including e-mail, web-based transactions, and EDI transactions.
- Secure Web Applications - PKI may provide security for any application using a web browser as its interface.
- VPN Establishment - A PKI can be a key component to establishing a Virtual Private Network (VPN), allowing authorized off-site personnel secure access to your network.
- Local Data Storage - If desktop security is a concern, the PKI may be used to encrypt any sort of file as it is saved to disk. This has the beneficial side effect of providing automatic data compression for the encrypted files.
- Single Sign-On - A network making extensive use of PKI-enabled resources may alleviate the need for users to remember a wide variety of passwords, as the digital certificates are capable of providing adequate user authentication.
- Privilege Management - A PKI can be used to define which users have access to what secured network resources.
- Secure Time Stamping - A PKI may be used to implement a trusted time-stamping service. A central authority may be used to provide time stamps for files.
- Notarization - A PKI may certify the validity of data, though the definition of "valid" will depend on the nature of the data in question.
A PKI also should provide the following features:
- Certificate Registration - Ability to issue new certificates that contain, minimally, the user's name and new public key.
- Certificate Revocation - Ability to cancel certificates previously issued.
- Trusted Evaluation - Determining both the validity of the certificate and the operation it authorizes.
- Key Selection - Ability to obtain the public key of another party.
- Key Recovery - Ability to recover data encrypted by a key that has since been lost or destroyed.
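The registration, revocation and trusted-evaluation features listed above can be seen working together in a small model. This is an added example, not code from the original article or from any PKI product: the class and function names, the certificate fields and the sample user are constructed for illustration, and textbook RSA over fixed primes stands in for a real signature scheme.

```python
import hashlib
import json

# Toy CA signing key: textbook RSA over two fixed Mersenne primes, no padding.
# Constructed for this demo and NOT secure; a real CA uses a vetted crypto library.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)

def digest(body):
    data = json.dumps(body, sort_keys=True).encode()  # canonical form of the fields
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

class CertificationAuthority:
    def __init__(self):
        self.next_serial, self.revoked = 1, set()  # revoked holds cancelled serials

    def register(self, name, public_key, not_before, not_after, operations):
        """Certificate Registration: sign a binding of name, key and permitted operations."""
        body = {"serial": self.next_serial, "name": name, "public_key": public_key,
                "validity": [not_before, not_after], "operations": sorted(operations)}
        self.next_serial += 1
        return {"body": body, "signature": pow(digest(body), D, N)}

    def revoke(self, cert):
        """Certificate Revocation: cancel a previously issued certificate."""
        self.revoked.add(cert["body"]["serial"])

def evaluate(cert, operation, today, revoked):
    """Trusted Evaluation: check the certificate's validity, then what it authorizes."""
    body = cert["body"]
    if pow(cert["signature"], E, N) != digest(body):  # verify with the CA public key
        return "bad signature"
    if not body["validity"][0] <= today <= body["validity"][1]:  # ISO dates sort as text
        return "outside validity period"
    if body["serial"] in revoked:
        return "revoked"
    if operation not in body["operations"]:
        return "operation not authorized"
    return "ok"

def demo():
    ca = CertificationAuthority()
    cert = ca.register("alice", "alice-public-key-placeholder",
                       "2000-01-01", "2000-12-31", {"vpn", "email"})
    # Someone edits the certificate to grant an extra operation without re-signing it.
    forged = dict(cert, body=dict(cert["body"], operations=["payroll"]))
    cases = [(cert, "vpn"), (cert, "payroll"), (forged, "payroll")]
    before = [evaluate(c, op, "2000-09-18", ca.revoked) for c, op in cases]
    ca.revoke(cert)
    return before + [evaluate(cert, "vpn", "2000-09-18", ca.revoked)]
```

The signature check runs first because the validity dates, serial number and operation list are only trustworthy once the CA's signature over them has been verified.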
PKI Planning Recommendations
Keeping in mind that most PKI solutions struggle to get past pilot deployment within organizations, the following is a plan of action for any company intending to implement a PKI:
- Research and analyze your core e-security requirements. Determine precisely which applications and services would benefit from the use of PKI technology, and decide whether or not you wish to invest the resources required to enable them.
- Evaluate key PKI vendor products and determine how they relate to your business objectives. The identity of the Certification Authority is of particular importance. Will this role be outsourced or will an in-house solution be used instead? Or is a mix of the two more appropriate for your needs?
- Develop your PKI strategy and objectives. Begin to develop the policies that will define the way your PKI operates. Which users will be allowed access to what resources?
- Define your digital certificates. Determine which customizations your organization will need in order to enable the desired level of functionality. Also, if you explicitly intend for your infrastructure to interact with that of an existing PKI (one maintained by a business partner, for example), make the effort to provide maximum certificate compatibility between the two systems.
- Determine the additional resources required to implement the desired PKI solution. Of the applications you have slated to make use of the new infrastructure, which of them may be PKI-enabled with off-the-shelf software solutions and which will require a more active development effort? If a significant number of applications require custom modifications, which ones will be given top priority? Some newer applications may have some degree of PKI functionality built into them. Do they have enough functionality to meet your needs? And how active a role will the vendor of the PKI products take in the day-to-day operation of the system? Do you want a system that, once installed, will be almost completely under your exclusive control or do you wish to outsource the installation and maintenance of the infrastructure?
- Start with a small, focused pilot project. Use off-the-shelf technology wherever possible, select a non-mission-critical project and restrict the scope of the initial application. Keep time to completion of pilot to no more than 100 days. Involve different parts of the organization on the pilot project. Legal, operations, IT, security, users and business management all will be likely stakeholders in the enterprise-level PKI infrastructure, and they should be involved in the project as early as possible.
Within the next few years, digital signatures will be the norm, PKI-enabled applications will be more readily available, and with Microsoft's Windows 2000 providing built-in support for PKI, it is likely that this will accelerate support for PKI deployment.
Last updated: April 29, 2005