In the new digital environment, Public Key Infrastructure (PKI) ensures that sensitive electronic communications are private and protected from tampering. It provides assurances of the identities of the participants in those transactions, and prevents them from later denying participation in the transaction.
PKI does the following:
■ Protects privacy by ensuring that the data is not read, but it can't stop someone from intercepting it. (If you can't read something, what's the use of that data?)
■ Assures the integrity of electronic communications by ensuring that they are not altered during transmission.
■ Verifies the identity of the parties involved in an electronic transmission.
■ Ensures that no party involved in an electronic transaction can deny involvement in the transaction. (Collectively these last three bulleted points are known as nonrepudiation.)
Before you send data over the public Internet, you want to make sure that the data, no matter how sensitive, won't be read by the wrong source. PKI enables data to be sent encrypted by use of a public key, cryptography, and digital signatures.
Public key cryptography ensures the confidentiality of sensitive information or messages using a mathematical algorithm, or key, to scramble (encrypt) data, and a related mathematical key to unscramble (decrypt) it. In public key cryptography, authorized users receive special encryption software and a pair of keys, one an accessible public key, and the other a private key, which the user must keep secret.
A digital signature standard (DSS) is an electronic identifier comparable to a traditional, paper-based signature—it is unique and verifiable, and only the signer can initiate it.
Before any communication can take place, both parties involved in the data communication must obtain a digital certificate from a Certificate Authority (CA), a trusted third party responsible for issuing digital certificates and managing them throughout their lifetime.
Consider the following example: a user named Simon wants to communicate with a user named Sharon. Simon already has his digital certificate but Sharon has yet to obtain one. Sharon must identify herself to the CA to obtain a certificate. This is analogous to a passport when you travel internationally. When Sharon obtains her digital certificate, it contains a copy of her public key, the certificate's expiration date, and the CA's digital signature. Each of these details is public.
Sharon creates a private key, which is not shared with anyone. If Sharon wants to create an asymmetric key pair, she would generate the pair, keep the private key locked via password, and send the public key to the CA for its signature. Now that both parties have a DSS, they can communicate and encrypt data using their public key, but they can decrypt only the data using their respective private keys. Pretty Good Privacy (application layer tool) is an excellent example of this type of communication. I suggest that you install the software (free demonstration version) and try PKI for yourself. You can find the free software at http://www.pgp.com.
Was this article helpful?