Public Key Infrastructure
Secure communications is an essential requirement for any modern organization. In practical terms, this often means sending encrypted information across the Internet—through electronic mail, file transfers, secure web transactions, or telephony. Public key infrastructure, or PKI, addresses the problem of managing encryption and decryption keys for groups of users to assure the confidentiality of information. PKI also provides for the use of digital signatures, which allow the integrity of digital information to be verified. A final benefit of PKI is non-repudiation, which verifies that a particular author sent a given message.

PKI is based upon three principal technologies: public key cryptography, digital signatures, and digital certificates. These key components are discussed in the next sections. This is followed by an explanation of how PKI is implemented in the enterprise, and the problems that it must address.
Public Key Cryptography
Any discussion of public key infrastructure must begin with public key cryptography. Public key cryptography, also known as asymmetric cryptography, allows users to communicate secretly without having a shared secret key. The trick is that each user has both a public and a private key. Anyone can access the public key, but only the user has access to the private key. The true magic of public key systems is that when a particular public key is used to encrypt information, only the corresponding private key can decrypt it (because the keys are mathematically related). To send you a secret message, I use your public key to encrypt my message. I can then send you the message via public means, because no one can read the message without your private key.

Mathematicians Whitfield Diffie and Martin Hellman developed the first published practical application of public key cryptography in 1976 (although classified systems were probably already in use at this time). Their method of jointly establishing a secret key is now known as Diffie-Hellman key exchange.

In 1978, the team of Rivest, Shamir, and Adleman published a method of using two large primes for encryption and decryption that combined public key encryption and digital signatures. The method, still used today, is known as RSA, and it is based on the computational difficulty of factoring large prime integers. Other well-known public key algorithms include El Gamal, which is based on discrete logarithms, and ECC (elliptic curve cryptography), which is based on the algebraic structure of elliptic curves over finite fields.
A second crucial application of public key cryptography is digital signing. A digital signature allows verification that a given private key signed a particular message, which provides the benefits of integrity and non-repudiation. An author can sign a document by