A PKI (Public Key Infrastructure) is the set of
components, people, policies and procedures which provide the foundation
for the management of keys and certificates used by public key-based
security services.
A complete PKI is much more than technology. It is a
careful blending of business processes, technology, policies and
procedures.
Through the use of encryption and digital signatures,
an enterprise PKI can enable the following important security benefits:
Authentication
is the process of confirming the identity of
an individual or entity. PKI can provide assurance beyond simple user
name and password authentication by requiring that a user or entity
possess a valid digital certificate and corresponding private key to
successfully authenticate. This provides a higher degree of assurance,
since the user or entity must not only
have something, the private key, they
must also know the pass phrase associated with that private key.
Without both pieces of information, authentication will fail.
Confidentiality
is the concept of protecting the privacy of
information so that only authorized parties can access that information.
PKI enables confidentiality through a combination of public key and
secret key encryption. Encrypting data in such a manner provides
protection for the data. It also allows for this data to be securely
exchanged among entities with no prior relationship, as data encrypted
with a given entity's public key can only be decrypted by the
corresponding private key.
Integrity provides a mechanism for ensuring that data has not
been altered. PKI provides integrity through digital signatures, a
mechanism for the detection of tampering. If verification of a digital
signature fails, the verifier knows that the data has been altered and
that it likely cannot be trusted.
Non-repudiation
establishes provides proof-of-participation in
an action or transaction. PKI provides technical non-repudiation by
establishing that an entity's private key was used to digitally sign a
transaction. This digital signature can provide a stronger chain of
evidence establishing the parties involved in an action, and when that
action occurred. Note that the presence of a ¡°valid¡± digital signature
does not guarantee that the legitimate owner of a private key was an
actual and willing participant in a transaction. Compromise of an
entity's private key, compromise of the CA, malfunctioning software, or
computer virus infection can also lead to a valid digital signature
without the actual authorization or knowledge of the private key's
owner.
These paragraphs come from
An Introduction to Enterprise Public Key Infrastructure (PKI), METASeS
Inc.. [PDF][360K]
