What is Public Key Infrastructure?
In order to overcome online security threats, four cornerstones of web security are generally recognized. These are:
- Authentication: When you visit a web site, and in particular when you intend to carry out an online business transaction, you need to be sure that the host (the server) is actually who it claims to be. In particular, if you are divulging credit card details, a username and password, or any other sensitive information, you need to be sure of the identity of the recipient. The recipient, or host web site, therefore needs to present credentials as to its identity. These credentials are referred to as digital certificates.
- Integrity: When communicating online, both the client and the server need to ensure that sensitive information is not altered in transit, either maliciously or by accident. How can one ensure that the received information is actually what the sender intended to send? This is ensured through a scheme referred to as the message digest.
- Privacy: When communicating online, one needs to ensure that sensitive and private information remains confidential to the sender and the receiver, and that nobody but the two parties to the communication knows the content of the message. How can you ensure that you and the host are the only parties that can read the sensitive information? Encryption is used to ensure privacy.
- Non-repudiation: When communicating online, and in particular when doing business online or during any other activity in which sensitive documents or monetary funds may be exchanged, how can the parties to the communication ensure that their counterpart will not repudiate the transaction? Repudiation is the act of refusing to admit having been a party to the transaction. For example, if you make an online purchase, how can the server ensure that at a later stage you do not deny having made that purchase? This can be done through the use of a digital signature.
Public Key Infrastructure, or PKI, comprises a set of standards, protocols, schemes, and services designed to ensure the four cornerstones of online security. There are different perceptions as to what PKI is. Some refer to it simply as a trust hierarchy comprising highly trusted authorities (certificate authorities) that certify the parties to a transaction (usually the merchant). For our purposes, and as it is generally conceived, PKI includes a number of other schemes and protocols designed to ensure comprehensive authentication, integrity, privacy and non-repudiation when communicating online. It is believed that in order to ensure the success and ubiquity of Electronic Commerce, parties to transactions need to feel that the four cornerstones of security are adhered to, and as such PKI becomes the enabler of Electronic Commerce.
There is no single definition of PKI at present, although efforts are being made to arrive at a cohesive definition and at interoperability between the various schemes and definitions. The protocol that brings all of the above together to meet these security requirements is SSL; SSL is considered to be the implementation of this security. There is also another suite of protocols, developed and proposed by financial institutions to enable secure payment; this suite is referred to as SET.
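As an added example (not code from the original page), the following Go program models three of the cornerstones with the standard library: a certificate authority issues a certificate to a merchant, a client authenticates that certificate against the trusted CA, a digest comparison checks integrity, and a signature over an order gives non-repudiation. The CA name, host names and keys are all constructed for the demonstration; encryption for privacy is the session-key part of SSL and is not shown here.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Template builds a certificate skeleton valid for one day; isCA marks it as an issuer.
func Template(serial int64, name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else { // end-entity certificate: carries the host name a client will compare against
		t.DNSNames, t.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// Issue has the CA sign the template (pass the template as its own parent for a self-signed root):
// the certificate is the CA's signed binding of a name to a public key, i.e. the credential.
func Issue(t, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Authenticate: does the presented certificate chain to a CA we trust and name the host we meant to reach?
func Authenticate(leaf, ca *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// SameDigest (integrity): a digest mismatch shows the bytes changed in transit.
func SameDigest(sent, received []byte) bool { return sha256.Sum256(sent) == sha256.Sum256(received) }

// OrderAccepted (non-repudiation): only the holder of the private key behind the customer's certificate
// can produce this signature, so the customer cannot later deny the order; it also catches alteration.
func OrderAccepted(customer *x509.Certificate, order, sig []byte) bool {
	pub, ok := customer.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, order, sig)
}
```

A certificate issued by a CA that is not in the trusted root set fails `Authenticate` even when its subject names the right host, which is exactly the point of the trust hierarchy described above.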
For more information also see:
http://webopedia.internet.com/TERM/P/PKI.html
http://csrc.ncsl.nist.gov/pki/
http://www.opengroup.org/public/tech/security/pki/cki/
http://www.opengroup.org/security/pki/
http://www.rsasecurity.com/rsalabs/faq/4-1-3-1.html
http://www.pki-page.org/
http://www.ficora.fi/englanti/tietoturva/julkinen.htm
http://www.bbs.no/engelske_nettsider/tillitstjenester/bankid_faq.htm
Why do we need a framework for public key security?
Test yourself by answering the questions below:
State each of the four functions of PKI where indicated.
- Agreements shall not be broken later: ..........................
- It is done through use of ..........................
- Knowing the parties to communication: ........................
- It is done through use of ............................
- Changes to message during transmission are detectable: ......................
- It is done through use of .....................
- Messages are visible to none other but the parties to communication: ......................
- It is done through use of .......................
What is the difference between authentication and confidentiality?
How do encryption, digital signature, and digital certificate differ?