RemoteIdentification.Com - Information for Digital Certificates
PKI - Public Key Infrastructure
What is PKI?

PKI (Public Key Infrastructure) is an arrangement in cryptography that facilitates third party examination of, and vouching for, user identities.

PKI allows the binding of public keys to users. These public keys are most frequently stored in certificates. This binding of public keys to users is usually carried out by software in a central location, in coordination with other associated software components installed in distributed locations.

The term Public Key Infrastructure is sometimes used in a broader sense to mean both the Certificate Authority (CA) and related arrangements, and at other times, confusingly or wrongly, to denote public key algorithms used in electronic communications. In the latter case, it should be kept in mind that public key algorithms do not require PKI.

Working with PKI

Public Key Infrastructure arrangements help users to authenticate each other and to use the information in identity certificates (public keys of each person) to encrypt and decrypt messages between each other.

Here is how PKI works. The public key infrastructure architecture consists of client software, server software such as a certificate authority, hardware (e.g., smart cards) and operational procedures. Using a private key, a user may digitally sign messages, and another person can verify the signature using the public key embedded in that user's certificate, which is issued by a certificate authority within the Public Key Infrastructure. This enables two or more parties to establish confidentiality, message integrity and user authentication without having to compromise any secret information in advance or during the process.

Most enterprise PKI systems depend upon certificate chains to establish a party's identity. That is, while the certificate for any party may be issued by a certificate authority computer, the legitimacy of that computer must in turn be certified by a higher certification authority, and so the chain goes on.

This certification hierarchy will, at a minimum, consist of many computers, often more than one organization, and an assortment of interoperating software packages from different systems across different sources. This hierarchical structure is in fact inevitable, as standards are critical to PKI operation. Many of the operating standards in this area are formulated by the IETF PKIX workgroup.

Enterprise-scale public key infrastructure systems are sometimes tied closely to the enterprise's directory schema by combining the employee's public key, embedded in a certificate, with other personal details such as name, designation, and department. X.509 is the most commonly used certificate format, alongside the directory schema LDAP.

PKI Applications

Public Key Infrastructures, irrespective of the vendors, have many uses. These include providing public keys and bindings to user identities which are used for:

  • Encryption or authentication of documents, for example with the XML signature standards if the document concerned is encoded in XML.
  • Encryption or authentication of email messages (using S/MIME or OpenPGP).
  • Verification and authentication of users to applications, such as in smart card login and client validation using SSL.
  • Bootstrapping secure communication protocols such as SSL and Internet Key Exchange (IKE).

PKI Alternatives

Newer techniques for the authentication of public key information have been introduced and some of them are already in use by various enterprises. Most popular amongst them include the Web of Trust, Simple Public Key Infrastructure (SPKI) and Robot Certificate Authorities or Robot CAs.

PKI Authorities

A PKI system is essentially made up of three different authorities. These are the Registration Authority, Certification Authority and Certificate Directory.

Registration Authority

The jobs of the Registration Authority are to process user requests, confirm their identities, and induct them into the user database.

Certification Authority

The tasks of a Certification Authority are to issue public key certificates and to attest that the public key embedded in it indeed belongs to the particular entity as stated in the certificate. The Certification Authority also has the right to cancel a certificate if required, and verify it at any point of time depending on the registration conditions.

Certificate Directory

The Certificate Directory manages and stores the user's registration information and certificates for future reference.

From the above mentioned logical structuring of the different authorities, it is quite clear that the success of any public key infrastructure system depends entirely upon the efficiency, coordination, and performance of its public key infrastructure system authorities.

Alternatives to PKI Authorities

Alternatives to PKI authorities include: Web of Trust, Simple Public Key Infrastructure (SPKI) and Robot Certificate Authorities.

PKI Certificate

A PKI certificate, which stands for Public Key Infrastructure certificate, allows someone to combine their digital signature with a public key and something that identifies them, an example being their real life name. This certificate is used to allow computer users to show that they do own the public keys they claim to. In other words, it is a security mechanism for public keys.

As mentioned before, a digital signature is required for the PKI certificate. This signature can either be made by an authority figure who assigns the certificates, the person whose identity is being confirmed, or even endorsers of the public key. As with credit cards, a digital signature is a way for other parties and people to verify that a person is in fact the owner of the public key they claim is their own.

Applications of PKI Certificates

PKI certificates are most commonly used to authenticate cryptographic public keys. In small networks, giving public keys to others may be safe. This is often untrue for larger networks, however, and a solution must be found. This solution is public-key cryptography.

To give an example of why having an unsecured public key may become troublesome, let us take the example that a person needs to communicate with another person in order to establish a business relationship. By publishing his public key, the first person is able to receive and send messages to his companion through a secure and safe method. A problem arises, however, in the fact that someone else can pose as the first person and send messages that person did not want to send. I am sure it becomes obvious why a person pretending to be another can be a huge problem during any sort of communication effort.

The PKI certificate is a way to stop this problem. This certificate allows other people to verify that they are indeed communicating with the right person and using the right public key. It is a clear answer to the third-party problems that may arise without it.

Multiple Certificate Authorities

A problem can occur when two different people or parties meet each other and both are using certification authorities the other does not recognize. Because they do not recognize the respective authorities, the certificates may not seem real. To help combat this, many certificate authorities now keep their own personal public keys in the certificates to help guide new finders of their services to them. This public key is signed by yet another certification authority, allowing a complicated hierarchy of trust to be created. To keep this simple, it basically means that all certificates are linked together by one source in an ideal situation and this source is a trustworthy one.

It is important for users who are given PKI certificates to ensure that their certification authority is indeed a legitimate provider of that service. Problems can obviously arise if someone is using a certificate that has no value because it was given out by someone lacking the authority to issue it. Use the Certificate Revocation List or the Online Certificate Status Protocol to check this information.

PKI Certificate Revocation

There are times when a certificate must be revoked by an authority. A common example of this occurring is if a person's identity information changes, for instance if they decide to change their name for some reason or another.

PKI Certificate Standards

The PKI certificate usually includes personal information such as name, employment status and company's name, and how long the certificate is valid. The most popular standard for PKI certificates is ITU-T X.509.

What is a Certificate Authority?

A Certificate Authority or Certification Authority (CA) is an entity, core to many PKI (Public Key Infrastructure) schemes, whose purpose is to issue digital certificates for use by other parties. It exemplifies a trusted third party. Some certification authorities may charge a fee for their service while other CAs are free. It is also not uncommon for governments and institutions to have their own CAs.

Issuing a Certificate

The certification authority issues a Public Key Certificate (PKC), which attests that the public key embedded in it indeed belongs to a particular person, server, organization or any other entity as said in the certificate. In such schemes, the obligation or duty of CAs is to verify the credentials of the applicants before issuing the certificate so that the users can trust the information in the CA certificates of a particular entity without any second thoughts.

But this model is not foolproof, at least from a theoretical point of view. For example, if a person (say A) could manage to get a certification authority to issue a false certificate tying another person (say B) to a wrong public key, whose corresponding private key is available to A, then this could lead to some serious security problems. That is, if a third person (say C) eventually obtains and uses the public key in this certificate, then with the private key, it is possible for A to break into the security contours of C's communication. In such a way, on a practical level, C's messages could be decrypted and the person could be duped into accepting forged signatures.

Security

As mentioned above, while the correctness of a certificate is taken for granted, it must be accepted that assuring the correctness of data presented by companies, persons or programs seeking a certificate is rather difficult and has glaring loopholes. That is, it is not an impossible task for an applicant to dupe the certification authority. In order to plug these chinks in the armor, certification authorities usually use a combination of authentication techniques, which include leveraging government bureaus, third-party databases and services, the payment infrastructure, and custom heuristics to analyze the trustworthiness of the applicant. In a few enterprise systems, local types of authentication like Kerberos can be used to obtain the certificate, which in turn can be used by relying third parties. Notaries may be required in some cases to personally verify the party whose signature is being notarized.

Protocols Supporting X.509 Certificates
© RemoteIdentification .Com - Certification Created by Tecni.Com