The word that defines the essence of business.
Some of you may be aware that even today it is common practice for diamond merchants in Antwerp to close deals worth millions with just a handshake and a spoken agreement, without any written documents or contracts. Millions of traditional business transactions are still concluded by both parties agreeing over a phone call.
In the world of business, trust has always played, and will continue to play, the essential part: in a typical business relationship, either party's level of trust is built on face-to-face interactions, meetings, word of mouth and so on. But with the explosion of the Internet and e-commerce becoming a major driver over the last three decades, the regular set of business activities has moved to the cyber domain, and there is an ever-increasing need to run business over the Internet. The end-to-end lifecycle of products and services is now transacted over the Internet. B2B and B2C business, including marketing, sales and finance, is handled through the Internet.
Building and maintaining security, and particularly trust, over the Internet is always a challenge. How can an organization conduct business with a person or another organization in the cyber world, where the confidentiality, integrity and authenticity of the data, and the non-repudiation of either party, cannot be guaranteed?
This is where the Public Key Infrastructure comes into play: a trusted third party secures these essential security properties of the information and business transactions carried over the Internet.
In this series of blog posts, I will cover the basics of PKI and its components, and then the design, implementation/deployment and technology guidelines and considerations for PKI.
In this first post, let me try to lay out the basics of PKI and its different components.
Basics of PKI:
Simply put, Public Key Infrastructure or PKI is not just a technology consisting of software and supporting hardware; it is a framework covering people, processes, policies and services to ensure the confidentiality, integrity, authenticity and non-repudiation of electronic transactions using public key cryptography.
Before we move further, it would be apt to understand how public key cryptography works, as it is the basis of PKI.
Public Key Cryptography -
Cryptography is a technique that uses keys to encrypt and decrypt data. It has been in use for many thousands of years and, in principle, uses a single secret key to both encrypt and decrypt the data. The challenge in this single-key technique is the distribution of keys: the key has to be sent to the receiver beforehand or through a separate channel, and that step is always prone to compromise.
This key management challenge was addressed in 1976 with the introduction of public key cryptography by Diffie and Hellman. This technique uses a key pair, a public key and a private key, which are mathematically related, yet it is computationally infeasible to derive the private key from the public key. The private key is held secret by the user and the public key is published and available to anyone who needs to communicate with the user. For example, if User A wants to send confidential data to User B, A encrypts it with User B's public key, which is publicly available. The message can only be decrypted by User B, who is the sole holder of the related private key. Similarly, integrity and non-repudiation can be addressed by using the key pair the other way round: the sender signs with the private key and anyone holding the public key can verify the signature. This breakthrough enabled secure communication over public networks, which was not feasible earlier.
Securing communication over public networks using public key cryptography is the basis of PKI.
Generally speaking, a PKI comprises policies for key and certificate management, operational procedures, and the supporting software and hardware for key and certificate generation, distribution, management and storage.
The following are the components of PKI:
Certification Authority (CA): The trusted third party responsible for issuing and managing certificates.
Registration Authority (RA): Assists the Certification Authority with the registration process and with the management and signing of certificates.
Certificates: A digital certificate issued by the CA or RA essentially validates the identity of the user for electronic transactions. It contains the serial number, the name and signature of the CA, the name and public key of the owner/user, the expiry date of the certificate, and so on.
Repository / Stores: Storage for certificates and public keys, including the distribution mechanism.
In my next post, I will cover the design, implementation and technology considerations for PKI.
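As an added example (my own code, not part of this post), the trust flow described above in Go using only the standard library: a CA issues a certificate carrying the fields listed (serial number, subject and issuer names, public key, validity period, CA signature), the user signs a message with the private key only they hold, and a relying party accepts that signature only after checking the CA's signature on the user's certificate and its validity period. The names "Example Root CA" and "User A" used by the caller are constructed sample values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// template carries the certificate fields the post lists (serial, subject name, validity); the public key and CA signature are added by issue.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now(), NotAfter: time.Now().Add(90 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA { // a CA certificate is permitted to sign other certificates
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}
// issue signs tmpl with the issuer's private key, binding pub to the subject name; the issuer name comes from parent (pass tmpl itself for a self-signed root).
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, issuerKey *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// signMsg: the user signs with the private key only they hold (non-repudiation).
func signMsg(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}
// trustedSignature is the relying party's check: trust the public key only if the CA signed the certificate carrying it and it is still valid, then verify the message.
func trustedSignature(ca, userCert *x509.Certificate, msg, sig []byte) bool {
	pub, ok := userCert.PublicKey.(*rsa.PublicKey)
	if !ok || userCert.CheckSignatureFrom(ca) != nil {
		return false // not an RSA key, or not signed by the trusted CA
	}
	now := time.Now()
	if now.Before(userCert.NotBefore) || now.After(userCert.NotAfter) {
		return false // expired or not yet valid
	}
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil // integrity and origin
}
```

A relying party that trusts only the root CA's certificate therefore accepts User A's signature, but rejects both a tampered message and a certificate issued by an impostor CA using the same name.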