PKI Architectures: How to Choose One (
Page 1 of 4 )
In the Internet’s world of insecurities, many actions should be taken to
enhance the defense of each and every network. Many solutions exist that provide
a level of security, none however being bulletproof. The best approach is to
combine a variety of mechanisms that will supplement one another. In this
article I will discuss a technology that is considered to be the new trend and a
favored option among network implementers, that is Public Key Infrastructure
(PKI).Introduction
Deciding to implement a PKI architecture is not an easy task to do. There are many factors which must be taken into consideration if we want to benefit from PKI technology.
Before moving into explaining various PKI architectures and the criterion we use to choose the one that best suits our needs, I will make a brief overview about PKI technology so we all know what I'm talking about.
What is Public Key Infrastructure (PKI)?
PKI ensures a secure method for exchanging sensitive information over unsecured networks. In addition, PKI provides authenticated, private and non-reputable communications.
PKI makes use of the technology known as public key cryptography. Public key cryptography uses a pair of keys to scramble and decipher messages, a public key and a private key. The public key is widely distributed, whereas the private key is held secretly by an individual. Messages are protected from malicious people by scrambling them with the public key of the recipient. Only the recipient can decrypt the message by using his / her private key, thus retaining the privacy of the message. The public key is distributed with a digital certificate that contains information that uniquely identifies an individual (for example name, email address, the date the certificate was issued, and the name of the certificate authority which issued it). Also, by using digital certificates we can digitally sign messages to protect the integrity of the information itself and achieve non-repudiation (digitally signing a transaction is legally binding and no party can deny his /her participation).
Components of PKI
In a PKI system, digital certificates are issued by organizations called Certification Authorities (CAs) i.e. Verisign. Requests for certificates are usually processed by organizations called Registration Authorities (RAs). An RA's responsibility is to evaluate each request, investigate the profile of each applicant and inform the appropriate CA about the trusting level of the client. After the trust verification of the applicant, CA issues the certificate. I have to mention that it is common for RA to be included within the CA environment as one component.
The operation of CAs and RAs are governed by appropriate policies, the Certificate Policy (CP) and the Certificate Practice Statement (CPS). The first provides rules for naming certificate holders, the cryptographic algorithms that will be used, the minimum allowable length of encryption keys, etc. The latter details how the Certification Authority will implement the Certificate Policy (CP) into its procedures.
/ 18 
