                     Frequently Asked Questions

Public Key Infrastructure FAQs

  • What do you mean by the Public Key Infrastructure (PKI)?

    The PKI is the overall system of identifying parties on the Internet using their certificates. It is headed by a Certifying Authority that is responsible for issuing digital certificates and verifying their validity. It has evolved with the objective of providing security services such as authentication, confidentiality, integrity and non-repudiation (binding customers and businesses to their transactions) across networks, and of providing a means of identifying with whom one is communicating or doing business.

  • What is data confidentiality?

    Data confidentiality refers to a situation in which a message is inaccessible to others except the intended recipient(s). Encryption and decryption ensure confidentiality.

  • What is data integrity?

    If a message received is the same as that which was sent - i.e. it is unaltered during transmission - data integrity is said to have been achieved. This can be verified using a message digest attached to the message, which acts as the digital fingerprint of the message.

  • What is sender authentication?

    It's a process to ensure that a message does not originate from someone other than its purported sender. Sender authentication is achieved through two related mechanisms: digital signature and digital certificate.

  • What is non-repudiation of origin/data accountability?

    Data accountability refers to the availability of proof that message exchange actually took place. The sender would not be able to deny it. This is also accomplished through digital signatures.

  • What are the elements of PKI?
    The elements of PKI are:

Certification Authority

The Certification Authority (CA) issues and revokes certificates. It provides assurance that the certified information is correct and that the key used in signing certificates and CRLs is not compromised. CAs are bound by regulations. As the issuing authority, the CA plays a vital role in the operation of the certificate management system and in the delivery of CRLs at scheduled intervals. It also provides audit capabilities without risk of exposure.

Certificate Repository

The Certificate Repository is used to store certificates and CRL information, and to obtain the latest status information about certificates. The CRL is a list of revoked certificates. The issuing CA digitally signs each list, which allows the requestor to verify data integrity. Users search the repository for certificates and CRLs.

End-user

The end-user is typically someone who uses PKI-enabled services over the Internet from a PC. These services include secure e-mail, among others. Mails may be encrypted using the receiver's public key. The receiver can then verify the sender's signature. Once the mail has been exchanged and the important objectives of non-repudiation, authentication, integrity, and confidentiality have been realized in the transaction, a legally binding contract between the end-user and the service provider, and vice versa, is made possible.

Service Provider

Service Provider refers to any application service provider, such as an email service or any other PKI-based service. The service provider hosts the end entity, which comprises the application server complete with security measures such as firewalls to prevent unwanted attempts to access the server. Confidentiality security services are initiated between the end user and the end entity after they have authenticated themselves. From then on, all data transport between the two entities takes place in encrypted form, assuring both parties of the confidentiality of the data transmission.
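
The data integrity and sender authentication answers above fit together: a message digest on its own detects alteration only if the digest itself cannot be replaced. The following is an added example, not part of the original FAQ. It uses Python's standard library, and because that library has no public-key signing, an HMAC with a constructed shared key stands in for the digital signature; in a PKI the digest would be signed with the sender's private key and checked with the public key from the sender's certificate.

```python
import hashlib
import hmac


def attach_digest(message: bytes) -> tuple[bytes, str]:
    """Sender side: return the message with its SHA-256 digest (the 'fingerprint')."""
    return message, hashlib.sha256(message).hexdigest()


def digest_matches(message: bytes, digest: str) -> bool:
    """Receiver side: recompute the digest and compare it in constant time."""
    return hmac.compare_digest(hashlib.sha256(message).hexdigest(), digest)


def attach_tag(message: bytes, key: bytes) -> tuple[bytes, str]:
    """Keyed digest (stand-in for a signature): needs `key` to produce."""
    return message, hmac.new(key, message, hashlib.sha256).hexdigest()


def tag_matches(message: bytes, tag: str, key: bytes) -> bool:
    """Receiver side: recompute the keyed digest and compare in constant time."""
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    original = b"Pay vendor A the sum of 1,000"     # constructed sample message
    altered = b"Pay vendor B the sum of 9,000"      # constructed in-transit change
    key = b"constructed-demo-key-not-for-real-use"  # assumption: shared out of band

    msg, digest = attach_digest(original)
    _, tag = attach_tag(original, key)
    return {
        # Unaltered message: the bare digest verifies.
        "intact_digest_ok": digest_matches(msg, digest),
        # Body changed, digest left alone: the alteration is detected.
        "altered_body_old_digest": digest_matches(altered, digest),
        # Body and digest both replaced: the bare digest check passes anyway.
        "altered_body_new_digest": digest_matches(*attach_digest(altered)),
        # Keyed check: without the key the old tag no longer verifies.
        "altered_body_old_tag": tag_matches(altered, tag, key),
        "intact_tag_ok": tag_matches(msg, tag, key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The third result is the case to watch for when reviewing a design: an unkeyed digest that travels with the message protects against accidental corruption only, which is why the FAQ pairs the digest with a digital signature and certificate.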

 Copyright © 2003, Mahanagar Telephone Nigam Limited. All Rights Reserved.
