Inhouse PKIs
A PKI can also be implemented by an enterprise for internal use to authenticate employees accessing the network. In this case, the enterprise is its own certificate authority (CA). For details on the public key system, see cryptography.
Managing the Root Key
The root key is the public/private key pair of the certificate authority. If the private part of that root key is ever discovered, all the certificates issued under that key pair are compromised. Generating the private key securely and keeping it private are therefore critical.
All Encompassing
The PKI establishes the encryption algorithms, the levels of security and the policy for distribution to users. It also embraces all the software (browsers, e-mail programs, etc.) that supports the process by examining and validating certificates and signed messages. See digital certificate, digital signature, root key, web of trust and DST.
Generating the Root Key
SafeNet's Luna CA3 is a hardware security module (HSM) that is used to generate the root key in a PKI system and keep the private key secure. It uses a PIN entry device (PED), EEPROM-based data keys and a PC Card reader that attaches to the server via an LVDS cable and PCI adapter. Containing a processor, firewall, flash memory and RAM, the PC Card is built with extra epoxy and secured with triple DES encryption. The card will destroy its contents if compromised.
The PED combines and transfers information from the data keys to the PC Card. The blue key is inserted into the PED by the security officer who sets up administrative rights, configures the HSM and determines how many people must use green keys. All parties must insert their green keys to activate the system. The black keys are used by administrators to generate and delete key pairs, and the red keys are used for grouping HSMs in domains. (Image courtesy of SafeNet, Inc., www.safenet-inc.com)
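The green-key activation above is a threshold (M-of-N) scheme: the security officer decides how many key holders there are, and the HSM stays locked until the required holders present their keys. The Python below is an added example, not SafeNet's code and not a description of how the Luna CA3 implements this internally; it assumes the standard way to build such a quorum, Shamir secret sharing over a prime field, and uses a constructed sample key split 3-of-5 (the all-of-N case the text describes is simply threshold equal to the number of shares).

```python
import secrets

# Field prime (Mersenne prime 2^521 - 1): large enough to hold a 256-bit key.
P = 2**521 - 1

def _eval_poly(coeffs, x):
    """Evaluate polynomial (coefficients low to high) at x mod P (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def split_secret(secret, threshold, n_shares):
    """Split secret into n_shares points; any `threshold` of them rebuild it.
    The secret is f(0) of a random degree threshold-1 polynomial f and share
    i is (i, f(i)); all-of-N activation is simply threshold == n_shares."""
    if not 1 <= threshold <= n_shares:
        raise ValueError("need 1 <= threshold <= n_shares")
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element below P")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]

def reconstruct_secret(shares):
    """Lagrange-interpolate the shares at x = 0 to recover f(0).
    Fewer than `threshold` shares still yield a value, but it is a random
    field element carrying no information about the secret."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

# Constructed sample "root key" (not a real key) so the demo is reproducible.
SAMPLE_ROOT_KEY = int.from_bytes(bytes(range(32)), "big")

def demo():
    """3-of-5 split: a 3-holder quorum recovers the key, 2 holders do not."""
    shares = split_secret(SAMPLE_ROOT_KEY, threshold=3, n_shares=5)
    quorum_ok = reconstruct_secret([shares[0], shares[2], shares[4]]) == SAMPLE_ROOT_KEY
    two_fail = reconstruct_secret(shares[:2]) != SAMPLE_ROOT_KEY
    return quorum_ok, two_fail  # (True, True)
```

In a real deployment the shares would live on separate hardware tokens held by different people, which is exactly what the coloured PED keys provide.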
Reproduced with permission from Computer Desktop Encyclopedia. Copyright (c) 1981-2008 The Computer Language Company Inc. All rights reserved.