What is PKI

Public key infrastructure (PKI) systems offer authentication in transactions.. PKI provides an electronic identity to a person through the issuance of a digital certificate and a private cryptographic key, usually stored in a secure media such as a smart card or an i-key or even a floppy disk. The person could make use of the identity to digitally sign documents or transactions.

• To reduce risk of fraud in electronic fund transfers and other treasury activities.

• To Use of a low-cost public network infrastructure and eliminates the need for dedicated leased lines or VPNs.

• To facilitate real-time cash management with strategic banking partners

• To ensure that only specific users can access and execute high-value transactions

• To Integrate the software easily with legacy systems

The greatest obstacle to e-business in the financial service sector is the lack of trust and security over existing and evolving infrastructures. For e-business transactions to flourish, all parties involved in transactions and communications must be able to confirm the unique and irrefutable digital identity of each participant before relying on that information to make a commercial transaction.

But when it comes to making high-value transactions, such as setting up an online cash management system, even for the so called online banking systems or procuring supplies through the Internet, there is too much at stake in simply trusting someone just because he gave the correct PIN or the correct username and password. Developing systems that are able to provide firm authentication of customers, suppliers and other parties has therefore become a major challenge. Public key infrastructure (PKI) systems have surfaced as the solution to provide trustworthy identities.

In the case of online banking for users, banks need to have a proper system for authentication of the user. Even though banks have a secure network system for encrypted data transfer, still the user is identified using the typical username/id verification process that is vulnerable to hacking. So implementation of PKI makes sure that the party performing a transaction over the Internet is who he claims to be. Later he cannot deny that he has not done a particular transaction, if he had used his digital certificate.

Through the use of PKI and digital signature, one can prove to a third party or the court that a particular piece of electronic document is authentic and can be traced to the person who has digitally signed the document or transaction. This works because the cryptography and mathematics underlying a PKI system ensure that digitally signed documents cannot be forged. The digital certificate can be thought of as the electronic equivalent of the identification card. Thus, the authority which issues the digital certificates (known as Certificate Authority) must be highly trusted and secure.

Besides security, there are other issues related to PKI - technology, legal framework and standards. The technology for PKI has been around for more than a decade and is relatively mature and a number of countries have introduced legislation to recognize the validity of digital signature.

After introduction of IT Laws by many countries has enabled a standard for business transactions. Forums like Asia Pacific PKI Forum allows inter-operability to its digital certifying authority licencees with their counterparts in the member countries of that region. As financial institutions sign on to these policies and business practices, their customers will create an extensive global system of known and trusted businesses. Once certified by a Certification Authority, a trading partner can authenticate any other party with assurance. Even if a trading partner is from another part of the world, the fact that he is a certified member (through the trust relationship with his bank) makes trading viable and reduces the risk of transacting in the global system. By virtue of commonly accepted standards, trading partners will know that:

• Their transactions are legally binding;

• They have recourse in the event of a dispute or a potential fraud situation; and

• They can place legal and practical trust on the electronic identity issued by any Certification Authority

It is necessary to understand some of the basics of encryption, digital certificates and digital signatures before examining the components of a PKI.

• "Encryption" is the term used to describe the process of taking legible data, and scrambling it into a form that is non-intelligible to anyone who doesn't know how to unscramble (or "decrypt") it again.

• Encryption processes usually involve a method for encrypting the data and one or more "keys". The keys are usually a very long number, and are used during the encryption or decryption process.

• In most cases, the method (or "algorithm") that is used by an application to encrypt data is common knowledge and the key that is used is kept private.

• There are two main types of encryption - "symmetric encryption" (the same encryption key is used for encryption and decryption), and "asymmetric encryption" (different keys are used for encryption and decryption).

• Asymmetric encryption algorithms use two keys - a "public key" and a "private key". The algorithm usually involves a mathematical step that is very easy to do one way, but very difficult to do in reverse.

Algorithm is designed such that:

• Anything that is encrypted using the public key can be decrypted with the private key.

• Anything that is encrypted with the private key can be decrypted with the public key.

• The keys are generated in such a way that it is not possible to determine one key if you know the other.

This method of encrypting data using a widely publicized public key and separate private key is also called "Public Key Cryptography" and is the type of encryption that is utilized by digital certificates.

A meaning for "certificate" is "A document testifying to the truth of something". A digital certificate is an electronic "certificate" that contains information about a user and is used (among other things) to verify whom the user is. Digital certificates make use of Public Key Cryptography. The public key is stored as part of the digital certificate. The private key is kept on the user's computer, or in some hardware such as smart cards, i-keys etc.

Digital certificates are based on the IETF X.509 series of documents.

The main uses of digital certificates are:

• Proving the identity of the sender of a transaction, non-repudiation and checking the integrity of transmitted data (via the use of digital signatures).

• Encryption

• Single sign-on (the digital certificate can be used as an authorization key to connect to computer systems.)

If digital certificates are to be used for security and identification purposes, all of the following conditions must be met:

• Every certificate is unique.

• The owner of a certificate has been fully identified. All digital certificates are signed by the Certificate Authority (CA) that issues it. In issuing a certificate, the CA is basically saying that they have identified the user, and the user really is who they claim to be. To be able to trust a digital certificate, the CA needs to have fully identified the customer before issuing the certificate (or be satisfied that some other entity has adequately performed such identification).

• A private key can only be used by the owner of the certificate. As with all authentication schemes, the onus is on the user to keep the private key private. Usually a password, a smart card or biometric device is used to lock the private key and prevent others from using it.

A digital signature is used to verify the integrity of a block of data. Digital signatures are also used to verify the identity of the person who sent the transmission.

A digital signature is created as follows:

• A "digest" of the data is created. The digest is a short length of binary information and is based entirely on the contents of the data. A hashing algorithm such as MD4 or SHA is used to create the "hash" or digest. Hashing algorithms are designed such that changing just one character in the message would result in a different hashed value.

• The hash is then encrypted using the private key of the person who is sending the message.

• The encrypted digest is known as a "digital signature" and is attached to the message when it is sent.

When the message is received:

• A hash of the message is again created, using the same hashing algorithm.

• The sender's public key is used to decrypt the digital signature, and this is compared to the digest of the message that has been generated by the receiver's software.

• If both hashes are the same, then the data in the message has not been altered during transmission.

Given that only the owner of the digital certificate can create the digital signature (because they are the only person who has access to their private key), attaching a digital signature to a transmission also proves the identity of the person who sent it.

A Public Key Infrastructure (PKI) is made up of various software based services and encryption technologies that are used to facilitate trusted and encrypted transactions over an insecure network.

Digital Certificates are used in most practical implementations of a Public Key Infrastructure.

The PKI for an organization typically includes the following components:

• Digital certificates - one for each user and server.

• A Certificate Authority (CA) responsible for issuing certificates.

• One or more Registration Authorities (RA) that are responsible for identifying users during the digital certificate registration process.

• A Directory service - used to store information about users, including their public key.

• The Directory service is usually based on the LDAP or X.500 protocols.

• Software that is capable of using digital certificates

A Certificate Authority (CA) is a third party that is responsible for issuing digital certificates to users. Each digital certificate that the CA issues, is digitally signed by the CA's private key.

This is to ensure that the digital certificate has not been tampered with.

Each CA has its own procedure for identifying users. The procedure is usually listed in the CA's Certificate Practice Statement (CPS). Identification procedures range from little or no identification, through to a user having to provide 100 points worth of ID before being issued with a digital certificate.

Ideally, a CA is trusted, and always follows their advertised Certificate Practice Statement.

Typically, browser software (for example, Niyamas Tyootelery) gives users the option of marking a given CA as trusted or not trusted. A Certificate Authority also runs and maintains the server that contains the certificate database, maintains a list of any certificates that have been revoked, and publishes public keys and the revocation list into a publicly accessible directory service. The CA is also responsible for making sure that the server itself is physically secure, and that the CA's private key is not compromised. Certificate Authorities are usually arranged in a "chain" where any given CA has its root key signed by the next CA up the chain. The CA at the root or the top of the chain signs its own root key. If a given CA is trusted by a user's software, every subordinate CA below it in the CA chain is automatically trusted since the trusted CA has vouched for the trustworthiness of all Certificate Authorities below it.

Before a user can be issued with a digital certificate, they need to be identified according to the procedures of the Certificate Authority that is issuing the certificate. This registration process is often handled by a separate Registration Authority (RA).

A Registration Authority is responsible for identifying users and notifying the Certificate Authority that the user is allowed to be issued with a digital certificate. The RA does not sign or issue digital certificates directly.