Está en la página 1de 2

Winter 2009 40

ORIGINAL
MESSAGE
ENCRYPTED
MESSAGE
DECRYPTED
MESSAGE
PUBLIC KEY PRIVATE KEY
Joe encrypts a message using his private key and sends it to Sue. She
accesses his freely-available public key and decrypts the message. The
message will only be legible if Joe indeed encrypted the original mes-
sage. Thus Sue can be certain that Joe sent the message and Joe can-
not deny he sent it (a concept called non-repudiation).
u u u u
In discussions of identity, Public Key Infrastructure (PKI) is often men-
tioned in the same breath as smart cards and biometrics. While the lat-
ter two are widely known and becoming familiar to their many users,
PKI can still be confusing.
PKI stands behind the smart card and provides the platform for it to
be successful. So with more digital identity documents being issued
and PKI becoming more prevalent its important to get a handle on the
technology. PKI can be expensive and could be hard to deploy when
it was a new technique, but now its become mainstream and is com-
monly deployed in identity projects.
So what is a PKI and how does it work?
Lets break down the term into two pieces Public Key and infrastruc-
ture. The term public key represents one technology that can be used
to encrypt and decrypt information. The term infrastructure repre-
sents the notion that there is a wide-spread network of connected
items. Thus Public Key Infrastructure, or PKI, is a wide network of con-
nected technologies that are specifcally Public Key related.
So lets understand what Public Key technology is, but frst a little back-
ground and scene setting.
In todays world, individuals, corporations and governments are using
the Internet as the primary method for communicating information
and conducting business. As we all know, it can be difcult to deter-
mine, with any amount of certainty, who you are dealing with at the
other end of the connection.
Specifcally, there are three basic concerns.
Is the information being exchanged private and secure? Can I rest 1.
assured that nobody has tampered with the data?
Is the person with whom I am dealing with really the person I think 2.
it is?
Once I conduct a transaction, can anyone deny participation after 3.
the fact?
In dealing with people face-to-face, there is an element of trust backed
up with receipts and signatures that give us a degree of comfort in
conducting business. There is also the assurance we receive simply by
looking at a person and recognizing them. If we require additional lev-
els of assurance, we employ the services of notaries, or bring witnesses
to bear. In dealing with people electronically, those assurances are lost,
so how do we establish this type of trust in an online environment?
First, we must establish the true identity of an individual to some rea-
sonable level of certainty. Driver licenses, birth certifcates, witnesses
and passports all may be used, depending on the level to which we will
need to trust future interactions and transactions, e.g., the department
of motor vehicles might require a lower assurance for registering an
automobile than a central bank would for transferring a huge sum of
money to another central bank.
Second, having completed our identity proofng we give the individ-
ual something very special, a secret and personal Private Key estab-
lished with Public Key technology. Thats right, Public Key technology
generates a Private and Public key set for an individual and the two
keys ft the same lock. Lets look at this further!
Public Key Infrastructure Primer: Why is PKI important?
Bryan Ichikawa
Unisys Corp.
Winter 2009 40
Sue encrypts a message using Joes freely-available public key
and sends it to Joe. Using his private key, Joe is able to encrypt
the message but only he can do so. Both parties can be confdent
that no other person else can decrypt the message as only Joe is in
possession of his private key.
u u u u
Public Key technology is based on Public Key cryptography, a technolo-
gy that itself is mathematically complex. Essentially, it is a cryptograph-
ic technique that enables one person to encrypt some data with one
key and this data can only be decrypted with another, related, key. You
can also encrypt data with the related key and it can only be decrypted
with the original one key. These key pairs are related and no other key
or key pair can encrypt or decrypt data outside of this pair. This is the
notion that two keys can ft the same lock, as mentioned above.
This basic concept is transformed into a powerful utility once a basic
premise is applied. And this premise is make one key of the key pair
a secret and make the other key publicly available. The secret key is
only known to the holder of that key, and the public key is known to
all, and is known by all as belonging to holder of the corresponding
secret key.
This truly amazing technology can now be applied to accomplish all of
the three concerns mentioned above. How?
Consider the diagram below. Any data encrypted using Key A, the pri-
vate key can only be decrypted with Key B, the public key. Since Key
B is public, anything encrypted by Key A can be decrypted using Key
B. The point in encrypting here is not to make anything a secret (if you
think that the only reason to encrypt something is to make it a secret
not so!).
Since Key B is a public key, anyone in the world has access to it and any-
one in the world can decrypt the data encrypted by Key A. So what? So
that means by virtue of being able to decrypt the message, you know
2 things it was encrypted by Key A (any message encrypted by any
other key would result in junk data), and the message was not tam-
pered with (had anyone messed around with the encrypted data, the
result would also have been junk data).
This is the same thing the medieval king did when he put his signet
ring into a gob of wax on a proclamation to be posted in the castle. It
was guaranteed authentic and unchanged. (Well, a clever fellow might
be able to scrape the parchment and change the message, so PKI sig-
natures are better!)
Conversely, if anyone were to encrypt data using the Public Key B
which, remember, everyone has then only the corresponding Key A
would be able to decrypt it. In this case, we are keeping secrets and
only the holder of Key A could see the message. Now the king has put
the parchment into a secure envelope and put a seal on the fap!
So the notion of Public Key technology the ability to have related
key pairs that only work with one another where one of which is kept
secret and the other made public, makes for a powerful utility that can
protect data, provide knowledge about the other party, and secure
transactions.
The other part of PKI, the I or infrastructure component, is what makes
Public Key technology work in a global arena, enabling individuals and
organizations to trust one another.
Key to this infrastructure are the concept of certifcates and authori-
ties.
The Public Key pairs and identities mentioned above are of little value
without something to guarantee their authenticity. One must be able
to associate a person, or entity, with their keys. This is accomplished via
something called certifcates. A certifcate is basically a container that
holds the Public Key (of the public/private key pair) and data associ-
ated with that key such as the individuals name, the keys expiration
date and other pertinent data elements. The certifcate becomes the
essential component that relates a key to its owner.
Certifcates are issued by authorities. Authorities are high-level entities
that establish the notion of a trust center. All certifcates issued by an
authority can be trusted if one trusts the authority. All certifcates is-
sued by an authority are all a part of the family of that authority.
Winter 2009 41
ORIGINAL
MESSAGE
ENCRYPTED
MESSAGE
DECRYPTED
MESSAGE
PUBLIC KEY PRIVATE KEY

También podría gustarte