In Chapter 6, we briefly covered Public Key Infrastructure (PKI). This chapter is devoted to this topic. We have discussed SSL, encryption, and certificates. Now we are going to focus on Public Key Infrastructure. PKI is slowly immersing itself into the business enterprise. Lotus Notes has had a PKI since Release 1.0. For an effective PKI to be implemented, however, you will need to have some idea of what this beast is. As you might guess, public key cryptography requires a public key infrastructure. What is driving this use of PKI are applications and access to those applications. Businesses around the world are deploying new generations of business-critical applications, and in many cases, these are distributed applications. These applications are serving the following types of environments: customer to business; business to business; and employees to business.
This environment is one in which the customer will use the Internet to interact with a business. Customer-to-business access is not only to "buy" something. Following are a few examples of other uses this type of access provides. It can:
Look up information on a product or service
Inquire or make a change to an order
Place an order
Send an e-mail with a question regarding the company's offerings
There are a lot of reasons for a customer to use the Internet. Do you have to authenticate with each of these reasons? No, you only need to authenticate in those areas where you need to identify the user. Interestingly enough, implementing a PKI for the general public is somewhat difficult. You will see why a bit later.
This environment is where PKI can really shine. You will see that by using some type of PKI, you can determine whom you are doing business with and use that information to track and verify transactions. PKI can be very useful in the high-volume transaction and mobile world of Internet commerce. It provides risk management control for business systems.
This environment is another example of how PKI can help an organization. PKI can provide a secure mechanism to transfer mail not only inside the organization but also outside the organization. Also, there are the benefits of being able to have a secure transaction and access based on a certificate. You could even set up a central certificate database (LDAP) and authenticate using it as your authoritative source.
With all that said, let's review: PKI is the use of public key cryptography via some type of network (for our discussion the Internet). In most cases, a standard public-private key system will be used. This PKI will include several components.
The CA issues, verifies, renews, and revokes digital certificates. A certificate includes the public key or information about the public key and may even offer a directory to store the public key.
There are many different implementations of PKI in the marketplace. Many of these systems are shipped with a web server or are offered as a stand-alone program. The keys are typically created simultaneously using the same algorithm by a certificate authority.
Following are some of the features that we will be working with when using a PKI.
Certification Remember when we talked about binding a user to a certificate? This is certification, the process of binding a public key value to a person or system.
Authentication Again, we already talked about this. This is the process of allowing access into a system based on a set of credentials. This does not guarantee authorization. Once we know who you are, then we can authorize you. Do you see the relationship between the certificate and binding? We bind you to a certificate via certification, then we authorize into the subsystem. Then you are authorized to perform a function (access, read, write, etc.).
Validation and Expiration This is the process of verifying that a certificate is valid. We used the analogy of a driver's license that has an expiration date. The CA and the "stamps" that have been placed on the certificate by the CA verify the certificate.
Nonrepudiation This is a scheme in which there is proof of who sent a message, the recipient can show this proof to a third party, and the third party can independently verify the source.
Digital Signatures When a public-private key is issued, the CA generates two separate pairs of public and private keys for each user or server. One pair is used for encrypting and decrypting information, and the other is used by client applications to create a digital signature on a document or transmission.
Encryption of e-mail Using PKI, we can encrypt documents, files, and e-mail. S/MIME can be used to send encrypted e-mail.