Public key infrastructure, or PKI, allows two or more users of the Internet or an unsecure public network to privately and securely exchange information through the use of a public and private key pair. This cryptographic key pair or set is shared through a TA (trusted authority). In the currently employed scheme throughout industry, public key infrastructure lets a digital certificate be created which can identify either an organization or individual. Additionally, it can reference a directory service which is capable of storing or when required, revoke certificates.
Why is Public Key Infrastructure (PKI) used on the Internet?
PKI, or public key infrastructure, leverages public key cryptography for authenticating a message sender is valid (or who they say they are) as well as for encrypting information. Classic studies of cryptography have relied on the creation and subsequent sharing of a secret key for the encryption of and decryption of information. The primary flaw in this system, is that if the key is intercepted, discovered, guessed, or “cracked” by a third party, the information or messages being sent can be decrypted and read or used. As a result, public key cryptography and PKI are the preferred manner on the Internet by avoiding the pitfalls of classic cryptography.
What Makes up a Public Key Infrastructure?
PKI consists of the following elements:
– A CA (certificate authority) that is responsible for issuing and verifying the authenticity of digital certificates. A certificate will contain the public key or information regarding the public key being used.
– A RA (registration authority) which performs the role as the verifying authority for the CA prior to a digital certificate being issued to a requestor (in charge of preventing any consumer from purchasing a Microsoft certificate as an example).
– One or many directories that store all valid digital certifications (i.e. all of the public keys currently valid).
– A certificate management scheme or system able to scale to the number of certificates being managed.
How Does Public and Private Key Cryptography Work?
Both a public and private key are created at the same time using the same encryption algorithm in public key cryptography by a CA (certificate authority). The CA will use the same encryption algorithm for producing each key (RSA is a popular choice at the time of this writing). The private key will only be provided to the requesting individual or organization. The public key will then be made available to the public through its inclusion in a digital certificate. Once created, the digital certificate will be stored in a public key directory run by the CA.
Once a private key is given to a requestor, it should never be sent across an unsecure network such as the Internet and not shared with anyone else. The private key’s primary purpose is to decrypt text that has been encrypted by someone else using your public key. For example, if person A wants to send person B an encrypted message, he or she would first download the public key of the intended recipient. Then, the message would be encrypted using the key before transmitting via email, instant messenger, or other means. As a result of the private key not being divulged publicly, individuals can encrypt data intended for one recipient with only the knowledge of the public key.
Once an encrypted message is received, the “receiver” can then decrypt the information using the private key. Additionally, the sender’s identity can be authenticated through sending an encrypted digital certificate along with the message. Once received, the “receiver” can then decrypt the certificate with the public key of the sender to ensure the message was not transmitted by a “spoofer.” For those who prefer to see the requirements in table form:
|Required Action||Key to Use||Type of Key|
|Transmit an encrypted message||Receiver’s||Public Key|
|Transmit an encrypted signature||Sender’s||Private Key|
|Decrypt an encrypted message||Receiver’s||Private Key|
|Decrypt an encrypted signature (authenticates the sender)||Sender’s||Public Key|
Organizations that Provide Public Key Infrastructure (PKI)
There are a number of applications or products that allow organizations or a group of companies to implement PKI. Due to the significant growth and acceptance of conducting eCommerce by both individuals and in a B2B (business-to-business) setting, the demand for both scaleable and secure PKI solutions has significantly increased. Some of the major infrastructure and solution providers include:
Enterprise Java Bean Certificate Authority (EJBCA): – EJBCA is a free PKI certificate authority software package. The software is sponsored by PrimeKey Solutions AB (a for-profit Swedish company) that holds the copyright to the majority of the codebase. The code can be obtained under the Lesser GNU General Public License.
RSA – RSA is the security division of EMC and is responsible for creating the RSA algorithm in use by a number of the PKI vendors on the market. The RSA Access Manager application allows small to large organizations to centrally manage both authorization and authentication policies for large number of end-users, application resources, and online websites while supporting single sign-on (SSO) technology.
Verisign – Verisign has significant experience as one of the major certificate authorities in industry. The company sells software that permits other large companies or businesses to create their own certificate authorities.
SECUDE Secure Login – SECUDE gives individuals and organizations the ability to create one login for all needs. The applications organizes information into encrypted data sets and associated PKI systems and is able to handle an extremely large number of passwords. This functionality helps to reduce overall customer service costs for those implementing the security solution.
History of PKI
Modern day use of PKi dates to the publication in 1976 by Diffie, Hellman, Rivest, Shamir, and Adleman where the group discussed secure key exchange and asymmetric key algorithms. After this publication, the methodology of security communications would change in its entirety. Combined with the development of the predecessors to and eventually the Internet, the need for end-users to security communicate with each other grew. An additional “need” that became evident in this same timeframe, was the requirement for end-users to be able to confirm the identity of the person or individual sending messages.
Later, Taher Elgamal and other researchers at Netscape would develop the Secure Socket Layer (SSL) protocol. This work would provide the means for key establishment, server authentication, and the genesis for an entire PKI structure. The resulting PKI would provide the basis that web sites or end-users could use to realize secure communications.
As a result, of the economic impact of being able to conduct business online, various companies would lobby for legal protection from liability and recognition of these new technologies and the associated commerce for online transactions. The American Bar Association technology project published an analysis of the legal aspects of PKI operations in the early 1990s. In 1995, Utah would be the first state in the U.S. to enact laws and regulations for PKI. Utah would quickly be followed by other states and countries throughout the world.
Although the various laws and/or regulations that were passed would differ, there were a number of technical problems in converting the various PKI operations into successful commercial operations. Although the environment has improved while moving into the 21st century, the PKI market has not exploded to the point originally envisioned by the pioneers of the PKI market in the 1990s. The most successful deployment of PKI has been in government circles with the United States Defense Information Systems Agency (DISA) deploying one of the largest PKI infrastructures in world with the Common Access Card program.
Examples of PKI Use
There are a number of uses for a public key infrastructure depending on what the purpose of one’s organization, company, or group is. The common example uses of PKI include:
Encryption and / or authentication of a document.
Encryption and / or sender authentication of an email message.
Authentication of a user to an application. This can include a smart card logon with PIN number or a client authentication using SSL (or both).
Mobile signatures. These are electronic signatures which rely on a certification or signature service in a location independent environment.
Bootstrapping secure communication protocols such as SSL or Internet key exchange (IKE). For each of these cases, the initial setup of a “security association” makes use of a public key (i.e. an asymmetric key), where the actual communication relies on the faster (private) or symmetric key.
What is PGP?
PGP (Pretty Good Privacy) is one of the best-known applications on the market that allow an individual to encrypt an email or message to anyone who already has a private key. The message must be encrypted with the recipient’s public key and they decode the message with the private key when read or received depending on email client setup. All PGP users share a directory of known public keys which is referred to as a key ring. If sending email to someone not on the key ring, the email client will not permit an encrypted message to be sent since the receiver won’t be able to read it! It will let you sign an email with a digital signature encrypted using your private key. This can then be decrypted by the recipient to confirm your identity.
Steps to Encrypt Email in Mozilla Thunderbird
The Mozilla email program, Thunderbird, is one of the most straight-forward applications for encrypting email using PGP via the Enigmail extension.
Step 1 – Download and install Mozilla Thunderbird onto your computer if you are not already a user of the application.
Step 2 – Launch the Mozilla Thunderbird application by double clicking the icon on your computer’s desktop.
Step 3 – Select the “Tools” and “Account Settings” menu button to launch the account wizard.
Step 4 – Enter the relevant email information for the account you are going to use with Thunderbird. You will have to enter your name and email address at a minimum. Then, click the “Next” menu button.
Step 5 – Input the applicable email server information.
Step 6 – Click the “POP” menu option and enter the incoming server name. If you do not know the name, you will have to locate in the FAQ or help menu of your email service. As an example, Gmail uses “pop.gmail.com.” Then, remove the check from the “Use Global Inbox” check box and choose the “Next” menu button.
Step 7 – Input the user and account name for your email account. Then, choose the “Next” menu button and input an account name for use in Thunderbird and select the “Next” menu button.
Step 8 – Verify the information entered into Thunderbird and click the “Finish” menu button to go back to the “Account Settings” window.
Step 9 – Complete the outgoing server information. Input the server information provided from your email provided. For Gmail, the entry is: “smtp.gmail.com” and the port setting will need to be modified to “955.” Then, click the “Ok” menu button. Thunderbird will require you enter your user name and password on first use for the email account.
Step 10 – Download the Enigmail extension to your computer (Select the “Save Link As” menu option).
Step 11 – Download the GNUPGP software for Windows (Enigmail does not do this for you).
Step 12 – Execute or run the GPGP installer on the computer. GNUPGP will then be installed under the “Program Files” directory on a Windows computer.
Step 13 – Open Thunderbird if the program is not currently running.
Step 14 – Select the “Tools,” “Options,” “Extensions,” and “Install New Extension” menu options.
Step 15 – Select the “Enigmail” extension file.
Step 16 – Restart Thunderbird. “OpenPGP” will now display as a menu option.
Step 17 – Choose the OpenPGP menu item and then select the “Preferences” menu choice.
Step 18 – Select the dialog that points to the GnuPGP binary file and choose the “Browser” menu option. The GPG plugin is normally installed under the “Program Files” sub-directory on a Windows computer.
Step 19 – Generate a public and private key pair from within the OpenPGP menu. To do this, select the “Key Management” menu choice. The, from the “Generate” menu and select the “New Key Pair” menu option.
Step 20 – Select the email address that you desire to create a key for and input a “passphrase.”
Step 21 – Choose the “Generate Key” menu button and wait for several minutes.
Step 22 – Once the application has generated the “keys,” you will need to create a “revocation certificate” and save it in the case your private key is ever compromised.
Step 23 – Thunderbird is now configured to send encrypted email. To locate another person’s PGP key, select the “Key Management” menu option from OpenPGP.
Step 24 – Select the “Search” menu option from the “Keyserver” menu. Then, locate another PGP user by email address or name and then add his or her key to the local key manager. Once saved, the person can now be sent encrypted email.
Step 25 – Compose an email as you would normally do so.
Step 26 – Encrypt the message by selecting the key underneath the lower, right-hand corner of the new email window. Additionally, you can sign the message by selecting the “pencil” button and then click the “Send” menu option to transmit your message.