- Internet & the Web
Public Key Infrastructure
The first thing we look for in an official letter to establish trust in its validity is a signature. Similarly, we seal documents to prevent others from knowing what's inside, and also to ensure that no one alters the contents without being detected. But the most important reason to seal or sign an envelope is to make the other person trust the identity of the actual sender. Can we achieve this mechanism electronically over the Internet?The answer to this problem -- of bringing trust over exchange of information through emails and web etc. -- can be answered through Public Key Infrastructure (PKI).
Why PKI Is Necessary?
Without delving into the details of PKI, let's first evaluate what can go wrong without a secure mechanism in place. There can be interruption - emails from the authentic source can be prevented from reaching you; interception - when you actually bank online, a trespasser may sniff your username and password; modification - someone may change the web pages displayed on your browser to steal information; impersonation - fake emails could be sent with a fake website address to unsuspecting users, this practice is also called phishing. All of these illegal activities pose a real threat in the online world as detecting digital trespassing is a sophisticated and complex procedure.To understand how this affects the society as a whole and not just the IT industry, imagine you receive an email saying that your Internet banking has been enabled and can be instantly accessed at online.bank.com. Would you visit this link? If yes, how can you be sure if it is in fact the real address and not a phony site set up by someone to steal user names and passwords? And how do you know that the email you received - apparently from the correct address - has been sent by your bank? Again, the answer to these questions lies in implementation of PKI which provides a trust mechanism.For some, PKI might sound like a pure tech domain oriented word, only relevant for IT gurus and their disciples. However, this is not the case; PKI affects all areas of business activity in the global village. It can be implemented through services of an established authority technically called Certification Authority (CA). In layman terms, CA certifies a user by issuing a certificate. Other users of the same network also trust the same CA. That's why showing a digital certificate to a user establishes a proof of identity - a credential that says yes, the person who claims to be Areez is in fact Areez, not an impersonator because a trusted third party - the CA - has issued Areez a certificate.This concept is not new and is already prevalent in non-digital world. Take a very simple analogy of financial transactions: a cheque is only valid after it has been signed; the signature is verified by the cashier at bank with an already stored image to prove its authenticity before making a payment. The fact behind this practice is manifestation of trust that is attached with the signature and existence and ability of some established authority to verify these signatures. This helps tremendously as the need of physical presence for building trust or demonstrating authenticity is substituted by a signature - or for that matter, some other identity that can be cross verified.
Imporance And Benefits Of PKI
PKI is needed because the information superhighway is full of highway-men and con artists who are ready to rob unsuspecting people of their hard-earned money. And even if they are not there, we can't simply do business without being sure that the other party is in fact what it claims to be.
Digital certificates are provided to businesses after a thorough background check. These certificates are then used over websites as proof of legitimacy and identity, and for creating digital signatures to digitally sign documents and email.
This whole process involves management of 'keys' - digital information one part of which is saved at CA (called Public) and other part with the user (called Private). The infrastructure of key management is called PKI. This involves networks, long range connectivity, implementation of encryption algorithms through different applications, policies and procedures governing issuance, revocation and professional supervision.
Many countries around the world have developed their national PKIs. Businesses in a country without a national PKI have to get digital certificates from abroad. But if there is a PKI in place, then the government becomes the top level authority by regulating certification service providers, who in turn issue certificates to businesses in liaison with international CAs. This translates into the following benefits:
- Providing legal status to the communication, including emails, carried out through the use of PKI.
- Allowing e-commerce to grow as it becomes easier for transaction stakeholders to identify each other and make the other person lawfully liable for digital commitments. It may also mean reduced cost and higher availability of certificates.
- Emergence of new products and services on the lines of e-tax return filing. This would mean easier people-to-government access and reduced travel costs.
- B2B or person-to-person communication over email could be trusted on a wider scale for the first time. Right now, very few people are known to digitally sign their documents or emails for authenticity; neither companies ask employees to do so when they communicate between themselves within a department or outside a department, largely due to the absence of a common CA.
The Electronic Transaction Ordinance 2002 (ETO 2002) provides details on how legal recognition for electronic documents and electronic signature would work. Thus, the basic legal framework for PKI has been published. The very first lines of ETO present its purpose - 'to recognise and facilitate documents, records, information, communications and transactions in electronic form, and to provide for the accreditation of certification service providers'. Chapter 5 provides details of a Certification Council which would '...grant and renew accreditation certificates to certification service providers, recognise or accredit foreign certification service providers, encourage uniformity of standards and practices...' among other functions.
Features of PKI - CAIN
The main e-security features required for e-security and e-trust include Confidentiality (only the intended recipient gets the information), Authentication (identifying correctly who is who), Integrity (information must not be changed in transit) and Non-Repudiation (the sender can not deny it didn't send the information).
Public Key Infrastructure (PKI) provides all of these features and is considered to be one of the main solutions for providing e-trust, e-security and e-payment services for e-business