PKI / Public Key Infrastructure for Not Yet Techies

PKI stands for Public Key Infrastructure and is part of business's effort to increase public confidence in using the Internet to buy and sell. PKI allows secure information to be transmitted along public Internet lines.

Security is the biggest concern of the public at large when it comes to doing business online. PKI should go a long way toward increasing confidence and trust that online ordering information is secure.

PKI supports CPS, certification practice statements. It provides for:

Confidentiality
User Authentication
Integrity of transmitted data -- using MAC (Message Authentication Codes) or digital signatures

Nonrepudiation means that someone who sent an email could not repudiate it or hide that they sent it. This obviously affects spammers, stalkers, virus spreaders etc.

1. Knowledge -- of PINs and passwords

2. Possession -- something you have, such as a private cryptographic key

3. Biometrics -- using a biometric template of your fingerprints, eye retinas or DNA patterns etc.

There're two types of crytographic methods: symmetric and asymmetric.

Symmetric means that both the sender and receiver have the same key to code and uncode documents. When I was a kid, I experimented with simple codes such as moving each letter ahead by one, so if I wrote A it really meant B, etc. The kind of codes I read about in all adventure novels. To decipher and read such a note, the receiver has to know the process you used to encrypt it. However, there are few to none such codes that cannot be easily deciphered by modern supercomputers, so privacy experts came up with another idea for PKI.

Asymmetric cryptography involves the use of two different code keys -- a public one accessible to everyone who wants to communicate with you, and a private one that you must keep secret from everyone but the most trusted employees.

When someone wants to send you a secure email, for example, they code it with your public key. However, it cannot be decoded without your private code, which only you possess. This type of cryptography is only possible through particular mathematical algorithms that can be applied by computers. PKI uses modular arithmetic -- which involves remainder values from long division.

The weakness is, if someone wants to communicate with you, how do they know that the public key is actually yours? Maybe it belongs to some hacker or con artist who possesses the private key to decode it and thereby steal their credit card number information.

Therefore, businesses doing business online have digital certificates issued by trusted third party Certification Authorities (CAs) that have verified the identity of the public key owner. This is essential to PKI, and AES - Advanced Encryption Standards.

Support for leading CAs is built into both Netscape and Internet Explorer browsers. This is enabled by SSL / Secure Socket Layers technology. PKI.

The current standard for length of public and private keys is 128 bits, or a string of number 2 to the 128th power long. That is LONG. Earlier standards were shorter and, although they were secure against the ordinary computing power available to most hackers, could be broken by supercomputers, given a little time and a lot of determination. The current standard cannot be broken without supercomputers operating nonstop for years. Even Bill Gates's credit cards are not worth that much time and expense.

Also, it uses time stamps to record the time of every transaction.

RSA developed the main algorithms used by PKI vendors. One of the first well known implementations of it was the software program Pretty Good Privacy (PG), at various times banned by the USA and other governments.

Next: PostgreSQL