• slide-1
  • slide-2
  • slide-3
  • slide-4
  • slide-5
PKI Components
Public Key Infrastructure (PKI) provides security features and is the foundation for providing trust and security for e-business (and other services). A PKI consists of more than just technology. It includes a security policy, certification authority, registration authority, certificate distribution system and PKI-enabled applications. Detailed description PKI and the policy issues related to its implementation are not covered in this paper. PKI is used in this discussion as a solution for e-business in developing countries. Some of the components of PKI include:

Digital Certificate: This is an electronic document issued by a trusted party that binds the physical identity of an entity (user, organisation or computer) to their public key. In security systems (especially in a public key cryptographic system), a digital certificate is used to authenticate the parties involved in a transaction, to electronically sign documents used to ensure the integrity of contents and the non-deniability of transactions conducted electronically. ITU-T X.509 Recommendation defines the format for a certificate.
Digital Certificate: This is an electronic document issued by a trusted party that binds the physical identity of an entity (user, organisation or computer) to their public key. In security systems (especially in a public key cryptographic system), a digital certificate is used to authenticate the parties involved in a transaction, to electronically sign documents used to ensure the integrity of contents and the non-deniability of transactions conducted electronically. ITU-T X.509 Recommendation defines the format for a certificate.

Attribute Certificates: Attribute certificates are short-lived certificates that can be issued locally where the user is known but can have a global scope. They contain information about the roles and the privileges of the user. Several attribute certificates issued by different organisations can be linked to a single digital certificate. A financial institution can issue an attribute certificate to a business enabling that business to perform transactions up to a certain amount. Industry attributes can also be issued to link the business credibility and credentials to the business’s identity.

Security Policy: The security policy defines the direction that an organisation has decided to take in implementing its information security. This includes the use of encryption technology and how security matters are handled. If the organisation also operates as a certification authority, the security procedures and how security policies are enforced will be part of what is called a Certificate Practice Statement (CPS). A CPS includes (but is not limited to) procedures on how certificates are issued and revoked and how the keys for encryption (public key) are stored.

Certificate Authority (CA): Typically, a CA is a network organisation that issues certificates by using a digital signature to bind the physical identity of the entity (user, application or host) to the public key. |

Registration Authority (RA): An RA authenticates the identities of entities and requests the CA to issue a certificate for that entity. An RA operates hierarchically under a CA and acts as the user interface of the CA.

Validation Authority (VA): A VA could be part of the services offered by a CA or by a third party. It validates digital certificates, provides digital receipts and Trusted Third Party notarisation services as proof that an e-transaction took place.

Attribute Authority (AA): A digital certificate could be linked to attributes that define the privileges of the certificate holder. An AA normally stores and manages attribute certificate independently from the CA.

Certificate Distribution System (CDS): Digital certificates issued by CAs need to be made available to other network users. A CDS is normally implemented as an ITU-T X.500 directory database or a Lightweight Directory Access Protocol (LDAP). It is a public database system that stores certificates and maintains a list of revoked certificates. Depending on the PKI implementation, a CDS could also store certificate attributes. The CDS enables network entities (users, organisations or hosts) to verify that the public key of a network entity really belongs to them before accepting the transaction.

PKI-enabled Applications: Applications that use the PKI technology are referred to as PKI-enabled applications. These include Web, email, electronic data interchange (EDI), Virtual Private Networks (VPN) and e-payment systems. PKI applications provide the necessary security to run on a public network such as the Internet.

PKI Tokens: A hardware device in the form of a smart card or a key usually with limited memory capacity used to store the entity’s certificate and private key. Some tokens also store the cryptographic algorithm used for encryption and other relevant data. When the user inserts the token into the reader, they are requested to enter a Personal Identification Number (PIN) or a password. Tokens could be read by the smartcard reader on the keyboard or through the Universal Serial Bus (USB) port of the computer.

Go to top