Public Key Infrastructure: Invisibly Protecting Your Digital Assets
Public Key Infrastructure (PKI) offers the opportunity to streamline your procedures for protecting and sharing sensitive and valuable information. As Beth Cohen and Debbie Deutsch report, when it comes to protecting your company's valuable digital assets, you owe it to yourself to investigate what doors PKI can open for you and your organization.
Your company is negotiating a big deal with a partner, making you a bit nervous about the security of exchanging documents via email. There is a non-disclosure agreement in place, but you'd like to be absolutely certain that only the recipients can see the plans for your company's new product initiative. When the partner emails their agreement to the final version of the proposed deal, you also want to be able to prove absolutely that the email really is from them. Is there a proven technology that can fulfill both needs?
Public Key Infrastructure (PKI) can handle these requirements and more. You may already be using PKI without knowing it if you have relied on certificates or "certs" to identify a web server or to confirm the identity of external websites. It is a critical technology for the Internet and is used in applications as diverse as e-commerce and VPNs. Let's explore the world of PKI cryptography to learn about keys, signatures, and certificates, and to see how PKI can benefit you and protect your company's valuable digital assets.
You don't need to be an expert in encryption to deploy PKI in your operation, but there are a few key concepts and components to understand. PKI is a powerful technology that employs cryptography to provide two important capabilities, privacy and authentication. The cryptographic procedures, or algorithms, use two keys to encrypt information. This is called asymmetric cryptography. Compared with conventional (symmetric) cryptography, which uses only one key, it is easier to distribute keys, making PKI much simpler and more practical to deploy.
Keys are digital values used to encrypt and decrypt information. A PKI system uses keys in pairs. One key is private and kept secret by its owner. The other key is public and can be freely shared. When you encrypt a document with someone else's public key, only that person can decrypt it, since only he or she has the corresponding private key. This is how PKI provides privacy.
PKI keys are chosen and stored differently than computer passwords. First, a private key is created. The private key is a random binary number that is generated and used inside a computer or specialized hardware device. A private key is never chosen, seen, or created by its owner. Once the private key is determined, the corresponding public key is computed based on the value of the private key. PKI works because it is extraordinarily difficult -- impractical by any currently available means -- to go back the other way.
Keys can be as short or as long as needed. The length of keys is measured in bits. Long keys take more time to process, but offer correspondingly more protection. The most important considerations in choosing the length of the key are the overall value of the information to be protected and how long that information will have value. The greater the length of the key, the more computation would be required to determine the private key from the public key. A key should be long enough that the information would be worthless by the time the private key could be computed. As time goes by, and as computers become increasingly faster, it will be necessary to use correspondingly longer keys.
June 10, 2003
Exposing any system, no matter how briefly, to an untrusted network is suicidal. A firewall is absolutely vital, and fortunately, the Linux world offers an excellent free firewall utility in netfilter/iptables. Carla Schroder takes a deeper look at iptables with additional rules and scripts for basic firewalling and sharing Internet connections.