What is Public Key Infrastructure (PKI)?
Public key infrastructure (PKI) systems provide authentication for transactions. PKI is an information technology infrastructure that lets Internet users exchange information securely and privately using a public and private key pair, where the public key is certified by a trusted authority. The public key infrastructure provides a digital certificate that identifies an individual or an organization, and directory services that store the certificates and, when necessary, revoke them. A certificate is a digital document (i.e. a formatted file) that binds a public key to a person, application, or service. A trusted Certificate Authority (CA) creates the certificate and digitally signs it using the CA’s private key. Because of its role in creating certificates, the CA is the central component of the PKI. Using the CA’s public key, applications verify the issuing CA’s digital signature and hence the integrity of the certificate’s contents (most importantly, the public key and the identity of the person, application, or server).
The cryptographic systems used within a Public Key Infrastructure (PKI) are:
- Private and Public Key Systems: private-key systems are symmetric cryptography and public-key systems are asymmetric cryptography. A PKI uses both: asymmetric keys to authenticate parties and to exchange keys, and symmetric keys to encrypt the bulk of the data.
- Symmetric Encryption Systems: the same key is used for both encryption and decryption, so every party that must read the data has to hold the same secret.
- Asymmetric Encryption Systems: a different key is used for each process. One key is the public key and the other is the private key. Data encrypted with the public key can be decrypted only with the private key. Conversely, a digital signature created with the private key can be verified by anyone holding the public key; this is the operation that certificates and digital signatures rely on.
A certificate authority (CA) is the entity that issues certificates. Normally the requesting party generates the key pair itself, keeps the private key, and submits only the public key to the CA in a certificate request (in some deployments the CA generates the pair on the user’s behalf, but the private key is still handed over only to its owner). The CA publishes the resulting certificate, which carries the public key, in a directory for other users. The private key must never leave its owner’s control and is never sent over the Internet. The owner uses the private key to prove its identity by signing, and to decrypt data that others encrypted to its public key. The certificate itself is signed with the CA’s private key, and the receiver of a message checks that signature with the CA’s public key before trusting the public key and identity inside it.
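The certificate life cycle just described, carried out with the openssl command line, as an added example that is not code from the original article. It assumes a POSIX shell and an OpenSSL 1.1.1 or newer binary on PATH; the CA name, the subject alice@example.com, the sample transaction text and the file layout are constructed for the example. It also shows the signing step that the later discussion of non-repudiation depends on: the subscriber’s private key signs a transaction, and anyone holding the certificate verifies it. Run it as `sh pki.sh demo` to walk through the steps; the last step alters the signed transaction and shows the verification failing.

```shell
#!/bin/sh
# Added example, not code from the original article. Builds a minimal
# two-tier PKI with the openssl CLI (assumed: OpenSSL 1.1.1+ on PATH, POSIX sh)
# and exercises the operations the text describes: the CA signs a certificate,
# a relying party verifies it against the CA's public certificate, and the
# subscriber signs a transaction with a private key that never left its machine.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certificates

# write_config: minimal openssl config so the example does not depend on the
# system openssl.cnf. The v3_ca section marks a self-signed cert as a CA.
write_config() {
    cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# make_ca NAME CN: generate the CA's own key pair and self-signed root cert.
make_ca() {
    write_config
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$1.key" 2>/dev/null
    openssl req -x509 -new -key "$WORK/$1.key" -config "$WORK/req.cnf" \
        -sha256 -days 365 -subj "/CN=$2" -out "$WORK/$1.crt" 2>/dev/null
}

# make_csr NAME CN: the subscriber generates its OWN key pair. Only the public
# key leaves the machine, wrapped in a certificate signing request (CSR).
make_csr() {
    write_config
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$1.key" 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -config "$WORK/req.cnf" \
        -sha256 -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
}

# issue_cert CA NAME: the CA binds the CSR's public key to the identity by
# signing a certificate with the CA's private key. CA:FALSE on the leaf means
# it cannot itself issue certificates.
issue_cert() {
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' \
        > "$WORK/$2.ext"
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -sha256 -days 90 -extfile "$WORK/$2.ext" \
        -out "$WORK/$2.crt" 2>/dev/null
}

# verify_cert CAFILE CERT: what a relying party does. Only the CA's public
# certificate is needed; exit status 0 if the CA signature and validity
# period check out, non-zero otherwise (including for a cert from another CA).
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_subject CERT: print the identity the certificate binds the key to.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# sign_file KEY FILE SIG: SHA-256 + RSA signature with the private key.
sign_file() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_signature CERT FILE SIG: verification with the public key extracted
# from the certificate. Any change to FILE after signing makes this fail.
verify_signature() {
    openssl x509 -in "$1" -pubkey -noout > "$1.pub"
    openssl dgst -sha256 -verify "$1.pub" -signature "$3" "$2" >/dev/null 2>&1
}

# Walk-through: sh pki.sh demo
if [ "${1:-}" = "demo" ]; then
    make_ca bankca "Example Bank Root CA"
    make_csr alice "alice@example.com"
    issue_cert bankca alice
    verify_cert "$WORK/bankca.crt" "$WORK/alice.crt" && echo "certificate chains to bank CA"
    printf 'TRANSFER 1000.00 TO ACCT 42\n' > "$WORK/txn.txt"   # constructed sample transaction
    sign_file "$WORK/alice.key" "$WORK/txn.txt" "$WORK/txn.sig"
    verify_signature "$WORK/alice.crt" "$WORK/txn.txt" "$WORK/txn.sig" && echo "signature ok"
    printf 'TRANSFER 9000.00 TO ACCT 42\n' > "$WORK/txn.txt"   # altered after signing
    verify_signature "$WORK/alice.crt" "$WORK/txn.txt" "$WORK/txn.sig" || echo "altered transaction rejected"
fi
```

Two checks worth keeping in mind from this script: `verify_cert` accepts a certificate only when it chains to the CA file you pass, so a certificate for the same name issued by any other CA is rejected, and `verify_signature` fails for a document changed after signing, which is the property the text later calls non-repudiation. Nothing in the example exports either private key; only `.crt`, `.csr` and `.sig` files would ever be sent to another party.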
Objectives of Public Key Infrastructure (PKI)
- To reduce risk of fraud in electronic fund transfers and other treasury activities.
- To use a low-cost public network infrastructure, eliminating the need for dedicated leased lines or VPNs.
- To facilitate real-time cash management with strategic banking partners.
- To ensure that only specific users can access and execute high-value transactions.
- To integrate the software easily with legacy systems.
Why Public Key Infrastructure (PKI)
The greatest obstacle to e-business in the financial service sector is the lack of trust and security over existing and evolving infrastructures. For e-business transactions to flourish, all parties involved in transactions and communications must be able to confirm the unique and irrefutable digital identity of each participant before relying on that information to make a commercial transaction.
But when it comes to high-value transactions, such as setting up an online cash management system, operating an online banking system, or procuring supplies through the Internet, there is too much at stake in trusting someone simply because he supplied the correct PIN or the correct username and password. Developing systems that provide firm authentication of customers, suppliers and other parties has therefore become a major challenge, and Public Key Infrastructure systems have emerged as the solution for providing trustworthy identities.
In the case of online banking, banks need a proper system for authenticating the user. Even though banks have a secure network for encrypted data transfer, the user is still identified by the usual username and password check, which is defeated by anyone who obtains those credentials. Implementing a Public Key Infrastructure ensures that the party performing a transaction over the Internet is who he claims to be, because the transaction is signed with a private key that only he holds. He also cannot later deny having performed a transaction that he signed with his digital certificate.
Benefits of the Use of Public Key Infrastructure (PKI)
Through the use of Public Key Infrastructure and digital signatures, one can prove to a third party or a court that a particular electronic document is authentic and can be traced to the person who digitally signed the document or transaction. This works because the cryptography and mathematics underlying a PKI system make it computationally infeasible to forge a digital signature without the private key; the proof is therefore only as strong as the protection of that private key, which is why key storage and the revocation process matter as much as the algorithms. The digital certificate can be thought of as the electronic equivalent of an identification card. Thus the authority that issues the digital certificates (the Certificate Authority) must be highly trusted and secure.
Besides security, there are other issues related to Public Key Infrastructure: technology, legal framework and standards. The technology for PKI has been around for more than a decade and is relatively mature, and a number of countries have introduced legislation to recognize the validity of digital signatures.
The introduction of IT laws by many countries has established a standard for business transactions. Forums like the Asia Pacific PKI Forum allow their licensed digital certifying authorities to interoperate with counterparts in the member countries of that region. As financial institutions sign on to these policies and business practices, their customers will create an extensive global system of known and trusted businesses. Once certified by a Certification Authority, a trading partner can authenticate any other party with assurance. Even if a trading partner is from another part of the world, the fact that he is a certified member (through the trust relationship with his bank) makes trading viable and reduces the risk of transacting in the global system. By virtue of commonly accepted standards, trading partners will know that:
- Their transactions are legally binding;
- They have recourse in the event of a dispute or a potential fraud situation; and
- They can place legal and practical trust in the electronic identity issued by any Certification Authority.