As the world increasingly turns to electronic business, electronic credentials that prove identity are becoming a critical necessity. Much like a passport proves identity in the offline world, public-key infrastructure (PKI) delivers a way to prove identity in the online world.PKI is fast becoming the cornerstone of information security technology for a large number of companies. PKI ensures that people are who they say they are and also proves that documents haven't been tampered with, which is critical when conducting online transactions, such as placing orders or transferring money. Here's a simplified look at these state-of-the-art passports to the online world. The magic of PKI occurs through the use of extremely long prime numbers, called keys. Two keys are involved - a private key, which only you have access to, and a public key, which can be accessed by anyone. The two keys work together, so a message scrambled with the private key can only be unscrambled with the public key and vice versa. The more digits in these keys, the more secure the process. Just as you prove your identity through a handwritten signature offline, you use a digital signature to prove your identity online. But without seeing a person sign the document, how can you prove it's the right person? This is where public-key cryptography comes in. A large piece of data set to be encoded - for instance, a document - is run through a complicated mathematical computation to generate a single large number, called a hash. The original data and the hash are inextricably linked. If either changes, the hash won't match and the message cannot be decoded. To digitally sign a document, a hash is taken of the document and then signed with a user's (let's call him Bob) private key. Data scrambled with Bob's private key can only be unscrambled with Bob's public key. Any entity can verify the validity of the document by unscrambling the hash with Bob's public key and checking that against another hash computed from the received data. If the hashes match, the data was not tampered with and Bob's digital signature is on it. But because I didn't watch Bob sign the document, I don't know that it wasn't signed by an imposter. This issue is solved because only Bob has his private key, and so he is the only one who could have signed the document. How do I know I have the correct key to verify the signature? This is where the concept of trust enters the system, creating the need for a certificate authority to verify online identity. The certificate authority is like an online passport bureau - a trusted entity that makes the PKI system work. The private key is securely generated by Bob, and after verifying Bob's identity, the certificate authority signs Bob's public key with its own private root key. The combination of Bob's public key and the signature of the certificate authority completes Bob's digital certificate.Bob's digital certificate is his online passport, validated by the certificate authority's watermark. Let's look at how all this works together in a simple transaction. Bob wants to send Alice a confidential e-mail. Bob would use Alice's public key, stored in her certificate, to scramble the message. When Alice receives the message, she uses her private key to unscramble it. Because no one else possess Alice's private key, only she can unscramble the message. The process is similar in complex transactions. Let's say Bob wants to let Alice order products from his Web site. When Alice is ready to buy, Bob requests that she prove her identity. Alice signs the order with her private key, which was issued by a certificate authority we'll call TrustCo. She then sends the package consisting of the order and the digital signature to Bob. Bob needs to get Alice's and TrustCo's digital certificate to verify the signature. He validates Alice's certificate by verifying TrustCo's signature (remember TrustCo signs Alice's public key, thus forming the certificate), and then uses Alice's certificate to validate the signature on the order. If all those tests pass, Alice is actually Alice. Like any security technology, digital signatures used in the PKI model aren't perfect. If the certificate authority's root key is stolen, then anyone can create digital certificates, which compromises the trust level of the certificate authority and makes all the certificates from that certificate authority null and void. Certificate authorities go to great lengths to keep their keys secure, including armored bunkers. Additionally, if Bob loses his private key, or if it's stolen, then anyone possessing the private key can pose as Bob. More importantly, thousands of applications used throughout businesses need to be PKI-ready. Applications need to know how to ask Bob to sign data and how to validate the data using certificates. For PKI to become a widely used technology, it must become a transparent part of everyday software, so end users don't need to understand all the complexity behind keys, hashes and digital certificates. Rothman is executive vice president of SHYM Technology, a software company that makes PKI wares. He can be reached at firstname.lastname@example.org or www.shym.com.
Tell us your thoughts on this article or the issues it raises.