The ABCs of PKI

Decrypting the complex task of setting up a public-key infrastructure.


The concept of a public-key infrastructure is relatively straightforward, but actually setting up a PKI in your network can be a complex and daunting undertaking.

The basic idea is that sensitive data is protected through encryption. Each end-user device has encryption software and two keys: a public key for distribution to other users, and a private key, which is kept and protected by the owner.

A user encrypts a message using the recipient's public key. When the message is received, the recipient decrypts it with his own private key. Users may have multiple key pairs to maintain discrete communications with different groups.

With all these key pairs floating around, it's crucial to have some method of administering the keys and their usage. That's where a PKI comes in, enabling the centralized creation, distribution, tracking and revocation of keys.

It all starts with authentication

The first step in setting up a PKI is establishing a system for authentication, so users can be positively identified before receiving network rights.

Password-based logons provide one method of authentication, but a more secure method is digital certificates. Each certificate contains specific identifying information about a user, including his name, public key and a unique digital signature, which binds the user to the certificate.

To get a certificate, a user sends a request to a designated registration authority, which verifies the user's identity and tells the certificate authority to issue the certificate.

The certificate itself is a digital document, which is generally stored and administered in a central directory. For a user operating from home, the certificate would be stored on his system. In either case, the certificate is transmitted automatically when needed, and the user's work is not interrupted.

The certificate authority verifies a certificate's authenticity for the receiver. Again, for the user, this is generally transparent.

Of course, certificates should not last forever. Each certificate is issued with an expiration date and sometimes will need to be revoked early, such as when an employee quits. A certificate authority can revoke a certificate before its expiration date by identifying it in a regularly published certificate revocation list.

As with key pairs, there is a need to coordinate the issuing and revoking of certificates. That is another function of a PKI, acting as a comprehensive architecture encompassing key management, the registration authority, certificate authority and various administrative tool sets.
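As an added example that is not part of the article (and not any vendor's product code), the following Go program walks through the flow described above: a self-signed certificate authority issues a certificate binding a user's name to his public key, another user encrypts a message to that public key, and the receiving side checks the CA's signature, the validity period and a certificate revocation list. It uses only Go's standard library. The registration authority's identity check is assumed to have already happened, and all names, serial numbers and lifetimes ("Example Corp", serial 1001, a 30-day certificate) are constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA holds the private key and self-signed certificate of the certificate authority.
type CA struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// NewCA creates a self-signed root. In a real deployment this key would live in
// an HSM; the "Example Corp" name is a constructed placeholder.
func NewCA() (*CA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Key: key, Cert: cert}, nil
}

// Issue is the CA's step after the registration authority has vetted the
// applicant: it binds name and public key together under the CA's signature.
func (c *CA) Issue(serial int64, name string, pub *rsa.PublicKey, lifetime time.Duration) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.Cert, pub, c.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// PublishCRL signs a certificate revocation list naming the given serials.
func (c *CA) PublishCRL(serials ...int64) (*x509.RevocationList, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, c.Cert, c.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// Validate is the receiver's side: chain the certificate to the trusted root,
// enforce its validity window at time `at`, then consult the CRL if one exists.
func Validate(cert, root *x509.Certificate, crl *x509.RevocationList, at time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := cert.Verify(opts); err != nil {
		return err // bad signature, unknown issuer, or outside NotBefore/NotAfter
	}
	if crl == nil {
		return nil
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("untrusted CRL: %w", err) // never trust an unsigned revocation list
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate revoked")
		}
	}
	return nil
}

// Scenario (constructed): Bob receives a certificate, Alice encrypts to the
// public key inside it, then Bob leaves and the CA revokes his certificate.
// It returns the decrypted text and the validation results before revocation,
// after revocation, and after the certificate's expiry date.
func Scenario() (plaintext string, beforeRevoke, afterRevoke, afterExpiry error, err error) {
	ca, err := NewCA()
	if err != nil {
		return
	}
	bobKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	bobCert, err := ca.Issue(1001, "bob@example.test", &bobKey.PublicKey, 30*24*time.Hour)
	if err != nil {
		return
	}
	// Alice encrypts with the public key carried in Bob's certificate; only
	// Bob's private key, which never leaves his machine, can recover it.
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bobCert.PublicKey.(*rsa.PublicKey), []byte("payroll.xlsx attached"), nil)
	if err != nil {
		return
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, bobKey, ct, nil)
	if err != nil {
		return
	}
	plaintext = string(pt)
	beforeRevoke = Validate(bobCert, ca.Cert, nil, time.Now())
	crl, err := ca.PublishCRL(1001) // Bob quits; CA revokes serial 1001 early
	if err != nil {
		return
	}
	afterRevoke = Validate(bobCert, ca.Cert, crl, time.Now())
	afterExpiry = Validate(bobCert, ca.Cert, nil, time.Now().Add(31*24*time.Hour))
	return
}
```

Calling `Scenario()` from a `main` (or a test) yields the decrypted message, a nil error before revocation, a "certificate revoked" error once the CRL lists serial 1001, and an expiry error when the clock is moved past the 30-day lifetime. Two points worth noting from a defender's stance: the receiver must verify the CRL's own signature before honouring it, and revocation only takes effect once receivers actually fetch the new list, which is why the CPS should state how often a CRL is published.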

PKI software comes in different flavors depending on who you buy it from: Entrust Technologies, Baltimore Technologies, RSA Security and VeriSign all offer PKI products. In each case, some form of certificate authority and registration authority, key and certificate management, and key backup and recovery tools will be required.

PKI requires a central directory

Generally, a central directory is also implemented as part of a PKI, as a place to store and look up certificates, along with other relevant information. You may already have a directory for the support of existing applications, such as e-mail. If the existing directory is Lightweight Directory Access Protocol- or X.500-compliant, it can probably meet the PKI's requirements.

However, directory systems do not always interoperate well and can frustrate your PKI efforts, especially if the directory is expected to handle diverse client applications in addition to a PKI. Lack of directory interoperability has prompted vendors to create the Directory Interoperability Forum to try to resolve the issue.

Another element of a PKI is the certificate policy, which outlines rules for the use of a PKI and certificate services. For example, if a user mistakenly shares his private key, he might be expected to notify security staff or the certificate authority.

Proactive determination of how that event would be handled is critical to the operation of a PKI and is addressed by a certificate practice statement (CPS). The certificate policy and CPS are generally written in consultation among IT, various user groups and legal staff.

The CPS provides a detailed explanation of how the certificate authority manages the certificates it issues, along with associated services, such as key management. The CPS also acts as a contract between the certificate authority and users, describing the obligations and legal limitations, and setting the foundation for future audits. PKI vendors can provide you with a CPS template to work with.

As with any other IT infrastructure, a staff is needed to set up, administer, fix and manage a PKI. Finding those people is essential but may prove difficult, as demand for competent PKI support will likely outstrip supply in the coming year.

As a start, you will need to appoint a security officer, who will be responsible for setting and administering your shop's security policy. This individual does not need to be part of IT, but must understand the issues and will probably need a surety bond.

Next, appoint a PKI architect who will examine requirements and design your PKI. This person may also support implementation as project manager.

A PKI security administrator, who will use certificate authority management tools to add, enable and revoke users and their certificates, is essential for ongoing operations.

You will also need a directory administrator and someone to act as a registration authority, although it is possible to set up an automated registration authority to handle user requests made through their Web browsers. In that case, you may be able to use current staff, such as a database administrator, to help set up and maintain the automated registration authority service.

Do you need a PKI?

Clearly, putting a PKI into place will take considerable effort, time and money. So is it worth the investment? Maybe. The real question you need to consider is, "What are our business requirements for increased security, and can a PKI help address them?"

Most of your users won't have an opinion, for now, but management might - especially if it is concerned about the impact a security breach could have on the bottom line. Getting management to buy into the idea of a PKI is crucial, so you will need to learn their thoughts early in the process.

Some services stand out as immediate candidates for PKI support: e-mail, secure file transfer, document management services, remote access, e-commerce and Web-based transaction services. Support for nonrepudiation, which ensures that transactions cannot be disowned, is also required by these services and is supplied through the use of digital signatures.

Then there are wireless networks and virtual private networks, in which encryption is pretty much essential as a guarantee of confidentiality.

For the corporate network and e-commerce, another PKI-enabled solution that should be of real benefit is single point sign-on.


McKinley is president of Summit Communications, an IT consultancy based in Ottawa. He can be reached at barton@
