Public Key Infrastructure (PKI) allows for trusted electronic business by establishing trust through the generation and distribution of public keys and certificates. A PKI consists of components that work together to publish, manage, and use public keys seamlessly. It provides capabilities for authentication, authorization, confidentiality, integrity, non-repudiation, and audit controls through the use of public key cryptography and digital signatures. The PKI market has grown significantly since the late 1990s as PKI enables new e-business processes and transactions. Common cryptographic algorithms used in PKI include symmetric algorithms like DES and public key algorithms like RSA.

1. Public Key Infrastructure
in Brief
January 31, 2002

2. What is a PKI?
• A common misperception is that a PKI is a thing. In
fact, it’s a capability—the capability to easily
publish, manage, and use public keys.
• a PKI consists of a group of discrete components
that work together to allow you to use public keys,
and public-key cryptography, seamlessly and trans
parently
• A system that establishes and maintains
trustworthy e-business environments through the
generation and distribution of keys and certificates.

3. Value-Add of PKI
Feature Benefit
Authentication Allows your e-business to engage
trusted customers, partners and
employees
Authorization/ Allows business rules to dictate
Access Control who uses what resources, under
what conditions
Confidentiality Data is obscured and protected from
view or access by unauthorized
individuals

4. Value-Add of PKI
Feature Benefit
Integrity Prevents any transaction
from being tampered with
Non-repudiation Prevents any party from
denying an e-business
transaction after the fact
Audit controls Provides audit trails and
recourse for e-business
transactions

5. PKI: e-Business Enabler
• Makes trusted e-business possible
• Enables new e-business processes
• Provides integrated,comprehensive:
- Authorization
}
- Confidentiality Encryption
}
- Authentication
- Integrity
Digital Signature
- Non-repudiation
- Audit controls
...Transparently to users across
applications and platforms

6. ALL OF THESE REQUIRE A PKI
CONFIDENTIALITY & INTEGRITY AUTHENTICATION &
ACCESS CONTROL NON-REPUDIATION
Encryption Digital Signature Digital Signature
Public Private Keys
Certificates
PUBLIC KEY INFRASTRUCTURE
PUBLIC KEY INFRASTRUCTURE

7. Created Market for PKI
Products and Services
Revenue
1400
$1,200M
1200
1000
$800M
800
600
$400M
400
$200M
200 $100M
0
1998 1999 2000 2001 2002
*Source: NationsBank Montgomery/Gartner Group

8. PKI Market
Secure Transactions & Communications
Total Mkt
Internal 02 $500 $540 $100 $60 $1,200M
Enterprise
01 $350 $350 $60 $40 $800M
B2B 00 $400M
$200 $154 $30 $16
B2C $128 $50 $16 $6
99 $200M
G2C
98 $79 $22 $6 $3 $110M
Other
Source: NationsBank Montgomery/Soundview/Entrust

9. General PKI Requirements
Certification Authority
Cross-certification Key Histories
Support for
Key Backup
non-repudiation
& Recovery
Timestamping
Certificate
Revocation
Certificate
Automatic
Repository Application
Key Update
software

10. PKIX Standards Participation
PKIX-1: Chaired and edited by Entrust staff
PKIX-2: LDAP portion authored by Sharon Boeyen
PKIX-3: CMP portion authored by Carlisle Adams
PKIX-4: participation by Sharon Boeyen & others
PKIX-5: authored by Carlisle Adams, Robert Zuccherato
PKIX-6: authored by Carlisle Adams, Robert Zuccherato
PKIX Overview for IEEE: authored by
Carlisle Adams and Steve Lloyd

11. Internet Security Models
Strong
Security
Secure Session with Managed User and Server Digital ID
Support for non-repudiation of transactions Level 6
Managed Trust
Unmanaged Trust Level 5
Secure Session with Managed User Digital ID authentication
Managed Digital IDs
Unmanaged Digital IDs
Secure Session with user Digital ID authentication Level 4
Secure Session with user name and password Level 3
Secure Session with server Digital ID authentication only Level 2
Unsecured session with user name and password Level 1
Minimal
Security

12. Internet Security Models
Strong
Security
Entrust/Direct™
Level 6
Managed Trust
Unmanaged Trust Level 5
Entrust/Unity™, Entrust/TruePass™
Managed Digital IDs
Unmanaged Digital IDs
Level 4
Entrust/Web Connector
Level 3
Entrust.net™
Level 2
Unsecured session with user name and password Level 1
Minimal
Security

13. Acrobat Document

14. Cryptography in Brief
September 12, 2000

15. Cryptographic Algorithms
• Two types of cryptographic
algorithms:
• Symmetric algorithms
• Public-key algorithms
• Two types of algorithms are highly
complementary

16. Symmetric Cryptography
• Also called secret-key cryptography
• Single key used to encrypt and decrypt
• Examples: CAST, DES, T-DES
Alice Bob

17. Public-key Cryptography
• Keys come in pairs (public + private)
• Public key is available to anyone
– like a phone number in the telephone
book
• Private key is kept secret by the owner
– like ATM PIN
• Examples: RSA, DSA, Diffie-Hellman

18. Public-key Encryption
• Alice encrypting a file for Bob
• Encryption provides:
– confidentiality
– access control
Directory of Public Keys
Bob’s Public Key Bob’s Private Key
Alice
Ciphertext Bob
ENCRYPT DECRYPT

19. How Public-key Encryption
Works
Encryption Process Decryption Process
encrypt file using extract symmetric
symmetric key key using
private key
decrypt file using
encrypt symmetric key symmetric key
for recipients using
their public keys
+ recover
original file
combine header with
protected data in one file

20. Public-key Digital Signature
• Alice signing a file
– Bob verifying Alice’s signature
• Digital signature provides:
– integrity
– authenticity
– non-repudiation
Alice’s Public
Alice’s Key
Private Key
Alice Signed Plaintext Bob
SIGN VERIFY

21. How Digital Signature Works
Signing Process Verification Process
calculate fresh
calculate hash hash
sign hash
with private key verify original hash
with public key
=
compare verified hash
with fresh hash
signed plaintext

22. D ig ita l S ig n a tu r e
A lic e Bob
D a ta D a ta
P u b lic K e y o f
A lic e
Algorithm
Hashing
f(h)
f(d)
f(h)
D a ta D ig e s t D ig e s t
P r iv a t e K e y o f
D ig e s t
A lic e
(E x p e c te d ) ( A c t u a l)
f(e)
C O M PAR E
E n c r y p te d D ig e s t o r A c tu a l = E x p e c te d
H ash of M essage
I f Y e s , in t e g r it y o f t h e m e s s a g e is r e s t o r e d a n d n o n -
r e p u d ia t io n is e s t a b lis h e d

23. Putting it all Together ...
ENCRYPT
BOB’S
PUBLIC KEY
SIGN
ALICE’S
PRIVATE KEY
e-mail file transfer floppy
DECRYPT
BOB’S
PRIVATE KEY
VERIFY
ALICE’S
PUBLIC KEY

24. Signing & Sending

25. Receiving & Verification