PKI (Public Key Infrastructure) is a framework of security services that allows groups of users to communicate securely using public key security mechanisms. Those mechanisms fall into three main categories: secure key exchange, authentication and encryption.
Any organization that decides to implement PKI must first create an organization-wide security policy listing the assets to be protected, the level of security to be afforded to each asset, the security protocols to be adopted and who is responsible for implementing and monitoring those security actions. The policy document will highlight which mechanisms should be implemented and where. Secure storage needs to be identified for storing any Public Key information, and a security certification authority must be selected or an internal certification authority identified. IPSec itself identifies the protocols for the secure exchange of data, but PKI identifies all aspects of the security mechanisms.
Trust in the secure communication exchange is enabled through a third party, who will normally be required to provide digital signatures certifying that the two parties taking part in the exchange of data are bona fide. This requires both parties to agree on the certification authority and to recognize its digital signatures. There are many CAs (Certification Authorities) to choose from, and the two parties must agree on the use of a particular CA.
The CAs will register and certify the digital signatures of their client subscribers through the use of a private key used to sign the digital certificate.
An originator starts the life of a certificate by taking a list of personal details and signing it with his private key. This is sent to the certification authority, which adds details of its validity date/time, lifetime and a serial number, all of which it then signs with its own private key. The certified certificate is then returned to the originator, who can append it to transactions to authenticate himself. If at any time an originator of information to be exchanged suspects that a digital certificate has been compromised, the originator will normally select a new set of keys to produce a new certificate, but must first revoke the first set of keys by requesting that the CA add the compromised certificate to the revocation list.
There are numerous proprietary security systems available that offer a good secure service, but it may be worth considering Open PKI, a set of standards that are vendor independent and so do not tie an organization to a single vendor.
A common set of standards for the storage and retrieval of PKI certificates is the X.500 series of ITU standards, X.509 being the particular standard for digital certificate directory services. This set of standards was originally designed to operate with OSI directory services but can also be accessed via IP (Internet Protocol).
The following items are required within an X.509 digital certificate:
- Version Number of X.509 in use
  - zero = version 1 (default)
- Serial Number of Certificate
- Signature Algorithm Identifier
- Issuer Name
- Validity
- Subject Name
- Subject Public Key Information
  - Algorithm and public key
- Issuer Unique Identifier (OPTIONAL)
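
The required fields are DER-encoded in the order listed, and the version field is omitted entirely when it holds the default of zero. The following added example (not part of the original page) walks that encoding with the Python standard library only; the helper names and the sample certificate body, with its placeholder names and key bytes, are constructed for illustration.

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("indefinite or oversized length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def tlv(tag, value):
    """DER-encode one element; used only to build the constructed sample."""
    n = len(value)
    head = bytes([n]) if n < 0x80 else bytes([0x81, n])   # sample stays under 256 bytes
    return bytes([tag]) + head + value

def parse_tbs(der):
    """Return the required fields of the signed certificate body, in encoded order."""
    _, tbs, _ = read_tlv(der, 0)           # unwrap the outer SEQUENCE
    tag, val, pos = read_tlv(tbs, 0)
    version = 1                            # field absent: zero = version 1 (default)
    if tag == 0xA0:                        # [0] EXPLICIT wrapper around the INTEGER
        version = int.from_bytes(read_tlv(val, 0)[1], "big") + 1
        tag, val, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serial number must be an INTEGER")
    out = {"version": version, "serial": int.from_bytes(val, "big")}
    for name in ("signature_algorithm", "issuer", "validity", "subject", "subject_public_key_info"):
        tag, val, pos = read_tlv(tbs, pos)
        if tag != 0x30:
            raise ValueError(name + " must be a SEQUENCE")
        out[name] = val
    _, not_before, p = read_tlv(out["validity"], 0)
    out["not_before"], out["not_after"] = not_before.decode(), read_tlv(out["validity"], p)[1].decode()
    return out

def sample_tbs(with_version):
    """Constructed certificate body with placeholder names and key bytes (not a real certificate)."""
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, bytes.fromhex("0603550403") + tlv(0x0C, cn))))
    sig_alg = tlv(0x30, bytes.fromhex("06092a864886f70d01010b0500"))  # sha256WithRSAEncryption
    key_alg = tlv(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption
    body = tlv(0xA0, tlv(0x02, b"\x02")) if with_version else b""     # encoded 2 = version 3
    body += tlv(0x02, b"\x10\x01") + sig_alg + name(b"Example CA")
    body += tlv(0x30, tlv(0x17, b"250101000000Z") + tlv(0x17, b"260101000000Z"))
    body += name(b"example.test") + tlv(0x30, key_alg + tlv(0x03, b"\x00" + b"\xAA" * 16))
    return tlv(0x30, body)
```

The parser stops after Subject Public Key Information, so the optional trailing fields are ignored rather than validated.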