Public Key Infrastructure (PKI)
Public Key Infrastructure is a collection of components used to enable the management of X.509 certificates. The following are the components of a PKI:
A certificate authority (CA) issues and validates digital certificates. The CA has a digital certificate with its public key that must be trusted by the client software.
A registration authority (RA) verifies information for the CA before any digital certificates are issued. Most RAs are operated by your corporate security so they can validate the identity of the requesting individual.
A directory, usually Lightweight Directory Access Protocol (LDAP) enabled, is used to store the certificates.
A certificate revocation list (CRL) lists certificates that have been revoked for one reason or another. Revocation can be requested, for example, if your private key has been compromised and you need to get a new certificate. Additionally, if an employee leaves the company, her certificate can be placed on the CRL.
PGP does not use PKI, rather PGP users have key rings. A key ring is a collection of public PGP keys. There are public and private PGP key servers available that provide public PGP key information via HTTP or FTP protocols.
One common design between PGP and X.509 certificates is that there is a private key that needs to be kept secret. If you use multiple computers, this becomes problematic in that you must take your private key with you. How to move your key with you without leaving copies of it on multiple computers is an issue. One solution to this is as old as the lock on your front door: a hardware key.
Most token-based cards, such as SecurID from SecurityDynamics, Inc., use a technique called two-factor authentication. Two-factor authentication requires some personal, unique information from the user, plus some data generated by the hardware, to authenticate the user. In the SecurID example, it uses a time-based token plus personal pin combined to form a passcode. The passcode combined with the username authenticates the user.
Because the time-based token expires every 60 seconds, intruders are prevented from using the passcode in replay attacks. Additionally, because both a username and a PIN are required, if a hardware token is lost or stolen, it does not automatically grant access to your network.
There are a few drawbacks to the hardware-based token mechanism. First, each user must have his own token. Although not wildly expensive, large numbers of cards can be costly. Secondly, the user must always have the token with them. If the user forgets the token, or loses it, he has no other means to access the system.
Smart cards are credit-card sized with a computer chip built in. Usually there is some memory, allowing for a flash filesystem to store information on. X.509 certificates can then be stored on the smart card. Some smart cards even have a Java Virtual Machine built in to run applications.
The smart card solves the problem of having to distribute your private key to every machine you use. Unfortunately, that problem is replaced with the hardware need to have a smart card reader on every machine you want to use your smart card. This can get to be quite expensive. There are many interesting ideas for easily getting card readers into machines. Products that use disk drives, PCMCIA slots, keyboard connectors, and USB connections are all available. If smart card readers ever become standard, this will be a very convenient method of authenticating your identity.