How do PKI systems work and are there any potential user problems we should be aware of?


PKI (public key infrastructure) is a system for storing and maintaining encryption keys. It supposedly solves the eternal problem in encryption of keeping keys secure while in transit over a network. A secure key exchange keeps secret keys out of the hands of malicious users who might be sniffing around a network. PKI systems are both complex and costly. They handle everything from key and certificate creation and storage to maintenance, distribution and, eventually, revocation. As a result, they require a tremendous amount of energy to plan, install and deploy, let alone keep maintained. They also require their own dedicated hardware and servers to be truly effective. So, the bulk of the aggravation in PKI is during implementation -- the burden being more on your staff than on your users.

The essence of PKI is that it's a repository for public keys, the open half of asymmetric encryption. Asymmetric encryption consists of two keys, a private key and a public key. The two keys are mathematically related, but can't be derived from each other. The private key is held only by the user, while the public key is available to anyone who wants to encrypt a message for the user. The user then decrypts the message with their private key. The PKI system also stores digital certificates used to verify the authenticity of public keys.
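The flow described above, as an added example that is not part of the original article: a CA signs the binding between a name and a public key, a sender checks that certificate before encrypting, and only the private key holder can decrypt. The party names, keys and function names are constructed for illustration, and the unpadded textbook RSA on small fixed primes is a simplification chosen so the example runs with the standard library alone.

```python
import hashlib

# Textbook RSA on fixed Mersenne primes: illustration only (no padding, toy key sizes).
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))          # (public key, private key)

def _signed_body(subject, public, n):
    # Hash of "name + public key", reduced so it fits under the CA modulus.
    body = f"{subject}|{public[0]}|{public[1]}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def issue_cert(ca_private, subject, public):
    """CA binds a subject name to a public key by signing both with its private key."""
    n, d = ca_private
    return {"subject": subject, "public": public,
            "sig": pow(_signed_body(subject, public, n), d, n)}

def verify_cert(ca_public, cert):
    """Anyone holding the CA public key can check the binding."""
    n, e = ca_public
    return pow(cert["sig"], e, n) == _signed_body(cert["subject"], cert["public"], n)

def encrypt_for(ca_public, cert, expected_subject, message: bytes):
    """Encrypt only after the certificate proves whose public key this is."""
    if cert["subject"] != expected_subject or not verify_cert(ca_public, cert):
        raise ValueError("certificate rejected: public key not vouched for by the CA")
    n, e = cert["public"]
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)

def decrypt(private, ciphertext):
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

# Constructed sample parties (names and keys are made up for this example).
CA_PUB, CA_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
ALICE_PUB, ALICE_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
MALLORY_PUB, _ = make_keypair(2**31 - 1, 2**61 - 1)
ALICE_CERT = issue_cert(CA_PRIV, "alice@example.com", ALICE_PUB)
# Same certificate with the key swapped in transit; the CA signature no longer matches.
FORGED_CERT = dict(ALICE_CERT, public=MALLORY_PUB)

if __name__ == "__main__":
    c = encrypt_for(CA_PUB, ALICE_CERT, "alice@example.com", b"meet at noon")
    print(decrypt(ALICE_PRIV, c), verify_cert(CA_PUB, FORGED_CERT))
```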

The biggest hurdle for users is getting used to the complexities of using PKI. Today, a simple e-mail message needs extra steps to encrypt. Users should receive security awareness training to explain the reason for additional security measures.

PKIs can be used in conjunction with other hardware authentication devices, like smart cards. These systems are harder to use than simple user IDs and passwords and require extensive user education, training and acceptance.

Teaching users to protect the private key is also necessary. Private keys may be stored on the user's desktop, workstation or laptop and, if they are not secure, they are vulnerable to theft, like any other client-side credential. Users also need to be educated in proper information security procedures, such as protecting their laptops from theft while on the road, using strong passwords to log on to their systems and keeping malware off their desktops. If they don't understand, or think it's not worthwhile, they won't buy into it or use it.

This was first published in March 2006