#REDIRECT Public key infrastructure
In cryptography, a public key infrastructure (PKI) is an arrangement which provides for trusted third party vetting of, and vouching for, user identities. It also allows binding of public keys to users. This is usually carried by software at a central location together with other coordinated software at distributed locations. The public keys are typically in public key certificate. The term is used to mean both the certificate authority and related arrangements as well as, more broadly and somewhat confusingly, to mean use of public key algorithms in electronic communications. The later sense is erroneous since PKI methods are not required to use public key algorithms. ==Purpose and function== PKI arrangements enable users to be authentication to each other, and to use the information in public key certificates (i.e., each other's public keys) to encrypt and decrypt messages travelling to and fro. In general, a PKI consists of client software, server software such as a certificate authority, hardware (e.g., smart cards) and operational procedures. A user may digital signature messages using his private key, and another user can check that signature (using the public key contained in that user's certificate issued by a certificate authority within the PKI). This enables two (or more) communicating parties to establish confidentiality, message integrity and user authentication without having to exchange any secret information in advance. ==Typical use== Most enterprise scale PKI systems rely on certificate chains to establish a party's identity, as a certificate may have been issued by a certificate authority computer whose 'legitimacy' is established for such purposes by a certificate issued by a higher-level certificate authority, and so on. This produces a certificate hierarchy composed of, at a minimum, several computers, often more than one organization, and often assorted interoperating software packages from several sources. Standards are critical to PKI operation, and public standards are critical to PKIs intended for extensive operation. Much of the standardization in this area is done by the IETF PKIX workgroup. Enterprise PKI systems are often closely tied to an enterprise's directory scheme, in which each employee's public key is often stored (embedded in a certificate), together with other personal details (phone number, email address, location, department, ...). Today's leading directory technology is LDAP and in fact, the most common certificate format (X.509) stems from its use in LDAP's predecessor, the X.500 directory schema. ==Alternatives== ===Web Of Trust=== An alternative approach to the problem of authentication of public key information across time and space is the web of trust scheme, which uses self-signed public key certificate and third party attestations of those certificates. Examples implementations of this approach are GPG (The GNU Privacy Guard), and PGP (Pretty Good Privacy). Because of PGP's (and clones') extensive use in email, the Web of Trust originally implemented by PGP is the most widely deployed bidirectional PKI extant at this writing (2004). ===Simple Public Key Infrastructure=== An even newer and rapidly growing alternative is the simple public key infrastructure (SPKI) that grew out of 3 independent efforts to overcome the complexities of X.509 and the anarchy of PGP's web of trust. SPKI binds people/systems directly to keys using a local trust model, similar to PGPs web of trust, with the addition of authorisation integral to its design. ===Robot Certification Authorities=== Robot certificate authoritys are unattended programs that automatically validate certain aspects of a public key's validity and sign it to attest that those aspects are valid. They can eliminate or greatly reduce certain types of attacks in public key systems, particularly those that involve an attacker temporarily diverting all network traffic from a legitimate site. Aspects typically validates include (a) that the key is published with the knowledge of the holder of the email address it purports to be for (b) that holder of the email address is in possession of the secret key corresponding to the public key and (b) the currency of use of the key. ==History== The public disclosure of both secure key exchange and asymmetric key algorithms in 1976 by Whitfield Diffie, Martin Hellman, and Ron Rivest, Adi Shamir, and Leonard Adleman changed secure communications entirely. With the further development of high speed digital electronic communications (the Internet and its predecessors), a need became evident for ways in which users could securely communicate with each other, and as a further consequence of that, for ways in which users could be sure with whom they were actually interacting. The idea of cryptographically protected certificates binding user identities to public keys was eagerly developed. Assorted cryptographic engineering were invented and analyzed within which the new cryptographic primitives could be effectively used. With the invention of the World Wide Web and its rapid spread, the need for authentication and secure communication became still more acute. Commercial reasons alone (e.g., e-commerce, on-line access to proprietary databases from Web browsers, etc.) were sufficient. Taher ElGamal and others at Netscape Communications Corporation developed the Transport_Layer_Security protocol ('https' in Web URLs); it included key establishment, server authentication (prior to v3, one-way only), and so on. A PKI structure was thus created for Web users/sites wishing secure (or more secure) communications. Vendors and entrepreneurs saw the possibility of a large market, started companies (or new projects at existing companies), and began to agitate for legal recognition and protection from liability. An American Bar Association technology project published an extensive analysis of some of the foreseeable legal aspects of PKI operations (see ABA digital signature guidelines), and shortly thereafter, several US states (Utah being the first in 1995) and other jurisdictions throughout the world, began to enact laws and adopt regulations. Consumer groups and others raised questions of privacy, access, and liability considerations which were more taken into consideration in some jurisdictions than in others. The enacted laws and regulations differed, there were technical and operational problems in converting PKI schemes into successful commercial operation, and progress has been far slower than pioneers had imagined it would be. By the first few years of the 21st century, it had become clear that the underlying cryptographic engineering was not easy to deploy correctly, that operating procedures (manual or automatic) were not easy to correctly design (nor even if so designed, to execute ''perfectly'', which the engineering required), and that such standards as existed were in some respects inadequate to the purposes to which they were being put. PKI vendors have found a market, but it is not quite the market envisioned in the mid-90s, and it has grown both more slowly and in somewhat different ways than were anticipated. PKIs have not solved some of the problems they were expected to, and several major vendors have gone out of business or been acquired by others. ==Usage examples== PKIs of one type or another, and from any of several vendors, have many uses, including, providing public keys and bindings to user identities which are used for: * Encryption and/or sender authentication of Email messages, (e.g., using OpenPGP or S/MIME). * Encryption and/or authentication of documents, (e.g., the XML Signature [http://www.w3.org/TR/xmldsig-core/ *] or XML Encryption [http://www.w3.org/TR/xmlenc-core/ *] standards if documents are encoded as XML). * Authentication of users to applications, (e.g., smart card logon, client authentication with Secure Sockets Layer). * Bootstrapping secure communication protocols, such as Internet key exchange and Secure Sockets Layer. In both of these, initial set-up of a secure channel (a "security association") uses asymmetric key (a.k.a. public key) methods, whereas actual communication uses faster secret key (a.k.a. symmetric key) methods. == A few PKI implementations == Some leading certificate authorities, e.g. VeriSign, are not listed, since their software is not available to others. * Computer Associates eTrust PKI * Entrust * Microsoft * [http://enterprise.netscape.com/products/identsvcs/certmgmt.html Netscape CMS] * [http://www.openca.org OpenCA] (an Open Source movement publicly available PKI scheme including server software) * RSA Security * [http://phpki.sourceforge.net phpki] * [https://open.datacore.ch/DCwiki.open/Wiki.jsp?page=GenCerti GenCerti] * [http://ejbca.sourceforge.net/ ejbca] * [http://www.newpki.org/ newpki] * [http://papyrus.gatech.edu/ Papyrus CA Software] * [http://www.pyca.de/ pyCA] * [http://idx-pki.idealx.org IDX-PKI] * [http://www.europepki.org EuropePKI (not available)] * [http://tinyca.sm-zone.net/ TinyCA] * [http://elyca.eurodev.net/ ElyCA] * [http://www.vpnc.org/SimpleCA/ SimpleCA] * [http://www.seguridata.com SeguriData] ==See also== * Public key cryptography * Key authentication * Certificate revocation list == External links == *[http://www.cs.auckland.ac.nz/~pgut001/pubs/pkitutorial.pdf PKI tutorial] by Peter Gutmann *[http://www.ietf.org/html.charters/pkix-charter.html PKIX workgroup] *http://www.pk3i.com/ *http://www.newpki.org/ A detailed explanation of PKI Privacy, Authentication, Integrity and Non-repudiation (PAIN) can be found at: [http://www-106.ibm.com/developerworks/library/s-pain.html PAIN] *[http://www.conclusive.com/index.jsp Conclusive Logic] (A standards based "website security infrastructure".) *[http://www.betrusted.com Betrusted] (acquired the Baltimore UniCERT product in early 2004) *[http://csrc.nist.gov/pki/ NIST PKI Program], in which the National Institute of Standards and Technology (NIST) is attempting to develop a public key infrastructure *http://www.mozilla.org/projects/security/pki - Open Source PKI Projects *[http://www.pkiforum.com PKI Public Key Infrastructure news, information and education from the PKI Forum (pkiforum.com)] Robot Certification Authorities: *[http://www.cacert.org/ CACert Inc.] *[https://box.cardboard.net/crypto/robotca cardboard.net llc] *[http://www.imperialviolet.org/keyverify.html Imperial Violet (Adam Langley)] *[https://jameshoward.us/Robot_Certificate_Authority JamesHoward.us] *[http://www.toehold.com/robotca/ Toehold (Kyle Hasselbacher)] Cryptography
It occurs to me that some vendor references might be pertinent, i.e., PKI Innovations Inc. (http://www.pk3i.com). --- Matt, The use of computing that you cut was the result of some cogitation. I was trying to make clear in the wording that there are multiple uses, not merely in overt crypto or overt computer security. PKIs are hidden from view in many contexts and not all of them are either. For instance, copyright protection is commercial and would use squirrels if there were any prospect of it working. That it uses (or misuses, misapplies, goofs badly, ...) crypto, and claims to be a computer security issue is another thing altogether. The point was worth making, though perhaps it was made too covertly. Have you a suggestion? User:Ww 19:50, 14 Jul 2004 (UTC) : The real purpose of putting "In field F, ..." at the start of articles is to provide the reader with some context about what general domain he's reading about. If the clause is too wordy, then I think it lessens the usefulness. User:Matt Crypto 20:04, 14 Jul 2004 (UTC)
See other meanings of words starting from letter:
Words begining with Public_key_infrastructure:
Public_Key_Infrastructure
Public_key_infrastructure
Public_key_infrastructure
Public_key_infrastructure/to_do
Public Key Infrastructure
#REDIRECT Public key infrastructure
Public key infrastructure
In cryptography, a public key infrastructure (PKI) is an arrangement which provides for trusted third party vetting of, and vouching for, user identities. It also allows binding of public keys to users. This is usually carried by software at a central location together with other coordinated software at distributed locations. The public keys are typically in public key certificate. The term is used to mean both the certificate authority and related arrangements as well as, more broadly and somewhat confusingly, to mean use of public key algorithms in electronic communications. The later sense is erroneous since PKI methods are not required to use public key algorithms. ==Purpose and function== PKI arrangements enable users to be authentication to each other, and to use the information in public key certificates (i.e., each other's public keys) to encrypt and decrypt messages travelling to and fro. In general, a PKI consists of client software, server software such as a certificate authority, hardware (e.g., smart cards) and operational procedures. A user may digital signature messages using his private key, and another user can check that signature (using the public key contained in that user's certificate issued by a certificate authority within the PKI). This enables two (or more) communicating parties to establish confidentiality, message integrity and user authentication without having to exchange any secret information in advance. ==Typical use== Most enterprise scale PKI systems rely on certificate chains to establish a party's identity, as a certificate may have been issued by a certificate authority computer whose 'legitimacy' is established for such purposes by a certificate issued by a higher-level certificate authority, and so on. This produces a certificate hierarchy composed of, at a minimum, several computers, often more than one organization, and often assorted interoperating software packages from several sources. Standards are critical to PKI operation, and public standards are critical to PKIs intended for extensive operation. Much of the standardization in this area is done by the IETF PKIX workgroup. Enterprise PKI systems are often closely tied to an enterprise's directory scheme, in which each employee's public key is often stored (embedded in a certificate), together with other personal details (phone number, email address, location, department, ...). Today's leading directory technology is LDAP and in fact, the most common certificate format (X.509) stems from its use in LDAP's predecessor, the X.500 directory schema. ==Alternatives== ===Web Of Trust=== An alternative approach to the problem of authentication of public key information across time and space is the web of trust scheme, which uses self-signed public key certificate and third party attestations of those certificates. Examples implementations of this approach are GPG (The GNU Privacy Guard), and PGP (Pretty Good Privacy). Because of PGP's (and clones') extensive use in email, the Web of Trust originally implemented by PGP is the most widely deployed bidirectional PKI extant at this writing (2004). ===Simple Public Key Infrastructure=== An even newer and rapidly growing alternative is the simple public key infrastructure (SPKI) that grew out of 3 independent efforts to overcome the complexities of X.509 and the anarchy of PGP's web of trust. SPKI binds people/systems directly to keys using a local trust model, similar to PGPs web of trust, with the addition of authorisation integral to its design. ===Robot Certification Authorities=== Robot certificate authoritys are unattended programs that automatically validate certain aspects of a public key's validity and sign it to attest that those aspects are valid. They can eliminate or greatly reduce certain types of attacks in public key systems, particularly those that involve an attacker temporarily diverting all network traffic from a legitimate site. Aspects typically validates include (a) that the key is published with the knowledge of the holder of the email address it purports to be for (b) that holder of the email address is in possession of the secret key corresponding to the public key and (b) the currency of use of the key. ==History== The public disclosure of both secure key exchange and asymmetric key algorithms in 1976 by Whitfield Diffie, Martin Hellman, and Ron Rivest, Adi Shamir, and Leonard Adleman changed secure communications entirely. With the further development of high speed digital electronic communications (the Internet and its predecessors), a need became evident for ways in which users could securely communicate with each other, and as a further consequence of that, for ways in which users could be sure with whom they were actually interacting. The idea of cryptographically protected certificates binding user identities to public keys was eagerly developed. Assorted cryptographic engineering were invented and analyzed within which the new cryptographic primitives could be effectively used. With the invention of the World Wide Web and its rapid spread, the need for authentication and secure communication became still more acute. Commercial reasons alone (e.g., e-commerce, on-line access to proprietary databases from Web browsers, etc.) were sufficient. Taher ElGamal and others at Netscape Communications Corporation developed the Transport_Layer_Security protocol ('https' in Web URLs); it included key establishment, server authentication (prior to v3, one-way only), and so on. A PKI structure was thus created for Web users/sites wishing secure (or more secure) communications. Vendors and entrepreneurs saw the possibility of a large market, started companies (or new projects at existing companies), and began to agitate for legal recognition and protection from liability. An American Bar Association technology project published an extensive analysis of some of the foreseeable legal aspects of PKI operations (see ABA digital signature guidelines), and shortly thereafter, several US states (Utah being the first in 1995) and other jurisdictions throughout the world, began to enact laws and adopt regulations. Consumer groups and others raised questions of privacy, access, and liability considerations which were more taken into consideration in some jurisdictions than in others. The enacted laws and regulations differed, there were technical and operational problems in converting PKI schemes into successful commercial operation, and progress has been far slower than pioneers had imagined it would be. By the first few years of the 21st century, it had become clear that the underlying cryptographic engineering was not easy to deploy correctly, that operating procedures (manual or automatic) were not easy to correctly design (nor even if so designed, to execute ''perfectly'', which the engineering required), and that such standards as existed were in some respects inadequate to the purposes to which they were being put. PKI vendors have found a market, but it is not quite the market envisioned in the mid-90s, and it has grown both more slowly and in somewhat different ways than were anticipated. PKIs have not solved some of the problems they were expected to, and several major vendors have gone out of business or been acquired by others. ==Usage examples== PKIs of one type or another, and from any of several vendors, have many uses, including, providing public keys and bindings to user identities which are used for: * Encryption and/or sender authentication of Email messages, (e.g., using OpenPGP or S/MIME). * Encryption and/or authentication of documents, (e.g., the XML Signature [http://www.w3.org/TR/xmldsig-core/ *] or XML Encryption [http://www.w3.org/TR/xmlenc-core/ *] standards if documents are encoded as XML). * Authentication of users to applications, (e.g., smart card logon, client authentication with Secure Sockets Layer). * Bootstrapping secure communication protocols, such as Internet key exchange and Secure Sockets Layer. In both of these, initial set-up of a secure channel (a "security association") uses asymmetric key (a.k.a. public key) methods, whereas actual communication uses faster secret key (a.k.a. symmetric key) methods. == A few PKI implementations == Some leading certificate authorities, e.g. VeriSign, are not listed, since their software is not available to others. * Computer Associates eTrust PKI * Entrust * Microsoft * [http://enterprise.netscape.com/products/identsvcs/certmgmt.html Netscape CMS] * [http://www.openca.org OpenCA] (an Open Source movement publicly available PKI scheme including server software) * RSA Security * [http://phpki.sourceforge.net phpki] * [https://open.datacore.ch/DCwiki.open/Wiki.jsp?page=GenCerti GenCerti] * [http://ejbca.sourceforge.net/ ejbca] * [http://www.newpki.org/ newpki] * [http://papyrus.gatech.edu/ Papyrus CA Software] * [http://www.pyca.de/ pyCA] * [http://idx-pki.idealx.org IDX-PKI] * [http://www.europepki.org EuropePKI (not available)] * [http://tinyca.sm-zone.net/ TinyCA] * [http://elyca.eurodev.net/ ElyCA] * [http://www.vpnc.org/SimpleCA/ SimpleCA] * [http://www.seguridata.com SeguriData] ==See also== * Public key cryptography * Key authentication * Certificate revocation list == External links == *[http://www.cs.auckland.ac.nz/~pgut001/pubs/pkitutorial.pdf PKI tutorial] by Peter Gutmann *[http://www.ietf.org/html.charters/pkix-charter.html PKIX workgroup] *http://www.pk3i.com/ *http://www.newpki.org/ A detailed explanation of PKI Privacy, Authentication, Integrity and Non-repudiation (PAIN) can be found at: [http://www-106.ibm.com/developerworks/library/s-pain.html PAIN] *[http://www.conclusive.com/index.jsp Conclusive Logic] (A standards based "website security infrastructure".) *[http://www.betrusted.com Betrusted] (acquired the Baltimore UniCERT product in early 2004) *[http://csrc.nist.gov/pki/ NIST PKI Program], in which the National Institute of Standards and Technology (NIST) is attempting to develop a public key infrastructure *http://www.mozilla.org/projects/security/pki - Open Source PKI Projects *[http://www.pkiforum.com PKI Public Key Infrastructure news, information and education from the PKI Forum (pkiforum.com)] Robot Certification Authorities: *[http://www.cacert.org/ CACert Inc.] *[https://box.cardboard.net/crypto/robotca cardboard.net llc] *[http://www.imperialviolet.org/keyverify.html Imperial Violet (Adam Langley)] *[https://jameshoward.us/Robot_Certificate_Authority JamesHoward.us] *[http://www.toehold.com/robotca/ Toehold (Kyle Hasselbacher)] Cryptography
Public key infrastructure
It occurs to me that some vendor references might be pertinent, i.e., PKI Innovations Inc. (http://www.pk3i.com). --- Matt, The use of computing that you cut was the result of some cogitation. I was trying to make clear in the wording that there are multiple uses, not merely in overt crypto or overt computer security. PKIs are hidden from view in many contexts and not all of them are either. For instance, copyright protection is commercial and would use squirrels if there were any prospect of it working. That it uses (or misuses, misapplies, goofs badly, ...) crypto, and claims to be a computer security issue is another thing altogether. The point was worth making, though perhaps it was made too covertly. Have you a suggestion? User:Ww 19:50, 14 Jul 2004 (UTC) : The real purpose of putting "In field F, ..." at the start of articles is to provide the reader with some context about what general domain he's reading about. If the clause is too wordy, then I think it lessens the usefulness. User:Matt Crypto 20:04, 14 Jul 2004 (UTC)
See other meanings of words starting from letter:
P
PA | PB | PC | PD | PE | PF | PG | PH | PI | PJ | PK | PL | PM | PN | PO | PR | PS | PT | PU | PW | PX | PY | PZ |Words begining with Public_key_infrastructure:
Public_Key_Infrastructure
Public_key_infrastructure
Public_key_infrastructure
Public_key_infrastructure/to_do
These materials are based on Wikipedia and licensed under the GNU FDL
YouTube.com videos better site than Turbo Tax 2007
