Public Key Infrastructure Case Study
Fundamentals of PKI
A public key infrastructure (PKI) establishes and maintains a trustworthy networking environment by providing key and certificate management services that enable encryption and digital signatures for many applications. These services are provided in a way that is transparent and usable. In the electronic bidding system, user authentication employs password-based PKI technology. With password-based PKI, the private key is protected by a password, which is easier for the user to remember, but this introduces the further problem of password exposure. Fingerprint information can be used instead; user authentication is then stronger than with the existing authentication technologies. Accordingly, the fingerprint information and the certificate can be stored in a fingerprint security token (Park et al., 2012).
At present, public key infrastructure is used for the exchange of public keys, as defined by the International Telecommunication Union (ITU-T) standard X.509. A user or node publishes its public key on a key server of some kind, from which other peers can download it; encrypted and signed messages can then be exchanged. This requires every participating node to trust the key server within the PKI. The certificate revocation list (CRL) is used to record invalid keys and certificates (Hanka et al., 2011).
Ways in which PKI features and functions could benefit the organization and its information security department
The features and functions of PKI can benefit an organization's information security department in a number of ways. PKI ensures that information transmitted by the organization is protected as far as possible through confidentiality, integrity, authenticity and non-repudiation. If PKI is integrated into the mapping system of the HiiMap architecture, it offers the benefit of sharing resources between functionalities; as a result, maintenance can be kept significantly lower than when operating separate services (Hanka et al., 2011). In addition, careful design and efficient management of a public key infrastructure, together with complementary techniques for PKI, can be used to achieve security and privacy preservation (Wasef, 2011).
Ways in which PKI could assist in signing the company's software
Public key infrastructure (PKI) can support code signing, where an authority (the developer of an application or the operating system vendor) digitally signs an application so that the signature can be verified later. The verification confirms that the application has not been tampered with and that it comes from the intended author. The customer will then trust that the software is authentic when the software ensures the confidentiality and integrity of data and the availability of information. Confidentiality means that the software prevents disclosure to unauthorized persons. Integrity is the ability of the software to preserve information accurately and to validate its source, while availability means that the information is accessible when it is needed. If the software meets all these security criteria, the customer will know that it is authentic (Barrera & Van Oorschot, 2011).
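The two mechanisms described above (the X.509 certificate chain and the CRL in the Fundamentals section, and the code-signing verification in this section) are easiest to understand end to end in code. The following Go program is an added example, not code from the case study or from any of the cited works. It builds a constructed in-house root CA, has it issue a certificate restricted to the code-signing extended key usage, signs a constructed "release" blob, and then performs the customer-side check in one function: chain validation against the trusted root, CA-signed CRL consultation, and signature verification over the release bytes. All names (Example Corp, serial 1001, the release bytes) are hypothetical; only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed stand-in for a software release that the company would ship.
var sampleRelease = []byte("example-app v1.0 build 42 (constructed sample)")

// newCert generates a fresh P-256 key and issues a certificate for it from
// parent/parentKey; a nil parent produces a self-signed certificate.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signKey := parentKey
	if parent == nil {
		parent, signKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewRootCA builds a self-signed in-house root CA (hypothetical name) that is
// allowed to sign certificates and CRLs.
func NewRootCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	now := time.Now()
	return newCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp In-House Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// NewCodeSigningCert has the root CA issue an end-entity certificate whose
// extended key usage is limited to code signing.
func NewCodeSigningCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	now := time.Now()
	return newCert(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "Example Corp Release Signing"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, ca, caKey)
}

// SignRelease hashes the release and signs the digest with the publisher's key.
func SignRelease(key *ecdsa.PrivateKey, release []byte) ([]byte, error) {
	digest := sha256.Sum256(release)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// NewCRL issues a CA-signed revocation list naming the given serial numbers.
// RevokedCertificates is the field present across Go versions (1.21+ also
// exposes RevokedCertificateEntries).
func NewCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...int64) (*x509.RevocationList, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// VerifyRelease is the customer-side check: the signer must chain to the
// trusted root with the code-signing usage, must not appear on the CA's CRL,
// and its signature must match the release bytes exactly.
func VerifyRelease(root, signer *x509.Certificate, crl *x509.RevocationList, release, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("crl signature: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(signer.SerialNumber) == 0 {
			return errors.New("signing certificate is revoked")
		}
	}
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected signer key type")
	}
	digest := sha256.Sum256(release)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match release bytes")
	}
	return nil
}

func main() {
	ca, caKey, _ := NewRootCA()
	signer, signerKey, _ := NewCodeSigningCert(ca, caKey, 1001)
	sig, _ := SignRelease(signerKey, sampleRelease)
	emptyCRL, _ := NewCRL(ca, caKey)
	fmt.Println("genuine release:", VerifyRelease(ca, signer, emptyCRL, sampleRelease, sig))
	tampered := append([]byte(nil), sampleRelease...)
	tampered[0] ^= 1 // flip one bit, as a tampering attempt would
	fmt.Println("tampered release:", VerifyRelease(ca, signer, emptyCRL, tampered, sig))
	revokedCRL, _ := NewCRL(ca, caKey, 1001)
	fmt.Println("after revocation:", VerifyRelease(ca, signer, revokedCRL, sampleRelease, sig))
}
```

The order of checks in VerifyRelease matters: a valid signature from a key whose certificate is revoked, or that does not chain to a root the customer trusts, must be rejected before the bytes are even compared, which is why the chain and CRL checks come first. Replacing the in-house root with a publicly trusted CA's root changes only what is placed in the certificate pool, not the verification logic.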
Comparison between public and in-house Certificate Authorities
An in-house certification authority certifies private keys, while a public certificate authority certifies or authenticates public keys. The public certification authority is also responsible for generating the required certificates when registering the physical infrastructure servers, virtual servers, environment users and network devices within the cloud. That is, the public certification authority sets up suitably strong credentials for every physical or virtual entity in the cloud by building a security domain with defined boundaries around the set of cloud entities. A public certification authority also acts as a trust center for the global web environment, whereas an in-house certification authority can use digital certificates to sign software developed internally by the company in order to demonstrate the software's authenticity to the customer. Nevertheless, both public and in-house certification authorities use a special container (the certificate) to store the keys (Hanka et al., 2011; Agrawal, 2012).
One disadvantage of an in-house certification authority is therefore that it can only be used to authenticate software developed by a specific company, that is, privately. A public certification authority has the advantage that it can authenticate or certify a range of software used by several companies. However, software authenticated by a public certification authority cannot be customized by the customer that buys it. On the other hand, if a company develops and certifies its own software, it has full control over that software and can decide to customize it at will.
I would recommend that the organization use a public certification authority. The rationale is to permit both public and private keys to be used for information transmission in order to achieve secure transmission of information. The public key will be used for encryption while the private key is used for decryption. The organization also uses Microsoft Server 2012 Active Directory and other Microsoft products, which are not in-house software. Therefore, using a public certification authority will be more beneficial in ensuring that other internationally certified software can be used by the organization. Considering BYOD, it would also be difficult and costly for the organization to certify all employee-owned computers and devices, which run various software and operating systems, if an in-house certification authority were used. The cost of certification and/or authentication is thus transferred to the individual employees. In addition, e-mail systems and web browsers can easily be used by the organization to verify the legitimacy of keys from these certificate authorities (Agrawal, 2012).
References
Agrawal, M. (2012). Nation Technologies. Journal of Information Technology Education: Discussion Cases, 1(1), 1-19.
Barrera, D., & Van Oorschot, P. (2011). Secure software installation on smartphones. IEEE Security & Privacy, 9(3), 42-48.
Hanka, O., Eichhorn, M., Pfannenstein, M., Eberspächer, J., & Steinbach, E. (2011). A distributed public key infrastructure based on threshold cryptography for the HiiMap next generation Internet architecture. Future Internet, 3(1), 14-30.
Park, S. A., Oh, Y. C., Kim, Y. H., Lim, I. K., & Lee, J. K. (2012). Public Key Infrastructure of Using the Fingerprint Information in Electronic Bidding System. In Future Information Technology, Application, and Service (pp. 467-476). Springer Netherlands.
Wasef, A. (2011). Managing and Complementing PKI for Securing Vehicular Ad Hoc Networks: Comprehensive Public Key Infrastructure (PKI) Security Schemes for Vehicular Ad Hoc Networks (VANETs).