The term Public Key Infrastructure (PKI) is often
loosely thrown around, but is not often thoroughly explained. PKI, in a
nutshell, is the collection of digital certificates, registration
authorities, and certificate authorities that verify the validity of
each participant in an encrypted network. In effect, PKI is a concept
that defines the mechanisms that ensure that a user
who is communicating with another user or computer on a network is who
he or she claims to be. PKI implementations are widespread and are becoming a
critical component of modern network implementations. Windows Server
2008 R2 fully supports the deployment of multiple PKI configurations, as
described in the following sections.
PKI deployments can range
from simple to complex, with some PKI implementations utilizing an array
of smart cards and certificates to verify the identity of all users
with a great degree of certainty. Understanding the capabilities of PKI
and choosing the proper deployment for an organization are therefore a
must.
Defining Private Key versus Public Key Encryption
Encryption techniques can
primarily be classified as either symmetrical or asymmetrical.
Symmetrical encryption requires that each party in an encryption scheme
hold a copy of a private key, which is used to encrypt and decrypt
information sent between the two parties. The problem with private key
encryption is that the private key must somehow be transmitted to the
other party without it being intercepted and used to decrypt the
information.
Public key, or
asymmetrical, encryption uses a combination of two keys, which are
mathematically related to each other. The first key, the private key, is
kept closely guarded and is used to encrypt the information. The second
key, the public key, can be used to decrypt the information. The
integrity of the public key is ensured through certificates, which will
be explained in depth in the following sections of this article. The
asymmetric approach to encryption ensures that the private key does not
fall into the wrong hands and only the intended recipient will be able
to decrypt the data.
Exploring Digital Certificates
A certificate is essentially a digital document that is issued by a
trusted central authority and is used by the authority to validate a
user’s identity. Central, trusted authorities such as VeriSign are
widely used on the Internet to ensure that software from Microsoft, for
example, is really from Microsoft, and not a virus in disguise.
Certificates are used for multiple functions, such as the following:
Certificates are built from the subject’s public key, along with
identifying information, such as name, email address, and so on, and
are digitally signed by the certificate issuer, known as the
Certificate Authority (CA).
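The certificate structure described above, as an added Go example that is not part of the original article: a CA binds a subject's name and email address to the subject's public key and signs the result, and a relying party accepts the certificate only if that signature verifies under the CA's public key. The `issue` and `trusted` helpers, the names and addresses, and the choice of Ed25519 keys are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue binds name and email to a fresh public key in a certificate. A nil parent yields
// a self-signed CA; otherwise parentKey signs it. Panics on error (constructed example).
func issue(name, email string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		EmailAddresses: []string{email}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // root CA: signs its own certificate with its own private key
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// trusted reports whether cert's issuer signature verifies under ca's public key.
func trusted(cert, ca *x509.Certificate) bool {
	return cert.CheckSignatureFrom(ca) == nil
}

func main() {
	ca, caKey := issue("Example Root CA", "ca@example.test", nil, nil)
	other, _ := issue("Example Root CA", "ca@example.test", nil, nil) // same name, different key
	user, _ := issue("Alice Example", "alice@example.test", ca, caKey)
	fmt.Println(user.Subject.CommonName, "trusted via issuing CA:", trusted(user, ca), "| via same-named CA:", trusted(user, other))
}
```

A CA that merely shares the issuer's name fails the check, because trust rests on the signature made with the CA's private key, not on the name printed in the certificate.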