Public Key Infrastructure Overview By Joel Weise - SunPSSM Global Security Practice Sun BluePrints™ OnLine - August 2001 http://www.sun.com/blueprints Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA 94303 USA 650 960-1300 fax 650 969-9131 Part No.: 816-1279-10 Revision 01, August 2001 Copyright 1999 Sun Microsystems, Inc. 901 San Antonio Road, Palo Alto, California 94303 U.S.A. All rights reserved. This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this product or document may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any. Third-party software, including font technology, is copyrighted and licensed from Sun suppliers. Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and other countries, exclusively licensed through X/Open Company, Ltd. Sun, Sun Microsystems, the Sun logo, Sun BluePrints OnLine, SunPS, and Solaris are trademarks, registered trademarks, or service marks of Sun Microsystems, Inc. in the U.S. and other countries. The OPEN LOOK and Sun™ Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun’s licensees who implement OPEN LOOK GUIs and otherwise comply with Sun’s written license agreements. RESTRICTED RIGHTS: Use, duplication, or disclosure by the U.S. Government is subject to restrictions of FAR 52.227-14(g)(2)(6/87) and FAR 52.227-19(6/87), or DFAR 252.227-7015(b)(6/95) and DFAR 227.7202-3(a). DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON- INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. Copyright 1999 Sun Microsystems, Inc., 901 San Antonio Road, Palo Alto, Californie 94303 Etats-Unis. Tous droits réservés. Ce produit ou document est protégé par un copyright et distribué avec des licences qui en restreignent l’utilisation, la copie, la distribution, et la décompilation. Aucune partie de ce produit ou document ne peut être reproduite sous aucune forme, par quelque moyen que ce soit, sans l’autorisation préalable et écrite de Sun et de ses bailleurs de licence, s’il y en a. Le logiciel détenu par des tiers, et qui comprend la technologie relative aux polices de caractères, est protégé par un copyright et licencié par des fournisseurs de Sun. Des parties de ce produit pourront être dérivées des systèmes Berkeley BSD licenciés par l’Université de Californie. UNIX est une marque déposée aux Etats-Unis et dans d’autres pays et licenciée exclusivement par X/Open Company, Ltd. Sun, Sun Microsystems, le logo Sun, Sun BluePrints OnLine, SunPS, et Solaris sont des marques de fabrique ou des marques déposées, ou marques de service, de Sun Microsystems, Inc. aux Etats-Unis et dans d’autres pays. L’interface d’utilisation graphique OPEN LOOK et Sun™ a été développée par Sun Microsystems, Inc. pour ses utilisateurs et licenciés. Sun reconnaît les efforts de pionniers de Xerox pour la recherche et le développement du concept des interfaces d’utilisation visuelle ou graphique pour l’industrie de l’informatique. Sun détient une licence non exclusive de Xerox sur l’interface d’utilisation graphique Xerox, cette licence couvrant également les licenciés de Sun qui mettent en place l’interface d’utilisation graphique OPEN LOOK et qui en outre se conforment aux licences écrites de Sun. CETTE PUBLICATION EST FOURNIE "EN L’ETAT" ET AUCUNE GARANTIE, EXPRESSE OU IMPLICITE, N’EST ACCORDEE, Y COMPRIS DES GARANTIES CONCERNANT LA VALEUR MARCHANDE, L’APTITUDE DE LA PUBLICATION A REPONDRE A UNE UTILISATION PARTICULIERE, OU LE FAIT QU’ELLE NE SOIT PAS CONTREFAISANTE DE PRODUIT DE TIERS. CE DENI DE GARANTIE NE S’APPLIQUERAIT PAS, DANS LA MESURE OU IL SERAIT TENU JURIDIQUEMENT NUL ET NON AVENU. Please Recycle Public Key Infrastructure Overview Complex business systems, e-commerce and automated business transactions require robust and rigorous security measures. Companies using the Internet environment as a platform to conduct business have a better probability of success if they accommodate the needs of security-conscious clientele. Today’s Internet clientele demand stringent security protocols to protect their interests, privacy, communication, value exchange, and information assets. This article demonstrates how public key cryptography supports these risk management requirements and solves e-commerce security problems in heterogeneous network environments. Public key cryptography supports security mechanisms such as confidentiality, integrity, authentication, and non-repudiation. However, to successfully implement these security mechanisms, you must carefully plan an infrastructure to manage them. A public key infrastructure (PKI) is a foundation on which other applications, system, and network security components are built. A PKI is an essential component of an overall security strategy that must work in concert with other security mechanisms, business practices, and risk management efforts. PKI is a broad subject matter and is constantly evolving to meet the growing demands of the business world. This article addresses PKI at a relatively high-level and does not include details regarding the underlying cryptography. This article is intended to remove the mystery, fear, and misconceptions of PKI, and offer real world opportunities for its use. Additionally, this article presents business- level reasons for considering a PKI in various environments, and the business problems a PKI can solve. This article is also intended to help organizations determine their requirements and necessity for a PKI, and what features they need for their particular business. This article should be considered as a PKI planning guide. 1 Why Implement a PKI? The omnipresence of the Internet and e-commerce technologies present many opportunities, but also pose security and integrity issues. For e-commerce to flourish, businesses, customers, vendors, suppliers, regulatory agencies, and other stakeholders must be assured that trusted business relationships are maintained. An illustration presents the point. If a merchant today has a physical presence at a store, that is, brick and mortar, and customers patronize them for goods and services, the merchant will typically request and receive payment for these directly from either the customers or their agent (e.g., their bank via the presentation of a monetary instrument such as a check), at the time that the goods and services were bargained for and/or provided. The process of exchanging goods and services for value is almost as universal as the rules by which those conversions take place. In many cases those rules are codified, in others they reflect accepted custom. Whether systematic or custom, the processes in use today provide for the establishment of a trusted business relationship in that the customer and merchant both authenticate one another to the extent that they are willing to undertake the transaction. If an easily recognized monetary instrument like cash is used for transactions, there may be very little authentication which must occur. If a credit card or check is used, then the authentication may include the establishment of the customer's identity to the merchant. In addition, the authentication may also allow for a measure of non-repudiation to be set so that the customer does not deny the transaction occurred. This traditional face-to-face transaction requires only minimal interaction and normally does not necessitate the use of other security and integrity mechanisms. However, for e-commerce on the Internet, additional security and integrity mechanisms become necessary. Merchants are typically not willing to ship goods or perform services until a payment has been accepted for them. In addition, authentication can allow for a measure of non-repudiation so the customer cannot deny the transaction occurred. Similarly, consumers need assurance that they are purchasing from a legitimate enterprise, rather than a hacker’s site whose sole purpose is to collect credit card numbers. With the changes in today's business environments and the shift from the traditional face-to-face business models, mechanisms must be developed to ensure that trusted relationships are maintained and can flourish. The implementation of a PKI is intended to provide mechanisms to ensure trusted relationships are established and maintained. The specific security functions in which a PKI can provide foundation are confidentiality, integrity, non-repudiation, and authentication. 2 Public Key Infrastructure Overview • August 2001 Uses of PKI A PKI does not serve a particular business function; rather, a PKI provides a foundation for other security services. The primary function of a PKI is to allow the distribution and use of public keys and certificates with security and integrity. A PKI is a foundation on which other applications and network security components are built. Systems that often require PKI-based security mechanisms include email, various chip