Public Key Infrastructure: Invisibly Protecting Your Digital Assets - Page 4
Drawbacks of PKI
PKI's privacy and authentication measures work well for any two-way communication. Authentication also works well for one-to-many communication, such as signing a document or an email that many people will read. However, privacy is another matter. Remember that privacy works by having the sender encrypt the information with the recipient's public key. What if there are multiple recipients on an email message that should be kept private? There is no simple answer for this.
Another drawback to encrypted email or any information is the possibility of losing your private key, which is required for decryption of information that is sent to you. The problem is worse with PKI than with symmetric encryption, because you are the only one who has your private key. A simple method to protect your private key is to back it up on a floppy. Then if you lose your hard drive, you have another way to get at your private key.
On the other hand, if someone else got access to the floppy, then your private key would be compromised. You would have to have your certificates revoked and get new ones issued, along with a new private key -- a major hassle. And what about documents that might have been forged before you discovered the problem?
Some systems offer stronger methods to back up keys. For example, a private key can be split into several pieces, called shares. The shares can then be given to different trusted people, or encrypted with each of their public keys and stored (perhaps on a floppy!) by the key's owner. In either case, it is impossible for one person alone to reconstruct the private key. If you plan to use PKI on a large scale or to protect information over a significant period of time, the ability to recover or reconstitute lost keys should be on your product requirements checklist.
Is "everyday" PKI security enough for your organization? If all you are doing is encrypting and signing email or authenticating your web server, everyday security is probably good enough. However, with PKI you have an opportunity to streamline your procedures for protecting and sharing sensitive and valuable information. Appropriate use of PKI can reduce costs, speed operations, and open up new business opportunities by allowing you to safely access and obtain that information via your internal network. If you access your data over the Internet, you will want to use a stronger level of PKI, with more sophisticated software, operations, and longer keys. You owe it to yourself to investigate what doors PKI can open for you and your organization.
ITU-T Recommendation X.509 (1997 E): Information Technology - Open Systems Interconnection -- The Directory: Authentication Framework, June 1997. A widely deployed, international standard for certificates
http://www.ietf.org/rfc/rfc3280.txt -- Internet X.509 Public Key Infrastructure - Certificate and Certificate Revocation List (CRL) Profile (RFC 3280)
http://home.netscape.com/eng/ssl3/draft302.txt - The SSL Specification
http://www.uk.pgp.net/pgpnet/pgp-faq - A PGP FAQ
http://www.ietf.org/rfc/rfc2440.txt - The PGP Standard (RFC 2440)
Applied Cryptography, Second Edition by Bruce Schneier, John Wiley & Sons, New York, 1996 -- Offers a detailed discussion of cryptographic techniques including PKI (also an impressive-looking addition to your bookcase)
Beth Cohen is president of Luth Computer Specialists, Inc., a consulting practice specializing in IT infrastructure for smaller companies. She has been in the trenches supporting company IT infrastructure for over 20 years in a number of different fields, including architecture, construction, engineering, software, telecommunications, and research. She is currently consulting, teaching college IT courses, and writing a book about IT for the small enterprise.
Debbie Deutsch is a principal of Beech Tree Associates, a data networking and information assurance consultancy. She is a data networking industry veteran with 25 years experience as a technologist, product manager, and consultant, including contributing to the development of the X.500 series of standards and managing certificate-signing and certificate management system products. Her expertise spans wired and wireless technologies for Enterprise, Carrier, and DoD markets.