PKI Security

PKI security provides the encryption technologies required by electronic data interchange to meet the following security objectives:

  • Authentication - The process of proving one's identity.
  • Confidentiality - Ensuring that no one can read the message except the intended recipient.
  • Integrity - Assuring the recipient that the received message has not been altered in any way from the original.
  • Non-repudiation - A mechanism to prove that the sender/recipient really sent/received a message.

PKI Details

Public Key Infrastructure security utilises both symmetric and asymmetric cryptography to deliver a highly secure mechanism that removes the disadvantages of each.

PKI achieves each of the security objectives mentioned above.

  • The digital signature is used to Authenticate the message
  • Encryption of the message is used to ensure the Confidentiality of the message
  • The digital signature is used to ensure the Integrity of the message
  • The uniqueness of the digital signature prevents the owner of the signature from disowning the signature and thus provides Non-repudiation

Message Digest

The message digest is a digital fingerprint of a message, which is obtained by performing a hash function on the message data. This hashing function is fast and produces a small message digest from the contents of the message.

The message digest algorithms have two very important features:

  • The same input always produces the same output, and it is computationally infeasible to find two different inputs that produce the same output
  • It is computationally infeasible to determine the actual message from the message digest

The message digest is used to guarantee that the message data is not altered during transit.

The message digest is encrypted with the sender’s private key to form a digital signature.

Digital Signatures

A service enabled by public-key cryptography is that of Digital Signatures. This, as the name suggests, is the equivalent of a hand-written signature; many people can read and verify the signature but only one person can produce the signature.

A digital signature relies on the key pair. The signer, to explicitly link the data to himself, uses the private key to sign the data. The public key can then be published/distributed to all trading partners, allowing them to validate the signature.

This is impossible to achieve while using a symmetric key system, as the symmetric key would need to be known by both the signer and the receiving party. Once a symmetric key is revealed to a second party, that key can no longer be exclusively linked to one trading partner. This means for future message exchanges, use of this key would no longer provide authentication.

A digital signature should be seen as a private key operation on data, with the resulting value being a signature. The data to be signed may be of any size (a few KB through to a 100 MB file), but a private key operation takes a fixed-size input and produces a fixed-size output. To solve this problem, a hash function is used to produce the fixed-size input (the message digest) for the private key operation.
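
The hash-then-sign flow described above, as an added example that is not part of the original page. It assumes SHA-256 for the message digest and unpadded textbook RSA over a constructed key pair in place of a production scheme such as RSA-PSS; the names `message_digest`, `sign`, `verify`, `demo` and the key constants are hypothetical.

```python
import hashlib

# Constructed key pair (assumption): two well-known Mersenne primes.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, kept by the signer

def message_digest(message: bytes) -> int:
    """Reduce data of any size to a fixed-size 256-bit value."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes) -> int:
    """Private key operation on the digest, never on the raw message."""
    return pow(message_digest(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Public key operation recovers the signed digest; compare it with a
    digest computed locally over the message that actually arrived."""
    if not 0 <= signature < N:
        return False
    return pow(signature, E, N) == message_digest(message)

def demo() -> dict:
    order = b"ORDER 1001: 20 units to warehouse A"   # constructed sample
    bulk = b"\x00" * (5 * 1024 * 1024)               # constructed 5 MB file
    sig_order, sig_bulk = sign(order), sign(bulk)
    return {
        "order_ok": verify(order, sig_order),
        "bulk_ok": verify(bulk, sig_bulk),
        # Any change in transit yields a different digest, so the check fails.
        "tampered_ok": verify(order.replace(b"20", b"90"), sig_order),
        # A signature is bound to its message and cannot be reused elsewhere.
        "swapped_ok": verify(bulk, sig_order),
        # Both signatures fit the modulus size whatever the message size.
        "fixed_size": max(sig_order, sig_bulk).bit_length() <= N.bit_length(),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only the holder of `D` can produce a value that `verify` accepts, while anyone holding `E` and `N` can run the check.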