How to implement PKI
Implementation of the public key infrastructure is basic in the life cycle of any PKI. In most case, developing a PKI is normally a very easy task and many organizations are able to carry it out. However, the implementation stage is one that can be quite hectic. So as to avoid the many problems that are encountered during the implementation process, proper and adequate planning is required. This means that an organization or individual must have a clear set of well laid out strategies and procedures to be followed. In some other cases, a lot of resources are required and therefore a huge investment should be made. It is therefore important that the PKI implementation process is handled with a lot of seriousness since it is an activity that can turn to be a white elephant if all the essential aspects are not taken into consideration. Here are the information which should be held by one so that he can implement it successfully;
Implementing Certificate Authorities
In a public key infrastructure, a Certificate Authority is responsible for the creation and distribution of certificates to the end users and other people that will need them in the environment. These are the public and private keys and one's certificate authority is one's clearing house for this. If one is in a private organization, one may have a private certificate authority which is meant for one's own users and private servers. In such a case, one have to ensure that third party individuals who use one's certificates trust them since in most cases, people tend not to have much trust with certificates that one have built on one's own.
If one are implementing a certificate authority, one are probably implementing a commercial certificate authority or a private certificate authority or a combination of both of them. If one is going to commercial certificate authorities, these are certificates that are built into one's browser and it is a browser that has the capability of sending and receiving the encrypted SSL and TLS type traffic via https. One can go to this commercial certificate authority and purchase a web site certificate that one can use on one's browser. Since everyone trusts that certificate, one's website will naturally be trusted. Occasionally, these commercial certificate authorities will give one some additional options as well. If one provides them with additional information about one's self or one's organization, they may give one a higher level of trust that one can tag on one's website.
Private certificate authorities are obviously certificates that one are building in-house probably in one's Windows operating system. This is a kind of certificate authority that one is building from scratch. If one is a medium organization, one will have such multiple certificates because one is going to have web servers and places where data needs to be encrypted. It could therefore be quite expensive going to a third party to pay for the certificates that will not even be used externally hence it therefore becomes very important to come up with certificate authorities of one's own and start distributing them. Obviously one is going to have to implement these certificate authorities and therefore, one must plan it out. Whenever one are going to implement this king of certificate authority, there needs to be an overall understanding of the strategy in one's organization, which is going to manage the certificates, how the certificates be built, how they will be distributed and how they will be revoked. As an organization, one can choose whether to have a commercial certificate authority or build one's selves a private certificate authority.
Implementing Key Revocation
Key revocation is a natural part of a certificate lifecycle in one's PKI and generally we use a Certificate Revocation List that is maintained by the certificate authority to be able to look for the key that have been revoked. There are many different reasons for revoking keys and we need to think the changes that will cause the key to be revoked such as natural expiration of the key or if the key is used for fraudulent activities. The revocation process is one that is more or less formal. Some other reasons as to why a key might be revoked are having a key that has been compromised, maybe the entire certificate authority has been compromised, and maybe the key has been changed or superseded. In addition, it can also be revoked if the entire business is not in operation or if a key has been suspended due to the presence of a certificate hold for that key. If some specific certificates are revoked, it therefore means that we will have to update our browsers, applications and domains that use the revoked certificates.
If one is using PGP or open PGP, then one does not have a central certificate authority. One are one's own authority of one's own in that one are building the certificate on one's own and also revoking it. Obviously in a web of trust, one creates one's own certificates, other people sign one's certificates hence one create a nice web of trust. When one create one's certificates, one might also want to consider going ahead and create a revocation certificate of one's own, That way, if something was to happen to one's private key, one would have a way to revoke that private key without having direct access to one's private key at all. One can even take that key and enable other people to be able to revoke one's certificate. That way, if something was to happen to one or to the computers that one are using, there would be someone else who is outside the scope of that issue that can then revoke one's certificate to make sure that nobody else would be able to use that in the future.
Implementing Digital Certificates
The implementation of digital certificates is also a very important aspect of cryptography. In this case, it is very essential that there is some special type of digital signatures to assist in the implementation process. In this case, a lot of information and documents can be digitally signed so as to make sure that they are well encrypted. As a matter of fact, this is a practice that is mainly suited for organizations since it could be very hard for an individual to implement digital certificates. They are mostly applied in cases where there could be a lot of encrypted information. The implementation of digital certificates is very important since it reduces the occurrence of non-repudiation. Apart from a few cases where information must be encrypted, the presence of digital certificates does not require encryption since if a message has been digitally singed, one can easily proof the origin of the message and identify whether it has been tampered with in the course of it being sent.
The public key infrastructure(PKI) is a mixture of things working together such as policies, procedures, people, hardware and software all put together to create a standard way to manage, distribute these certificates, store them, revoke them. If one are going to venture into public key cryptography and one are making a PKI, it means that one will be making something that is very big which one need to plan out from the very beginning and set all the processes in place so that it can be as successful as possible. The PKI is responsible for building these certificates and binding them to people or resources.
If one is going to implement one's own PKI, it is going to take a lot of planning to begin with. One is going to research a lot of different PKI software, understand the process one want to have in place and it may start as if one are building a certificate for a single web server. However, once one start building to start building these out and one's organization gets bigger, one will probably need more of those created hence one will need a very specific processing place so as to be able to provide that capability to the rest of the organization. One will need to do encryption with third parties, have digitally signed documents, many more web and email servers and hard drive encryptions so if one plan ahead, one will be in good shape when some of these things start to feature.
Implementing Key Recovery
The idea of key recovery basically means that we have put some processes in place to make sure that should something happen to that key, we have ways of recovering data that had been encrypted with the lost key. One of the ways is to back-up the private key. However, one need to make sure that one do not have too many backups of the private key or rather too many versions of it to avoid it getting into the hands of other people.
If one is implementing a certificate authority or one are building out a set of PKIs in one's environment, then the ability to recover one's keys is very important. The larger one's organization becomes, the more information one are going to start encrypting hence the more important key recovery is going to be important in one's environment. This is a process that is usually integrated into the certificate authority one is using. That way, one can build this plan for one's key recovery have it automatically as part of one's certificate authority and then when one start building other certificate authorities, the key recovery aspect is already integrated in the mathematics behind the keys that one are distributing.
In each and every organization, there is already a key recovery process that will start up from the beginning if the key is lost. We want to have a process where an organization can recover the data or private key and therefore the recovery process is probably built into one's public key infrastructure. It may be a process that is done automatically every time one comes up with a new set of keys
Implementing Public and Private Keys
The public key cryptography methodology is one that was founded by asymmetric encryption. The creation of public keys really involves a lot of mathematics and randomization. A lot of mathematics and prime numbers goes into this so as to create a public key that can be given to anyone in the world. By looking at a public and private key, it is very difficult for one to differentiate between the two.
The implementation of one's public and private key creation is something that is usually that is a formal process especially if one have a formal certificate authority set up, it is integrated into the security policy, one know exactly how to request it, one know the process that goes on to get registered and have that key and the certificate provided back to one. It may be something that is very structured and one need a lot of documentation or even show up in person and it has to be linked to one's ID that one might use or it might be more relaxed where it might be something like PGP or open PGP where one are outside of an organization and maybe building a certificate for one's own use. When building out a PGP secret key and a public key, there is a front end to the open PGP standard called GPG. One can download GPG for Mac OS, Windows, Linux and UNIX hence giving one a great capability on most of the available operating systems.
As a matter of fact, the implementation phase of a PKI is one of the most challenging but once achieved, the life cycle of the PKI is considered complete apart from cases where the PKI may require some revocation due to some other reasons. In addition, the implementation process is one that must be successfully undertaken if one is to have a good encryption mechanism. It is therefore important that PKI implementation is taken with as much seriousness as the development process or any other process.