Public Key Infrastructure - Enabling A Secure Digital Environment
By Philippe Inserra, Vice President - Authentication, Gemalto
According to the recent Breach Level Index (BLI) by SafeNet, 1,500 data breaches occurred worldwide in 2014, leading to one billion compromised data records. 2014 also saw a sharp rise in data breaches (49 percent) and data records that were either stolen or lost (78 percent) as compared to 2013.
What's more, as cyber criminals become increasingly sophisticated in their attacks, there is a shift in their tactics with long-term identity theft becoming more important than the immediacy of stealing a credit card number. The main motivation for cyber criminals in 2014 was identity theft which surpassed any breach category including access to financial data.
With this, governments, enterprises, financial institutions as well as individuals need to be increasingly vigilant to protect identities. They need to supplement their current security mechanisms such as strong passwords with two factor authentication or multi-factor authentication systems.
Public Key Infrastructure (PKI) technology is one of the highest levels of security available today and can be used in combination with various other security mechanisms such as biometrics, strong passwords or One Time Passwords (OTP) among others.
Using a combination of public and private keys that are created with a cryptographic algorithm, PKI enables users to securely authenticate themselves via a user friendly methodology and secure authentication channels. The public key is available as part of a digital certificate issued by a certification authority (CA). The CA stores the information in a database and issues digital certificates that include the public key and links it to the user's identity for verification. On the other hand, the private key is only known to the end-user and is not transmitted over the network therefore validating a user's digital identity, enhancing security and allowing secure transactions across devices.
Using the PKI technology The PKI technology has several applications ranging from secure network logins and remote access, encrypting emails to secure data storage and online transactions.
User authentication: PKI enables secure access and logins. A user can be authenticated by the private key, which generates a digital certificate that is sent to an authentication server. Once received, the certificate is decrypted with the user's public key to validate the login credentials.
Data or information encryption: With PKI, messages, documents and data can be encrypted allowing only the intended recipient to access it. In such a scenario, a person's public key is used to encrypt the information and only the intended recipient can decrypt the information with his or her matching private key.
Digital signature: A digital signature can be used to secure a message, document or even transactions. The digital signature is created and encrypted with the user's private key and attached to the signed contents. When the information is received, the signature is decrypted along with the user's public key to validate the sender's identity, making transactions more secure.
Various PKI form factors The PKI technology can be used in different form factors:
Certificate-based PKI USB authentication tokens enable secure remote access as well as other advanced applications including digital signing, password management, network logon and combined physical/logical access in a single USB Authenticator (USB Token).
Certificate-based smart cards offer strong multi-factor authentication in a traditional credit card form factor and enable organizations to address their PKI security needs. Smart cards offer a single solution for strong authentication and applications access control, including remote access, network access, password management, network logon, as well as corporate ID badges, magnetic stripes and proximity.
PKI Technology across sectors
Government: As more and more government operations move online, advanced identity management systems that incorporate the PKI technology will become increasingly critical. With the increasing volume of confidential and critical data flowing through the government's systems, higher levels of authentication, confidentiality, access control, non-repudiation, and data integrity will be key to gaining citizens' trust and successfully implementing e-governance.
Enterprises: Data breaches due to system glitches, human errors and malicious attacks coupled with a growing mobile workforce are contributing to an upsurge in enterprise security threats. To add to this, devices such as laptops, smartphones and tablets are easy targets for theft, dramatically increasing the chances of proprietary and confidential information being breached. PKI technology can offer the highest levels of authentication to ward off potential hackers and secure confidential enterprise information.
Banking: As banks look to increase their consumer base and find new channels of generating revenue via m-banking and e-banking, security is a major concern. Banks need to implement stringent security measures such as PKI tokens/ smartcards which will be imperative for banks to imbibe trust among its customers, increase loyalty, reduce overheads and support the overall growth of digital banking.
Digital technology offers huge potential for people all over the world. The possibilities are increasing daily but so are the threats. As threats grow, security will continue to remain on the top of the minds of consumers and enterprises. They understand that using a simple layer of security is no longer sufficient. Implementing PKI adds a strong layer of security creating a safer environment for transactions and authentications.