
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 6353
  • Last Modified:

PKI advantages and disadvantages

Can someone give me some reasons why a PKI is a good solution to security? Basically what I am trying to figure out are its advantages and disadvantages.

1 Solution
The short one: a PKI allows computers to authenticate to each other or encrypt and decrypt data WITHOUT prior contact.
So no password exchange is needed beforehand, no exchange of passwords over any medium.
The disadvantages:
- you need a thorough understanding of PKI and asymmetric encryption principles to set this up. It's not the simplest thing to do for a sysadmin. For end users it's mostly transparent.
- asymmetric encryption is slow. That's why it is only used on short messages. For large-volume encryption a PKI can be used to exchange the keys of a (fast) symmetric algorithm.

To set you on the way, this is a short explanation:
The basic principle of asymmetric encryption:
- Every system has a public key and a private key. The public key is ... public: it can be handed out to anyone. The private key has to be kept ... private. Nice logic.
- To sign a message (to authenticate or prove integrity or for non-repudiation) the sender encrypts a 'message' with his private key. The receiver decrypts with the public key of the sender and if the 'message' is what is expected then the receiver knows that it can only be sent by the sender.
- To encrypt something the sender encrypts the message with the public key of the receiver. Then only the receiver can decrypt the message using his private key.

A PKI is an infrastructure to allow the generation of the needed certificates (keys can be part of the certificates), the exchange of the certificates, the legal contracts and procedures to initially verify who you say you are.
There are server and client parts to this.
Also, there is a certification chain composed of CAs (certificate authorities). Starting at the top from a well protected (usually offline) root CA and then down to several (usually online) subordinate CAs. The CAs are the server parts.

For more info see:

And if you need to know more, just shout.
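The three operations the answer above describes (sign with the sender's private key, encrypt with the receiver's public key, and use the slow asymmetric step only to move a fast symmetric key) as an added Go example that is not part of the original answer. It uses only Go's standard library; the names Sealed, Seal, Open and newGCM are mine, and the sample message in any usage is constructed.

```go
package main
import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)
// Sealed is what the sender transmits: the AES-256 session key wrapped with the receiver's
// RSA public key, the AES-GCM nonce and ciphertext, and the sender's RSA-PSS signature over
// all three (wrapped key and nonce are fixed-size, so plain concatenation is unambiguous).
type Sealed struct{ WrappedKey, Nonce, Ciphertext, Signature []byte }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for recvPub and signs it with sendPriv: slow RSA protects only the
// 32-byte session key, while fast AES-GCM protects the bulk data (the hybrid scheme).
func Seal(sendPriv *rsa.PrivateKey, recvPub *rsa.PublicKey, plaintext []byte) (*Sealed, error) {
	buf := make([]byte, 32+12) // fresh random session key followed by a fresh GCM nonce
	if _, err := rand.Read(buf); err != nil { return nil, err }
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	// Encrypted with the receiver's public key: only the receiver's private key can unwrap it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recvPub, key, nil)
	if err != nil { return nil, err }
	// Signed with the sender's private key: anyone holding the sender's public key can verify.
	d := sha256.Sum256(append(append(append([]byte{}, wrapped...), nonce...), ct...))
	sig, err := rsa.SignPSS(rand.Reader, sendPriv, crypto.SHA256, d[:], nil)
	if err != nil { return nil, err }
	return &Sealed{wrapped, nonce, ct, sig}, nil
}

// Open verifies the sender's signature before touching the ciphertext, then unwraps the
// session key with recvPriv and decrypts; tampering or a wrong key yields an error.
func Open(recvPriv *rsa.PrivateKey, sendPub *rsa.PublicKey, s *Sealed) ([]byte, error) {
	d := sha256.Sum256(append(append(append([]byte{}, s.WrappedKey...), s.Nonce...), s.Ciphertext...))
	if err := rsa.VerifyPSS(sendPub, crypto.SHA256, d[:], s.Signature, nil); err != nil { return nil, err }
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recvPriv, s.WrappedKey, nil)
	if err != nil { return nil, err }
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	return gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
}
```

Note that the two parties never share a secret in advance: each only needs the other's public key, which is exactly what the certificate chain in a PKI vouches for.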

Note: (may be relevant) It was recently announced that some U.S. Navy military contractor accessible web sites previously allowing access through PKI certificates (software based) will be changing to Common Access Card (CAC) based authentication only. All previous methods will be disallowed at some point in the near future.

I suppose the "logic" behind this is the 'owner' must present his or her "key" (the CAC) just as we do when starting a car or entering our homes. The only thing is a CAC also has a password encoded into it, so a stolen CAC is practically as useless as a stolen computer with PKI certificate installed. Why a branch of the military would elect one form of authentication over another was not indicated and may safely remain the subject of speculation.

I believe this tidbit might be useful for an organization planning their first venture into PKI certificates and card-based authentication methods.
Card based authentication can be used with PKI: certificates can be stored on a smartcard.
They are not mutually exclusive. In fact CAC is an extension to PKI to store the private key(s) on a secure device (the card).
So they certainly have not dropped PKI, au contraire.
See: http://usmilitary.about.com/od/theorderlyroom/l/blsmartcards.htm

