PKI advantages and disadvantages

Posted on 2007-07-31
Last Modified: 2008-01-09
Can someone give me some reasons why a PKI is a good solution to security? Basically what I am trying to figure out are its advantages and disadvantages.

Question by: matt_starkey31
    LVL 18

    Accepted Solution

    The short one: a PKI allows computers to authenticate to each other or encrypt and decrypt data WITHOUT prior contact.
    So no password exchange beforehand needed, no exchange of passwords over any medium.
    The disadvantages:
    - you need a thorough understanding of PKI and asymmetric encryption principles to set this up. It's not the simplest thing to do for a sysadmin. For end users it's mostly transparent.
    - asymmetric encryption is slow. That's why it is only used on short messages. For large volume encryption a PKI can be used to exchange the keys of a (fast) symmetric algorithm.

    To set you on the way, this is a short explanation:
    The basic principle of asymmetric encryption:
    - Every system has a public key and a private key. The public key is ... public: it can be handed out to anyone. The private key has to be kept ... private. Nice logic.
    - To sign a message (to authenticate or prove integrity or for non-repudiation) the sender encrypts a 'message' with his private key. The receiver decrypts with the public key of the sender and if the 'message' is what is expected then the receiver knows that it can only be sent by the sender.
    - To encrypt something the sender encrypts the message with the public key of the receiver. Then only the receiver can decrypt the message using his private key.

    A PKI is an infrastructure to allow the generation of the needed certificates (keys can be part of the certificates), the exchange of the certificates, the legal contracts and procedures to initially verify who you say you are.
    There are server and client parts to this.
    Also, there is a certification chain composed of CAs (certificate authorities). Starting at the top from a well protected (usually offline) root CA and then down to several (usually online) subordinate CAs. The CAs are the server parts.

    For more info see:

    And if you need to know more, just shout.
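The certification chain the accepted solution describes (an offline root CA signing an online subordinate CA, which issues an end-entity certificate), as an added example that is not part of the original thread, written against Go's standard library; the CA names and the hostname are constructed, and the verifier is given only the root to trust, which is the "no prior contact" property the answer opens with.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues a certificate for cn signed by parent/parentKey; a nil parent means self-signed.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only a CA may sign other certificates
	}
	if parent == nil {
		parent, parentKey = tmpl, key // root CA: signed with its own private key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// buildHierarchy mirrors the answer: an (offline) root CA signs an (online) subordinate CA, which issues the end-entity certificate. Names are constructed.
func buildHierarchy() (root, sub, leaf *x509.Certificate) {
	root, rootKey := makeCert("Example Root CA", true, nil, nil)
	sub, subKey := makeCert("Example Issuing CA", true, root, rootKey)
	leaf, _ = makeCert("server.example.test", false, sub, subKey)
	return
}

// verifyChain validates leaf up to the trusted root via sub: the verifier has never seen leaf before and trusts only the root.
func verifyChain(leaf, sub, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}
```

verifyChain returns nil only when a signature path exists from the leaf through the subordinate CA to the trusted root; hand it a root from an unrelated hierarchy, or withhold the subordinate's certificate, and it fails.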

    LVL 4

    Expert Comment

    Note: (may be relevant) It was recently announced that some U.S. Navy military contractor accessible web sites previously allowing access through PKI certificates (software based) will be changing to Common Access Card (CAC) based authentication only.  All previous methods will be disallowed at some point in the near future.

    I suppose the "logic" behind this is the 'owner' must present his or her "key" (the CAC) just as we do when starting a car or entering our homes.  The only thing is a CAC also has a password encoded into it, so a stolen CAC is practically as useless as a stolen computer with PKI certificate installed.  Why a branch of the military would elect one form of authentication over another was not indicated and may safely remain the subject of speculation.

    I believe this tidbit might be useful for an organization planning their first venture into PKI certificates and card-based authentication methods.
    LVL 18

    Expert Comment

    Card based authentication can be used with PKI: certificates can be stored on a smartcard.
    They are not mutually exclusive. In fact CAC is an extension to PKI to store the private key(s) on a secure device (the card).
    So they certainly have not dropped PKI, au contraire.
