Public key technology enables risks to be properly managed so that electronic transactions can be performed on open, insecure networks such as the Internet with total security. It is a fundamental technology for:
- Improving business processes by enabling time optimization, managing errors and reducing costs.
- Improving client and user satisfaction, enabling communications from anywhere and at any time.
Electronic transactions cannot take place without the capacity to identify people and machines electronically in a reliable way. Public key technology using digital certificates (equivalent to electronic identity cards) is the most secure way to identify entities electronically and to protect electronic data.
A public key infrastructure or PKI offers a range of services that drastically reduce security risks associated with business processes. A PKI offers the following services:
- Digital authentication unambiguously guarantees an entity’s identity and attributes (who is it and what is it?). While the identity gives us the name of a person or machine, the attributes give us information such as the holder’s capacity to practice as a qualified professional, credit limits, date of birth, etc.
- Data integrity is the service that detects any changes that may have taken place accidentally or intentionally while data is stored or transmitted over the Internet. Authentication and integrity services are the basis of electronic signatures, which can be compared with hand-written signatures, thus removing the need for paper.
- The confidentiality service enables electronic data (files and communications) to be protected, and controls access to the data by applying PKI-based authentication mechanisms.
Public Key Infrastructure (PKI) is responsible for offering the services required for establishing trusted electronic communications. To do so, trusted third parties (TTPs) are in charge of guaranteeing the unique link between entities and the social and economic data they accredit, unambiguously binding a given date to specific data, and providing evidentiary value that these links remain valid over time.
Trusted entities are classified in three groups according to the type of responsibility acquired: entities responsible for issuing and managing digital certificates, known as Certification Authorities; entities responsible for guaranteeing the validity of digital certificates, known as Validation Authorities, and lastly, entities responsible for ensuring the existence date of specific data, known as Time Stamping Authorities.
- Certification Authority: In a PKI, the responsibility for issuing certificates is shared between the Certification Authority (CA) and the entity responsible for requesting the generation of certificates, known as the Registration Authority (RA). The RA is the entity onto which the CA delegates the task of receiving certification requests and deciding whether to approve or deny them. The RA can also request the revocation of a digital certificate previously issued by the CA. The CA is exclusively in charge of generating certificates and revocation lists, which contain revoked certificates. While the RA component interacts with the entities that request certificates (for example, people) and with the company’s decision-making system to obtain data or attributes of the applicant, the CA component is exclusively in charge of processing approved requests in order to generate the corresponding certificates. Digital certificates will usually be published in a directory, whose responsibility can fall on the CA or the RA.
- Validation Authority: Services that verify the status of digital certificates are strategic in business processes that require guarantees that a digital certificate’s status has been verified during the process of accepting digitally signed data (for example, electronic transaction orders). The Validation Authority (VA) will provide proof of the validity (revoked or non-revoked certificate) of a digital certificate at a given moment, taking responsibility for these responses. The proof value is therefore the most important advantage compared to traditional CRLs generated by the CA, which do not offer this advantage. Another important factor of this system compared to CRLs is its increased efficiency.
- Time Stamping Authority: The Time Stamping Authority (TSA) guarantees the time and associates it with specific data. The result is the generation of a time-stamp that will be delivered to the applicant. The TSA digitally signs and delivers the time-stamp, endowing the data with proof value. The TSA guarantees a time associated with specific data; it will never verify such data or have access to it, since this is the responsibility of the entity that validates the time-stamp. The advantage of time-stamps is that they provide proof that a datum existed before a particular time. Examples of systems where time-stamps are required are Public Administration services that need to guarantee delivery dates and Electronic Notary services or offer validity presentations, among others.
- The Directory: The public key infrastructure component responsible for publishing certificates and revocation lists generated by the CA. Users can obtain a digital certificate or revocation list in force by checking the directory, which can also hold other types of data, such as the user’s e-mail address, name, telephone number, etc. Certificates are viewed in the directory when encrypted data is to be sent and the data recipients’ digital certificate is not available or when a digital certificate is required in order to validate a signer’s digital signature.
- End Entities: End entities are people or systems that can hold a digital certificate. They are different from non-end entities (for example: CA) in that they cannot generate certificates for other entities. Among these entities, we can make a distinction between people or groups of people (users) and systems (applications). Users will hold digital certificates for authentication, digital signature or data protection; applications, on the other hand, will hold digital certificates with the generic purpose of being securely authenticated (for example, an electronic banking server to which confidential data must be sent).
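The roles listed above can be exercised end to end with Go's standard library. This is an added example, not code from the original page: the subject names, serial numbers and the `must`, `template` and `Status` helpers are constructed for illustration, and revocation is checked against a CA-signed CRL rather than a Validation Authority response.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // panic on setup errors; acceptable in a demo
	if err != nil {
		panic(err)
	}
	return v
}

// template fills in certificate fields for a constructed subject name.
func template(cn string, serial int64, isCA bool, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: ku}
}

// Status plays CA and relying party for end-entity serial 2; the CRL lists revokedSerial.
func Status(revokedSerial int64) (chainOK, revoked bool) {
	caKey, eeKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caT := template("Example Root CA", 1, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign)
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caT, caT, &caKey.PublicKey, caKey))))
	eeT := template("bank.example", 2, false, x509.KeyUsageDigitalSignature) // end entity: IsCA is false
	ee := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, eeT, ca, &eeKey.PublicKey, caKey))))
	// CA: sign the revocation list that the directory publishes.
	list := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revokedSerial), RevocationTime: time.Now()}}}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, list, ca, caKey))))
	// Relying party: chain to the trusted CA, authenticate the CRL, then look up the serial.
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := ee.Verify(x509.VerifyOptions{Roots: roots})
	chainOK = err == nil && crl.CheckSignatureFrom(ca) == nil
	for _, e := range crl.RevokedCertificates {
		revoked = revoked || e.SerialNumber.Cmp(ee.SerialNumber) == 0
	}
	return chainOK, revoked
}

func main() { fmt.Println(Status(2)) }
```

A relying party should accept the end entity's signature only when `chainOK` is true and `revoked` is false; a CRL whose signature does not verify against the trusted CA must be treated as no answer at all, not as "not revoked".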
PKI technology is considered strategic for the governmental sector for two reasons:
- The Administration must take special care to secure its procedures, which means that the security mechanisms used should offer a high level of trust.
- Electronic Administration significantly improves citizen service levels, thus increasing citizen satisfaction.
One of the key benefits of PKI technology is business process optimization, guaranteeing the security of electronic data and eliminating the need for physical paper. Here are some examples:
- In the health sector scenario, data access control and data protection are essential for supplying information concerning a patient’s health record, which is confidential. Electronic signatures will also be applied to electronic prescriptions, improving the security of the current prescription system and optimizing the process.
- In the banking scenario, digital certificates are required to control clients’ access to their banking accounts and to digitally sign transaction orders. In this scenario, secure validation of the digital certificate prior to accepting the transaction becomes more important as the transaction amount grows.
- In the defence sector, data confidentiality and authenticity are particularly important. Stored data, e-mail messages and communications are encrypted with strong encryption algorithms and keys.
In the corporate environment, where any organization’s corporate processes need to be secured, it is highly important for both employees and clients to have a single sign-on system, in addition to electronic messaging and document securing systems. One of the most typical examples of electronic signature use in corporations is generating electronic invoices.