PKI Technology
A PKI (public key infrastructure) enables users of a
basically unsecure public network such as the Internet to
securely and privately exchange data and money through the use
of a public and a private cryptographic key pair that is
obtained and shared through a trusted authority. The public
key infrastructure provides for a digital
certificate that can identify an individual or an
organization and directory services that can store and, when
necessary, revoke the certificates. Although the components of
a PKI are generally understood, a number of different vendor
approaches and services are emerging. Meanwhile, an Internet
standard for PKI is being worked on.
The public key infrastructure assumes the use of public key cryptography, which is the most common method on the Internet for authenticating a message sender or encrypting a message. Traditional cryptography has usually involved the creation and sharing of a secret key for the encryption and decryption of messages. This secret or private key system has the significant flaw that if the key is discovered or intercepted by someone else, messages can easily be decrypted. For this reason, public key cryptography and the public key infrastructure is the preferred approach on the Internet. (The private key system is sometimes known as symmetric cryptography and the public key system as asymmetric cryptography.)
A public key infrastructure consists of:
- A certificate authority (CA)
that issues and verifies digital
certificate. A certificate includes the public key or
information about the public key
- A registration authority (RA)
that acts as the verifier for the certificate authority
before a digital certificate is issued to a requestor
- One or more directories where the certificates (with
their public keys) are held
- A certificate management system
How Public and Private Key Cryptography Works
In public key cryptography, a public and private key are created simultaneously using the same algorithm (a popular one is known as RSA) by a certificate authority (CA). The private key is given only to the requesting party and the public key is made publicly available (as part of a digital certificate) in a directory that all parties can access. The private key is never shared with anyone or sent across the Internet. You use the private key to decrypt text that has been encrypted with your public key by someone else (who can find out what your public key is from a public directory). Thus, if I send you a message, I can find out your public key (but not your private key) from a central administrator and encrypt a message to you using your public key. When you receive it, you decrypt it with your private key. In addition to encrypting messages (which ensures privacy), you can authenticate yourself to me (so I know that it is really you who sent the message) by using your private key to encrypt a digital certificate. When I receive it, I can use your public key to decrypt it. Here's a table that restates it:
| To do this | Use whose | Kind of key |
| Send an encrypted message | Use the receiver's | Public key |
| Send an encrypted signature | Use the sender's | Private key |
| Decrypt an encrypted message | Use the receiver's | Private key |
| Decrypt an encrypted signature (and authenticate the sender) | Use the sender's | Public key |
| reference : | http://searchsecurity.techtarget.com/sDefinition/ |
| 0,,sid14_gci214299,00.html |
 |
The Bank of Thailand CA The Bank of Thailand |
 |
NITMX CA National ITMX Company Limited |
 |
PCC Digital ID CA Processing Center Company Limited |
CA hosted under the TDID infrastructure has been implemented by
|
Standard CA Hardware from SafeNet |
 |
|
Standard CA Software from CyberTrust |
 |
| CA Operation certified ISO 27001:2005 |  |
