Making Sense of Public Key Infrastructure
PKI verifies senders and protects against tampering.
By Michael Rothman
AS LAW FIRMS increasingly use electronic communication tools that do not require physical presence, electronic credentials that prove identity become a necessity. As a driver's license or passport proves identity in the offline world, Public Key Infrastructure (PKI) offers online identification.
PKI not only ensures that people are who they say they are, but also protects documents from tampering. Obviously, that's essential for the documents of daily law practice: the depositions, affidavits, confidential business records, and internal strategy outlines.
Both sender and recipient have "keys": one "private," the other "public." The two keys work together so that a message scrambled with the private key can only be unscrambled with the public key and vice versa. What are the keys? Extremely long prime numbers. The more digits in these keys, the more secure the process.
Just as you prove identity through a handwritten signature offline, you use a "digital signature" to prove identity online. But without actually seeing the person sign the document, how can you prove it's the right person?
This is where PKI comes into play. A piece of data is run through a complicated mathematical computation to generate another number, which is called a hash. The original data and the hash are inextricably linked -- if any part of either changes, the hash will not match and the message cannot be decoded or verified.
To digitally sign a document, a hash is taken of the document and then signed with the user's (let's call her Susan) private key. Remember that data scrambled with a private key can only be unscrambled with the corresponding public key. Any entity can verify the validity of the document (and therefore Susan's identity) by unscrambling the hash with Susan's public key and checking that against another hash computed from the received data.
If the hashes match, the data was not tampered with and Susan did, in fact, sign it. But since I didn't physically watch her sign it, how do I know it wasn't signed by an imposter? This is where the concept of trust enters the system, creating the need for another entity to verify Susan's online identity: a certificate authority (CA).
The certificate authority is a trusted entity that makes the whole PKI system work. It verifies Susan's identity and issues the keys (both public and private). The private key is securely sent to Susan, and the certificate authority then signs Susan's public key with its own private key, also known as the root key. The combination of Susan's public key and the signature of the CA forms Susan's digital certificate. The root key functions like a machine that applies watermarks to passports. Susan's digital certificate is her online passport, validated by the CA's watermark to prove that Susan is who she says she is.
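The sign-and-verify flow described above, including the CA's role, shown as an added Python example that is not part of the original article. It uses textbook RSA with small constructed keys and no padding, so it illustrates the mechanics only; all function and variable names are hypothetical.

```python
import hashlib

E = 65537  # public exponent used by every toy key here

def make_key(p, q):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(data, n):
    """SHA-256 of the data, reduced into the key's range (toy shortcut, no padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, private):
    n, d = private
    return pow(digest(data, n), d, n)  # scramble the hash with the private key

def verify(data, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(data, n)  # unscramble, then compare hashes

def cert_body(name, public):
    return f"{name}|{public[0]}|{public[1]}".encode()

def issue_certificate(name, public, ca_private):
    """The CA signs the binding between a name and a public key."""
    return {"name": name, "public": public, "ca_sig": sign(cert_body(name, public), ca_private)}

def check_document(doc, sig, cert, ca_public):
    """Check the CA's signature on the certificate, then the signer's on the document."""
    if not verify(cert_body(cert["name"], cert["public"]), cert["ca_sig"], ca_public):
        return "untrusted certificate"
    if not verify(doc, sig, cert["public"]):
        return "bad signature"
    return "valid: signed by " + cert["name"]

# Constructed keys built from known Mersenne primes (far too small and structured for real use).
CA_PUB, CA_PRIV = make_key(2**107 - 1, 2**127 - 1)
SUSAN_PUB, SUSAN_PRIV = make_key(2**61 - 1, 2**89 - 1)
IMPOSTER_PUB, IMPOSTER_PRIV = make_key(2**89 - 1, 2**107 - 1)
SUSAN_CERT = issue_certificate("Susan", SUSAN_PUB, CA_PRIV)
FAKE_CERT = issue_certificate("Susan", IMPOSTER_PUB, IMPOSTER_PRIV)  # self-issued, no CA
DOC = b"Affidavit, constructed sample text"

if __name__ == "__main__":
    print(check_document(DOC, sign(DOC, SUSAN_PRIV), SUSAN_CERT, CA_PUB))
    print(check_document(DOC + b" (edited)", sign(DOC, SUSAN_PRIV), SUSAN_CERT, CA_PUB))
    print(check_document(DOC, sign(DOC, IMPOSTER_PRIV), FAKE_CERT, CA_PUB))
```

The three calls cover the cases the article walks through: an intact document signed by Susan, a document altered after signing, and an imposter whose certificate the CA never signed.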
So why go through all this trouble? Single-key encryption schemes like DES were good enough when law firms had most of their transactions happening on paper or between employees on a closed, highly secure network with physical protection (locked doors, etc.) surrounding computers. But today, virtually every major firm has opened that network up -- remote workers dial in, and partners, associates and support staff are all hooked in with document management software and the Internet. In this world of open networks, outsiders can easily crack single-key encryption with today's computing power.
Like any security technology, digital signatures used in the trust model aren't perfect. If the CA's watermark machine (root key) is stolen, then anyone can create passports (digital certificates), which compromises the trust level of the CA and makes all the certificates null and void. CAs go to great lengths, including armored bunkers (I'm not kidding), to keep their keys secure.
They also have to have a secure system for issuing certificates; the higher the level of verification before issuing keys to Susan, the more trustworthy the system. Additionally, if Susan loses her private key (or it's stolen), then she cannot be trusted because anyone possessing the private key can pose as Susan (no clever disguise needed).
More importantly, for the system to work, the thousands of applications used throughout law firms today need to be PKI-ready. They need to know how to ask Susan to sign data and how to validate that data using the certificates. In order for PKI to become a widely used technology, it must become a transparent part of software used in day-to-day business so that users without a Ph.D. in mathematics don't need to understand all the complexity behind keys, hashes, and digital certificates.
Michael Rothman is executive vice president of SHYM Technology.