PKI vs. PGP, Bin Laden's weapon of choice

Nov 1, 2001 12:00 PM, Jacqueline Emigh


PKI isn't the only cryptography protocol to be getting attention these days. The competing technology of Pretty Good Privacy (PGP) is also grabbing headlines, but of a different stripe. According to numerous news sources, authorities suspect that Osama bin Laden and his followers used PGP-encrypted e-mail to help plan the Sept. 11 terrorist attacks on the U.S.

PKI and PGP are both methods of public key cryptography, says Matt Smith, president of Sword & Shield Security Management Inc. In contrast, most other approaches use private key cryptography to scramble and unscramble messages.

In private key cryptography, the sender and recipient use the same key. This key must be kept secret by both parties, a situation that can clearly lead to key management problems.

In contrast, public key cryptography uses two keys — a public key and a private key. Information encrypted using the public key can only be retrieved using the complementary private key.

PKI differs from PGP, which relies on a “web of trust,” Smith observes. Specifically, PKI uses a hierarchical key management system that includes both a certification authority (CA) and a registration authority (RA).

The CA issues digital certificates by binding the identity of a user or a system to a public key with a digital signature. The CA is also responsible for scheduling expiration dates for digital certificates, and for making sure certificates are revoked when necessary by publishing certificate revocation lists (CRLs).

Organizations can either operate their own CAs, or use the CA services of a commercial CA or a trusted third-party such as a government agency.

The RA, on the other hand, is responsible for authenticating users' IDs and submitting certificate requests to the CA.
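The CA duties described above (binding an identity to a public key by signature, setting an expiry, publishing a CRL) can be walked through end to end with the openssl command-line tool. The script below is an added example, not code from the article or from any vendor it mentions; it assumes a POSIX shell with openssl installed, and the CA name, user name and 30-day validity are arbitrary choices for the demo.

```shell
# Added example (not from the article): the CA lifecycle the article describes,
# driven with the openssl CLI. The CA signs an identity/public-key binding with
# an expiry, then revokes it by publishing a CRL. Names and periods are arbitrary.
set -e
WORK=$(mktemp -d); cd "$WORK"
touch index.txt          # certificate database consulted by 'openssl ca'
echo 1000 > crlnumber    # sequence number for the next CRL
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = index.txt
new_certs_dir    = .
crlnumber        = crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_crl_days = 30
EOF
# 1. Root CA key and self-signed certificate. The key is unencrypted here,
#    exactly the handling the article flags as a real-world PKI failure.
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key \
    -out ca.crt -days 365 -subj "/CN=Demo Root CA" 2>/dev/null
# 2. End entity creates a key pair and a CSR; in the article's model the RA
#    authenticates the requester before the CSR reaches the CA.
openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout alice.key \
    -out alice.csr -subj "/CN=alice@example.test" 2>/dev/null
# 3. CA signs: identity bound to public key, valid for 30 days.
openssl x509 -req -in alice.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -out alice.crt 2>/dev/null
# Relying-party check: build the chain to the CA AND consult the current CRL.
check_alice() {
    if openssl verify -crl_check -CAfile trust.pem alice.crt >/dev/null 2>&1
    then echo valid; else echo rejected; fi
}
publish_crl() {   # CA issues a fresh CRL; trust.pem = CA cert + current CRL
    openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
    cat ca.crt ca.crl > trust.pem
}
publish_crl; BEFORE_REVOKE=$(check_alice)        # "valid"
openssl ca -config ca.cnf -revoke alice.crt 2>/dev/null
publish_crl; AFTER_REVOKE=$(check_alice)         # "rejected"
echo "before revocation: $BEFORE_REVOKE, after: $AFTER_REVOKE"
```

Without `-crl_check` the second verification would still succeed, which is why a CA's revocation publishing only protects relying parties who actually fetch and check the CRL.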

Organizations use a variety of methods for distributing certificates, including e-mail and directory services.

Use of a public key system with hierarchical management doesn't mean, though, that PKI is foolproof.

Organizations have been known to fail to password-protect their PKI private keys, as well as to inappropriately store their keys directly on the Internet.

© 2008 Penton Media Inc.