HYDERABAD: To build an infrastructure based on confidence and security in
dealing with Government online and in e-commerce, Public Key Infrastructure (PKI)
is all set to play a role in the initiatives taken towards the e-government
front. "PKI is basically used to establish the identity of the user and it
is published for all. The PKI technology consists of a public key and a private
key. The technology could prove to be a boon to government agencies," said
Rolta India Technical Specialist Ram Bhot. He was here to deliver a speech at a
seminar on e-security organized by Rolta India.
Though the technology has not been introduced in the country, its implications
could well stretch from banks to private financial institutions and from the
government sector to the insurance sector. "PKI is the technology for
foolproof exchange of documents over the web," he added. The sending computer
encrypts the document with a symmetric key, then encrypts the symmetric key with
the public key of the receiving computer. The receiving computer uses its
private key to decode the symmetric key. It then uses the symmetric key to
decode the document, he said.
Computer encryption is based on the science of cryptography, which has been
used throughout history. Before the digital age, the biggest users of
cryptography were governments, particularly for military purposes. Most forms of
cryptography in use these days rely on computers, simply because a human-based
code is too easy for a computer to crack. Most computer encryption systems
belong in one of two categories — symmetric-key encryption and public-key
encryption.
In symmetric-key encryption, each computer has a secret key (code) that it
can use to encrypt a packet of information before it is sent over the network to
another computer. "Symmetric-key requires that you know the computers that
will be talking to each other so you can install the key on each one,"
Ram Bhot added. Symmetric-key encryption is essentially the same as a secret
code that each of the two computers must know in order to decode the
information. The code provides the key to decoding the message. A technology
like this could be very helpful in government communications where secrecy is
needed.
In the other case, public-key encryption uses a combination of a private key
and a public key. The private key is known only to the computer, while the
public key is given by that computer to any computer that wants to communicate
securely with it. To decode an encrypted message, a computer must use the public
key, provided by the originating computer, and its own private key.
Public-key encryption takes a lot of computing, so most systems use a
combination of public-key and symmetric-key encryption. When two computers initiate a secure
session, one computer creates a symmetric key and sends it to the other computer
using public-key encryption. The two computers can then communicate using
symmetric-key encryption. Once the session is finished, each computer discards
the symmetric key used for that session. Any additional sessions require that a
new symmetric key be created, and the process is repeated.
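The exchange described above (the document encrypted under a one-time symmetric key, and that key encrypted under the receiver's public key) can be shown as a short added example; it is not code from the seminar or from Rolta India. The algorithm choices (RSA-2048 with OAEP, AES-256-GCM), the Python `cryptography` package and all function names are assumptions, since the article names none.

```python
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumed algorithms (the article names none): RSA-2048 with OAEP/SHA-256
# to wrap the session key, AES-256-GCM to encrypt the document.
OAEP = padding.OAEP(padding.MGF1(hashes.SHA256()), hashes.SHA256(), None)


def generate_receiver_key():
    """Receiver's long-term key pair; only the public half is shared."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def seal_document(receiver_public_key, document: bytes) -> dict:
    """Sender: encrypt with a fresh symmetric key, then wrap that key."""
    session_key = AESGCM.generate_key(bit_length=256)  # never reused
    nonce = os.urandom(12)  # 96-bit GCM nonce, unique per session key
    return {
        "wrapped_key": receiver_public_key.encrypt(session_key, OAEP),
        "nonce": nonce,
        "ciphertext": AESGCM(session_key).encrypt(nonce, document, None),
    }


def open_document(receiver_private_key, envelope: dict) -> bytes:
    """Receiver: unwrap the session key, then decrypt the document."""
    # ValueError: the key was wrapped for a different receiver.
    # InvalidTag: the ciphertext was modified in transit.
    session_key = receiver_private_key.decrypt(envelope["wrapped_key"], OAEP)
    return AESGCM(session_key).decrypt(
        envelope["nonce"], envelope["ciphertext"], None
    )


if __name__ == "__main__":
    receiver = generate_receiver_key()
    sealed = seal_document(receiver.public_key(), b"constructed sample document")
    print(open_document(receiver, sealed))
    last = sealed["ciphertext"][-1] ^ 1  # flip one bit of the ciphertext
    sealed["ciphertext"] = sealed["ciphertext"][:-1] + bytes([last])
    try:
        open_document(receiver, sealed)
    except InvalidTag:
        print("tampered ciphertext rejected")
```

Because the symmetric key is generated inside `seal_document` and never stored, every document or session gets a new one, which matches the discard-and-recreate behaviour described above.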
Implementing public-key encryption on a large scale, such as for a secure Web
server, requires a different approach. This is where digital certificates come
in. A digital certificate is basically a bit of information that says that the
Web server is trusted by an independent source known as a certificate authority.
The certificate authority acts as a middleman that both computers trust. It
confirms that each computer is in fact who it says it is, and then provides the
public keys of each computer to the other.