Over the past few years, email communication has grown strongly and is still expanding. Today the majority of companies use email to run business processes both inside and outside the business. Besides the benefits of email communication, such as short response times, cost effectiveness and improved reachability, there are issues that may pose a risk when using it. Email security and the protection of confidential contents are a major concern. This is why most companies choose the easier option for communication while also taking security measures by relying on email security solutions, which include options for encrypting emails. A public key infrastructure (PKI) supports the distribution and identification of public encryption keys, enabling its users and the computers they use to exchange information safely while also verifying the recipient of the data.
The Fundamentals of Public Key Infrastructure
The PKI basically consists of personnel, policy, procedures and a core technology that bind the users of email communication to digital identities so that applications can provide the desired security services (Laih, Jen & Lu, 2012). At the core of a Public Key Infrastructure are the digital certificates, which affirm a recipient's identity and bind the information obtained about that identity to the public key contained in the certificate (Braun et al., 2014). Generally, a Public Key Infrastructure involves a certificate authority, a registration authority, a certificate database, and a certificate store.
The certificate authority is the trusted party whose function is to offer services that authenticate the identities of individuals, computers and many other entities. A registration authority is commonly known as a subordinate certificate authority, mainly because the certificate authority grants it permission to issue specific certificates. The certificate database stores certificate requests, issues certificates, and may even revoke some of them. A certificate store is present on the computer being used and holds issued certificates and private keys.
After verifying an individual's identity, the CA prepares and issues the certificate. The preparation process involves the CA signing the certificate with its designated private key. The corresponding public key is then given to all interested parties through a self-signed CA certificate. This trusted root certificate is what the CA uses to establish a chain of trust, which is done by embedding root certificates in web browsers so as to trigger built-in trust (Laih, Jen & Lu, 2012).
Judging from these fundamentals of Public Key Infrastructure, it is clear that its features and functions can benefit the organization and its information security department by ensuring that data sent to our customers is kept secure and protected. Aside from this, customers will also be able to tell which software belongs to our company and which does not. Therefore, confidentiality will always be maintained, and personnel within the organization do not have to worry about security whenever they need to communicate with customers or share certain programs (Braun et al., 2014).
Signing of Company Software
One way that PKI can assist in signing the company's software is through code signing. This technology applies digital certificates and PKI to sign program files so that users can tell who the publisher of a file is and verify that it is original and has not been tampered with (Trust Extension for Commodity Computers, 2012). A digital signature is created from a private key and the contents of the program file. This signature is then packaged either with the file or in an associated catalog file. Here, it is important for publishers to secure their private keys effectively against outside access.
This method is effective because customers can determine the authenticity of the product they receive. To identify the signatory of the file and check its integrity, the user combines the file, the certificate and the associated public key. The code signing process starts with the user generating a public and private key pair. Any user can create a digital certificate containing the public key on their own with the various tools available. Alternatively, the digital certificate may be obtained from a trusted certificate authority to which the public key was provided. In that case the user provides an entity name alongside other identifying information, and the CA then presents the user with a certificate signed by the certificate authority (Trust Extension for Commodity Computers, 2012).
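The following Go program is an added example, not part of the original essay or any product it cites. It walks through both the trust chain described under the fundamentals (a self-signed root CA issuing a subordinate certificate) and the code signing flow above: the publisher signs the file contents with its private key, and the customer checks the shipped certificate against the embedded root, requires the code-signing purpose, and only then verifies the signature. Key type (Ed25519), names, serial numbers and the one-day validity are constructed demo values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue has signer (the parent's private key) sign tmpl; parent == tmpl yields a self-signed cert.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err) // constructed demo with fixed templates: issuance is not expected to fail
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// Publish is the CA and publisher side: a self-signed root (the trust anchor the customer embeds), a
// publisher cert chained to it with the code-signing purpose, and a signature over the file contents.
func Publish(content []byte) (sig []byte, cert, root *x509.Certificate) {
	now := time.Now()
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root = issue(rootTmpl, rootTmpl, rootPub, rootKey)
	pubPub, pubKey, _ := ed25519.GenerateKey(rand.Reader) // publisher's key; private half never leaves here
	cert = issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Publisher"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}, root, pubPub, rootKey)
	sig = ed25519.Sign(pubKey, content)
	return sig, cert, root
}

// Verify is the customer side: chain cert to the trusted root, require code signing, then check sig.
func Verify(content, sig []byte, cert, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("publisher certificate not trusted: %w", err)
	}
	if !ed25519.Verify(cert.PublicKey.(ed25519.PublicKey), content, sig) {
		return fmt.Errorf("signature does not match file: tampered or signed with another key")
	}
	return nil
}
```

A certificate issued by a root the customer never embedded fails the first check, and a modified file fails the second, which is why both checks are needed.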
Comparison of Public and In-House Certificate Authority
Both forms of CA offer protection for documents shared over the internet. However, there are many differences between the two. With an internal CA it is easier to manage administrative tasks without depending on an external entity (In-house or out: how to start building a PKI, 2003). Unfortunately, implementing one is more complicated than simply using an external CA. Furthermore, customers may not trust a digital certificate signed by the internal CA, but they will definitely trust one signed by an external CA (In-house or out: how to start building a PKI, 2003). Since this company is focused on offering signed software to consumers, it is advantageous to use an external CA. This will help the organization's customers determine the authenticity of the software offered to them.
The use of PKI is very important in any organization that transfers data over the internet. It protects documents, provides a means of proving their authenticity, and ensures that confidential data and programs are not exposed to the outside world.