What Does PKI Mean to Life Sciences?
What is PKI?
Public Key Infrastructures (PKI) work to enable protection. A PKI is simply a system that facilitates the distribution and trust of public keys, providing security to a range of applications that can be unrelated.
Businesses have requirements for protecting the exchange of information that go beyond what can be physically provided. In the virtual world, these requirements comprise, ensuring the
- Integrity (e.g., An email was not modified in the process of sending),
- Nonrepudiation (e.g., Email sender verification and/or user authentication), and
- Confidentiality (e.g., Email privacy without intrusions) of that information.
Public-key cryptography (a.k.a. asymmetric cryptography) allows businesses to quickly and easily achieve each of these three requirements. Setting the mathematical principles behind the technology aside, the main takeaway can be boiled down to three fundamental components:
- Each participant (sender/recipient) in the exchange of information possesses a closely-guarded “private” key, while freely distributing its related “public” key to the world.
- Information “signed” using a sender’s private key can be “verified” by any recipient in the world using the sender’s corresponding public key, thus ensuring the integrity and nonrepudiation of that information.
- Information “encrypted” by any sender in the world with a recipient’s public key can only be “decrypted” by the recipient who holds the corresponding private key, thus ensuring the confidentiality of that information.
To truly enable trust and security, public key exchanges have to be controlled. The most effective way to control this exchange is through digital certificate authentication and key encryption.
A digital certificate is simply the bundling of a participant’s public key with other identifying data (e.g., name, company, email address, etc.) about that participant. At the core of a PKI is the Certificate Authority (CA), which “issues” the digital certificates to its subscribers. In essence, the CA “signs” subscribers’ digital certificates, ensuring their integrity and nonrepudiation.
Using certificates for the exchange of information helps participants verify that the keys used to sign, verify, encrypt, and decrypt belong to trusted parties. Digital certificates can be used by their holders for authentication, applying digital signatures, and encryption.
PKI provides an increased level of identity assurance, above username and password only authentication—for example – Anyone’s password can be compromised by an attacker, but that same attacker has a much harder time compromising a private key, especially if that private key is held on a secure hardware token. And if a CA requires that subscribers undergo identity verification before receiving digital certificates, every time a subscriber uses his or her digital certificate, the relying party (e.g. a co-worker, or a business entity) can be assured that the subscriber is the holder of the credential, just as if they had verified his or her ID themselves.
PKI can be used in secure e-mail, instant messaging, website server identification, website client authentication, application interface authentication, electronic document processing, smartcard authentication, physical access, IPSec and VPN authentication, as well as encrypted file systems.
Most importantly, many government agencies including the US Department of Defense (DOD), Food and Drug Administration (FDA), and European Medicines Agency (EMA) recommend or require the use of PKI to secure the exchange of information by supporting digital certificate-based authentication to websites or digital certificate-based signing of forms submitted electronically.
PKI provides a simple methodology to comply with government protocols.
Given the benefits of how PKI can help secure exchanges of proprietary information, check out Exostar’s Managed PKI solutions. Exostar’s trusted PKIs have issued digital certificates to over 30,000 subscribers worldwide, seamlessly integrating across global enterprises and industries using existing secure infrastructure for quick and low-cost implementation.