




Is Public Key Infrastructure (PKI) already history?

PKI went through a frenzy in 1999, but the market has picked up more slowly than expected since then, and a number of reports have painted it in a negative light. How accurate and reliable are those arguments? Is PKI really history? One thing is certain: any organization that conducts business online is exposed to risks such as fraudulent impersonation, unauthorized access and data compromise. Strong authentication is an essential control against those risks, and PKI is the established way to provide it at scale; no other single technology fully substitutes for it.

Although the benefits of PKI are clear, the lukewarm acceptance is understandable. To most organizations, implementing PKI looks like a costly investment with tedious ongoing maintenance. IT resources have to be allocated to design the deployment around the organization's security requirements, and after roll-out the administrators must manage the generation and distribution of digital certificates and keep the Certificate Revocation List (CRL) current, since a relying party that does not see a fresh CRL will keep trusting a certificate whose key has been lost or whose holder has left. These obstacles should not spell the demise of PKI. In practice, implementing PKI is not the tedious process it is made out to be: if you have done your homework, that is, understood what the PKI components do and checked that they match your organization's security requirements before the actual implementation, it is not as complicated as it appears. In any case, no security deployment should be taken lightly, however easy to use and manage it claims to be.

If you are still not convinced, think again. Online communication and transactions offer great convenience to consumers and businesses alike, but they are exposed to sabotage, theft, fraud and the loss of data confidentiality, integrity and privacy. Data stored on a network, or transmitted from one user to another over it, is susceptible to unauthorized access and compromise. A breach tarnishes your business reputation; consumers lose confidence in doing business with you online, and revenue goes with them. Internal workflow and communications are disrupted by the loss of proprietary information such as intellectual property, and with it may go your competitive advantage, goodwill and trust. In the end you suffer substantial financial losses: according to the 2002 CSI/FBI Computer Crime and Security Survey, each affected company lost an average of US$2,044,161 per year as a consequence of security breaches.

That is too high a stake for any organization with online business initiatives. Such companies need to build a trusted and reliable security infrastructure, and since there is no real substitute for PKI, a solid PKI deployment is the measure that addresses the trust issues inherent in an online business model. PKI is built on public key cryptography, in which every entity in the system holds a key pair: a private key that only the entity knows, and a matching public key that a Certificate Authority (CA) binds to the entity's name by signing a digital certificate. Anyone who trusts the CA can therefore check an identity without first sharing a secret with it, and can protect data sent to that identity over an unprotected network.

In terms of financial returns, PKI is not the costly investment it appears to be. Its strength is that one infrastructure serves many applications: the same CA, certificates and revocation service can secure email, online transactions, desktop documents, document exchange, hard disk encryption and VPN (Virtual Private Network) access. It scales from one application to hundreds, and future applications can be added without modifying the basic structure of the PKI, which protects the initial investment and improves the return on investment (ROI) over time. Weigh the benefits of mitigating security risks and avoiding large losses against the implementation cost, and the benefits outweigh the cost significantly.

Recently there have been signs that more and more enterprises are taking a closer look at PKI. As e-commerce proliferates, user authentication and identification have become the most critical online business considerations, and they are what drive companies towards PKI. Consider a B2B (business-to-business) transaction: Company A wants to be sure it is dealing with a trustworthy online company before placing a US$100,000 order. The last thing Company A wants is to commit an order to a fraudulent impersonator and lose US$100,000 on a fabricated sales order. To be sure the order is genuine, Company A needs a way to verify the identity of the online company it is dealing with. PKI provides exactly that: the company presents a certificate issued by a CA that Company A trusts, and proves possession of the matching private key with a digital signature, so Company A can check that the counterparty is who it claims to be rather than someone who merely knows the name.

Digital signatures also provide non-repudiation. In the example above, the online company can be confident that Company A cannot later deny the order it committed. Under public key cryptography the private key is held only by its owner, and a signature made with it can be verified by anyone holding the owner's certificate but forged by no one else. The order is therefore binding once Company A signs it: the signed order itself, verifiable against Company A's CA-issued certificate, is the proof of the purchase. This assurance holds only as long as the private key stays under Company A's exclusive control and the certificate was valid at the time of signing, which is why key protection (for instance on a smart card) and a trustworthy record of the signing time matter as much as the mathematics.

A concern may surface at this point: are electronic signatures legally recognized? The US E-SIGN Act of 2000 and the EU Electronic Signatures Directive (1999/93/EC), which member states had to transpose into national law by 2001, affirm the legal validity and credibility of digital signatures. Such legislative support also signals recognition of the need for the capability.

Data confidentiality is another important consideration in any electronic transaction. Sensitive data such as intellectual property, business plans and customer contacts, whether in transit over the network or stored on an application server, has to be safeguarded from prying eyes, and the technique for that is encryption. In practice the two families of cryptography are combined: the data itself is encrypted with a fast symmetric cipher under a random session key, and that session key is encrypted with the recipient's public key taken from their certificate, so only the holder of the matching private key can recover it. PKI supplies the piece the symmetric cipher cannot, a trustworthy way to find the right public key for a given recipient, which is why it is the natural foundation for enterprise-wide encryption.
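The hybrid scheme just described, as an added example written for this page (it is not SecureAge code and does not use SA PKI): the sender encrypts a constructed business plan with AES-256 under a fresh session key, wraps that key with the recipient's RSA public key taken from their certificate, and only the recipient's private key can unwrap it. The names (Company B, other.key), the self-signed recipient certificate and the sample document are assumptions for the demo; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example: hybrid encryption of a document for one certificate holder.
# Symmetric cipher (AES-256-CBC) for the data, RSA-OAEP for the session key.
set -u

WORK2=$(mktemp -d)

# Constructed sample document for the demo.
printf 'Business plan FY2003: enter the Asian market in Q3\n' > "$WORK2/plan.txt"

# Recipient key pair plus a self-signed certificate (assumption: in a real
# deployment the certificate would be issued by the corporate CA).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 90 \
  -subj "/CN=Company B finance" -keyout "$WORK2/b.key" -out "$WORK2/b.pem" 2>/dev/null
# An unrelated party who has a key pair of their own but is not the recipient.
openssl genrsa -out "$WORK2/other.key" 2048 2>/dev/null

# encrypt_for CERT PLAINTEXT OUTDIR
# Writes OUTDIR/body.enc (AES-encrypted data) and OUTDIR/session.wrapped
# (the session key encrypted with the public key found in CERT).
encrypt_for() {
  cert=$1; plain=$2; out=$3
  openssl rand -hex 32 > "$out/session.key"            # fresh 256-bit key, used once
  openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$out/session.key" \
    -in "$plain" -out "$out/body.enc"
  openssl x509 -in "$cert" -pubkey -noout > "$out/recipient.pub"
  openssl pkeyutl -encrypt -pubin -inkey "$out/recipient.pub" \
    -pkeyopt rsa_padding_mode:oaep -in "$out/session.key" -out "$out/session.wrapped"
  rm "$out/session.key"                                  # sender keeps only the wrapped copy
}

# decrypt_with KEY INDIR OUTFILE
# Returns 0 and writes the plaintext only if KEY unwraps the session key.
decrypt_with() {
  key=$1; indir=$2; outf=$3
  openssl pkeyutl -decrypt -inkey "$key" -pkeyopt rsa_padding_mode:oaep \
    -in "$indir/session.wrapped" -out "$indir/session.recovered" 2>/dev/null &&
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$indir/session.recovered" \
    -in "$indir/body.enc" -out "$outf" 2>/dev/null
}

encrypt_for "$WORK2/b.pem" "$WORK2/plan.txt" "$WORK2"

if decrypt_with "$WORK2/b.key" "$WORK2" "$WORK2/plan.dec" &&
   cmp -s "$WORK2/plan.txt" "$WORK2/plan.dec"; then
  echo "recipient: session key unwrapped, document decrypted and matches the original"
fi
if ! decrypt_with "$WORK2/other.key" "$WORK2" "$WORK2/plan.other"; then
  echo "third party: cannot unwrap the session key, document stays confidential"
fi
```

The session key never travels in the clear and is different for every document; what the PKI contributes is the certificate from which the sender takes the recipient's public key, so the sender needs no prior shared secret with Company B.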

Data integrity is also a critical online business need. Imagine the consequences when the content of a sales quotation is tampered with while it is being transmitted to the recipient: how do you ensure that a quotation of US$100,000 is not altered to US$10,000 in transit? A digital signature gives that assurance. The sender signs a hash of the quotation with their private key; the recipient recomputes the hash and verifies the signature with the sender's public key, so any change to a single character between the point the quotation left the sender and the point it arrived makes the verification fail. Without that check you would be bound to a quotation that lost US$90,000 to tampering. A signature made with a CA-certified key also tells the recipient who made it, which a shared-secret checksum cannot do.
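The Company A order from the B2B example above, carried through as an added example for this page (not SecureAge code and not SA PKI): a demo CA issues a certificate to Company A, Company A signs a constructed purchase order, and the supplier verifies first that the certificate chains to the trusted CA (rejecting an impersonator's self-signed certificate with the same name) and then that the signature matches the order, which fails as soon as the amount is changed. The CA and company names, the order text and the use of SHA-256 with RSA are assumptions for the demo; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example: identity via a CA-issued certificate, non-repudiation and
# integrity via a digital signature over a purchase order.
set -u

WORK=$(mktemp -d)

# Constructed sample order (not a real transaction).
printf 'Purchase order 4711: 200 units, total US$100,000\n' > "$WORK/order.txt"

# 1. Root CA that both trading partners trust (assumed name).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=Demo Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. Company A generates its own key pair and a request; the CA signs the
#    certificate after vetting Company A's identity (the vetting is out of band).
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/O=Company A/CN=Company A purchasing" \
  -keyout "$WORK/a.key" -out "$WORK/a.csr" 2>/dev/null
openssl x509 -req -sha256 -days 90 -in "$WORK/a.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/a.pem" 2>/dev/null

# 3. An impersonator with the same name but no CA behind it: self-signed only.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 90 \
  -subj "/O=Company A/CN=Company A purchasing" \
  -keyout "$WORK/fake.key" -out "$WORK/fake.pem" 2>/dev/null

# cert_trusted CERT: 0 if CERT chains to the trusted CA, i.e. the name in it
# was vouched for by the CA and not merely typed in by the holder.
cert_trusted() {
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

# sign_order KEY FILE SIG: SHA-256 hash of FILE signed with the private key.
sign_order() {
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_order CERT FILE SIG: 0 only if SIG was made over exactly FILE by the
# private key matching the public key in CERT.
verify_order() {
  openssl x509 -in "$1" -pubkey -noout > "$WORK/signer.pub" 2>/dev/null &&
  openssl dgst -sha256 -verify "$WORK/signer.pub" -signature "$3" "$2" >/dev/null 2>&1
}

sign_order "$WORK/a.key" "$WORK/order.txt" "$WORK/order.sig"

# The order as it would arrive after tampering in transit: amount changed.
sed 's/100,000/10,000/' "$WORK/order.txt" > "$WORK/order_tampered.txt"

cert_trusted "$WORK/a.pem"      && echo "Company A certificate: issued by the trusted CA"
cert_trusted "$WORK/fake.pem"   || echo "impersonator certificate: rejected, no trusted issuer"
verify_order "$WORK/a.pem" "$WORK/order.txt" "$WORK/order.sig" \
  && echo "order: signature verifies, Company A cannot later deny it"
verify_order "$WORK/a.pem" "$WORK/order_tampered.txt" "$WORK/order.sig" \
  || echo "tampered order: signature fails, alteration detected"
```

The supplier keeps order.txt, order.sig and a.pem together; that bundle, not a receipt, is what establishes the purchase later. Note that a signature from fake.key would also "verify" against fake.pem, which is why the chain check comes first and why a trusted CA is needed at all.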

Access control is another vital factor. Access control defines each user's right to the sensitive data stored on the network; for example, nobody outside the Human Resources Department may read employee payroll information. In a PKI the digital certificate is the reliable identity on which access decisions rest: a user proves possession of the certificate's private key, and the application or gateway maps the identity in the certificate (its subject name, organizational unit or group) to the access privileges the administrators have defined before allowing the user to view the data. The certificate authenticates; the access policy, which stays under the administrators' control, authorizes.

But that is not all. An increasing number of organizations deploy VPNs so that mobile employees can reach the corporate network anytime and anywhere. Widespread VPN deployment needs the central PKI component, the Certificate Authority (CA), to keep unauthorized users out: the CA issues a certificate to each remote user after verifying their identity, and the VPN gateway admits a connection only after checking that the presented certificate chains to the CA, has not expired or been revoked, and that the client holds the private key behind it.
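The gateway-side checks described in the last two paragraphs (trusted issuer, not revoked, identity mapped to an access policy), as an added example written for this page (not SecureAge code and not SA PKI): a demo corporate CA run with the openssl ca tool issues certificates to three employees, revokes one who has left and publishes a CRL, and a gateway_allows function then decides who may reach the payroll system or the intranet. The CA configuration, the employee names, the organizational units and the policy that only OU "Human Resources" may reach payroll are assumptions for the demo; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example: certificate chain check, CRL check and OU-based authorization
# as a VPN gateway would perform them on a client certificate.
set -u

WORK3=$(mktemp -d)
cd "$WORK3"

# Minimal 'openssl ca' database and configuration (constructed for the demo).
: > index.txt
echo 01 > serial
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.pem
private_key = $dir/ca.key
serial = $dir/serial
default_md = sha256
default_crl_days = 7
policy = demo_policy
[ demo_policy ]
organizationalUnitName = optional
commonName = supplied
EOF

openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=Demo Corporate CA" -keyout ca.key -out ca.pem 2>/dev/null

# issue NAME OU: the CA issues NAME.pem for an employee in department OU
# (identity vetting happens before this step and is out of band).
issue() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/OU=$2/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl ca -config ca.cnf -batch -notext -days 30 -in "$1.csr" -out "$1.pem" >/dev/null 2>&1
}

issue alice "Human Resources"
issue bob   "Sales"
issue carol "Human Resources"

# Carol leaves the company: her certificate is revoked and a fresh CRL published.
openssl ca -config ca.cnf -revoke carol.pem >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1

# gateway_allows CERT RESOURCE: 0 if the certificate holder may reach RESOURCE.
gateway_allows() {
  cert=$1; resource=$2
  # Authentication: issuer must be the trusted CA and the serial must not be on
  # the current CRL (an expired certificate fails here as well).
  openssl verify -crl_check -CAfile ca.pem -CRLfile ca.crl "$cert" >/dev/null 2>&1 || return 1
  # Authorization: the certificate only asserts identity; the mapping from
  # department (OU) to resource is the gateway's own policy.
  ou=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*OU=\([^,]*\).*/\1/p')
  case "$resource" in
    payroll)  [ "$ou" = "Human Resources" ] ;;
    intranet) [ -n "$ou" ] ;;          # any valid employee certificate
    *)        return 1 ;;              # unknown resource: deny by default
  esac
}

gateway_allows alice.pem payroll  && echo "alice (HR): payroll allowed"
gateway_allows bob.pem   intranet && echo "bob (Sales): intranet allowed"
gateway_allows bob.pem   payroll  || echo "bob (Sales): payroll denied"
gateway_allows carol.pem intranet || echo "carol (revoked): denied everything"
```

The point of the CRL step is the one raised earlier about maintenance: the gateway only refuses Carol because it was given the CRL published after her revocation. A gateway that keeps using a stale CRL, or none, would let a revoked certificate in until it expires.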

Evidently, the pressure to increase revenue, reduce risk and cut cost has propelled more and more enterprises to conduct electronic business in a trusted fashion. To date PKI, with no real substitute, is the solution that focuses on the trust issues inherent in the online business model. Built on well-studied cryptographic techniques, it provides a comprehensive security infrastructure that addresses today's business concerns over authentication, data confidentiality and integrity, and non-repudiation. More organizations with online business initiatives are therefore beginning to re-examine PKI. If you are one of them, you may consider SecureAge Technology's SA PKI, which operates a CA that issues digital certificates for identification, access control and authorization and supports the validation of digital signatures made with those certificates. For more information, please visit our website at or email your enquiries to

Copyright © 2016 SecureAge Technology. All Rights Reserved.