This paper examines Public Key Infrastructure (PKI) as a framework for securing email communications in business environments. It explains the core components of PKI — including digital certificates, certificate authorities (CAs), public and private keys, and digital signatures — and describes how each contributes to authentication and data integrity. The paper also evaluates the practical decision companies face when choosing between hosting an in-house CA versus outsourcing to a public CA, weighing factors such as cost, control, liability, and operational capacity. The author ultimately recommends outsourcing to a trusted public CA as the more cost-efficient solution for most organizations.
Email communication has increased sharply in recent years and continues to grow. It is hard to find a company that does not use email to run its business processes, both internally and with external partners and clients. For this reason, the security of a company's network infrastructure and the confidentiality of its data should be a priority. The use of Public Key Infrastructure (PKI) can significantly reduce the risk to both. PKI can be defined as the use of a public and private key pair for authentication and proof of content (H. Johner, 2010).
PKI combines hardware, software, policies, and procedures to deliver strict security regulation. The credential issued under a PKI is commonly referred to as a certificate and functions as a form of digital identification. It provides assurance regarding the quality of information sent and received electronically, as well as the identity of the source and destination. Information secured with a PKI certificate can even be used as evidence in legal proceedings (IQ Suite, 2009).
There are several components of PKI used to maintain high security for emails and other data within a company. These include encryption, digital signatures, public keys, private keys, digital certificates, certificate authorities, certificate revocation, and secure storage. Together, these elements protect the content of data and information being transmitted (IQ Suite, 2009).
A digital certificate is an attachment to an electronic message used for security purposes. It is most commonly used to verify that the person sending a message is who they claim to be, and to provide the recipient with the means to send an encrypted reply. An individual wishing to send an encrypted message applies for a digital certificate from a Certificate Authority (CA).
The CA issues a signed digital certificate containing the applicant's public key along with a variety of other identification information. The CA makes its own public key readily available, through print publications or on the Internet. The recipient of an encrypted message uses the CA's public key to verify the signature on the digital certificate attached to the message, confirms that it was issued by the CA, and then retrieves the sender's public key and identification information held within the certificate. With this information, the recipient can send an encrypted reply (Adonis, 2005).
A digital certificate is composed of the sender's public key, the sender's name, the expiration date of the sender's key, the name of the certificate issuer, the serial number of the certificate, and the digital signature of the issuer. This structure binds the sender's identity to the public key, so that information encrypted to that key cannot be read by any unauthorized party (R. Kohlas, 2009).
A certificate authority (CA) is an authority within a network that issues and manages security credentials and public keys for message encryption. As part of a PKI framework, a CA works with a registration authority (RA) to verify information provided by the requestor of a digital certificate. If the RA verifies the requestor's information, the CA can then issue a certificate, which the holder uses to exchange secured information or email (A. Herzberg, 2010).
Depending on the PKI implementation, the certificate typically includes the owner's public key, the expiration date of the certificate, the owner's name, and other information about the public key owner. This allows the recipient to quickly and easily identify the sender upon receiving an email (Adonis, 2005).
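The certificate fields and the recipient-side checks described above, as an added example that is not part of the paper: a toy certificate is issued by a constructed "Example CA", and the recipient checks the issuer name, the CA's signature and the expiry date before trusting the public key inside it. Textbook RSA with fixed small primes is used so it runs on the standard library alone; the names, serial and dates are constructed.

```python
# Added example, not the paper's code: toy RSA with fixed small primes, standard library only.
import hashlib
import json

def make_keypair(p, q, e=65537):
    """Textbook RSA from two constructed primes: returns ((e, n), d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), pow(e, -1, phi)

def digest_mod(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def tbs_bytes(cert: dict) -> bytes:
    """Canonical encoding of every field except the issuer's signature."""
    return json.dumps({k: v for k, v in cert.items() if k != "signature"},
                      sort_keys=True).encode()

def issue_certificate(ca_name, ca_priv, ca_n, subject, subject_pub, serial, not_after):
    """CA side: bind the subject's name and public key, then sign all the fields."""
    cert = {"subject": subject, "subject_public_key": list(subject_pub),
            "not_after": not_after, "issuer": ca_name, "serial": serial}
    cert["signature"] = pow(digest_mod(tbs_bytes(cert), ca_n), ca_priv, ca_n)
    return cert

def verify_certificate(cert, trusted_ca_name, ca_pub, today):
    """Recipient side: trusted issuer, valid CA signature, not expired -> subject key."""
    e, n = ca_pub
    if cert["issuer"] != trusted_ca_name:
        return None
    if pow(cert["signature"], e, n) != digest_mod(tbs_bytes(cert), n):
        return None  # any altered field (name, key, expiry, serial) fails here
    if today > cert["not_after"]:  # ISO dates compare correctly as strings
        return None
    return tuple(cert["subject_public_key"])

def encrypt_to(pub, msg: bytes) -> int:
    e, n = pub
    m = int.from_bytes(msg, "big")
    assert m < n, "toy modulus: message must be shorter than the key"
    return pow(m, e, n)

def decrypt_with(priv, n, c: int) -> bytes:
    m = pow(c, priv, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

# Constructed keys: Mersenne primes chosen only so the demo is reproducible.
CA_PUB, CA_PRIV = make_keypair(2**61 - 1, 2**31 - 1)
ALICE_PUB, ALICE_PRIV = make_keypair(2**89 - 1, 2**19 - 1)
ALICE_CERT = issue_certificate("Example CA", CA_PRIV, CA_PUB[1], "alice@example.com",
                               ALICE_PUB, serial=1001, not_after="2030-12-31")
```

A recipient who trusts "Example CA" calls `verify_certificate` on ALICE_CERT, and only the key it returns is used with `encrypt_to` for the reply; a certificate with any field changed, or one past its expiry, yields no key at all.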