What’s better: having a lock on your door, or having a lock on your door AND a guy standing there making sure it’s you unlocking the door?
Obviously, the more security you have the better, which is why more Government eCommerce systems are moving towards PKI. So, what does PKI mean? The acronym stands for Public Key Infrastructure and it refers to the use of hardware and software-based “keys”, or certificates, to verify a user’s identity and credentials online.
In order to get a key/certificate, you need to contact a Certificate Authority (CA). There are several CAs available, but the Defense Logistics Agency only recognizes Verisign, Identrust, and ORC as approved CAs on DOD EMALL. And when it comes to establishing user identity, CAs don’t take the process lightly. Getting a certificate issued generally requires paperwork, several forms of identification, a notary signature, and on occasion, an in-person visit.
After your identity is verified, the certificate is issued in one of two ways:
1) A software-based certificate installed directly to the user’s computer.
2) A portable, hardware-based certificate that the user physically carries with them (often in the form of a smart card or USB stick).
Use of the certificate is also protected by a user-associated PIN. This is called two-factor authentication, and is why PKI is significantly more secure than the traditional username/password model. It’s more than just what you know (i.e., a password); it’s what you have (the certificate) and what you know (the PIN).
So, now that you have a certificate, what can you do?
Some sites, such as the DOD EMALL, require users to present a certificate to access and use the site. Additionally, certificates enable users to send digitally-signed emails that provide proof of data integrity and origin, while also enabling receipt of encrypted email.
Users can also restrict access to their computers and other devices by requiring a PKI certificate.
So what happens if you lose your certificate? That’s where the CA comes back in. When a certificate is reported lost or compromised, the CA revokes it, and CAs maintain Certificate Revocation Lists (CRLs) that track the revocation status of all the certificates they have issued. So every time a hardware or software-based certificate is presented, its status is validated against the issuing CA’s CRL. This prevents lost or compromised certificates from being used for unauthorized access. Just like changing the lock on your door.
Makes you wish more things used two-factor authentication, right?