Public Key Infrastructure (PKI) allows users of public networks like the Internet to exchange private data securely. PKI is essentially a set of hardware, software, policies, personnel and procedures needed to create, manage, distribute, use, store and revoke digital certificates. The PKI is one of the core services being offered by the Department of Information and Communications Technology (DICT) that will foster trust in the government by ensuring secure and reliable online transactions.
All government online applications stand to benefit from the use of the PKI, ultimately improving the delivery of government services to citizens. At the heart of the PKI is the concept of digital certificates. These certificates are very small files that can be stored on your computer, an ordinary flash drive or USB token. Through the use of certificates issued and digitally signed by a Certificate Authority (CA), the PKI authenticates the data source and ensures data had not been tampered with in transit. PKI can also be used to encrypt data such as email or online transactions.
If your agency uses email communication or has online transactions with other agencies or the public, or if your agency plans to do so, then you need PKI. Among the applications that use PKI are:
- Document Signing Applications, e.g. Adobe Reader, Foxit Reader, etc.
- Email Applications, e.g. Outlook, Thunderbird, etc.
Some applications, such as email, are fairly easy to configure and integrate with PKI. These applications only require the users to register and receive their digital certificates. More complicated applications, such as those used for online transactions, would require extended development time. Eventually, digital certificates will be issued to private individuals to facilitate transactions with government as well as to secure their personal electronic communication. Wouldn’t it be nice if we can file our income tax returns online, bid on government procurement proceedings, apply for loans, and pay our taxes in the convenience of our home, knowing full well that our transactions are secure and tamper-proof? All these applications require the PKI, and it is only a matter of time before they become a reality.
- Certificate Authority & Registration Authority services
These include processing of applications, issuance of digital certificates, and provision of technical support and assistance
- Validation Authority service
This is used by applications to check validity of certificates via Online Certificate Status Protocol (OCSP)/Certificate Revocation List (CRL)
- Timestamping service
This is used by applications to connect to an authoritative time source for the embedded timestamp in a digitally-signed document
WHO CAN AVAIL
- Government agencies and personnel
- Private individuals
- Government computers, servers and machines
- Vastly improves verifiable identification of an individual or entity
Passwords are often, if not exclusively, used to authorize access to computer systems and applications. A password, even one with a 10-character length, only provides 80-bits of security, and inconvenient discipline must be imposed on users so the passwords they create are not easily breached. A Digital Certificate issued by the PKI will have at a minimum of 2048-bit system generated key to further ensure user identity. This is actually an oversimplified comparison since the complex computations add significant obstacles to those that would compromise a Digital Certificate.
- Digital Certificates imbue on to data sufficient integrity for acceptance as evidence in a court of law
The Philippines, United States, Canada, Korea, Singapore and Malaysia already have laws which provide the legal framework for formally recognizing digitally signed data as proper evidence for courts.
This allows a document in digital form to be signed as if it were a paper document. Moreover, the “signing” also makes the document tamper-proof since the smallest change (1-bit) will be detected upon verification.
- Provides significant protection against unauthorized access of common communications
The government already relies on Information and Communications Technology (ICT) and this is increasing. ICT, however, cannot be secured by traditional methods because of their very nature. Encryption methods being used are not regulated. Moreover, the use of ICT by criminals and enemies of the state requires that legitimate users employ similar, if not better, technologies to keep ahead. To put the PKI’s 4096-bit capability into perspective, Wi-Fi at most can use a 14-character or 96-bit “password” by which to encrypt traffic.