Public Key Infrastructure

Public Key Infrastructure (PKI) is a widely accepted IT security framework based on 'Public Key Cryptography'. The Hong Kong Government has laid a solid foundation for deployment of PKI through the enactment of the Electronic Transactions Ordinance and the establishment of a public Certification Authority (CA) through the Hongkong Post.

Public Key Infrastructure Technology

PKI provides a management framework for deploying public key cryptography. Public key cryptography processes data with a pair of keys: two distinct but mathematically related values. Data encrypted with one key of the pair can be decrypted only with the other key of the same pair.

One of the keys in the pair is kept by the owner of the certificate (as a personal secret), and is therefore called a 'private key'. The other key is publicly available, and hence called a 'public key'.

Encryption is the means by which the PKI ensures confidentiality. For instance, the privacy of messages sent via email can be protected by encryption with a recipient's public key. Since only the recipient's private key can decrypt the encrypted message, this is an assurance that nobody other than the intended recipient can read the message.

Figure: Encryption/Decryption

A digital signature is another means to ensure integrity, authenticity and non-repudiation. A digital signature is produced by applying a mathematical function (a hash function) to compute the message digest of an electronic message or document, and then encrypting that digest with the signer's private key. Recipients verify the digital signature using the sender's public key.

Figure: Digital signature

Taking email as an example: if a digitally signed email has not been tampered with during transmission, the recipient's verification of the digital signature will succeed (integrity). Since the sender is the only person with access to the corresponding private key, a valid signature assures the recipient that the email indeed came from the sender (authenticity), and the sender cannot deny having created and signed it (non-repudiation).

Certification Authorities and Digital Certificates

The effective operation of PKI very much depends on the support of a CA. The main role of a CA is to act as a trusted third party to verify the identity of digital certificate subscribers.

Hongkong Post is the first publicly recognised CA under the Electronic Transactions Ordinance ("ETO") (Cap. 553). Any organisation or member of the public in Hong Kong can buy digital certificates from Hongkong Post, which issues different types of digital certificate such as e-Certs, Bank-Certs and Mobile e-Certs. There are also a number of other recognised CAs under the Electronic Transactions Ordinance.