WHAT IS PKI?
Public Key Infrastructure or PKI is an architecture that facilitates secure data transfer over insecure networks such as the Internet. PKI provides technologies and techniques designed to create a more secure data infrastructure. This infrastructure uses what is called a public and a private key pair, sometimes referred to as Digital ID's or Digital Certificates, to verify the identity of an individual. Identity verification is provided through the process of digitally signing documents, files, or email messages. Public and private key pairs may also be used to enhance privacy through a process called encryption. These capabilities are delivered using a mathematical technique called public key cryptography that uses a pair of related cryptographic keys to verify the identity of an individual and/or to ensure privacy. Public and private keys also usually contain a reference to a third resource called a Certificate Authority. The Certificate Authority's responsibility is to serve as a third and higher level authority that maintains the integrity of the keys assigned and distributed, and to verify that an individual is who they say they are. The Certificate Authority also stores and maintains key pairs information, and provides other services such as revoking or reissuing public and private keys.
HOW DOES PKI WORK?
Public-key cryptography uses a pair of mathematically related cryptographic keys. When one key is used to encrypt information for example, then only the related key can decrypt that information. Additionally, knowing the contents of one of the keys does not provide a means to easily determine the content of the other key. A public key is freely distributed and can be referenced by other users. The corresponding private key is kept secret and is not shared with others. The private key enables one to prove that they are who they claim to be. The next sections provide a simple example of how these keys are used in practice.
Basic Encryption Process using a Public Key
When someone wants to send you confidential information, that person uses your public key to encrypt the information. You provide your public key to the sender, or it can be retrieved from a directory where it is stored.
Basic Encryption Process using a Private Key
The data that has been encrypted using your public key, when received, can in turn be decrypted using your corresponding private key. If the private key is able to decrypt the data sent, then you can be certain that the data is intact and has not been modified or viewed by others.
Behind the Scenes
Usually, data is actually encrypted using a secret key algorithm that is much faster than the asymmetric cryptography used by the public and private keys of the user. A random session key is generated using a symmetric algorithm to encrypt the data and the public key is then used to encrypt that key and both are sent securely to the recipient. Additionally, the private key will actually decrypt the session key and the decrypted session key is used to decrypt the actual data sent rather than having the private key decrypting the whole data at once. This is thus more secure as the session key is randomly generated and has to be decrypted first in order to proceed to the next process of decrypting the data.
This process gets further complicated if an email message for example, is encrypted for a specific recipient's viewing only, and the message is also signed to prove a sender's identity. In this case, the keys of both the sender and the recipient are used within the secret key identity algorithm. This process will ensure that only the recipient can view the contents of a message, while also providing the recipient assurance that the sender is verified and the message content has not been modified.
WHY USE PKI?
A PKI infrastructure provides the following benefits:
- Assurance of the quality of information sent and received electronically
- Assurance of the source and destination of that information
- Assurance of the privacy of that information
- Assurance of the integrity of that information
- Confidence that information may be used as evidence in a court of law when a valid Certificate Authority is used