PKI (Public Key Infrastructure) is a framework that enables encryption using public keys and includes the crypto-mechanisms associated with them. The underlying purpose of any PKI setup is to manage the keys and certificates associated with it, thereby creating a highly secure network environment for use by applications and hardware. X.509 certificates and public keys form the cornerstone of PKI, acting as the mechanism through which cryptography can be established for an endpoint. Consequently, PKI may refer to any software, policy, process, or procedure that is employed while configuring and managing those certificates and keys.
In a nutshell, PKI is responsible for making online interactions more secure, and it does this by:
Establishing the identity of endpoints on a network
Encrypting the flow of data via the network’s communication channels
It does this by using public keys and private keys for encryption and decryption respectively, which are facilitated in turn by digital certificates.
In today’s hyper-connected world, the need for a robust PKI cannot be overstated, especially given the explosion in the number of devices that are capable of leveraging the internet to communicate with each other. Mobile devices, IoT-enabled hardware, and payment systems are just a few examples of infrastructures that require PKI for security; without it, they would expose themselves to cyber risk and fail the compliance standards imposed upon them by various bodies.
1.3 Where is PKI applied?
Secure Browsing (via SSL/TLS)
Securing Email (signing and encrypting messages)
File Security (via Encrypted File Systems)
…and so on.
2. The Workings of PKI
2.1 The Components of an Ideal PKI
PKI infrastructures involve the participation of some or all of the below entities:
Public and Private Keys: The single most important components of PKI, public and private keys are used to encrypt and decrypt the information transmitted over the web, ensuring that the sending and receiving parties are the only ones privy to that information. A public key is openly available online, but a message encrypted with it can only be decrypted by the receiving party that holds the corresponding private key.
Public Key Certificates: Electronically signed documents that verify ownership of a public key. They are as important as keys, as they act as proof that a key-holder is legitimate. They are issued by Certificate Authorities.
Certificate Repository: An electronic, searchable storage facility for signed certificates and the public keys that have been generated. It contains important certificate information, such as certificate validity details, revocation lists, and root certificates. It is often equipped with LDAP (Lightweight Directory Access Protocol), an online directory service where entries are classified and indexed.
Certificate Authority (CA): A trusted body which enables organizations to get themselves verified as public key holders. It does this by verifying a requesting organization and generating an electronic document called a digital certificate, which also holds the public key. It then signs the certificate with its own private key, which acts as a seal of approval showing that the certificate is trusted by the Certificate Authority.
Registration Authority (RA): Assists the PKI cycle by verifying that the body requesting a certificate is legitimate. Once the verification is complete, it allows the request to reach the CA, which uses a certificate server to execute it.
Key encryption and storage facilities: Private keys are valuable assets that can be misused if malicious actors gain access to them. Hence, they are stored in encrypted vaults with secured periodic access.
Software to manage and automate PKI operations: Since certificates act as the face of a PKI system, they have to be diligently managed; haphazard management often results in invalid certificates, which are useless as security measures. Certificate Management is a blanket domain involving practices such as issuance, revocation, renewal, and a lot more.
Now that the anatomy of PKI has been deciphered, let’s take a look at how its components can be woven together into a working cryptographic system.
Public Key Infrastructure uses Public Key Cryptography as the basis for providing encryption, with the underlying principles, procedures, and policies being part of the overlying ‘infrastructure’ that is compatible with SSL/TLS protocols. Public Key Cryptography uses asymmetric key algorithms to perform its role. According to this principle, both communicating parties establish a working relationship by verifying each other’s identities. Consider the following exchange which enables a server and a web application, for instance, a browser, to communicate with each other:
When a browser wishes to establish a secure communication channel with a web server, it requests the server to present its public key.
The server possesses an asymmetric public key, whose copy it presents to the browser.
The browser generates a ‘session key’, a symmetric key that is encrypted using the public key that the server provided. This session key is then passed to the server.
The web server, which has a unique copy of a private key, uses the private key to decrypt the session key. If it is able to do this, the browser takes it as proof that the server is safe to communicate with, and an encrypted channel is opened.
The entire exchange is facilitated by X.509 certificates (also called digital certificates or PKI certificates), since only those public keys that have been signed by a Certificate Authority and bound to a certificate are considered acceptable for use online.
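The four-step exchange above, reproduced with the OpenSSL command-line tool as an added example (not part of the original article). The key sizes, OAEP padding choice and all file names are assumptions made for the demo, and the keys are throwaway.

```shell
#!/bin/sh
# Added example: RSA transport of a session key, following the four steps above.
# Keys and file names are constructed for this demo and discarded afterwards.
set -eu

session_key_exchange() {
    d=$(mktemp -d)
    # Steps 1-2: the server owns a key pair and hands out only the public half.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/server.key" 2>/dev/null
    openssl pkey -in "$d/server.key" -pubout -out "$d/server.pub"

    # Step 3: the browser picks a random 256-bit session key and encrypts it
    # to the server's public key (OAEP padding).
    openssl rand -out "$d/session.bin" 32
    openssl pkeyutl -encrypt -pubin -inkey "$d/server.pub" \
        -pkeyopt rsa_padding_mode:oaep -in "$d/session.bin" -out "$d/session.enc"

    # Step 4: only the matching private key recovers the session key.
    openssl pkeyutl -decrypt -inkey "$d/server.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$d/session.enc" -out "$d/session.dec"
    if cmp -s "$d/session.bin" "$d/session.dec"; then server=match; else server=mismatch; fi

    # A party holding any other private key cannot decrypt the same ciphertext.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/other.key" 2>/dev/null
    if openssl pkeyutl -decrypt -inkey "$d/other.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$d/session.enc" \
        -out "$d/other.dec" 2>/dev/null; then other=decrypted; else other=rejected; fi

    rm -rf "$d"
    echo "server=$server other_key=$other"
}

session_key_exchange   # prints: server=match other_key=rejected
```

TLS 1.3 no longer transports the session key this way and uses ephemeral Diffie-Hellman instead; the example follows the steps as the page describes them.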
2.3 The Critical Role of Certificates in PKI
Certificates are the gatekeepers to ensuring that the underlying PKI works properly. We’ve covered how certificates are linked to the Public Key Cryptography process in the previous section already – now, let’s take a brief look at the anatomy of a digital certificate.
Certificate Authorities (CAs) provide much-needed trust for the entire PKI framework. Several major CAs are trusted across the globe to provide authenticity to certificates, and by extension, signed keys. A typical certificate consists of the following information:
A Distinguished Name (DN) which is simply a unique name that identifies the user who requested the certificate.
The date of issuance and the date of expiry, so as to estimate the certificate’s lifetime.
The public key.
The purpose of the certificate, which could range from signing code to encrypting communication channels.
A digital signature, which is the CA’s guarantee that the certificate is valid and belongs to the user in question.
A digital certificate, once issued, has to be diligently managed to ensure that it remains secure. An expired certificate is of no use to anyone, and neither is a compromised one. Certificate Management is a discipline that overlaps with PKI management, and has its own set of rules and protocols that have to be followed.
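The certificate contents listed above and the expiry concern in the last paragraph, shown as an added example (not part of the original article) using the OpenSSL command-line tool, version 1.1.1 or later with its default configuration file. The two demo CAs, the name `www.example.test`, the 7-day lifetime and the helper function names are all constructed for illustration.

```shell
#!/bin/sh
# Added example: a constructed demo CA issues a certificate; a relying party checks it.
set -eu

# Create two self-signed demo CAs (root, other) and one root-signed leaf in $1.
make_demo_pki() {
    d=$1
    for ca in root other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/O=Demo/CN=Demo $ca CA" \
            -keyout "$d/$ca.key" -out "$d/$ca.crt" 2>/dev/null
    done
    # Requester: key pair plus a signing request carrying its Distinguished Name.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example Org/CN=www.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    # The CA fixes the certificate's purpose at signing time via extensions.
    printf '%s\n' 'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' > "$d/leaf.ext"
    # The CA signature binds DN, public key, validity (7 days) and purpose.
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 7 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
}

# Print DN, issuer, validity dates and purpose of certificate $1.
show_fields() {
    openssl x509 -in "$1" -noout -subject -issuer -dates \
        -ext keyUsage,extendedKeyUsage
}

# Verdict for certificate $2 against trust anchor $1, warning $3 days before expiry.
cert_verdict() {
    if ! openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo untrusted   # does not chain to this CA, or is already expired
    elif ! openssl x509 -in "$2" -noout -checkend $(( $3 * 86400 )) >/dev/null; then
        echo expiring    # valid today, but inside the renewal window
    else
        echo ok
    fi
}

dir=$(mktemp -d)
make_demo_pki "$dir"
show_fields "$dir/leaf.crt"
cert_verdict "$dir/root.crt"  "$dir/leaf.crt" 3    # ok
cert_verdict "$dir/root.crt"  "$dir/leaf.crt" 14   # expiring
cert_verdict "$dir/other.crt" "$dir/leaf.crt" 3    # untrusted
rm -rf "$dir"
```

Running `cert_verdict` on a schedule against deployed certificates, with the warning window set to the renewal lead time, catches certificates before they lapse.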