PKI is universal and can work across multiple systems and vendors. It is a framework and not an implementation. PKI is an approach to prevent alteration (man-in-the-middle attack) of public keys in untrusted networks like the internet. The framework enables secure public-key (asymmetric) encryption. PKI provides confidentiality and authentication.
  • Confidentiality: encrypts data transmissions and allows secure communication in an insecure network
  • Authentication: confirms the owner of the keys by using digital certificates (signatures)

Confidentiality - Keys

Public-key encryption is also known as asymmetric cryptography. A private and a public key are created at the same time. The generation of such keys depends on cryptographic algorithms based on mathematical problems to produce one-way functions. Security only requires keeping the private key private; the public key can be openly distributed without compromising security. Any person can encrypt a message using the receiver’s public key, but that encrypted message can only be decrypted with the receiver’s private key. Public-key cryptography is a fundamental security component of modern applications and protocols, assuring the confidentiality, non-repudiation (undeniability) and authenticity of electronic communications and data storage.

Authentication - Trust

Trust in the public keys can be gained by multiple approaches: certificate authorities (CA), web of trust (WoT), simple public key infrastructure (SPKI) and the emerging blockchain-based PKI (BPKI).

Let’s look at the CA approach. The primary role of the CA is to bind a given public key to the identity of the respective entity (like a person or an organization). The binding is established through a process of registration (handled by the registration authority, RA) and issuance of a certificate. Depending on the assurance level of the binding, the verification may be carried out by an automated process or under human supervision.
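The binding described above, as an added example that is not part of the original article: a CA signs the pair (identity, public key), and a relying party that trusts only the CA's public key detects a substituted key. It uses textbook RSA over fixed Mersenne primes for illustration only; the names, the dictionary layout and the identity `alice@example.org` are assumptions, and real certificates use X.509 with padded signatures.

```python
import hashlib

# Textbook RSA over fixed Mersenne primes: illustrates the CA binding only, NOT secure.
def keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent (needs Python 3.8+)
    return (n, e), (n, d)               # (public key, private key)

def binding_digest(identity, subject_pub, n):
    # Hash the identity together with the subject's public key: this is the binding.
    data = f"{identity}|{subject_pub[0]}|{subject_pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue_certificate(ca_priv, identity, subject_pub):
    # The CA signs the binding with its private key (after the RA verified the identity).
    n, d = ca_priv
    signature = pow(binding_digest(identity, subject_pub, n), d, n)
    return {"identity": identity, "public_key": subject_pub, "signature": signature}

def verify_certificate(ca_pub, cert):
    # A relying party needs only the CA's public key to check the binding.
    n, e = ca_pub
    expected = binding_digest(cert["identity"], cert["public_key"], n)
    return pow(cert["signature"], e, n) == expected

def demo():
    # Constructed sample keys; all parties are hypothetical.
    ca_pub, ca_priv = keypair(2**127 - 1, 2**89 - 1)            # trusted CA
    alice_pub, _ = keypair(2**107 - 1, 2**61 - 1)               # legitimate subject
    mallory_pub, mallory_priv = keypair(2**61 - 1, 2**31 - 1)   # key injected in transit
    cert = issue_certificate(ca_priv, "alice@example.org", alice_pub)
    # Case 1: the public key is altered in transit, the CA signature is left in place.
    swapped = dict(cert, public_key=mallory_pub)
    # Case 2: the binding is signed by a key the relying party does not trust.
    self_made = issue_certificate(mallory_priv, "alice@example.org", mallory_pub)
    return {
        "genuine": verify_certificate(ca_pub, cert),
        "swapped_key": verify_certificate(ca_pub, swapped),
        "untrusted_issuer": verify_certificate(ca_pub, self_made),
    }

if __name__ == "__main__":
    print(demo())
```

Only the certificate issued by the trusted CA verifies; both the altered key and the binding signed by an unknown issuer are rejected.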

PKI Design

  • A certificate authority (CA) that stores, issues and signs the digital certificates
  • A registration authority (RA) which verifies the identity of entities requesting their digital certificates to be stored at the CA
  • A central directory which is a secure location to store and index keys
  • A certificate management system that manages, for example, access to stored certificates and the delivery of certificates to be issued
  • A certificate policy stating the PKI’s requirements concerning its procedures. It makes it possible to analyze the PKI’s trustworthiness.

A PKI is a system for the creation, storage, distribution and revocation of certificates. The certificates are used to verify that a particular public key belongs to a certain entity.

Implementation examples of PKI

  • E-mail encryption and sender authentication (S/MIME, OpenPGP)
  • Web traffic encryption and sender authentication (TLS/HTTPS)
  • User authentication (SSL/OpenSSL)
  • Creation of electronic signatures using mobile devices (PKI and biometrics)
  • Bootstrapping of secure communication