PKI is universal and can work accross multiple systems and vendors. It is a framework and not an implementation. PKI is an approach to prevent alteration (man-in-the-middle-attack) of public keys in untrusted networks like the internet. The framework is enabling secure public-key (asymmetric) encryption. PKI provides confidentiality and authentication.
- Confidentiality: encrypts data transmissions and allows secure communication in a insecure network
- Authentication confirms the owner of the keys by using digital certificates (signatures)
Confidentiality - Keys
Public-Key Encryption or asymmetric cryptography. A private and a public key are created at the same time. The generation of such keys depends on cryptographic algorithms based on mathematical problems to produce one-way functions. Security only requires keeping the private key private; the public key can be openly distributed without compromising security. Any person can encrypt a message using the receiver’s public key, but that encrypted message can only be decrypted with the receiver’s private key. Public-Key cryptography is a fundamental security component of modern applications and protocols assuring the confidentiality, non-repudiation (undeniability) and authenticity of electronic communications and data storage.
Authentication - Trust
Trust in the public keys can be gained by multiple approaches: certificate authorities (CA), web of trust (WoT), simple public key infrastructure (SPKI) and the emering blockchain-based PKI (BPKI).
Let’s look at the CA approach. The primary role of the CA is to bind a given public key with respective identities of entities (like people and organizations). The binding is established through a process of registration (RA) and issuance of a certificate. Depending on the assurance level of the binding, the verification may be carried out by an automated process or under human supervision.
- A certificate authority (CA) that stores, issues and signs the digital certificates
- A registration authority (RA) which verifies the identity of entities requesting their digital certificates to be stored at the CA
- A central directory which is a secure location to store and index keys
- A certificate management system managing things like the access to stored certificates or the delivery of the certificates to be issued.
- A certificate policy stating the PKI’s requirements concerning its procedures. It allows to analyze the PKI’s trustworthiness.
It is a system for the creation, storage, distribution and revokation of certificates. The certificates are used to verify that a particular public key belongs to a certain entity.
Implementation examples of PKI
- E-mail encryption and sender authentication (S/MIME, OpenPgP)
- WebTraffic encryption and sender authentication (TLS/HTTPS)
- User authentication (SSL/OpenSSL)
- Creation of electronic signatures using mobile devices (PKI and biometrics)
- Bootstrapping of secure communication