What is PKI and how does it work?

Share on facebook
Share on linkedin
Share on twitter
Share on google
By Steve Morris

What is PKI?

Public Key Infrastructure (PKI) was developed in the early 1970s at the British intelligence agency GCHQ in Cheltenham, UK.  It is the collection of roles, processes, technologies and practices that is in place with the intention of securing the electronic transfer of data across networks via encryption and signing.  Sensitive data exchanged via the internet in any form is heavily reliant on PKI for security.

A Public Key Infrastructure should encompass all of the following elements:

  • Authentication: User identification, managed by the use of digital certificates.

  • Non-Repudiation: Proof of ownership of data, managed by use of digital signatures.

  • Confidentiality: The secure transmission of data managed by the use of encryption.

  • Integrity: Preventing modification of data managed by the use of message hashing.

  • Access Control: Access to data is controlled through the use of public and private key pairs. 

A PKI supports the distribution and identification of public encryption keys, enabling users and computers to both securely exchange data over networks such as the Internet.  Central to the PKI concept is authentication: verifying the identity of the sender.  In the absence of a PKI, there can be confidentiality without authentication: data may still be encrypted and exchanged, but without any guarantee of the identities of the sender or recipient.

A “digital certificate” or “public key certificate” can be considered an “electronic passport” as it verifies identity, is forgery resistant, and is issued by a trusted authority.  Contained inside the certificate is the digital signature of the certificate authority (CA), an expiration date of the certificate, a copy of the public key of the certificate holder and the name of the certificate holder.

What is a Certificate Authority?

A Certificate Authority is a trusted entity for issuing digital certificates.  A Root Certificate is self-signed by the Certificate Authority as it is at the top of a trust pyramid.  A PKI’s Root Signed Certificate is where all subordinate certificates inherit their trust.  A certificate binds a public and private key pair to the identity of an entity.

In creating certificates, CAs act as agents of trust in a PKI. As long as users trust a CA and its business policies for issuing and managing certificates, they can trust certificates issued by the CA. This is known as third-party trust.

A Registration Authority verifies user requests and instructs the Certificate Authority to issue digital certificates if successful.

Certificates are kept in a directory which serves as a repository for public certificates to be published from.  When stored in the directory, the contents do not need to be protected by encryption as they are considered public information.  However, the integrity of the information is verified by the use of digital signatures from the CA.

It’s becoming harder for enterprises to manage their PKI as security is becoming a top priority for businesses. It’s increasingly common for this process to be outsourced to industry professionals.