What Is Public Key Infrastructure (PKI)?

Public Key Infrastructure (PKI) is the cryptography framework used to protect and authenticate digital communications.

Let’s break down this concept so we understand how it works, how it’s different from traditional/symmetric key encryption, and look at its increasing usage.

What is PKI?

Cryptography is the science of transforming information (plaintext) into an unintelligible form (ciphertext) by processing the information with an encryption algorithm. Mathematical in nature, these transformations are an important component of a secure communication system.

A cryptographic framework that uses a set of public-private keys to encrypt and transmit information between two entities is called the Public Key Infrastructure (PKI). It uses public keys that are authenticated by a Certification Authority (CA) to ensure that the communications remain secure and private to the entities involved.

Components in public key infrastructure

Let’s review the key components of a PKI system:

Public and private keys. PKI uses asymmetric encryption. Each entity generates their set of public and private keys:

• The sender encrypts the message using the public key of the recipient that is validated by a Certification Authority.
• The recipient uses their private key to decrypt the message.

Certification Authority (CA) is the entity that acts as a trusted third party to issue, store and sign a Digital Certificate that verifies the ownership of a public key.

Digital Certificate is an electronic document that contains the public key and the identity of its owner. It is used for encryption, code signing and digital signatures.

Registration Authority (RA) is the entity that acts as an intermediary between the CA and the end-user. RA verifies the identity of the entities requesting a digital certificate from the CA. The CA can also act as the RA, but the function of an RA is generally separable from the functions of a CA that include:

• Certificate issuing
• Certificate management
• Certificate revocation

Certificate database is the storage of digital certificates and its metadata. This information is useful to determine the validity (and expiration) of a digital certificate. The public keys are stored and indexed in a separate secure location called the central directory.

Certificate policy is a set of requirements and specifications that describe the procedures for issuing, revoking, handling and managing public keys and digital certificates.

Trust model is a hierarchical trust model where the top authority is recognized as a trusted source to validate the identity of every entity that is a part of the public key infrastructure.

Asymmetric public key cryptography 

Let’s now look at an example of a public key establishment session:

1. Key Generation: Alice and Bob both generate a set of public and private keys. Cryptographic algorithms such as RSA and Elliptic Curve Cryptography.
2. Certificate Request: Alice and Bob both submit their identifying information and public key to the Certificate Authority (CA), to obtain a digital certificate.
3. Certificate Issuance: The CA verifies the identifying information of Alice and Bob with an intermediary Registration Authority (RA). Digital certificates are issued for authentication and mutual acceptance.
4. Secure Session: Alice wants to send a message to Bob. Alice requests the CA for Bob’s public key. Alice creates a message and encrypts it using Bob’s public key. Bob receives the encrypted message and decrypts it using his own private key.

Unlike the traditional symmetric key exchange protocol, PKI uses asymmetric encryption schemes with an advantage that private keys are not shared. The public key is made widely available but is not sufficient to decrypt a ciphertext. The encryption algorithms ensure that the data is secure in two key scenarios, by making it computationally infeasible to achieve two goals:

• Using only the knowledge of a public key to decrypt data.
• Mapping two plaintext objects to the same hash value, which is an output of a cryptographic algorithm function.

If a hacker is able to manipulate the cryptographic scheme to produce the same hash value, they can manipulate the plaintext data and impersonate a legitimate entity.

The CA eliminates this issue by serving as a trusted authority for issuing digital signatures, which verify the identity of the message sender. The CA is also authorized to revoke certificates, expire and recover keys, cross-certify digital signatures and public key certificates that may be issued by another CA.

PKI vs. symmetric key encryption

A key advantage of the PKI cryptography approach over the traditional symmetric key encryption schemes is that it is highly scalable in comparison. The number of keys required to secure multiple users grows quadratically, with the formula:

(n*(n-1)/2)

For n=100 users, the number of keys required to secure communications using symmetric key encryption schemes is 4950.

In contrast for the Public Key Infrastructure, each sender and receiver needs to know their own set of public-private key pairs. The sender and receiver cannot deny a message they send or receive, due to the involvement of the CA as a trusted third party.

Key management

In the latest wave of cryptography where low-power IoT and BYOD devices are frequently used for sensitive business operations, organizations can set up their own VPNs and secure communication channels by establishing an internally trusted PKI model.

Since the number of devices has grown exponentially in recent years, PKI management (or “key management”) has emerged as a challenge for business organizations handling their cryptography infrastructure internally.