Skip to main content

What is PKI (Public Key Infrastructure)?

PKI is a set of security regulations, encryption methods, including key generation, storage, and management applications. PKI also includes tools for creating, distributing, and using keys and certificates. A public key infrastructure (PKI) allows users of an unsecured public network, such as the Internet, to safely and privately communicate data by using public and private cryptographic key pairs obtained and provided by a trusted authority.

Its origins date back over 30 years. It was created in the late 1960s at GCHQ, the government's top-secret communications center. In the mid-1970s, the United States took it a step farther and demonstrated PKI to various commercial organisations. Public key cryptography was created in 1976 by Whitfield Diffie and Martin Hellman. It is also known as asymmetric encryption since it employs two keys rather than one.

What is Meant by PKI?

The most important concept of PKI is the public cryptographic keys that are at its core, as the name indicates. These keys are used not only to encrypt data, but also to verify the identity of the communicating parties or devices. The PKI presumes the use of public key cryptography, which is the most commonly used method on the Internet for message sender authentication or message encryption.

Non-repudiation, integrity, privacy, accountability, and trust are the five requirements for digital security. A successful PKI deployment is critical to meeting all five of these objectives.

Where is PKI used?

Generally use cases for PKI has listed as following:

  • Most common use is SSL certificates for public websites

  • Email security

  • Virtual private networks (VPNs)

  • Private and public cloud-based applications and services

  • Device authentication

  • Code, document and message signing

  • Cloud-based services

  • Internet of things (IoT)

  • Encryption of XML documents

  • Smart card logins

Why is PKI Used?

Today, unauthorized access, unsigned applications (malware) and unsecured email applications are the leading cyber threats that affect users the most. The most up-to-date security solution that can protect systems and companies against these cyber threats is PKI. PKI creates a trustworthy environment by authenticating and verifying the integrity of data and users. PKI-enabled systems use cryptographic features to provide strong authentication and data encryption. Unlike traditional identity processes that employ passwords to identify people,

PKI-based networks have substantially higher security than password-based networks (and all of their known flaws), as well as significantly greater manageability than alternative encryption systems such as pre-shared keys. In PKI-based systems, keys can be used for one-way encryption functions, with only the designated owner of the key being able to decrypt data. Man-in-the-middle (MitM) attacks without knowledge of the key pair are thus prevented.

In case of loss or theft of devices, security certificates can be easily revoked to prevent access in PKI-based systems. That's why PKI is a highly effective security solution for all companies facing cybersecurity threats.

How Does PKI Work?

PKI, like public-key cryptography, secures information with a pair of keys. The following steps are involved in working with PKI:

  1. Generating the key pair is the first step that is involved in working with PKI. The user who wants to encrypt and send the data first creates a key pair in this case. The term "generating a key pair" refers to the user's creation of two keys, one private and the other public. This key pair is specific to each PKI user.

  2. Making use of digital signatures to identify; The sender of an encrypted message is identified by a digital signature attached to the message. It is required to have the same basis in law as a traditional signature. The sender's private key and the original message are used to create a mathematical function called a digital signature.

  3. Encrypting the message comes after the digital signature has been applied. A symmetric key is used to encrypt the message and the accompanying digital signature. This symmetric key is shared by both the message's sender and receiver, and it is used only once for encryption and decryption.

  4. Transmitting the symmetric key; Following the encryption of the message and the digital signature, the symmetric key used to encrypt the message must be provided to the receiver. This is due to the fact that the same key is used to decrypt the message. This can constitute a significant security risk since if this key is compromised, anyone with access to it can decipher the encrypted message. As a result, the symmetric key must also be safeguarded. This is accomplished by encrypting the symmetric key with the public key of the recipient. Only the receiver can decrypt the encrypted symmetric key using his/her matching private key in this manner. The session key and the message are then encrypted and sent to the receiver.

  5. Using a CA to validate the sender's identity; CA (Certificate Authority) serve as trustworthy third parties, verifying the identity of the entities involved in the transaction process. When a receiver gets an encrypted message, the receiver can request that the digital signature associated with the message be verified by the CA. The CA checks the digital signatures upon receipt of the request, and a successful verification certifies that the sender is who he/she claims to be.

  6. Decrypting and validating the message's contents; After receiving the encrypted communication, it must be decrypted. This communication can only be decoded with the encrypted symmetric key that was sent with it. As a result, before decrypting the message, the encrypted symmetric key must first be decrypted with the receiver's private key. The symmetric key then decrypts the message after it has been encrypted. The digital signature of the message is decrypted with the sender's public key, and the message digest is produced from it.

Why is PKI important?

Authentication and access control are the backbone of most security systems. Organizations can benefit greatly from public key infrastructure (PKI) in terms of authenticating users and controlling access. PKI is a sophisticated system that, when properly deployed, can help keep your business secure. With the rise of cloud computing, the internet of things, digital transformation, virtualization, outsourcing and other technologies, the need for verified identities is growing. PKI can assist any organization that is concerned about data integrity and has access to their data. Therefore, this is why PKI is so important.

If PKI is not provided on the system, authentication would fail, it would be unstable, leaving an organization exposed and increasingly vulnerable open to malicious access from outside and an insecure system.

What are PKI Services?

PKI services are primarily built to provide secure communication channels. SSL, S/MIME, and IPSec, VPN for example, are all based on the PKI principle and execute specialized tasks.

SSL is generally used to protect communication between a client's Web browser and a Web server. SSL creates a secure communication channel by employing a variety of cryptographic algorithms between the SSL-enabled server and the SSL-enabled client. It operates on the basis of a PKI, which encrypts data transferred over an SSL connection.

S/MIME, known as Secure Multipurpose Internet Mail Extension. The S/MIME standard is a secure email specification that was created to deal with the issue of email messages being intercepted. Digital signatures are used by S/MIME to validate the sender and receiver of an email message's authenticity.

The Internet Protocol (IP) is used to carry data across big corporate networks and the Internet. IP sends data in packets, which are small, manageable chunks. However, these packets, like e-mail messages, are vulnerable to security concerns. To address these security issues, the IP Security (IPSec) protocol suite was created. IPSec is a collection of extensions to the IP protocol family that, unlike SSL, allows authentication, integrity and privacy of data packets at the network layer.

Virtual private network (VPN) is a private data network that uses public telecommunication infrastructure rather than owned or leased lines to maintain privacy using tunneling protocols and security processes. Virtual private networks (VPNs) are an integral aspect of any E-business strategy. VPNs are being used by some businesses to connect remote personnel, reducing response times and boosting access to corporate data. VPNs require a public key infrastructure (PKI) to authenticate connection points.

What Are The Components Of Public Key Infrastructure?

The public key infrastructure mainly consists of the following components:

  • Certification Authority (CA)

  • Registration Authority (RA)

  • Digital certificates

  • PKI clients

  • Certificate repository

Certificate Authority

The CA (Certificate Authority) is a reputable third party that verifies the identity of entities involved in an electronic transaction.The CA manages all aspects of certification processes within the PKI. The CA is the most critical component of a PKI. A PKI without a CA is impossible to manage. CA is in charge of creating digital certificates. This indicates that a data packet including all of a certificate's information is approved by the CA and then digitally signed. The CA is a vital component in terms of security. The worst thing that may happen with a PKI is if a malicious person tries to gain access to the CA's private key and use it to fabricate certificates. As a result, the CA must operate in a secure environment, with special attention paid to the security of the CA's private key.

Registration Authority

The Registration Authority (RA) is the administrative center where the certificate can be acquired. The RA provides the CA with data that the user has agreed to, and the CA generates a signed certificate from it. There are no strict requirements in the PKIX standard for the operation of a RA within a PKI. In principle, the user can communicate with the CA directly. However, in almost all PKI administrations; direct communication between the user and the RA is blocked.

The tasks performed by RA can be listed as follows.

  • It receives and validates entity requests
  • Send the requests to the CA,
  • It receives the CA's processed certificate and it forwards the certificate to the correct entity

Digital Certificates

We can compare digital certificates to real-world identity cards. Just as people use identity cards to prove their identity, in the electronic world; computers or software also have to use digital certificates to prove their identity.

To avoid security breaches such as impersonation and key alteration, it is critical to ensure the security of a public key. A system that attaches the public key to a globally trusted party that can ensure the identity and authenticity of the public key is required. The intended mechanism should achieve the two objectives. First, It should guarantee the public key's integrity and secondly It should securely bind the public key and its accompanying information to the owner. Digital certificates are one of the most important components of PKI required to achieve these.

Digital certificates are standardized by ITU X.509. The elements of a certificate are as follows:

  • Certificate serial number

  • Digital signature of the Certificate Authority

  • The user's public key, to whom the certificate is issued

  • Expiration date

  • Name of the Certificate Authority (CA) that issued the certificate

PKI Clients

PKI Clients are the entities that ask CAs or RAs for certificates. In order to request a digital certificate from the CA, the PKI client must follow the following paths, respectively.

1- Send a request for a public/private key pair to be generated. This can be done by a CA or the client. The client's information is stored in the key pair.

2- Following the establishment of the key pair, a request for a CA certificate is sent to the CA. An RA could be used to route this request.

3- After receiving the certificate from the CA, the client can use it to prove that it is an authenticated certificate holder.

All data exchanged between a client and the CA is encrypted. Furthermore, the client is responsible for the security of its private key. This is because the encrypted communication cannot be decrypted if the private key is lost.

Certificate Repository

Certificate repository also called with Certificate Distribution System. Certificates are distributed to users and companies through the Certificate Distribution System (CDS). Depending on how PKI is implemented in the company, these certificates can be distributed in two ways. The certificates can either be distributed by the users themselves or by a directory server that uses LDAP to query the user information stored in database.

The main main tasks of this distribution system are as follows.

  • Create and distribute key pairs.

  • It confirms the validity of public keys by signing them.

  • Restrict access to keys that have expired or have been misplaced.

  • Making the public keys available on the directory service server.

Where is PKI Security Used?

PKI security can be utilized in various of ways, the most common of which are as follows:

  • Securing web browsing and communications with SSL/TLS certificates

  • Authenticate users for VPN Access

  • Digital signature software/applications

  • Email and data encryption

  • Encrypting and Decrypting files

  • Smart card authentication

  • Wifi authentication

  • Securing a wide variety of IoT devices

  • PKI is also used in electronic document and form signing, database administration, secure instant messaging and USB storage device security.

What Type of Encryption Does PKI Use?

Public Key Infrastructure (PKI) uses a combination of the following encryption protocols.:

  • Asymmetric Encryption

  • Symmetric Encryption

Symmetrical Encryption

Symmetric cryptography, also known as secret key cryptography, is the process of encrypting and decrypting information with a single key. The same key is used to encrypt and decrypt data in symmetric key cryptography. While decrypting messages without the key is extremely difficult, the fact that the same key must be used to encrypt and decrypt the message creates a substantial risk. This is due to the fact that if the distribution mechanism used to share the key is compromised, the entire system for secure messaging is compromised.

The principle of secret key cryptography has generated plenty of secret key algorithms. The most often used secret key algorithms are as follows: Data Encryption Standard (DES), Advanced Encryption Standard (AES), CAST?128, RC4, Triple?DES (3DES).

Asymmetric Encryption

The approach called �Public Key Cryptography� evolved to address the security issues posed by symmetric cryptography. This solution addresses the difficulty of symmetric cryptography by employing two keys rather than a single key. A pair of keys are used in asymmetric cryptography. One key is utilized for encryption, while the other is used for decryption in this procedure. One of the keys in asymmetric cryptography is freely distributable. This key is referred to as the �public key�, and it is used to encrypt data. The secret or private key, which is utilized for decryption, is the second key. The private key cannot be shared. This key is private for every communicating entity, as its name implies.

Asymmetric and symmetric processes are used in Public Key Infrastructure (PKI). Asymmetric encryption is used in the initial "handshake" between communication parties to secure the secret key that is exchanged to allow symmetric encryption. After the secret key has been shared, asymmetric encryption is utilized for the rest of the transaction.

Asymmetric cryptography is more secure and difficult to steal keys than symmetric encryption. In comparison to symmetric cryptography, it is slower and requires more computing power.

What is PKI Architecture?

There are different PKI architectures based on the number of Certificate Authorities, their arrangement and the relationship between them. We can mainly classify them in 3 different ways.

  • Single CA architecture

  • Enterprise PKI architecture

  • Hybrid PKI architecture

PKI architecture

Figure 1. PKI architecture

Single CA architecture: The Single CA architecture is the most basic and common type of PKI architecture. There is just one CA in this architecture that issues and distributes certificates and Certificate Revocation Lists (CRLs) to the entities. This CA is trusted by all of these entities. This design is appropriate for small businesses with a modest number of users, but it is not appropriate for organizations with rapid growth because it does not allow for the addition of new CAs.

Single CA architecture

Figure 2. Single CA architecture

Enterprise PKI architecture: This is the most popular PKI architecture used by businesses. PKI services are offered by numerous CAs in this architecture. A trust connection exists between all CAs in a hierarchical PKI architecture. The CAs in this architecture are linked by superiorsubordinate relationships. The CA hierarchy is an inverted tree-like structure with a root at the top, known as root CA, and branches or nodes below. These nodes are known to as the root CA's subordinates. These subordinate CAs are similar to regular CAs in that they execute all of the functions of a CA; however, they can delegate certificate issuance to other subordinate CAs beneath them.

Hierarchical PKI Architecture

Figure 3. Hierarchical PKI Architecture

Hybrid PKI architecture: Previous architectures are designed to meet the demands of an enterprise or a user group. However, in many cases, organizations must communicate with other organizations in order to do their business. These organizations' architectures may not always be the same. One organization, for example, may have a hierarchical PKI architecture, whilst another may have a single PKI architecture. In such cases, PKI must provide an optimal solution that allows organizations to connect in a trustworthy environment. PKI, with a hybrid design, provides such an environment.A hybrid architecture enables businesses with different PKI architectures to communicate with one another.

Does SSL Use PKI?

SSL is based on the concept of a public key and the most common use of PKI. All data sent between an SSL-enabled server and an SSL-enabled client is encrypted when an SSL connection is established. An SSL connection, like any other encryption technique, necessitates the encryption of the message by a software that sends it and the decryption of the message by a software at the receiving end.

What is the difference between PKI and SSL?

Main differences between PKI and SSL are as follows:

  • SSL is one of the most popular and widely used PKI certificates.

  • The Public Key Infrastructure (PKI) is the underlying embedded technology that secures the Secure Sockets Layer (SSL).

  • SSL is mainly used to secure communication between a user's Web browser and a Web server.

  • PKI has many leading roles, it is designed to manage the creation, identification, distribution and revocation of public keys. The system is made up of trusted user roles, policies, protocols, hardware, and software.

  • SSL needs public, private keys and SSL certificates to create a secure connection between two points. At this point, PKI comes into play. PKI assists in SSL certificate validation and certificate trust management, which is used to establish the identities of the entities communicating and aids in secure data transfer.

How Can You Get a PKI Certificate?

There are different types of PKI certificates, such as SSL/TLS, email signing certificates, code signing certificates, document signing certificates. Before obtaining PKI certification, you must determine which PKI certification you need for your purpose.

In PKI, third-party trusted organizations called CA (Certificate Authority) generate digital certificates for all parties (client, server) that want to communicate on an untrusted network (internet). The procedure for obtaining a certificate goes like this;

  • Firstly, get your server running and as well as updating your WHOIS record (correct company address and other informations)

  • On the server, you should generate a CSR (Certificate Signing Request).

  • After filling the CSR you should submit it to the Certificate Authority.

  • The Certificate Authority puts the information in the CSR, including the Public Key, into a certificate and signs the certificate with its Private Key and attaches the signature to the certificate.

  • You should make your domain and company validated correctly. Then after, you should install the certificate that you received.

The requirements of the PKI certificates are listed below:

  • A unique IP address
  • A valid CSR,
  • Correct contact information in WHOIS database
  • Some formal documents to validate your business.