PKI (or Public Key Infrastructure) is the framework of encryption and cybersecurity that protects communications between the server (your website) and the client (the users). Think about all the information, people, and services that your team communicates and works with. PKI is essential in building a trusted and secure business environment by being able to verify and exchange data between various servers and users.
Through encryption and decryption, PKI is based on digital certificates that verify the identity of the machines and/or users that ultimately proves the integrity of the transaction. As the number of machines is increasing dramatically in today’s digital age, it’s important that our information is trusted and protected against attacks.
So how does PKI authentication work? There are three key components: digital certificates, certificate authority, and registration authority.
By hosting these elements on a secure framework, a Public Key Infrastructure can protect the identities involved as well as the private information used in situations where digital security is necessary, such as smart card logins, SSL signatures, encrypted documents, and more. These elements are vital in securing and communicating digital information and electronic transactions. We go over these elements in more detail below.
PKI functions because of digital certificates. A digital certificate is like a drivers license—it’s a form of electronic identification for websites and organizations. Secure connections between two communicating machines are made available through PKI because the identities of the two parties can be verified by way of certificates.
So how do devices get these certificates? You can create your own certificates for internal communications. If you would like certificates for a commercial site or something of a larger scale, you can obtain a PKI digital certificate through a trusted third party issuer, called a Certificate Authority.
A Certificate Authority (CA) is used to authenticate the digital identities of the users, which can range from individuals to computer systems to servers. Certificate Authorities prevent falsified entities and manage the life cycle of any given number of digital certificates within the system.
Much like the state government issuing you a license, certificate authorities vet the organizations seeking certificates and issue one based on their findings. Just as someone trusts the validity of your license based on the authority of the government, devices trust digital certificates based on the authority of the issuing certificate authorities. This process is similar to how code signing works to verify programs and downloads.
Registration Authority (RA), which is authorized by the Certificate Authority to provide digital certificates to users on a case-by-case basis. All of the certificates that are requested, received, and revoked by both the Certificate Authority and the Registration Authority are stored in an encrypted certificate database.
Certificate history and information is also kept on what is called a certificate store, which is usually grounded on a specific computer and acts as a storage space for all memory relevant to the certificate history, including issued certificates and private encryption keys. Google Wallet is a great example of this.
Public Key Infrastructure is a complex subject, so you may be wondering if it actually performs encryption. The simple answer is yes, it does. What is PKI if not a one-stop-shop for the encryption of classified information and private identities?
As noted earlier, PKI is best utilized for situations that require digital security, which is where encryption plays a vital role. PKI performs encryption directly through the keys that it generates. It works by using two different cryptographic keys: a public key and a private key. Whether these keys are public or private, they encrypt and decrypt secure data.
By using a two-key encryption system, PKI secures sensitive electronic information as it is passed back and forth between two parties, and provides each party with a key to encrypt and decrypt the digital data.
You might be thinking what PKI security might look like in your day to day. PKI security is used in many different ways. The main ways that PKI security can be used are:
Before we go into the types of encryption that PKI uses, it’s important that we first cover the differences between a public key and private key (we mentioned earlier that encryption works through two different keys).
The public key is available to any user that connects with the website. The private key is a unique key generated when a connection is made, and it is kept secret.
When communicating, the client uses the public key to encrypt and decrypt, and the server uses the private key. This protects the user’s information from theft or tampering.
PKI merges the use of both asymmetric and symmetric encryption. Both symmetric and asymmetric encryption have their own strengths and best use case scenarios, which is what makes the combination of both so powerful in Public Key Infrastructure.
Symmetrical encryption protects the single private key that is generated upon the initial exchange between parties—the digital handshake, if you will. This secret key must be passed from one party to another in order for all parties involved to encrypt and decrypt the information that was exchanged. This secret key can be in the form of a password, or it can be a series of random numbers or letters generated by a random number generator (RNG).
Asymmetric encryption is fairly new to the game and you may know it better as “public key cryptography.” Asymmetric encryption uses two keys, one public and one private. The public key encrypts and the private key decrypts.
It allows you to create a public key for the party who is reporting to you, so that they may encrypt their incoming information, after which you will be able to decrypt the information with a private key.
PKI functions on asymmetric key methodology: a private key and a public key. The private key can only be accessed by the owner of a digital certificate, and they can choose where the public key goes. A certificate is essentially a way of handing out that public key to users that the owner wants to have it.
Private and public PKI keys must work together. A file that is encrypted by the private key can only be decrypted by the public key, and vice versa. If the public key can only decrypt the file that has been encrypted by the private key, being able to decrypt that file assures that the intended receiver and sender took part in the informational transaction.
Most often used for one-way communication, asymmetric encryption utilizes separate keys that are mathematically connected; whatever is encrypted in the public key can only be decrypted by its corresponding private key and vice versa.
A public key is generated through a digital certificate, which carries important information that identifies the public key holder. You can create your own certificate, or apply for a digital certificate through a third-party or Certificate Authority. Certificate Authorities validate the identities of the individuals and/or servers involved in order to prevent fraud and viruses.
PKI authentication through the use of digital certificates is the most effective way to protect confidential electronic data. These digital certificates are incredibly detailed and unique to each individual user, making them nearly impossible to falsify.
Once a user is issued a unique certificate, the details incorporated into the certificate undergo a very thorough vetting process that includes PKI authentication and authorization. Certificates are backed by a number of security processes such as timestamping, registration, validation, and more to ensure the privacy of both the identity and the electronic data affiliated with the certificate.
As far as we know, secure authentication is not a solid guarantee no matter how careful we are to facilitate a foundation of encryption and protection. Breaches in security do happen from time to time, which is what makes the Certificate Authority and Registration Authority so vital to the operations.
Without a top-performing CA and RA to authenticate and manage public key information, the “web of trust” is virtually nonexistent.
With all of the strengths of a Public Key Infrastructure, there is room for improvement. As it currently stands, PKIs rely heavily on the integrity of the associated Certificate Authority and Registration Authority, which aren’t always functioning at the ideal level of diligence and scrutiny. PKI management mistakes are another weak link that needs to be addressed.
Another current security limitation of Public Key Infrastructures today (or rather, a security risk) is the obvious lack of multi-factor authentication on many of the top frameworks. Regardless of the world’s increasing ability to blow through passwords, PKIs have been slow to combat this threat with various levels of authorization before entry.
Furthermore, the overall usability of Public Key Infrastructure has never been ideal. More often than not, PKIs are so remarkably complicated that users would rather forgo the addition PKI authorization in exchange for a more convenient and realistic security process.
Lastly, PKI technology is known for its inability to easily adapt to the ever-changing advancements of the digital world. Users report being unhappy with their current PKI’s lack of ability to support new applications that are geared toward improvements in security, convenience, and scalability.
SSL (Secure Sockets Layer) Cryptography relies heavily on PKI security to encrypt and decrypt a public key exchange using both symmetric and asymmetric encryption. How does PKI work with an SSL? Excellent question. We can sum up the relationship in three phases:
Once the digital relationship has been established, the web browser and the web server are able to exchange encrypted information across a secure channel. The Public Key Infrastructure acts as the framework and facilitator for the encryption, decryption, and exchange of information between the two parties.
PKI is good for high security situations. With digital signing, along with public and private cryptographic keys, PKI provides trust that can be used to secure a variety of applications.
Say you are transmitting data from a Mac workstation to a Mac server. How do you know that you are in fact transmitting your data to a server and not a hoax?
Digital certificates prove the integrity and identification of both parties. They help verify that a particular public key belongs to a certain entity.
If the certificate was issued by a source the server knows and trusts, then the server will accept the certificate as proof of identity. It’s like a TSA officer verifying the validity of your driver’s license or passport authorized by the government.
Let’s recap. PKI authentication (or public key infrastructure) is a framework for two-key asymmetric encryption and decryption of confidential electronic data. By way of digital certificate authorization, management, and authentication, a PKI can secure private data that is exchanged between several parties, which can take the form of people, servers, and systems.
If you want to learn more about how PKI can be used in your life and your business? Contact Venafi and see how we can help you get the authentication you need today.