PKI (or Public Key Infrastructure) is the framework of encryption and cybersecurity that protects communications between the server (your website) and the client (the users). It works by using two different cryptographic keys: a public key and a private key. The public key is available to any user that connects with the website. The private key is a unique key generated when a connection is made, and it is kept secret. When communicating, the client uses the public key to encrypt and decrypt, and the server uses the private key. This protects the user’s information from theft or tampering.
A Public Key Infrastructure requires several different elements for effective use. A Certificate Authority (CA) is used to authenticate the digital identities of the users, which can range from individuals to computer systems to servers. Certificate Authorities prevent falsified entities and manage the life cycle of any given number of digital certificates within the system.
Second in command is the component of a Registration Authority (RA), which is authorized by the Certificate Authority to provide digital certificates to users on a case-by-case basis. All of the certificates that are requested, received, and revoked by both the Certificate Authority and the Registration Authority are stored in an encrypted certificate database.
Certificate history and information is also kept on what is called a certificate store, which is usually grounded on a specific computer and acts as a storage space for all memory relevant to the certificate history, including issued certificates and private encryption keys. Google Wallet is a great example of this.
By hosting these elements on a secure framework, a Public Key Infrastructure can protect the identities involved as well as the private information used in situations where digital security is necessary, such as smart card logins, SSL signatures, encrypted documents, and more.
Public Key Infrastructure is a complex subject, so you may be wondering if it actually performs encryption. The simple answer is yes, it does. What is PKI if not a one-stop-shop for the encryption of classified information and private identities?
PKI performs encryption directly through the keys that it generates. Whether these keys are public or private, they encrypt and decrypt secure data.
PKI merges the use of both asymmetric and symmetric encryption. Symmetrical encryption protects the single private key that is generated upon the initial exchange between parties—the digital handshake, if you will. This secret key must be passed from one party to another in order for all parties involved to decrypt the information that was exchanged.
Asymmetric encryption is fairly new to the game and you may know it better as “public key cryptography.” Asymmetric encryption uses two keys to encrypt plain text, both a public key and a secret key.
Both symmetric and asymmetric encryption have their own strengths and best use case scenarios, which is what makes the combination of both so powerful in Public Key Infrastructure.
PKI functions because of digital certificates. A digital certificate is like a drivers license—it’s a form of electronic identification for websites and organizations. Secure connections between two communicating machines are made available through PKI because the identities of the two parties can be verified by way of certificates.
So how do devices get these certificates? You can create your own certificates for internal communications. If you would like certificates for a commercial site or something of a larger scale, you can obtain a PKI digital certificate through a trusted third party issuer, called a certificate authority.
Much like the state government issuing you a license, certificate authorities vet the organizations seeking certificates and issue one based on their findings. Just as someone trusts the validity of your license based on the authority of the government, devices trust digital certificates based on the authority of the issuing certificate authorities. This process is similar to how code signing works to verify programs and downloads.
PKI functions on asymmetric key methodology: a private key and a public key. The private key can only be accessed by the owner of a digital certificate, and they can choose where the public key goes. A certificate is essentially a way of handing out that public key to users that the owner wants to have it.
Private and public PKI keys must work together. A file that is encrypted by the private key can only be decrypted by the public key, and vice versa. If the public key can only decrypt the file that has been encrypted by the private key, being able to decrypt that file assures that the intended receiver and sender took part in the informational transaction.
PKI authentication through the use of digital certificates is the most effective way to protect confidential electronic data. These digital certificates are incredibly detailed and unique to each individual user, making them nearly impossible to falsify.
Once a user is issued a unique certificate, the details incorporated into the certificate undergo a very thorough vetting process that includes PKI authentication and authorization. Certificates are backed by a number of security processes such as timestamping, registration, validation, and more to ensure the privacy of both the identity and the electronic data affiliated with the certificate.
Public Key Infrastructure is used to protect confidential communication from one party to another. By using a two-key encryption system, PKI secures sensitive electronic information as it is passed back and forth between two parties, and provides each party with a key to encrypt and decrypt the digital data.
PKI security is used in many different ways. The following are a few ways that PKI security can be used:
Securing web communications (such as retail transactions)
Digitally signing software
Digitally signing applications
Smart card authentication
As far as we know, secure authentication is not a solid guarantee no matter how careful we are to facilitate a foundation of encryption and protection. Breaches in security do happen from time to time, which is what makes the Certificate Authority and Registration Authority so vital to the operations.
Without a top-performing CA and RA to authenticate and manage public key information, the “web of trust” is virtually nonexistent.
With all of the strengths of a Public Key Infrastructure, there is room for improvement. As it currently stands, PKIs rely heavily on the integrity of the associated Certificate Authority and Registration Authority, which aren’t always functioning at the ideal level of diligence and scrutiny. PKI management mistakes are another weak link that needs to be addressed.
Another current security limitation of Public Key Infrastructures today (or rather, a security risk) is the obvious lack of multi-factor authentication on many of the top frameworks. Regardless of the world’s increasing ability to blow through passwords, PKIs have been slow to combat this threat with various levels of authorization before entry.
Furthermore, the overall usability of Public Key Infrastructure has never been ideal. More often than not, PKIs are so remarkably complicated that users would rather forgo the addition PKI authorization in exchange for a more convenient and realistic security process.
Lastly, PKI technology is known for its inability to easily adapt to the ever-changing advancements of the digital world. Users report being unhappy with their current PKI’s lack of ability to support new applications that are geared toward improvements in security, convenience, and scalability.
SSL (Secure Sockets Layer) Cryptography relies heavily on PKI security to encrypt and decrypt a public key exchange using both symmetric and asymmetric encryption. How does PKI work with an SSL? Excellent question. We can sum up the relationship in three phases:
First, the web server sends a copy of its unique asymmetric public key to the web browser.
The browser responds by generating a symmetric session key and encrypting it with the asymmetric public key that was received by the server.
In order to decrypt and utilize the session key, the web server uses the original unique asymmetric private key.
Once the digital relationship has been established, the web browser and the web server are able to exchange encrypted information across a secure channel. The Public Key Infrastructure acts as the framework and facilitator for the encryption, decryption, and exchange of information between the two parties.
Let’s recap. PKI authentication (or public key infrastructure) is a framework for two-key asymmetric encryption and decryption of confidential electronic data. By way of digital certificate authorization, management, and authentication, a PKI can secure private data that is exchanged between several parties, which can take the form of people, servers, and systems.
If you want to learn more about how PKI can be used in your life and your business, contact Venafi and see how we can help you get the authentication you need today.
If you want to learn more about how PKI can be used in your life and your business? Contact Venafi and see how we can help you get the authentication you need today.