In-depth

What is public key infrastructure (PKI)?

This technology can help secure data using a number of components

Graphic representing security in either data protection or cyber security contexts

Public key infrastructure (PKI) is an important foundation for digital encryption and an essential part of most security technologies. It is a set of roles, policies and procedures one needs to create, manage and deploy digital certifications and public key encryption.

The role of a PKI is to keep electronically transferred information secure over a number of different network activities, such as e-commerce, internet banking and confidential email. This is a requirement for processes where simple passwords are not strong enough methods of authenticity. It provides those involved with more rigorous proof of identity to provide and access the information being transferred. 

PKI isn't the same as the secure data transfer method known as public-key encryption, however. Public key encryption relies on PKI, but the term 'PKI' actually refers to the broader system which is responsible for verifying identities and handing out public and private keys in the first place.

How does PKI work?

There are several companies involved in Public Key Infrastructure. The first step of the process involves the subject verifying their own identity with a digital certificate. Doing this requires a registration authority (RA) which itself is a requirement set out by the PKI to verify the subject. All requirements need to be published, so they are public, along with details on how the PKI has been developed. 

Upon verification, the RA passes the request along to the certificate authority (CA), which is responsible for approving, issuing, and storing digital certificates. Companies such as GoDaddy, DigiCert, Comodo, as well as non-profit groups like Let’s Encrypt, are all counted as CAs and can handle this process. All issued certificates are stored in a central repository, controlled by a management system that’s tasked with distribution and access permissions.

The CA is also responsible for signing and issuing digital certificates as proof that a subject’s identity has been verified. After a request from a RA is approved, the CA will then issue a private and public key pair to accompany the certificate. While this sounds like a simple step, in reality, there’s a bunch of hardware and software working behind the scenes, managing tasks like automatic data validation, the creation of key pairs, and request approval – all of which form the PKI.

Where is PKI used?

Public Key Infrastructure use features in a large range of applications, but it is most frequently used to protect digital platforms and services. A common deployment is the protection of data transfers so that information being sent over a network can only be viewed by the intended recipient.

It's also used to send emails using OpenPGP (Open Pretty Good Privacy) and S / MIME (Secure / Multipurpose Internet Mail Extensions), user authentication using smart cards and the authentication of client systems using SSL (Secure Socket Layer) signatures or encryption.

You may also encounter a variant of PKI when accessing e-documents and online forms that require user signatures. While there are other ways to verify an e-document, PKI is by far the easiest to use as it's not necessary for the two parties to know each other.

The chain of trust

To enhance the security of Public Key Infrastructure, a trusted relationship is needed called a chain of trust. This hierarchy describes the trust relationship between identities when using Subordinate (intermediate) CAs. The main advantage of this is that it enables the delegation of certificates by Subordinate CAs.

A chain of trust is created by validating each hardware and software component from one end right up to the root certificate. This is to ensure that only trusted software and hardware are used in the PKI.

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

Microsoft spearheads industry-wide charter against AI cyber attacks
Security

Microsoft spearheads industry-wide charter against AI cyber attacks

23 Oct 2020
Weekly threat roundup: Chrome, Citrix and WordPress
Security

Weekly threat roundup: Chrome, Citrix and WordPress

23 Oct 2020
IT services giant Sopra Steria falls victim to Ryuk ransomware
Security

IT services giant Sopra Steria falls victim to Ryuk ransomware

23 Oct 2020
CMS platforms succumb to KashmirBlack botnet as businesses rush online
Security

CMS platforms succumb to KashmirBlack botnet as businesses rush online

22 Oct 2020

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
IT services giant Sopra Steria falls victim to Ryuk ransomware
Security

IT services giant Sopra Steria falls victim to Ryuk ransomware

23 Oct 2020
How to wipe a laptop easily and securely
Security

How to wipe a laptop easily and securely

5 Oct 2020