In-depth

What is public key infrastructure (PKI)?

This technology can help secure data using a number of components


Public key infrastructure (PKI) is one of the building blocks of digital encryption and is a fundamental part of most security technologies. It's a system of various technologies and procedures designed to verify the identities and legitimacy of digital entities and domains, which in turn informs other security and verification systems.


First, some background: "public key cryptography" is a branch of cryptography built on a pair of two unique but mathematically linked keys, known as a public key and a private key. Any data encrypted with a public key can only be decrypted with the corresponding private key.

PKI is not the same as public key encryption, the secure data transfer method that applies the theory above. Public key encryption relies on PKI, but the term 'PKI' refers to the broader system responsible for verifying identities and issuing public and private keys in the first place.

How does PKI work?

In order to obtain a public and private key pair with which to conduct encrypted transactions, entities must verify that they are, in fact, who they claim to be. PKI is the system responsible for conducting that verification and issuing the keys.

This involves a number of different parties acting in various roles. At the start of this chain is the subject, who wants to obtain a key pair. In order to be issued with one, they must prove their identity by obtaining a digital certificate. To get a digital certificate, they apply to a registration authority (RA). This entity then verifies the subject's identity according to the specific verification requirements of the PKI in question, as laid out in its certificate policy. This policy is made publicly available and also describes how the PKI is constructed and what specific certificates may be used for.


Once the RA is satisfied that the subject's identity is correct, it passes the request on to the certificate authority (CA), which is in charge of approving, issuing and storing digital certificates. CAs can include trusted third-party companies like Comodo, GoDaddy or DigiCert, as well as non-profit institutions like the Let's Encrypt consortium. Certificates issued by the CA are stored in a central directory and managed via a certificate management system, which controls things like access permissions and certificate distribution.

Once the CA approves the request from the RA, it signs and issues a digital certificate to prove that the subject is who they say they are, and issues a unique private and public key pair to go with it. This process can involve multiple layers of hardware and software performing tasks such as automatically cross-checking identity verification data, issuing key pairs and approving requests; these components also form part of the PKI itself.

Where is PKI used?

PKI features in a wide range of applications, but it is most frequently used to protect digital platforms and services. A common deployment is the protection of data transfers, so that information sent over a network can only be read by the intended recipient.


It's also used to secure email with OpenPGP (Open Pretty Good Privacy) and S/MIME (Secure/Multipurpose Internet Mail Extensions), for user authentication using smart cards, and for the authentication of client systems using SSL (Secure Sockets Layer) signatures or encryption.

You may also encounter a variant of PKI when accessing e-documents and online forms that require user signatures. While there are other ways to verify an e-document, PKI is by far the easiest to use as it's not necessary for the two parties to know each other.

The chain of trust

To enhance the security of PKI, a trusted relationship called a chain of trust is needed. This hierarchy describes the trust relationship between identities when subordinate (intermediate) CAs are used. Its main advantage is that it allows certificate issuance to be delegated to subordinate CAs.

A chain of trust is created by validating each hardware and software component from one end right up to the root certificate. This is to ensure that only trusted software and hardware are used in the PKI.
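The following is an added example, not code from the article, showing the issuance step described under "How does PKI work?" (a subject submits a certificate signing request, a CA signs it) and the chain of trust described here: a root CA, a subordinate CA and an end-entity certificate are created with OpenSSL, and the verifier is then asked to validate the complete chain, the same leaf with its intermediate missing, and a certificate "issued" by the leaf, which is not permitted to act as a CA. All names (Demo Root CA, pki-demo.example, rogue.example) are placeholders.

```shell
#!/bin/sh
# Added example (not from the article): root -> intermediate -> leaf chain
# built with OpenSSL, then checked with "openssl verify". Names are placeholders.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Minimal config so the example does not depend on the system openssl.cnf.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
EOF

# Subject side: new key pair and a certificate signing request for CN $2.
csr() { openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
          -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null; }
# CA side: sign CSR $1 with CA $2, applying extension section $3.
sign() { openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
          -CAcreateserial -days 30 -extfile pki.cnf -extensions "$3" \
          -out "$1.pem" 2>/dev/null; }

# Root CA: self-signed trust anchor that verifiers are configured with.
openssl req -x509 -newkey rsa:2048 -nodes -config pki.cnf -extensions ca_ext \
  -subj "/CN=Demo Root CA" -days 30 -keyout root.key -out root.pem 2>/dev/null
csr int "Demo Intermediate CA"; sign int root ca_ext    # subordinate CA
csr leaf "pki-demo.example";    sign leaf int leaf_ext  # end-entity cert
csr rogue "rogue.example";      sign rogue leaf leaf_ext # signed by a non-CA

# Full chain root -> intermediate -> leaf validates.
chain_ok() { openssl verify -CAfile root.pem -untrusted int.pem leaf.pem >/dev/null 2>&1; }
# Without the intermediate the leaf cannot be linked to the root.
missing_intermediate_rejected() { ! openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1; }
# Even with every certificate supplied, the rogue cert fails: its issuer is CA:FALSE.
non_ca_issuer_rejected() { ! openssl verify -CAfile root.pem -untrusted int.pem \
                               -untrusted leaf.pem rogue.pem >/dev/null 2>&1; }

if chain_ok && missing_intermediate_rejected && non_ca_issuer_rejected; then
  echo "chain of trust enforced: full chain accepted, broken chains rejected"
fi
```

The `-untrusted` certificates are the intermediates a server would send alongside its leaf; only `-CAfile` holds the root the verifier actually trusts.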
