What is Public Key Infrastructure (PKI)?
Table of Contents
- By Bree Ann Russ
- Sep 18, 2023
Most people navigate the internet with little to no anxiety despite not knowing what goes on behind the scenes. Public Key Infrastructure is one of these background processes that allows everyday users to feel safe online. It prevents middlemen and cyber criminals from tampering with our online activity.
PKI utilizes certificate-based measures to authenticate identities and prevent middlemen and cyber criminals from tampering with our online security. The use of both public and private keys makes PKI nearly impenetrable and has pushed it as the modern standard.
What is Public Key Infrastructure?
Public Key Infrastructure includes everything in creating, distributing, and managing keys and certificates. PKI is used broadly across the internet, but private organizations also employ it to protect internal communications and assets.
PKI Using Asymmetrical Encryption
PKI generates both a public and private key. The public key is given to other users, encrypting all the data they send back to a server. This means that any packets that a cybercriminal manages to steal will be an indecipherable jumble of characters.
Breaking the public key's encryption requires the private key, which is maintained solely by the original creator. Organizations and services go to great lengths to ensure a private key cannot be stolen or tampered with.
The Turn Against Symmetrical Encryption
Symmetrical encryption means the same key is used to encrypt and decipher data. Despite how it sounds, symmetrical encryption was once the gold standard for hiding data.
The problem with symmetrical encryption is that criminals today can easily access people using a public key. Keyloggers, data breaches, and social engineering attacks can acquire the original message, which makes it much easier to reverse-engineer the cipher. If this happens, a PKI using symmetrical encryption would lose all viability.
Asymmetrical encryption doesn't have this weakness. Since different keys are used for encryption and decryption, the criminal can't break them even if they steal the original message.
How Does PKI and Encryption Work?
While these "keys' are where PKI gets its name, there's another critical aspect we haven't touched on. How do you know if you received the correct public key?
This question is the driving reason behind Public Key Infrastructure's success. Without the ability to confirm who's sending encrypted data, a middleman can intercept and tamper with the messages.
A criminal could obtain a public key and create their own private key from it. The criminal's private key wouldn't match the original, but that doesn't matter. After that, the criminal could intercept messages, decrypt them using the fake private key, re-encrypt them using the original public key, and send the message back to the intended recipient. In this scenario, neither the sender nor the recipient sees any sign of interference.
PKI gets around this problem through digital certificates that can identify the sender. Every key is given a certificate to verify the sender's identity. If the identities don't match, then the recipient knows that a third party got involved.
For this system to work, the digital certificates must be issued by reputable institutions known as certificate authorities.
Certificate Authority (CA)
Certificate authorities manage all the certifications for your PKI. They create the digital certificate based on the user's public key and other information you provided. Once the public key's identity is confirmed, the CA stamps the certificate to assure the recipient that the message comes from an authentic source.
There are two types of certificate authorities:
- Root Certificate Authority: Signs a certificate after personally verifying the user's identity. Root CAs have an obligation to be more thorough and honest, as countless subordinate certificate authorities also use their approval.
- Subordinate Certificate Authority: Signs a certificate after it's been verified by a Root CA. Subordinate certificate authorities sign the majority of PKI certificates.
Registration Authority (RA)
Registration authorities receive signing requests from people, programs, or codes requesting certification. The RA is charged with confirming user information from these requests before sending it to the CA it is partnered with. This step must be completed before a certificate is approved and is often performed by notaries.
A certificate store is a local file on your device that organizes the certificates you've interacted with. A store will often contain certificates from various certificate authorities and are generally segmented by level of trust, acceptance status, or personal relation.
A trust store, also known as a trust anchor, is a pre-installed list of root certificates. The trust store is exactly what it sounds like. It stores all of the CAs you should trust.
The most valuable function of a trust store is to confirm your device to subordinate certificate authorities. All the CAs in a trust store are root CAs, allowing them to vouch for your device's identity immediately.
The trust store also allows your device to reject certificates signed by dubious CAs. If this list was absent, then your device wouldn't know who to accept and would have to take an "all or nothing" approach.
Weaknesses of PKI
PKI isn't without its faults. The most prominent problem is that not all certificate authorities can be trusted. Some countries have lax or absent laws regarding signing certificates, and some governments have a vested interest in specific websites and applications appearing safe on the surface.
There are cases where governments and organizations force public certificate authorities to sign deceitful certificates. This can be done for any number of dishonest reasons, such as spying on users, injecting malware, or forcing a data leak to damage a competitor.
Going with a private CA is highly recommended, as there's a much lower risk of outside influence.
What is a PKI Used For?
What you do with a PKI depends on your organization's security risks.
Gaining Secure Status: PKI is primarily used to get SSL (Secure Sockets Layer) certificates and indicates that your website is safe to interact with. Web addresses beginning with https indicate a more secure channel that third parties can't access.
While the "https:" has all but disappeared from most address bars, it's succeeded by the "lock" icon on the address bar's far left.
S/MIME Protocol (Secure/Multipurpose Internet Mail Extensions): S/MIME protocol encrypts emails and ensures the accuracy of the message. S/MIME requires both the sender and recipient of an email to have a signed certificate from a CA. It is highly recommended when engaging in significant dealings as it automatically allows either party to enforce nonrepudiation.
Virtual Private Network (VPN) Authentication: Breaking into someone's VPN allows criminals to get around geographic security and access personal information. This danger makes certificates and PKI a more appealing security measure as they require the certificate to be stored in the device's internal certificate store that a criminal can't copy.
Learn More About Network Security to Remain Safe
PKI is a fundamental and non-negotiable part of any network security infrastructure. Its mechanisms protect organizations and users from a broad range of threats and maintain the integrity and confidentiality of your data during transit.
Building a PKI isn't simple, and there are many points to consider before starting. You must note the most likely security risks, choose between an internal and hosted CA, and automate all certificate delivery.
InfoPay's team is always available if you need help understanding some of these concepts or want to protect your digital privacy better. Our online blog is also an excellent resource for additional research into the most prominent threats you'll find online.