How does Public Key Infrastructure (PKI) work?


The Basics

Numerous organisations are keen on protecting their information assets using some form of cryptography, but are unaware of the details of implementing this effectively. The most popular method in modern day businesses is to utilise a public key infrastructure (PKI). PKI works on the basis of certificates and trust. A certificate is provided to a user, system or device and is a method of verifying that entity as trustworthy. Certificates primarily consist of a digitally signed statement with public key and details of the user. The user is identified within the certificate based on their name as it appears from numerous services such as username, email address or DNS name. By signing the users certificate, the
certificate authority (CA – more on this in a minute) validates that the private key associated with the public key in the certificate belongs to that user, or subject.


So, what is a certificate authority? A certificate authority, is an independent highest root of trust that holds all certificates and is essentially the decision make. If you envisage a tree then the CA would sit on top of that tree. The CA issues users it trusts with certificates containing public keys. This certificate can be freely distributed and in terms of attack, it is irrelevant if an attacker gets hold of this certificate or not as it is useless without a private key pair. So, the public key within the certificate can be used by the user to encrypt data. However, the data can only be decrypted using a private key which is in the users possession and kept secure. The private key can also be used by the user to create a digital signature to validate identities.

The idea is that both keys are dependent upon each other and compromise of one key will not result in compromise of data. The public key can be passed freely across the internet in plain text, the private key must remain secure. The certificate authority will ultimately have control of issuing certificates.

Certificate authorities can be set up in-house or outsourced to a third party. However, it is imperative that the third party is a trusted source as this will represent a single point of failure for securing communications in your business. By using CA’s and a public key infrastructure, companies can gain the benefits of processing information in a secure manner by both identifying and authenticating the source.
Use Cases

So, we have explored the basics of how PKI and certificates work, but how can this be used in a business and what benefits can this provide? We explore some use cases for PKI below:
Securing Emails: Email clients utilise PKI and certificates to maintain the integrity of e-mails and secure the confidentiality of emails via encryption.
Web Communications: Web servers utilise certificates to authenticate clients using client side certificates. Web servers also use server side certificates for confidential, encrypted web traffic
IPSEC Authentication: IPSEC can authenticate clients using certificates.

About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related. Follow Lee on .

Leave a Reply

Your email address will not be published. Required fields are marked *