What is Public Key Infrastructure (PKI)? How does it Work? (2024)

Public key infrastructure (PKI) refers to tools used to create and manage public keys for encryption, which is a common method of securing data transfers on the internet. PKI is built into all web browsers used today, and it helps secure public internet traffic. Organizations can use it to secure the communications they send back and forth internally and also to make sure connected devices can connect securely.

The most important concept associated with PKI is the cryptographic keys that are part of the encryption process and serve to authenticate different people or devices attempting to communicate with the network.

PKI works through the implementation of two technologies: certificates and keys. A key is a long number used to encrypt data. Each element of a message gets encrypted using the key formula. For example, if you want to write a message where every letter is replaced by the letter after it, then A will become B, C will be D, etc. If someone is to have this key, they will get what will look like a nonsensical message and decrypt it.

With PKI, the key involves advanced mathematical concepts that are much more complicated. With the alphabetic example above, there is one key, and if the recipient has it, they can easily decrypt the message. With PKI, on the other hand, there are two keys: a private and a public one.

The public key is available to anyone who wants it and is used to encode a message that someone sends to you. A private key is what you use to decrypt the message after you get it. The keys are connected using a complex mathematical equation. Even though the private and public keys are connected, the connection is facilitated by this complex equation. It is therefore extremely difficult to ascertain the private key by using data from the public key.

Certificates, which are issued by a certificate authority (CA), let you know the person or device you want to communicate with is actually who they claim to be. When the correct certificate is associated with a device, the device is considered authentic. The validity of the certificate can be authenticated through a system that checks whether it is real or not.

Symmetric encryption refers to a relatively straightforward algorithm used to encrypt data. During World War II, Germany used symmetric encryption to transmit private messages.

This is how symmetric encryption works:

1. A message is typed using plain, regular text.
2. It is then run through a series of permutations that encrypt it.

The encryption is very difficult to crack because what is put into the permutation process does not always come out the same. For example, the letter A may come out as a group of two characters, such as “4T,” the first time it is entered. But then, it can also come out as “Y8” the second time it is entered. This makes it hard to derive the equation being used.

The word “symmetric” applies to the fact that you need the same key to both encrypt and decrypt the message. Even though it is difficult to figure out the key, the fact that only one key carries the solution to both the encryption and the decryption adds an element of risk. If someone compromises the channel that shares the key, the system can be broken.

The risk of symmetric encryption is solved with asymmetric encryption. With asymmetric encryption, two different keys are created to encrypt messages: the public key and the private one. The message still has to pass through complicated mathematical permutations to get encrypted. However, the private key decrypts it, and the public key encrypts it.

The mathematical properties used to make public and private keys today are Elliptic-curve cryptography (ECC), Rivest-Shamir-Adleman (RSA), and Diffie-Hellman. Each uses different algorithms to make encryption keys. However, they each share the same overall principles regarding how the public and private keys are related.

For example, the RSA 2048 algorithm generates two random prime numbers that are each 1024 bits in length. These are then multiplied by each other. The answer to that problem ends up being the public key. The two random prime numbers used are the private key.

If the two prime numbers are smaller, including, for instance, only two digits, it will be relatively easy for a program to figure out what they are. However, because they each have 1024 digits, it is extremely difficult to figure them out—even when you know the product of the equation.

Sensitive data exposure or data leakage is one of the most common forms of cyberattack. Sensitive data, like credit card information, medical details, Social Security numbers, and user passwords, can be exposed if a web application does not protect it effectively. Attackers who are able to access and steal this information can use it as part of wider attacks or sell it to third parties.

Protecting sensitive data is increasingly important given the stringent rules and punishments of data and privacy regulations, such as the European Union’s General Data Protection Regulation (GDPR). To do so, organizations must be able to protect data at rest and data in transit between servers and web browsers.

Data on a website can be protected using a secure socket layer (SSL) certificate, which establishes an encrypted link between a web browser and a server. It also protects the integrity of data when in transit between a server or firewall and the web browser. Sensitive data exposure can also be prevented by encrypting data through secure encryption processes, protecting stored passwords with strong hashing functions, and ensuring that strong, updated algorithms, keys, and protocols are in place.

PKI certificates refer to documents that grant an entity permission to engage in the exchange of PKI keys. They are similar to passports that carry an identity unique to the holder. Without this passport, the entity is not allowed to participate in the exchange of PKI-encrypted data.

A certificate includes the public key and is used to share the public key between two parties. It also includes official attestation from a source that both entities trust. This confirms the identity of the entity engaging in the digital interaction. The source that issues the certificate is referred to as the CA.

PKI certificates also involve a registration authority (RA), which receives the signing requests for certificates. The signing requests facilitate the issuance and renewal of certificates as they are given to things, people, or applications.

Certificates are stored within a certificate database. This is on a server that hosts the CA. The CA information is also kept on the local device or computer used to engage in the communication. The storage of the certificate for the CA is called the certificate database, while the local storage on the device or computer is called a certificate store.

Another important facet of PKI certificates is certificate policy. This refers to a document that aims to identify each entity involved in a PKI interaction, as well as outline their respective roles. The certificate policy is published within what is called the PKI perimeter. In the case of X.509 certificates, a link can be included in a certain field within the PKI perimeter, and this link is associated with the certificate policy.

1. Hypertext Transfer Protocol Secure (HTTPS): In HTTPS, the certificates identify each website the user tries to reach to make sure the messages sent back and forth are not intercepted or changed. If someone gains unauthorized access, they can engage in fraudulent activity, such as send fake wire transfers or take people’s credit card information. HTTPS can also help prevent a range of man-in-the-middle (MITM) attacks because the hacker has to know how to decrypt the information to effectively intercept and then change or steal the data being sent between two entities. When the communicating parties have to encrypt their messages, not only is key data kept secure but so are passwords and other private information that hackers want to get their hands on.
2. Secure Shell (SSH): SSH provides authentication for computers and users, and uses X.509 certificates. Although different SSH protocols can use different certificate formats, they all perform the same basic function: making sure users and computers are who they claim to be.
3. Signing and encrypting emails: Certificates also come into play when you have to make sure your email communications are secure. As with SSH, there are different options for the implementation of PKI certificates for sending emails, but they perform the same essential functions: securing emails that get sent and received, while also ensuring the sender and receiver are who they claim to be.

The process of creating a certificate follows several, logical steps. First, a private key is created, which is used to calculate the public key. Then, the CA requires the private key owner's attributes presented for verification.

After that, the public key and the owner's attributes are encoded into a digital signature known as a certificate signing request (CSR). This then gets signed by the owner of the key. The signature the owner provides serves as proof that they are the rightful possessor of the private key.

The final step involves the CA. The CSR gets validated by the CA, which then also adds its own signature to the certificate using the CA’s private key. At this point, the certificate is considered legitimate, and communication can commence.

PKI is a good and necessary tool for making sure email is secure, similar to how it is a valuable resource for securing traffic on the internet or within an organization’s internal communications. It is relatively easy to intercept data as it moves through the internet unencrypted. Therefore, email is particularly important to protect.

Often, private, business-critical, or sensitive information is transferred over email. If the person receiving the email is anyone other than the intended receiver, a company's operations or someone’s personal data can be intercepted. When each party has to verify their identity using the certificate process, and then verify their right to receive the information by having the appropriate key, email transmission is far safer.

Otherwise, people can both initiate and intercept emails at will, pretending it is from a device it is not or even grabbing and then changing the content of emails in a kind of MITM attack.

PKI solves a variety of challenges. One of the primary issues PKI addresses is when hackers seek to leverage MITM attacks to intercept and alter or steal information. The “man” attempting to get in the middle will not have the private key needed to decrypt the message. Therefore, the best they can do is to intercept it. It takes an enormous amount of computing power to decrypt a 2048-bit encryption. This makes PKI a strong solution for the prevention of these types of digital assaults.

PKI also addresses the problem of managing certificates. It does this by vetting each one to make sure it is valid. Also, PKI includes methods for getting rid of illegitimate certificates that have been either stolen or lost. It can also revoke certificates after they have expired or have been otherwise compromised.

At the organizational level, PKI can assist organizations in forming a system of discovering and managing certificate data. In this way, the organization can automate the applications and devices that they want to have certificates, as well as where the certificates come from. Generally speaking, regardless of the specific use case, PKI provides a more secure form of communication in a world that relies on the digital transfer of information.

The increasing number of devices introduced to the internet every day makes it a challenge to confirm the security of communications, particularly because devices can be used to impersonate others or intercept communications. The PKI system precludes the easy exploitation of digital communications.

For example, if your email account is secured by adequate multi-factor authentication (MFA), PKI can make it possible for you to send sensitive information such as your phone number to another person, given their email account is equally secure. Also, a company that needs to push an update to a fleet of Internet of Things (IoT) devices can do so without having to worry about a virus being injected in the data stream by a hacker.

If PKI is not executed properly, some significant risks arise, and communications can fail to go through. For example, a digital outage, which is generally when there is a failure within the network or with a connected device, can result in a message not going through. In this case, however, it is unlikely that data will be intercepted by a malicious party.

An unsecured digital identity can pose a more serious issue. This is because someone can use an expired certificate to pretend to be someone they are not. Similarly, failed audits or compromised CAs can result in leaked data. To prevent this, it is crucial that a specific team is put in charge of managing PKI infrastructure, such as the IT team or the networking team, instead of leaving it as an unassigned responsibility.

Adding encryption—or poor encryption—comes with a cost. Encryption requires both time and effort to implement it. This includes figuring out which internal communications must be encrypted and what this will involve for the systems and people who use them. For example, some organizations have to roll out encryption policies for IoT devices connected to their network. Without proper organization, this kind of endeavor can consume large amounts of time and human resources. Poor encryption may result in further problems, particularly if it is responsible for a breach.