Public Key Infrastructure (PKI) is a framework that uses public and private keys for encrypting and decrypting messages, digital signatures to verify message integrity, and certificates for authenticating legitimate computers. This article will take you through the basics of PKI so you can better understand how it works!
What is PKI, and why do I need it?
Many of you may be asking what is PKI? PKI is a framework that uses public and private keys for encrypting and decrypting messages, digital signatures to verify message integrity, and certificates for authenticating legitimate computers. You may ask yourself: why do I need this? If you use the internet or other computer networks regularly (and we’re sure you do), PKI helps keep your information safe! When an email provider like Gmail receives an email, it verifies my identity by checking if the sending IP address matches my certificate in their database of trusted addresses before delivering it to me. Other common uses include signing software binaries so users know they are getting official versions without risk of viruses and securing messages to prevent eavesdropping.
How does PKI work?
Public Key Cryptography uses two keys; one is made public (called the Public Key) while the other remains private (called the Private Key). When you encrypt a message using your Public key, it can only be decrypted by someone with access to your Private key. This ensures that even if my email provider’s servers are compromised, an attacker cannot intercept messages intended for me because they won’t have my private key, which I kept offline after creating it! Digital Signatures are used in conjunction with certificates, so senders know their message was received unaltered.
A sender computes a hash of their message then sends both the original copy and its hash to the receiver. The receiver then recomputes their hash and verifies that they are equal before accepting the message as authentic. If someone alters your encrypted email after I sent it, my Public Key will no longer decrypt properly, which means an attacker could have changed something! Digital certificates are essentially just files with information about you or a website that can be given out freely by companies like Thawte or Symantec (or however the downside networks), allowing others to authenticate them easily using cryptographic signatures.
Why should a Commercial Certificate Authority (CA) be used?
You should never create your certificate or public/private key pair for use with PKI! Why is that, you ask? A commercial CA ensures that the certificates they issue are globally recognized as valid. You can install them on browsers, mail servers, and more to ensure only trusted entities receive encrypted messages meant for you! When sending an email, servers contain a link to download my Public Key from their website. Check if it was signed using one of Google’s root certificates, preinstalled in most operating systems today. If someone else were to generate their own claiming it’s theirs instead of mine, the world would likely reject it since no browser vendor would have a root certificate for it in their trusted list!
When to use Self-Signed Certificates
Self-signed certificates are best used when you don’t want to pay for or deal with installing a CA’s root certificate on every device that might try accessing your website. For example, if I wanted people visiting my personal blog to be able to send me encrypted messages even though it isn’t public-facing nor visited by many users…I could generate myself a self-signed private keypair and have the corresponding public key signed by myself so all browsers would recognize it as valid!
When to use Public Key Cryptography instead of Certificate Signings
Public key cryptography is also used to encrypt sessions (aka cookies) between your web browser and a website in order to ensure that no eavesdroppers can read them. This is because the server only needs its Private Key to decrypt messages encrypted by you with its Public Key which are stored in memory on both sides of the connection! However, certificates allow someone watching our traffic to know who sent us each message. In contrast, public keys do not, so using private-key encryption would be pointless since it wouldn’t benefit over normal session encryption methods!
What is the future of PKI?
More and more companies are going to digital signatures because they’re faster, easier to verify by computers, and less likely that someone could “fake” one. The downside however is that if an attacker somehow manages to steal your private key from wherever you kept it…they can decrypt anything encrypted using its corresponding public key! This has been demonstrated repeatedly over time so maybe we’ll see hardware-based protection becoming popular in coming years as well with phones or other devices generating keys on the device itself instead of sending them off where they might be vulnerable.
Public Key Infrastructure is a complicated topic, but with this brief guide you should be able to understand the basics of what it means for your business. You can then use that knowledge to determine if PKI would benefit your company and take appropriate steps towards implementing it. This article has introduced you to some terminology which will help get you started on understanding how public key infrastructures work in general.
