Public Key Infrastructure (PKI) is a technology for authenticating users and devices in the digital world. The basic idea is to have one or more trusted parties digitally sign documents certifying that a particular cryptographic key belongs to a particular user or device.
PKI is based on a mechanism called a digital certificate. Digital certificates are sometimes also referred to as X.509 certificates or simply as certificates. Think of a certificate as a virtual ID card.
In the real world, people use ID cards such as a driver's license, passport, or an employee ID badge to prove their identity. A certificate does the same basic thing in the electronic world, but with one big difference. Certificates are not just issued to people (users, administrators, etc.). Certificates can also be issued to computers, software packages, or to just about anything else that you may need to prove the identity of.
You may be wondering what certificates have to do with PKI and how PKI works. PKI works by assigning a user a pair of keys. These keys are generated by running a mathematical process against the user's certificate. The keys themselves are nothing more than very long alphanumeric strings.
One of the keys is designated as the user's private key, while the other is designated as the user's public key. The idea is that only the user who owns the keys has the private key, but the user's public key can be freely given to anyone. Normally, a certificate authority or a key management server passes out public keys whenever they are requested, but public keys could really be distributed by any means.
Suppose for a moment that a user needed to encrypt a file. The user would use their private key to encrypt the file. Once the file is encrypted, only the public key can decrypt it. At first, this probably doesn't sound very secure, since anyone in the world can have the user's public key just by asking for it. However, there is one detail that you need to consider. The user's public key can only decrypt files; it cannot be used to encrypt anything. Furthermore, it can only decrypt items that have been encrypted using the corresponding private key. Therefore, if a public key is used to decrypt a file, it absolutely guarantees that the person who encrypted it was the owner of the corresponding private key (assuming that the private key hasn't been stolen). For example, if I encrypted a file with my private key, and you used my public key to open it, then you can be sure that I was the person who encrypted the file. This use of the private key is what a digital signature is: it proves who produced the file, rather than hiding its contents.
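The private-key/public-key exchange in the paragraph above, written out as an added example (this code is not from the article): one user signs a file with their private key, and anyone holding the matching public key can check it, but a modified file or a different user's key fails the check. The article names no algorithm, so ECDSA over P-256 with SHA-256 from Go's standard library is assumed here, and the file contents are constructed. Modern libraries call this operation signing and verifying rather than encrypting and decrypting, but it is exactly the guarantee the paragraph describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// KeyPair holds the two halves the text describes: the private key stays with
// its owner, the public key can be handed to anyone.
type KeyPair struct {
	Private *ecdsa.PrivateKey
	Public  *ecdsa.PublicKey
}

// GenerateKeyPair creates a fresh key pair. Assumption: the article names no
// algorithm, so ECDSA over P-256 is used here for illustration.
func GenerateKeyPair() (*KeyPair, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &KeyPair{Private: priv, Public: &priv.PublicKey}, nil
}

// Sign is the "lock it with the private key" step from the text: only the
// holder of the private key can produce this value for these exact bytes.
func Sign(priv *ecdsa.PrivateKey, file []byte) ([]byte, error) {
	digest := sha256.Sum256(file)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify is the "open it with the public key" step: it succeeds only if the
// signature was made with the private key matching pub, over exactly these bytes.
func Verify(pub *ecdsa.PublicKey, file, sig []byte) bool {
	digest := sha256.Sum256(file)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo runs the three checks a reader would want to see: the genuine file
// verifies, a modified file does not, and another user's public key does not.
func Demo() (genuine, tampered, wrongKey bool, err error) {
	alice, err := GenerateKeyPair()
	if err != nil {
		return
	}
	bob, err := GenerateKeyPair()
	if err != nil {
		return
	}
	file := []byte("constructed sample: quarterly report, version 1") // constructed input
	sig, err := Sign(alice.Private, file)
	if err != nil {
		return
	}
	genuine = Verify(alice.Public, file, sig)
	tampered = Verify(alice.Public, []byte("constructed sample: quarterly report, version 2"), sig)
	wrongKey = Verify(bob.Public, file, sig)
	return
}

func main() {
	genuine, tampered, wrongKey, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrongKey=%v\n", genuine, tampered, wrongKey)
}
```

Run it with `go run` and it prints `genuine=true tampered=false wrongKey=false`: the public key confirms Alice's file, but it will not vouch for a single changed byte, and Bob's public key says nothing about a file Alice signed.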
Numerous organizations are keen on protecting their information assets using some form of cryptography, but are unaware of the details of implementing this effectively. The most popular method in modern day businesses is to utilise a public key infrastructure (PKI). PKI works on the basis of certificates and trust. A certificate is provided to a user, system or device and is a method of verifying that entity as trustworthy. Certificates primarily consist of a digitally signed statement containing the public key and details of the user. The user is identified within the certificate by a name such as a username, email address or DNS name. By signing the user's certificate, the certificate authority (CA – more on this in a minute) validates that the private key associated with the public key in the certificate belongs to that user, or subject.
So, what is a certificate authority? A certificate authority is an independent, highest root of trust that holds all certificates and is essentially the decision maker. If you envisage a tree, then the CA would sit on top of that tree. The CA issues the users it trusts with certificates containing public keys. This certificate can be freely distributed, and in terms of attack it is irrelevant whether an attacker gets hold of this certificate or not, as it is useless without the corresponding private key. So, the public key within the certificate can be used by the user to encrypt data. However, the data can only be decrypted using a private key which is in the user's possession and kept secure. The private key can also be used by the user to create a digital signature to validate identities.
The idea is that both keys are dependent upon each other and compromise of one key will not result in compromise of data. The public key can be passed freely across the internet in plain text; the private key must remain secure. The certificate authority will ultimately have control of issuing certificates.
Certificate authorities can be set up in-house or outsourced to a third party. However, it is imperative that the third party is a trusted source, as it will represent a single point of failure for securing communications in your business. By using CAs and a public key infrastructure, companies can gain the benefits of processing information in a secure manner by both identifying and authenticating the source.
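As an added example of the CA role described above (this is illustration code, not the article's): an in-house CA, the top of the tree, signs a user's certificate with its private key, while the user's own private key never leaves the user. A verifier that has chosen only that in-house CA as its root accepts the certificate, but rejects one issued for the same user and public key by an unrelated CA, which is the single-point-of-trust decision the last paragraph warns about. Go's standard library `crypto/x509` package and ECDSA P-256 keys are assumed, and the CA and user names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newKey generates a P-256 key pair (assumed algorithm; the article names none).
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// template builds the certificate fields shared by CA and user certificates.
func template(serial int64, name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA { // the root of the tree: allowed to sign other certificates
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// NewCA creates a self-signed root certificate and the private key that signs every certificate the CA issues.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	tmpl := template(1, name, true)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Issue is the CA signing a user's certificate: the user's name and public key go in,
// the CA's private key signs, and the user's private key never leaves the user.
func Issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string, userPub *ecdsa.PublicKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template(2, user, false), ca, userPub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Trusted reports whether cert chains to one of the given roots: a certificate is
// only as trustworthy as the CA that signed it, so the chosen roots are the whole decision.
func Trusted(cert *x509.Certificate, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// Demo: the in-house CA and an unrelated CA each issue alice a certificate for the same
// name and public key. With only the in-house CA as a root, the first is accepted, the second rejected.
func Demo() (inHouseOK, outsiderOK bool, err error) {
	inHouse, inHouseKey, err := NewCA("Example Corp Root CA") // constructed name
	if err != nil {
		return
	}
	outsider, outsiderKey, err := NewCA("Unrelated CA") // constructed name
	if err != nil {
		return
	}
	aliceKey, err := newKey() // alice keeps this; only the public half is certified
	if err != nil {
		return
	}
	fromInHouse, err := Issue(inHouse, inHouseKey, "alice@example.com", &aliceKey.PublicKey)
	if err != nil {
		return
	}
	fromOutsider, err := Issue(outsider, outsiderKey, "alice@example.com", &aliceKey.PublicKey)
	if err != nil {
		return
	}
	return Trusted(fromInHouse, inHouse), Trusted(fromOutsider, inHouse), nil
}
```

`Demo` returns `true, false`: the certificate is the same shape in both cases and carries the same public key, so what makes the first one trustworthy is purely that the verifier's root pool contains the CA that signed it. Outsourcing the CA means putting a third party's key into that pool, which is why the article calls it a single point of failure.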