PKI (public key infrastructure) is the underlying framework that enables entities — users and servers — to securely exchange information using digital certificates. The entities that facilitate and use PKI typically involve general internet users, web clients or browsers, and company servers — though this can extend to other virtual machines (VMs) as well.
The word infrastructure describes PKIs since it does not refer to one single physical entity. Instead, it refers to the components used to encrypt data and authenticate digital certificates. These components include the hardware, software, policies, procedures and entities needed to safely distribute, verify and revoke certificates.
In technical terms, PKI is a two-key asymmetric cryptosystem that supports various information technology (IT) systems in their pursuit of high-level information confidentiality, encryption and confidence. The two keys, in this case, are also the two main pieces that facilitate this secure data management: a public key and a private key.
Similar to real keys, digital keys can lock and unlock digital materials. Lock in this context refers to encryption. Digital information is jumbled through the process of encryption to keep it safe from unauthorized viewers. Users can lock and unlock data at will using a key. Keys are special in that they can be used by multiple people at once. One could decipher another person’s encrypted data and messages if they had access to their digital key. To maintain the security of the parties and data involved, PKI uses two digital keys.
The public key infrastructure uses a pair of keys: the public key and the private key to achieve security. The public keys are prone to attacks and thus an intact infrastructure is needed to maintain them.
Managing Keys in the Cryptosystem:
The security of a cryptosystem relies on its keys. Thus, it is important that we have a solid key management system in place. The 3 main areas of key management are as follows:
- A cryptographic key is a piece of data that must be managed by secure administration.
- It involves managing the key life cycle which is as follows:
- Public key management further requires:
- Keeping the private key secret: Only the owner of a private key is authorized to use a private key. It should thus remain out of reach of any other person.
- Assuring the public key: Public keys are in the open domain and can be publicly accessed. When this extent of public accessibility, it becomes hard to know if a key is correct and what it will be used for. The purpose of a public key must be explicitly defined.
PKI or public key infrastructure aims at achieving the assurance of public key.
Public Key Infrastructure:
Public key infrastructure affirms the usage of a public key. PKI identifies a public key along with its purpose. It usually consists of the following components:
- A digital certificate also called a public key certificate
- Private Key tokens
- Registration authority
- Certification authority
- CMS or Certification management system
Working on a PKI:
Let us understand the working of PKI in steps.
- PKI and Encryption: The usage of cryptography and encryption methods is at the foundation of PKI. A public key is used in both symmetric and asymmetric encryption. How do you know that the public key belongs to the proper person or to the person you assume it belongs to? is the problem at hand. A MITM is always possible (Man in the middle). With the use of digital certificates and a PKI, this problem is solved. It assigns identities to keys in order to facilitate and accurately verify ownership.
- Public Key Certificate or Digital Certificate: Digital certificates are issued to people and electronic systems to uniquely identify them in the digital world. Here are a few noteworthy things about a digital certificate. Digital certificates are also called X.509 certificates. This is because they are based on the ITU standard X.509.
- The Certification Authority (CA) stores the public key of a user along with other information about the client in the digital certificate. The information is signed and a digital signature is also included in the certificate.
- The affirmation for the public key then thus be retrieved by validating the signature using the public key of the Certification Authority.
- Certifying Authorities: A CA issues and verifies certificates. This authority makes sure that the information in a certificate is real and correct and it also digitally signs the certificate. A CA or Certifying Authority performs these basic roles:
- Generates the key pairs – This key pair generated by the CA can be either independent or in collaboration with the client.
- Issuing of the digital certificates – When the client successfully provides the right details about his identity, the CA issues a certificate to the client. Then CA further signs this certificate digitally so that no changes can be made to the information.
- Publishing of certificates – The CA publishes the certificates so that the users can find them. They can do this by either publishing them in an electronic telephone directory or by sending them out to other people.
- Verification of certificate – CA gives a public key that helps in verifying if the access attempt is authorized or not.
- Revocation – In case of suspicious behavior of a client or loss of trust in them, the CA has the power to revoke the digital certificate.
Elements of PKI
A typical PKI includes the following key elements:
- Certificate authority. A trusted party provides the root of trust for all PKI certificates and provides services that can be used to authenticate the identity of individuals, computers and other entities. Usually known as certificate authorities (CAs), these entities provide assurance about the parties identified in a PKI certificate. Each CA maintains its own root CA, for use only by the CA.
- Registration authority. This is often called a subordinate CA and issues PKI certificates. The registration authority (RA) is certified by a root CA and is authorized to issue certificates for specific uses permitted by the root.
- Certificate store. This is usually permanently stored on a computer but can also be maintained in memory for applications that do not require that certificates be stored permanently. The certificate store enables programs running on the system to access stored certificates, certificate revocation lists (CRLs) and certificate trust lists (CTLs).
- Certificate database. This database stores information about issued certificates. In addition to the certificate itself, the database includes the validity period and status of each PKI certificate. Certificate revocation is done by updating this database, which must be queried to authenticate any data digitally signed or encrypted with the secret key of the certificate holder.
Classes of a Digital Certificate:
A digital certificate can be divided into four broad categories. These are :
- Class 1: These can be obtained by only providing the email address.
- Class 2: These need more personal information.
- Class 3: This first checks the identity of the person making a request.
- Class 4: They are used by organizations and governments.
Process of creation of certificate:
The creation of a certificate takes place as follows:
- Private and public keys are created.
- CA requests identifying attributes of the owner of a private key.
- Public key and attributes are encoded into a CSR or Certificate Signing Request.
- Key owner signs that CSR to prove the possession of a private key.
- CA signs the certificate after validation.
Creation of Trust layers among CA Hierarchies:
Each CA has its own certificate. Thus, trust is built hierarchically where one CA issues certificates to other CAs. Moreover, there is a root certificate that is self-signed. For a root CA, the issuer and the subject are not two separate parties but a single party.
Security of Root CA:
The root CA is the ultimate authority, as you can see above. Therefore, the security of the root CA is crucial. A catastrophe could occur if a root CA’s private key is not handled properly. This is due to the fact that anyone can then issue certificates by masquerading as the root CA. A root CA must be offline 99.9% of the time to comply with security requirements. To generate public and private keys and to issue fresh certificates, it must be brought online. Ideally, these tasks ought to be carried out 2-4 times a year.
Use of PKI in Today’s Digital Age:
There are a huge variety of apps today that need authentication. Numerous locations require certifications. Without a public key infrastructure, this is impossible. Depending on the use case and requirements, PKI’s significance has changed over time. This is a clip from that track.
- For the very first time during the period of 1995 to 2002, the use of PKI was limited to the most important and high-value certificates. This included the certificates of eCommerce websites that enabled them to display the lock icon in the search bar. The goal was to make consumers confident about the security and authenticity of various websites.
- The second episode of PKI emerged around 2003 to 2010 when enterprises came into the picture. It was at this time that employees received laptops and the use of mobile phones was rising. Thus, employees needed access to the organization’s assets even outside the office. That is when the use of PKI looked like the best way for authentication.
- The third phase started in 2011 and is continuing to date. With the advent of new technologies like IoT(Internet of Things) and need the to scale PKI, the use, as well as the challenges in using PKI, have increased tremendously. Today, millions of certificates are issued to authenticate mobile workforces. However, managing this huge number of certificates is quite challenging.
- S/MIME, Document Signing, code or app signing also uses PKI.
Challenges that a PKI Solves:
PKI owes its popularity to the various problems its solves. Some use cases of PKI are:
- Securing web browsers and communicating networks by SSL/TLS certifications.
- Maintaining Access Rights over Intranets and VPNs.
- Data Encryption
- Digitally Signed Software
- Wi-fi Access Without Passwords
Other than these, one of the most important use cases of PKI is based around IoT(Internet of Things). Here are two industries that are using PKI for IoT devices:
- Auto Manufacturers: Cars these days have features like GPS, call for services, assistants, etc. These require communication paths where a lot of data is passed. Making these connections secure is very important to avoid malicious parties hacking into the cars. This is where PKI comes in.
- Medical device Manufacturers: Devices like surgical robots require high security. Also, FDA mandates that any next-generation medical device must be updatable so that bugs can be removed and security issues can be dealt with. PKI is used to issues certificates to such devices.
Disadvantages of PKI:
- Speed: Since PKI uses super complex algorithms to create a secure key pair. So it eventually slows down the process and data transfer.
- Private Key Compromise: Even though PKI can’t be hacked very easily but a private key can be hacked by a professional hacker, since PKI uses Public and Private key to encrypt and decrypt data so with user’s private key in hand and public key which is easily available the information can be decrypted easily.