Public Key Infrastructure (PKI)
What is a "Public Key Infrastructure (PKI)"?
A Public Key Infrastructure (PKI) is a combination of policies, procedures and technology needed to manage digital certificates in a public key cryptography scheme. A digital certificate is an electronic data structure that binds an entity, being an institution, a person, a computer program, a web address etc., to its public key. Digital certificates are used for secure communication, using public key cryptography, and digital signatures. The purpose of a PKI is to make sure that the certificate can be trusted.
Public key cryptography
Public key cryptography is an application of asymmetric cryptography. In asymmetric cryptography, two different but mathematically related keys are used to accomplish encryption and decryption of data. Data encrypted with one key can only be decrypted with the other key, and vice versa. Additionally, it is not possible to deduce one key knowing the other.
In public key cryptography, the "public key" is meant for public distribution while the "private key" is to be only accessible to the key pair owner. A public-private key pair has two very useful properties:
- the public key is used to encrypt data in a way that only the key pair owner can decrypt the data, using the private key. This is useful for secure communication.
- only the key pair owner can encrypt data with the private key, ensuring all recipients of the authenticity of the sender, for only the associated public key will decrypt the data. This is used as a digital form of signature.
Digital certificates
The objective of a public key cryptography scheme is trust. A digital certificate is an electronic signature from one or more trusted third parties that guarantees the validity and authenticity of a public key. This certificate is the digital identifying proof that confirms an entity is what it says it is, as passports are identity proofs for citizens. There are two trust models used in practice: "Web of Trust" and central "Certification Authority" based.
Web of Trust
The "Web of Trust" scheme is applicable in cases where certified entities are people. In this case people can sign certificates of other people they personally know or whose identity they have verified by official documents at a physical meeting. This creates a graph of trust relations and people can choose their personal trust thresholds based on that, eg. "I will trust any certificate that is trusted by at least two persons I trust". This scheme is most famously used by PGP encryption which is very popular for secure email. A strong side of Web of Trust is its theoretical simplicity and resistance to compromise by any one participant. However, its dependency on people following the right procedures and its lack of a dedicated central management makes cataloguing and especially the revocation of certificates complicated.
Certification Authority
A Certification Authority (CA) is a trusted third party specialized in issuing and managing digital certificates. A CA can issue a certificate to a client directly or, as it is often the case, authorise another entity to do so, thus creating a "certification chain". Using a central CA reduces the number of third parties necessary to verify a certificate and also ensures that proper professional procedures are followed. However, it also creates a single point of failure which can have catastrophic consequences when compromised, as demonstrated by the DigiNotar case.