What is Public Key Infrastructure?

Published by Amy Nihad on

KT Secure - penetration testing, software code signing, hsm management

Public Key Infrastructure (PKI) is an infrastructure designed to provide integrity, authentication and confidentiality of electronic information.  The infrastructure and associated processes provide the capabilities to manage secure cryptographic credentials and distribute them to individuals and devices to enable secure transactions to occur.

Public Key Infrastructure (PKI) is a general term to describe everything used to establish and manage public key encryption, one of the most common forms of internet encryption.  Every web browser in use today uses it to secure traffic across the public internet, however, it can also be deployed internally within organisations to secure internal communications and devices.

How Does Public Key Infrastructure (PKI) Work?

Public Key Infrastructure requires a number of different infrastructure components to operate effectively.  A Certificate Authority (CA) and Registration Authority (RA) are required to authenticate digital certificates and to manage the lifecycle of certificates, along with providing new digital certificates and revoking expired or invalidated certificates.

By including all these elements and operating them under a secure framework a PKI solution can protect identities and information where security is necessary such as SSL transactions, document encryption and single sign-on.

At the heart of Public Key Infrastructure are the public cryptographic keys that are used during the encryption process and to prove the identity of the parties or devices involved in the communication.

Public Key Infrastructure utilises both symmetric and asymmetric encryption to leverage the inherent strengths of each approach to create the most powerful, efficient and scalable solution.  Initial communication between the parties in a transaction is established using asymmetric encryption, once establish the private (secret) key is exchanged to enable symmetric encryption, all other communication then continues to utilise asymmetric encryption.

The asymmetric element of PKI is achieved through the use of digital certificates.  A digital certificate is a method of identification for websites, organisations and applications.  The use of these digital certificates allows the identities of the two parties to be verified and is the basis for secure communication.  With asymmetric encryption a public and a private key are used.  The private key should only be known and accessed by the owner of a digital certificate with the public key being distributed as the name implies publicly as needed.  The certificate is a method of distributing this public key,  The public and private keys work in tandem with data that is encrypted with a private key only being able to be decrypted by the corresponding public key and vice-versa.  The fact that the use of matching keys is required to successfully decrypt data that has been encrypted with a specific private key ensures that the intended receiver and sender are participating in the transaction.

The integrity of a PKI system is founded on the digital certificates that are used.  This being the case digital certificates contain a large amount of information and this information is checked thoroughly before being issued.  There are a number of processes and mechanisms employed to maintain the integrity of the identity and the data associated with a certificate.  These processes/mechanisms include validation, time-stamping, expiration, revocation mechanisms and more.

Even with all the process and security mechanisms that are in-place with digital certificates and PKI, it still has weaknesses as with any system.  The whole integrity of the system relies on the operation of the Certification and Registration authorities and the robust operation of the security checks involved in issuing certifications.  If these authorities cannot be trusted the integrity of the whole system is compromised.

As noted the key pair used in a PKI system are of vital importance and it is essential that these keys are managed and stored effectively and securely.  It is common for Hardware Security Modules to be used to ensure the secure storage of the keys used by the CA and RA.

Uses For Public Key Infrastructure (PKI)

Public Key Infrastructure has many use-cases.  Outlined below are some of the scenarios where PKI can be used.

Securing web communications

SSL is almost certainly the most widely used and well known PKI system, securing transactions that utilise SSL/TLS in web browsers, APIs and applications globally.

Secure email

A great deal of sensitive information is transmitted via Email on a daily basis.  With a vanilla email system this data is transmitted unencrypted and the identity of the sender is not verified.  Secure email is a PKI solution that encrypts the contents of email and provides verification of the identity of the sender.  S/MIME is one of the oldest PKI solutions for securing email and is available in many email clients, with the growing prevalence of web based email a number of these services are also now supporting S/MIME.

Digitally signing software

Secure Code Signing utilises PKI to enable the software end users or the systems on which the software is installed to verify that software images and updates are from a legitimate source. The solution is intended for companies looking to distribute digitally signed software updates to remote devices or systems, such as TV box sets and IoT devices.

Digitally Signing Documents

Similar to software code signing document signing uses PKI to electronically sign documents.  The signature is essentially an electronic fingerprint that securely associates the signer to the document in a secure recorded transaction.  This signatures are standardised and adhere to regulations published in different jurisdictions, details of which may be found here.

Securing Local Area Networks

PKI Solutions can provide identity verification of users and devices before admitting them to access LAN resources.  These capabilities are integrated into directory services such as Microsoft Active Directory and can be implemented in Network Admission Control solutions such as Cisco ISE.

Public Key Infrastructure (PKI) and Hardware Security Modules

In a PKI environment a Hardware Security Module is commonly used to create, store and managed the Asymmetric Key pairs that are used by the Certification and Registration authorities.

Need help with your HSM?

KT Secure have extensive experience using and managing Hardware Security Modules.  Whether you are looking for advice on how to use a HSM in your PKI infrastructure, offload your cryptographic operations to a HSM or looking for someone to deploy and manage your HSMs we can help.  Look here for more information about our HSM service offerings.

Although it may seem counter intuitive as to why an organisation may want to outsource the management of its HSMs to a third party – there are numerous business benefits:

  • Staff costs saved on both initial training and on-going certifications
  • Allows key Staff to focus on less admin related tasks and focus on higher end business processes
  • Utilising external supplier may provide more rapid deployment and business agility than internal resources
  • Ability to leverage external experience in best practices, process definitions and documentation support
  • Reduces vendor or solution tie in by utilising external expertise