Public Key Infrastructure (PKI) is a set of technologies and standards that use public key cryptography to issue and revoke digital certificates. A PKI consists of servers called Certification Authorities (CAs), digital certificates, policies and procedures. At its core, a PKI provides three main services: authentication, integrity and confidentiality. Having a PKI environment enables you to use these services in a range of different applications to provide security and simplified logins.
Authentication is used to verify someone or something’s identity. In terms of computer security this is generally something you know (password), something you have (physical token) or something you are (biometric).
Let’s say I want to log in to my server and send it my username “patricko” and password “LetMeIn!”. The server would then compare my credentials to the information stored in its database, verifying that I can authenticate my identity (patricko).
This login procedure with username and password is called private key encryption, as opposed to public key encryption. Instead of public key and private key encryption you will also come across the terms asymmetric and symmetric encryption, respectively.
Using something I have, a smart card, I could log in without having to know any password. The smart card in turn would have my digital certificate stored in its chip. Since my server trusts the certification authority which issued my digital certificate, the server can verify my identity (patricko). In this example I would have leveraged PKI to authenticate my own user. PKI can also be used to authenticate a VPN tunnel between two routers or to allow a laptop to log in to a wireless network.
Providing integrity allows us to trust our data. In order to trust data we want to be sure that it hasn’t been altered, whether intentionally or unintentionally. We want to be able to verify the integrity of the data after it has been in transit, meaning that if we send the data across a network from A to B we want the data to be identical in both locations. We could also be interested in verifying the integrity between “then” and “now”, i.e. has the data been modified in any way during the last six months?
An example could be a contract where we want to make sure that the contract we signed hasn’t been changed since we signed it. Looking at a network session, we want to be sure that the bits haven’t been modified, e.g. by a man-in-the-middle attack.
With a certificate we can digitally sign data before we send it across a network. Using the digital certificate, the receiver can verify the digital signature and have confidence in the integrity of the data.
Confidentiality ensures that information, in transit or at rest, is only accessible to those who are authorized to see the information.
When you are using your credit card online you want to make sure that no one but yourself and the merchant can see your credit card number. Encrypting the data between your computer and the server you are connected to provides confidentiality.
Likewise when you connect to your company through a VPN you want all the traffic to be encrypted and thus provide confidentiality. Another example is if you have a laptop and want to encrypt your hard disk.
Every PKI hierarchy starts with a Root Certification Authority which everyone trusts. This CA can issue certificates either directly to end users and devices or to a subordinate CA, which in turn issues its own certificates.
The information within the digital certificate describes what kind of certificate has been issued, how long it is valid and what it can be used for.
If the certificate is lost, the CA administrator can revoke the certificate in order to make sure that it can no longer be used.
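The hierarchy described above (root CA, subordinate CA, end-user certificate) and the sign-then-verify check from the integrity discussion, as an added example that is not part of the original post. It assumes the OpenSSL command-line tool (1.1.1 or later) is installed; all subject names and file names are constructed.

```shell
# Added example; every name (Example Root CA, patricko, file names) is constructed.
set -e
PKI_DIR=$(mktemp -d)
# Two extension profiles: one for CAs, one for end users.
cat > "$PKI_DIR/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_user]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF

# issue NAME CN PROFILE DAYS ISSUER: new key and CSR for NAME, signed by ISSUER.
issue() {
  openssl req -new -config "$PKI_DIR/pki.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$PKI_DIR/$1.key" -out "$PKI_DIR/$1.csr" 2>/dev/null
  openssl x509 -req -in "$PKI_DIR/$1.csr" -CA "$PKI_DIR/$5.crt" -CAkey "$PKI_DIR/$5.key" \
    -CAcreateserial -extfile "$PKI_DIR/pki.cnf" -extensions "$3" -days "$4" \
    -out "$PKI_DIR/$1.crt" 2>/dev/null
}
build_pki() {  # root (self-signed) -> subordinate CA -> end-user certificate
  openssl req -x509 -config "$PKI_DIR/pki.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -subj "/CN=Example Root CA" -days 3650 \
    -keyout "$PKI_DIR/root.key" -out "$PKI_DIR/root.crt" 2>/dev/null
  issue sub "Example Subordinate CA" v3_ca 1825 root
  issue patricko "patricko" v3_user 365 sub
}
# Trust only the root; extra arguments (e.g. -untrusted sub.crt) supply intermediates.
verify_chain() { openssl verify -CAfile "$PKI_DIR/root.crt" "$@" "$PKI_DIR/patricko.crt" >/dev/null 2>&1; }
sign_file() { openssl dgst -sha256 -sign "$PKI_DIR/patricko.key" -out "$1.sig" "$1"; }
verify_file() {  # the receiver needs only the certificate, never the private key
  openssl x509 -in "$PKI_DIR/patricko.crt" -pubkey -noout > "$PKI_DIR/patricko.pub"
  openssl dgst -sha256 -verify "$PKI_DIR/patricko.pub" -signature "$1.sig" "$1" >/dev/null 2>&1
}

build_pki
openssl x509 -in "$PKI_DIR/patricko.crt" -noout -subject -issuer -dates
verify_chain -untrusted "$PKI_DIR/sub.crt" && echo "chain via subordinate CA: OK"
verify_chain || echo "chain without subordinate CA: rejected"
printf 'contract v1\n' > "$PKI_DIR/contract.txt"; sign_file "$PKI_DIR/contract.txt"
verify_file "$PKI_DIR/contract.txt" && echo "signature: OK"
printf 'contract v2\n' > "$PKI_DIR/contract.txt"
verify_file "$PKI_DIR/contract.txt" || echo "modified contract: signature rejected"
```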
The components of a PKI are one or more servers which have the CA services installed, a certification practice statement which describes how the CA issues certificates, administrators responsible for the certificate life cycle, digital certificates, servers hosting the certificate revocation lists and nodes using the certificates.
This post is part of the Getting Started with Public Key Infrastructure series.