Topics
Public Key Infrastructure

Public Key Infrastructure

A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures to facilitate the secure electronic transfer of information over a network, including the Internet, for a range of online activities such as e-commerce, internet banking and confidential email. It is required for activities where simple passwords are not sufficient as an authentication method and more rigorous proof is required to confirm the identity of the parties involved in the communication and to validate the information being transferred.

In cryptography, a PKI is an arrangement that binds private and public keys with the identities of entities (like people and organizations). The binding is established through a process of registration and issuance of digital certificates at and by a certificate authority (CA). Depending on the assurance level of the binding, this may be carried out by an automated process or under human supervision.

In addition to data confidentiality and data integrity, it is also important that the receiver be able to verify that the data was sent by the sender as expected. Even if data was not tampered with or nobody was able to read the data in transit, the sender itself was fraudulent and masquerading as someone else, or they could do a lot of damage. Asymmetric-key encryption provides a mechanism to allow the receiver to verify the identity of the sender using something known as digital signatures.

Digital signatures help achieve the following two key objectives:

  • Authentication:

A hacker could pretend to be someone by copying many publicly known features of the original sender, such as their email id, and website, and send data pretending to be the sender. The process of ensuring that the sender is the one the recipient is expecting to be is referred to as authentication. With a digital signature attached to the data being transmitted, the receiver can be assured that the sender has been surely authenticated.

  • Non-Repudiation:

While we have considered entities with malicious intent trying to disrupt a transaction between a legitimate sender and recipient, there could be a situation where the legitimate sender itself could go rogue and claim some data was never sent by them. For example, a business may place a large order online but later change its mind and attempt to claim the order was placed fraudulently. Non-repudiation is a mechanism where it can be proven undoubtedly, that the transaction was initiated by the actual sender which can be proven by the attached digital signature.

A digital signature is essentially a private-public key pair issued to an entity by a trusted authority. There are globally and publicly trusted authorities known as Certification Authorities who issue digital signatures to an entity after verifying its identity. In a closed group, the digital signature may be issued locally by any entity the group trusts, but these signatures may not be trusted outside the group.

Since the digital signature is issued by a trusted authority to an entity and the private key is kept securely with the entity it is issued to, any data or transaction signed by the private key could have been sent by that entity only. It can be proven without a doubt, and the entity cannot claim that they haven't sent it.

The PKI is widely used for critical transactions over the Internet using a combination of Digital Certificates and Digital Signatures issued by trusted organizations across the world.

The core Internet application protocols, email, file transfer protocol, and telnet are by default insecure protocols, which means data transmitted using these protocols can be intercepted and read or tampered with. PKI solutions help secure these applications protocols as well.