Public Key Infrastructure
A Public Key Infrastructure (PKI) is a collection of software, standards, and policies combined to enable users
from the Internet or other unsecured public networks to securely exchange data. PKI uses a public and private
cryptographic key pair obtained and shared through a trusted authority. Services and components work together to
develop the PKI. Some of the key components of a PKI include the following:
• Certificates: A form of electronic credentials that validates users, computers, or devices on the
network. A certificate is a digitally signed statement that associates the credentials of a public key to the
identity of the person, device, or service that holds the corresponding private key.
• Certificate authorities (CAs): CAs issue and manage certificates. They validate the identity of
a network device or user requesting data. CAs can be either independent third parties, known as public CA, or they
can be organizations running their own certificate-issuing server software, known as private CAs.
• Certificate templates: Templates used to customize certificates issed by a Certificate Server.
This customization includes a set of rules and settings created on the CA and used for incoming certificate requests.
• Certificate Revocation List (CRL): A list of certificates that were revoked before they reached
the certificate expiration date. Certificates are often revoked due to security concerns such as a compromised certificate.
Public Keys and Private Keys
A cornerstone concept of the PKI infrastructure is public and private keys. The term key is used for good reason -
public and private keys are used to lock (encrypt) and unlock (decrypt) data. These keys are actually long numbers,
making it next ot impossible for someone to access a particular key.
When keys are used to secure data transmissions, the computer generates two different types of keys:
• Public key: A nonsecret key that forms half of a cryptographic key pair used with a public key
algorithm. The public key is freely given to all potential receivers.
• Private key: The secret half of a cryptographic key pair used with a public key algorithm. The
private part of the public key cryptography system is never transmitted over a network.
Keys can be used in two different ways to secure data communications:
• Public (asymmetric) key encryption uses both a private and public key to encrypt messages.
The public key is used to encrypt a message or verify a signature, and the private key is used to decrypt the
message or to sign a document.
• Private (symmetric) key encryption uses a single key for both encryption and decryption.
If a person possesses the key, he or she can both encrypt and decrypt messages. Unlike public keys, this single
secret key cannot be shared with anyone except people who should be permitted to decrypt as well as encrypt messages.
Where is PKI Used?
The following list discusses areas in which PKI is normally used. Knowing what PKI is used for gives you a
better idea of whether it is needed in a particular network.
• Web security: As you know, the Internet is an unsecured network. PKI increases web security by
offering server authentication, which enables client systems to validate that the server they communicate with
is indeed the intended server. Without this information, it is possible for people tp place themselves between
the client and server and intercept client data by pretending to be the server. PKI also offers client
authentication, which validates the client's identity.
• Confidentiality: PKI provides secure data transmission using encryption strategies between
the client and the server. In application, PKI works with Secure Socket Layer (SSL) protocol and the Transport
Layer Security (TLS) protocol to provide secure HTTP transfers, referred to a Hypertext Transport Protocol Secure
(HTTPS). To take advantage of the SSL, and TLS protocols, both the client system and the server require
certificates issued by a mutually trusted certificate authority (CA).
SSL was first created for use with the Netscape web browser and is used with a limited number of TCP/IP protocols
(such as HTTP and FTP). TLS is not only an enhancement to SSL, but also a replacement for it, working with almost
every TCP/IP protocol. Because of this TLS is popular with VPNs and VoIP applications. Just as Kleenex is often
used to represent any tissue whether it is made by Kimberly-Clark, SSl is often the term used to signify the
confidentiality function whether its actually SSl in use or TLS, the latest version of which is 1.2.