Introduction to PKI (Public Key Infrastructure)

Kenneth Choi
4 min readMay 14, 2018

--

Public Key Infrastructure, as the name suggests, is a framework rather than a single protocol: protocols such as TLS build on it, but PKI itself is the set of keys, certificates, authorities and rules that let those protocols decide whether a public key can be trusted.

A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption.

Before discussing PKI, let’s introduce several concepts first.

  • Asymmetric encryption
  • Hash function
  • Digital certificate
  • Digital signature

Asymmetric encryption

A pair of keys

In asymmetric encryption, there is a pair of keys for one identity.

  • Private key
  • Public key

The private key must never be shared with anyone, while the public key can be given to anyone. Everything done with the private key (decrypting, signing) is attributed to its owner, so a leaked private key means the identity is lost.

Keys in *nix systems

If you have ever generated an SSH key pair with ssh-keygen, you will find the files in the following locations.

ssh-keygen is a tool for creating new authentication key pairs for SSH (www.ssh.com)

~/.ssh/id_rsa // private key

~/.ssh/id_rsa.pub // public key

The file name depends on the key algorithm you chose: id_rsa for RSA, id_dsa for DSA, id_ed25519 for Ed25519. DSA keys are disabled by default in current OpenSSH releases, so new keys should be RSA or Ed25519. OpenSSH also refuses to use a private key file that other users can read, which enforces the "never share" rule at the file-system level.

Encryption and decryption

The two keys undo each other: whatever one key does, only its partner can reverse.

A message encrypted with the public key can be decrypted only with the paired private key. This is the direction used for confidentiality: anyone can encrypt to Alice, and only Alice can read the result.

The reverse direction, applying the private key to data so that anyone holding the public key can check it, is what a digital signature does. Describing this as "encrypting with the private key" fits textbook RSA, where the two operations really are the same arithmetic; treat it as a mental model only, since real signature schemes (RSA-PSS, ECDSA, Ed25519) are separate operations with their own padding and are not encryption.

Hash function

A hash function is a one-way function: its output is a short, fixed-size fingerprint of an arbitrarily long message, called the digest. It is fast to compute, but there is no practical way to recover the message from the digest, hence "one-way".

Digests of different messages look unrelated, even when the messages differ by a single bit. Collisions (two messages with the same digest) must exist, since there are more possible messages than digests, but for a modern hash function such as SHA-256 nobody can find one. We can therefore treat the digest as unique to its message. This assumption fails for broken functions: practical collisions are known for MD5 and SHA-1, so neither must be used for signatures or certificates.

Digital signature

A digital signature plays the role of a handwritten signature: it shows that the signer approved the message and that nobody has changed it since. Unlike a handwritten signature it is bound to the content, so the same signer produces a different signature for every message, and one signature cannot be moved to another document. Note that the signature only proves "signed with the private key that matches this public key"; whether that public key really belongs to the person we think it does is a separate question, which the digital certificate answers.

The signature is generated in two steps.

  1. Compute the digest of the message
  2. Apply the sender's private key to the digest (in the textbook-RSA picture, "encrypt the digest with the private key")

The result is the sender's digital signature; it travels alongside the message. Signing the digest rather than the whole message keeps the signature small and of fixed size no matter how long the message is.

Verification is the mirror image: the receiver recomputes the digest of the message he received, applies the sender's public key to the signature to recover the digest the sender signed, and compares the two. If they match, the message is intact and was signed by the holder of the private key; if a single bit of the message was changed, the recomputed digest differs and the check fails.

Digital certificate

A digital certificate is used to verify the identity of a sender, i.e. the authenticity of the sender's public key. A certificate contains these main components.

  • Subject (the owner's name)
  • Subject's public key
  • Issuer's name and the issuer's digital signature over the subject and the public key; this signature vouches that the key belongs to the subject. The issuer is called a Certificate Authority (CA).

Real X.509 certificates also carry a validity period, a serial number and usage constraints, and a verifier must check these too: an expired certificate, or one issued for a different name or purpose, should be rejected even though its signature is valid.

Now, the story starts…

Problem in asymmetric encryption

  • Bob wants to send an encrypted message to Alice using her public key.

Can he be sure that the public key he received really belongs to Alice? If an attacker can substitute his own public key for Alice's, Bob will happily encrypt to the attacker, who can read the message and re-encrypt it to Alice so that neither party notices.

Real-life solution

  • Alice goes to the government authority, shows her ID card and tells the authority her public key.
  • The government then issues a certificate carrying the government's signature, stating that this submitted public key truly belongs to Alice.
  • Bob must trust the government in order to trust the certificate it issued for Alice's public key. Otherwise the certificate proves nothing, and the public key is not trustworthy.

Back to the problem

Remember that to verify a signature we need the signer's public key, so to verify the authority's signature on Alice's certificate, Bob needs the authority's public key.

How can Bob be sure that this public key really belongs to a trustworthy authority? Having it certified by yet another authority only moves the question one level up; at some point the chain has to end in a key that Bob trusts directly.

Simple solution

A small set of certificate authorities is pre-configured in users' operating systems and browsers. When the software is installed, it already ships with a list of CA certificates (the trust store) that are trusted by default.

You trust these root CAs directly, and through the certificates they issue, the CAs vouch for everyone else. The flip side is that every CA in the store can issue a certificate for any name, so a compromised or careless CA undermines everyone; this is why PKI also includes policies for how CAs operate and a way to revoke certificates (the "policies" and "revoke" in the definition at the top).

The PKI

We have now covered the primary components and procedures of a PKI.

  • Asymmetric encryption
  • One-way function
  • Digital signature
  • Digital certificate
  • Certificate Authority

We now know what each component is for, what problem it solves, and how the components depend on each other to form the PKI framework.

Under the PKI framework, Bob can verify Alice's certificate, trust the public key inside it, and send her an encrypted message that only she can read. We finally reach confidentiality. In practice the public key is not used to encrypt the message itself, which is slow and limited in size; it protects a random symmetric key, which then encrypts the message. The trust argument is the same.
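To tie the pieces together, here is an added example (my own illustration, not code from the article) that models the sections above in Python: key pairs with the private/public operations from "Encryption and decryption", the hash-then-sign procedure from "Digital signature", certificates signed by a CA from "Digital certificate", the pre-configured trust store from "Simple solution", and finally Bob encrypting to the key that Alice's certificate vouches for. It uses textbook RSA with no padding and toy 256-bit primes so the arithmetic stays visible, which is fine for a model and unusable as real cryptography; the names (Example CA, Rogue CA, Alice), the JSON certificate layout and the helper functions are assumptions of the example, not a real format.

```python
import hashlib
import json
import secrets

# Added example: textbook RSA (no padding) with toy 256-bit primes, to show how
# the PKI pieces fit together. Not usable as real cryptography.
E = 65537  # conventional public exponent

def is_probable_prime(n, rounds=20):
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if is_probable_prime(candidate):
            return candidate

def make_keypair(bits=256):
    """Return (public_key, private_key) for one identity."""
    while True:
        p, q = random_prime(bits), random_prime(bits)
        try:
            d = pow(E, -1, (p - 1) * (q - 1))
        except ValueError:  # E shares a factor with phi(n); pick new primes
            continue
        return {"n": p * q, "e": E}, {"n": p * q, "d": d}

def public_op(pub, m):
    return pow(m, pub["e"], pub["n"])  # undoes private_op, and vice versa

def private_op(priv, m):
    return pow(m, priv["d"], priv["n"])

def digest(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")  # always < n here

def sign(priv, message):
    # Step 1: hash the message. Step 2: apply the signer's private key to the digest.
    return private_op(priv, digest(message))

def verify(pub, message, signature):
    # Apply the public key to the signature and compare with a freshly computed digest.
    return public_op(pub, signature) == digest(message)

def canonical(obj):
    return json.dumps(obj, sort_keys=True).encode()  # stable bytes to sign

def issue_certificate(issuer, issuer_priv, subject, subject_pub):
    """The CA binds a subject name to a public key by signing both (toy layout)."""
    tbs = {"subject": subject, "public_key": subject_pub, "issuer": issuer}
    return {"tbs": tbs, "signature": sign(issuer_priv, canonical(tbs))}

def verify_certificate(cert, trust_store):
    """Accept only if the issuer is pre-trusted and its signature covers the content."""
    issuer_pub = trust_store.get(cert["tbs"]["issuer"])
    if issuer_pub is None:
        return False  # unknown issuer: a valid-looking signature proves nothing
    return verify(issuer_pub, canonical(cert["tbs"]), cert["signature"])

def demo():
    ca_pub, ca_priv = make_keypair()
    alice_pub, alice_priv = make_keypair()
    rogue_pub, rogue_priv = make_keypair()
    trust_store = {"Example CA": ca_pub}  # what an OS or browser ships by default

    cert = issue_certificate("Example CA", ca_priv, "Alice", alice_pub)
    # A CA outside the trust store also claims to certify "Alice" (constructed attack).
    rogue_cert = issue_certificate("Rogue CA", rogue_priv, "Alice", rogue_pub)
    # An attacker swaps the key inside the genuine certificate but cannot re-sign it.
    tampered = {"tbs": dict(cert["tbs"], public_key=rogue_pub),
                "signature": cert["signature"]}

    # Bob verifies the certificate, then encrypts to the key it vouches for.
    plaintext = b"hi Alice"  # constructed sample; as an integer it must be below n
    ciphertext = public_op(cert["tbs"]["public_key"], int.from_bytes(plaintext, "big"))
    recovered = private_op(alice_priv, ciphertext).to_bytes(len(plaintext), "big")

    return {
        "cert_ok": verify_certificate(cert, trust_store),         # True
        "rogue_ok": verify_certificate(rogue_cert, trust_store),  # False
        "tampered_ok": verify_certificate(tampered, trust_store), # False
        "decrypted": recovered,                                   # b"hi Alice"
    }
```

Running demo() shows the three outcomes a verifier cares about: a certificate from a trusted CA verifies, a well-formed certificate signed by a CA outside the trust store is rejected, and a genuine certificate whose public key was swapped fails because the CA's signature no longer matches the content. Real implementations use X.509, padded signature schemes and hybrid encryption, and additionally check validity dates and revocation.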

Elements of security

In this article, I have covered three elements of security.

  • Authenticity — The message truly comes from the party we expect (the certificate binds a public key to an identity).
  • Integrity — The message has not been altered by unauthorized people (the signature over the digest detects any change).
  • Confidentiality — The message is encrypted and can only be decrypted by the authorized recipient (encryption to the recipient's public key).
