Public Key Infrastructure (PKI) — What it is and How It Works
A public key network is a collection of policies, roles, equipment, applications, and procedures needed to create, maintain, transmit, use, store, revoke digital certificates, and handle public-key encryption.
PKI also requires pair of a key — a public key and a private key — in an intuitively recognized process called public-key encryption.
Public Key and Private Key
The public key, as the name implies, is available publicly. The private key, on the other hand, is kept private.
One key is used to encrypt the message, and another is used to decrypt it. Both keys are distinct, but they are connected to each other mathematically.
It means that information that is encrypted with a single key can only be decrypted using the associated key.
Areas in which Public Key Infrastructure is applicable:
Website Security (SSL/HTTPS)
PKI’s most popular use is to deliver secure, encrypted communication between Web browsers and Web servers.
This is achieved by the HTTPS protocol, enforced by installing an SSL certificate on the web server.
SSL are protocols designed to provide communications security over a computer network. Websites can use TLS to secure all communications between their servers and web browsers. If you buy an SSL certificate, you will get both the public and private keys. The private key is secretly stored on the web server and is used by the website to show its validity.
An SSL certificate by its use of PKI:
- Protects message integrity,
- Protects from man-in-the-middle attacks, and
- authenticates both the interacting parties (browser and server).
Such a three-pronged protection approach is crucial when transmitting critical information such as passwords, credit card details, private messages, etc.
How PKI Works in SSL/TLS
(1) On request by the user, when the client (browser) visits the web server, the client sends its supported cipher suites and compatible SSL/TLS versions to the server to commence the connection. This is considered as a “client hello” message.
(2) The web server checks the cipher suites in return along with the SSL/TLS version, and sends its public certificate to the client along with the message “server hello.”
(3) When the certificate file is received it is authenticated by the client (browser). If the certificate is found to be legitimate the browser begins the private key verification process by encrypting the “pre-master secret/key” with the SSL/TLS certificate’s public key.
(4) In return, the Web server with its private key decrypts the pre-master code.
(5) Now, both the client and the server generate client random session keys, the server random, and the pre-master code. The session key that both generate must be the same.
(6) The client sends the message “finished”, encoded with the session key.
(7) The server sends the message “finished”, encoded with the session key.
Once all the above steps are completed and the SSL/TLS handshake process is complete, a secure client-browser connection is established.
Secure Shell Protocol (SSH)
Secure Shell (SSH) is a cryptographic network protocol that delivers secure network services over an unsecured network between host and user. It’s used to make safe remote access from one device to another.
Email Security
Like the SSL/TLS protocol, here too, a certificate is used to enforce PKI — but the way they do that varies. This end to end encryption encrypts the message itself instead of encrypting the secure communication channel.
Secure Messaging
we all use communications services or apps, whether it’s WhatsApp, Facebook Messenger, or other such messaging services. Many of these services are encrypted using PKI, so they defend against attempts to decrypt and manipulate data.
Code/App Signing
A code signing certificate authenticates the developer or publisher identity as well as the file’s integrity. This allows browsers to verify that using public-key encryption, the software itself hasn’t been altered in any way.
Advantages and Disadvantages of Public Key Infrastructure
Advantages
Privacy: PKI keeps the original data secure by encrypting the data between the sender and the recipient, so that only the intended recipient can see the data in its original format.
Authentication: Using the private and public key, PKI facilitates authentication in a smooth and unprecedented way.
Data Integrity: When sending sensitive information online, it is imperative that both parties have the receiver receiving the data in the unchanged form. Using a “hashing” method, PKI helps the receiver to test whether the message/document/data has remained in the same form.
Disadvantages
Private Key Compromise: PKI security depends on the reliability of the private key, as the data protected by the public key can be decrypted. If the private key is stolen, the super complex mathematical equations need not to crack by a cybercriminal. With the private key, they can decrypt the data. This could lead to compromised organizational passwords, financial information, etc.
Speed: PKI is an extremely secure process providing what it is supposed to deliver. Much of the credit goes to key pairs and to super-complex math algorithms. This complexity, though, brings computational overhead when it comes to encrypting large volumes of data. As a result, the data transfer process is slowed to a minor degree, 5 milliseconds (ms).