What is PKI? And how it secures just about everything online

Public key infrastructure helps you authenticate the people you talk to and keep what you talk about secret

keep out sign do not tresspass privacy authentication access barbed wire by tim husser getty
Tim Husser / Getty Images

PKI definition

Public key infrastructure (PKI) is a catch-all term for everything used to establish and manage public key encryption, one of the most common forms of internet encryption. It is baked into every web browser in use today to secure traffic across the public internet, but organizations can also deploy it to secure their internal communications and access to connected devices.

The most crucial concept involved in PKI is, as its name implies, the public cryptographic keys that are at its core. These keys not only are part of the encryption process, but they help authenticate the identity of the communicating parties or devices. 

with a cryptographic key of 3, that would mean that every letter in your message is replaced by one three letters later in the alphabet — A becomes D, B becomes E, and so forth. To decode its message, your recipient would need know not only that you were using the Caesar cipher but that your key was 3.

Obviously the mathematics behind modern encryption is much more complicated than this. One of the ways it's different gets around a somewhat obvious problem with the Caesar cipher: you have to somehow let your recipient know the key used to encode the encrypted message. PKI gets its name because each participant in a secured communications channel has two keys. There's a public key, which you can tell to anyone who asks and is used to encode a message sent to you, and a private key, which you keep secret and use to decrypt the message when you receive it. The two keys are related by a complex mathematical formula that would be difficult to derive from brute force. If you want to get into the weeds on this form of encryption, known as asymmetrical cryptography, .

So that covers how data is encrypted within a public key infrastructure. But remember, PKI is widely used because, in addition to encrypting messages, it also lets you know that the person with whom you're exchanging encrypted messages is who they say they are. That's where certificates come in.

What are PKI certificates?

PKI certificates are documents that act as digital passports, assigned to any entity that wants to participate in a PKI-secured conversation. They can include quite a bit of data. One of the most important pieces of information a certificate includes is the entity's public key: the certificate is the mechanism by which that key is shared. But there's also the authentication piece. A certificate includes an attestation from a trusted source that the entity is who they claim to be. That trusted source is generally known as a certificate authority (CA).

With these concepts under our belt, these are the elements that go into PKI.

  • A certificate authority, which issues digital certificates, signs them with its own public key, and stores them for reference.
  • A registration authoritywhich verifies the identities of those requesting digital certificates. A CA can act as its own registration authority or can use a third party to do so.
  • A certificate database that stores both the certificates and metadata about them—most importantly, the period of time for which the certificate is valid.
  • A certificate policy outlining the PKI's procedures, which allows outsiders to judge how trustworthy the PKI is.

How to get a PKI certificate

From the description of those components, you can see that trust is at the center of any PKI infrastructure. One of the things I'm doing when I send you my digital certificate is trying to get you to trust that I am who I say I am—and the certificate helps by having a trusted third party vouch for me.

To understand how that works in practice, let's consider for a moment the most widespread public key infrastructure system out there: the in which users' certificates are signed by other users. A web of trust system is better suited to self-contained networks or organizations, or small communities of users.

What is PKI used for?

SSL may be the most widespread implementation of PKI, but it certainly isn't the only one. has a great list of real-world PKI applications, including:

  • Providing a recovery key for an encrypted hard drive
  • Securing internal communications with database servers
  • Signing documents
  • Securing local networks — PKI capacities are , for instance, and can work with physical keycards that store digital certificates to ensure that users are who they say they are.
  • Secure messaging — The , for instance
  • Email encryption
  • Securing access to internet of things (IoT) devices

Why do we need PKI for secure email?

PKI is great for securing email for the same reason that it's great for securing web traffic: because data flowing over the open internet can be easily intercepted and read if it isn't encrypted, and because it can be difficult to trust that a sender is who they claim to be if there isn't some way to authenticate their identity. As we've seen, establishing near-universal PKI for web traffic has been relatively easy because most of the necessary infrastructure is built into web browsers and servers. Email is accessed through more heterogenous clients, which makes things a bit trickier.

One of the oldest and best-established PKI systems for securing email is S/MIME; there's also PGP (Pretty Good Privacy), which uses the web of trust model we discussed above. Support for these kinds of email protections are built into clients like . The rise of web-based email in recent years has seen a step backwards in this regard. Gmail, for instance, only , not free accounts.

What are the risks of poor PKI execution?

Having PKI in place does not guarantee security. Companies sometimes fail to deploy or manage it properly. A by the Ponemon Institute surveyed nearly 17,000 IT and security practitioners about their key and certificate management practices. The report identified the most significant risks associated with securing digital identities using PKI:

Downtime and outages due to mismanaged digital certificates is rising, with 73% of respondents reporting certificate-related incidents. Fifty-five percent said their organizations had experience four or more incidents in the past two years.

Unsecured digital identities undermine trust. Organizations use an average of 88,750 keys and certificates, but only 74% of respondents said they knew the exact number or when they all expire and 76% said that failure to secure keys and certificates would undermine the trust their organizations need to operate. Fifty-nine percent of respondents say cybercriminals misusing keys and certificates increases the need to secure them.

Failed audits and CA compromise are the biggest threats. Attackers can use compromised or rogue CAs " that can take you much, much more in depth. Among other things, SmallStep takes you through the process of actually issuing certificates, so you can see what they contain.

If you're looking for a way to set up a public key infrastructure and play with it to understand some of the basic concepts, this explains how to do it on Linux.  If you want to see how you'd build a certificate authority for an in-house PKI, HashiCorp has a tutorial on how to do that , which should demonstrate the concepts.

购彩信誉平台 © 彩票信誉平台 IDG Communications, Inc.

The 10 most powerful cybersecurity companies