What is a public-key infrastructure (PKI)?

PKI is an acronym for public key infrastructure, which is the technology behind digital certificates. A digital certificate fulfils a similar purpose to a driver’s license or a passport – it is a piece of identification that proves your identity and provides certain allowances. A digital certificate allows its owner to encrypt, sign, and authenticate. Accordingly, PKI is the technology that allows you to encrypt data, digitally sign documents, and authenticate yourself using certificates.

As the word “infrastructure” in public key infrastructure implies, PKI is the underlying framework for the technology as a whole; it is not a single, physical entity. PKI encapsulates various “pieces” that make up the technology, including the hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates. An important piece of the PKI technology is the CA, which is the certification authority. The CA is the entity that issues digital certificates.

Entrust PKI Overview

Entrust’s industry-leading PKI solution is trusted to keep people, systems, and things securely connected. Available in on-premises, managed, and as-a-service deployment models to support many use cases.

What are the components that make up an effective public key infrastructure?

There are a number of requirements that businesses have with respect to implementing effective public key infrastructures. First and foremost, if users cannot take advantage of encryption and digital signatures in applications, a PKI is not valuable. Consequently, the most important constraint on a PKI is transparency. The term transparency means that users do not have to understand how the PKI manages keys and certificates to take advantage of encryption and digital signature services. An effective PKI is transparent. In addition to user transparency, a business must implement the following items in a PKI to provide the required key and certificate management services:

• Public key certificates
• A certificate repository
• Certificate revocation
• Key backup and recovery
• Support for non-repudiation of digital signatures
• Automatic update of key pairs and certificates
• Management of key histories
• Support for cross-certification
• Client-side software interacting with all of the above in a secure, consistent, and trustworthy manner

Note: The term “client-side” refers to application clients and application servers. PKI requirements are the same for both application clients and servers, and both are “clients” of the infrastructure services.

All of these requirements must also be met to have an automatic, transparent, usable PKI.

What are the roles of certificates and certification authorities?

For public key cryptography to be valuable, users must be assured that the other parties with whom they communicate are “safe” – that is, their identities and keys are valid and trustworthy. To provide this assurance, all users of a PKI must have a registered identity.

These identities are stored in a standard X.509 digital public key certificate format. Certification authorities (CAs) represent the people, processes, and tools to create digital certificates that securely bind the names of users to their public keys. In creating certificates, CAs act as agents of trust in a PKI. As long as users trust a CA and its business policies for issuing and managing certificates, they can trust certificates issued by the CA. This is known as third-party trust.

CAs create certificates for users by digitally signing a set of data that includes the following information (and additional items):

1. The user’s name in the format of a distinguished name (DN). The DN specifies the user’s name and any additional attributes required to uniquely identify the user (for example, the DN could contain the user’s employee number).
2. A public key of the user. The public key is required so that others can encrypt for the user or verify the user’s digital signature.
3. The validity period (or lifetime) of the certificate (a start date and an end date).
4. The specific operations for which the public key is to be used (whether for encrypting data, verifying digital signatures, or both).

The CA’s signature on a certificate means any tampering with the contents of the certificate will be easily detected. The CA’s signature on a certificate is like a tamper-detection seal on a bottle of pills – any tampering with the contents of a certificate is easily detected. As long as the CA’s signature on a certificate can be verified, the certificate has integrity. Since the integrity of a certificate can be determined by verifying the CA’s signature, certificates are inherently secure and can be distributed in a completely public manner (for example, through publicly accessible directory systems).

Users retrieving a public key from a certificate can be assured that the public key is valid. That is, users can trust that the certificate and its associated public key belong to the entity specified by the distinguished name. Users also trust that the public key is still within its defined validity period. In addition, users are assured that the public key may be used safely in the manner for which it was certified by the CA.

Why is PKI important?

PKI is a critical part of the IT strategic backbone. PKI is important because the certificate-based technology helps organizations establish a trusted signature, encryption, and identity between people, systems, and things.

With evolving business models becoming more dependent on electronic transactions and digital documents, and with more Internet-aware devices connected to corporate networks, the role of public key infrastructure is no longer limited to isolated systems such as secure email, smart cards for physical access or encrypted web traffic. PKIs today are expected to support larger numbers of applications, users and devices across complex ecosystems. And with stricter government and industry data security regulations, mainstream operating systems and business applications are becoming more reliant than ever on an organizational PKI to guarantee trust.

What is certification authority or root private key theft?

The theft of certification authority (CA) or root private keys enables an attacker to take over an organization’s public key infrastructure (PKI) and issue bogus certificates, as was done in the Stuxnet attack. Any such compromise may force revocation and re-issuance of some or all of the previously issued certificates. A root compromise, such as a stolen root private key, destroys the trust of your PKI and can easily drive you to reestablish a new root and subsidiary issuing CA infrastructure. This can be very expensive in addition to damaging an enterprise’s corporate identity.

The integrity of an organization’s private keys, throughout the infrastructure from root to issuing CAs, provides the core trust foundation of its PKI and, as such, must be safeguarded. The recognized best practice for securing these critical keys is to use a FIPS 140-2 Level 3 certified hardware security module (HSM), a tamper-resistant device that meets the highest security and assurance standards.

What’s the difference between PKI and SSL?

PKI and SSL, while different, are both certificate-based solutions that establish “trust” with certificates issued by a certificate authority (CA) – whether it’s public trust (SSL) or private trust (PKI).

PKI is an entire framework that consists of hardware, software, policies, and more. A PKI also includes a CA, which is what issues the digital certificates to establish trust. Typically that CA is governed internally according to policies and procedures that align with the security and assurance levels required of the organization.

SSL is one of the top use cases of PKI. It also involves a CA that issues certificates, but it must be recognized by browsers as a publicly trusted CA. And while there are many use cases for PKI, the purpose of SSL is to secure sensitive data transferred via online communications, like online banking or e-commerce transactions.

• More on PKI
• More on SSL

What are common use cases for PKI?

The primary use cases for PKI can be determined by looking at the applications that most commonly use digital certificates, such as:

Traditional use cases

These business-critical applications make it clear that PKI is a strategic part of the core IT backbone.

• SSL certificates for public-facing websites and services
• Private networks and virtual private networks (VPNs)
• Public cloud-based applications and services
• Private cloud-based applications
• Email security
• Enterprise user authentication
• Device authentication
• Private cloud-based authentication
• Document/message signing
• Code signing

PKI technology has a wide range of use cases and is implemented in various industries to provide secure communication, data encryption, and identity authentication. Let's explore some of the most common use cases and case studies:

1. Secure Email Communication: PKI is widely used in secure email communication to encrypt emails and authenticate the sender's identity. In this case, a digital certificate is used to sign and encrypt emails to ensure that only the intended recipient can read the message.
2. Online Transactions: PKI is commonly used in e-commerce transactions to provide a secure online payment system. Digital certificates are used to authenticate the website and ensure that the payment information is encrypted and secure.
3. Healthcare: PKI is implemented in the healthcare industry to secure patient data and ensure that only authorized healthcare providers have access to the patient's medical records. Digital certificates are used to authenticate the healthcare providers and encrypt patient data.
4. Government: PKI is widely used in government agencies to secure sensitive information and ensure the authenticity of government documents. Digital certificates are used to authenticate government officials and encrypt sensitive data.
5. Banking: PKI is implemented in the banking industry to provide a secure online banking system. Digital certificates are used to authenticate the bank and ensure that the customer's financial information is encrypted and secure.

Case studies:

1. US Department of Defense (DoD): The DoD implemented a PKI system to secure communication and ensure that only authorized personnel have access to sensitive information. The PKI system provides digital certificates to authenticate the identity of the user and encrypt sensitive data.
2. KSA Government: Estonia is one of the most advanced countries in terms of e-government services, and PKI is a key component of its e-government infrastructure. Digital certificates are used to authenticate citizens and ensure the authenticity of government documents and transactions.
3. German National Health Service: The German National Health Service implemented a PKI system to secure patient data and ensure that only authorized healthcare providers have access to the patient's medical records. Digital certificates are used to authenticate the healthcare providers and encrypt patient data.
4. Australian Taxation Office (ATO): The ATO implemented a PKI system to provide a secure online tax system. Digital certificates are used to authenticate the ATO and ensure that the customer's financial information is encrypted and secure.

In conclusion, PKI technology is a critical component of the IT strategic backbone and is implemented in various industries to provide secure communication, data encryption, and identity authentication. The use cases and case studies mentioned above illustrate how PKI technology is used to secure sensitive information and ensure the authenticity of transactions in various industries.