The role of PKI is evolving as more internet-aware endpoints get connected to enterprise networks, and emerging business models that are more dependent on digital documents surge. PKI is no longer restricted to isolated systems such as secure email, encrypted web traffic, or smart cards for physical access.
PKI is increasingly being used to support many users, applications, and endpoints across complex IT environments. And with stricter regulation standards, mainstream operating systems (OSs) and business applications are becoming more reliant than ever on PKI to provide trust.
In this post, learn the basics about what PKI is, how it works, and why it is important.
What Is Public Key Infrastructure?
PKI is a system that governs the issuance of digital certificates that protect sensitive data and secure end-to-end communications. Digital certificates also provide unique digital identities to users, applications, and devices in an online world.
The basic idea behind PKI is to have one or more trusted parties electronically sign a document proving that a particular cryptographic key belongs to a specific user or endpoint. The system then uses the key as an identity for the user or endpoint in enterprise networks.
A typical PKI has the following components:
Public-Key Cryptography (asymmetric cryptography)
This is a cryptographic system that uses two types of keys: private and public. A private key is secret (only known by the entity) and is used to sign the message. In contrast, the public key — which is mathematically derived from the private key — is made available to anyone on the internet and used to verify signatures. When the system encrypts messages via the public key, such a message can only be decrypted by the corresponding private key. This helps to establish the private and public key ownership, ensuring that only the intended parties read the message.
Certificate Authority (CA)
This trusted third-party organization issues digital certificates, proving that the public key indicated on the certificate indeed belongs to the named subject. CA allows other parties to rely upon signatures about the private key corresponding to the certified public key.
A certificate is a digital document certified by the CA, confirming that the public key indicated on the certificate belongs to the entity. The certificate has many attributes, including the subject name, public key, client authentication, and server authentication. Most digital certificates are based on the X.509 standard.
Registration Authority (RA)
This entity receives certificate signing requests and provides the certificates to entities on a case-by-case basis. The PKI system stores all the requested, received, and revoked certificates in an encrypted certificate database.
How Does Public Key Infrastructure Work?
When securing communications, PKI serves two primary roles: encryption, which ensures that other participants don’t read your messages, and authentication, which certifies that the other party is a legitimate entity.
As mentioned earlier, PKI uses asymmetric and mathematically related keys to encrypt and decrypt messages. In the PKI context, the encryption system is a two-step process:
- The client uses the recipient’s public key to encrypt the message.
- When the recipient receives the encrypted data, it decrypts it by using its private key.
You can also use digital certificates to authenticate yourself, the server, or the client via public-key cryptography. Suppose you want to authenticate yourself to JumpCloud.com via a web browser. The steps below explain how a PKI-based authentication will work:
- The browser connects to the JumpCloud.com web server to obtain the server’s certificate and the public key.
- The browser verifies whether the JumpCloud.com’s certificate was issued by a trusted CA from its database. If the browser determines that JumpCloud.com’s certificate is legitimate, then it initiates the communication process.
- The browser encrypts its data using JumpCloud.com’s public key and transmits it to the server. If JumpCloud.com’s web server can read the encrypted message, then the browser proves that the server has the right private key and that it is connecting to the correct server.
Why Is Public Key Infrastructure Important?
PKI is an essential component of IT security because it helps organizations establish trusted signatures, encryptions, and identities. Below are some reasons why PKI is important:
PKI Can Secure Websites
Transport layer security (TLS) protocol is the most familiar use of PKI. TLS certificates and cryptographic authentication of the web server can help prevent man-in-the-middle (MitM) attacks.
PKI Can Support Email Signing and Encryption
The secure/multipurpose internet mail extensions (S/MIME) and pretty good privacy (PGP) are PKI-based protocols that specify message formats for signed and encrypted messaging.
PKI Can Secure Local Networks
Directory services such as Microsoft’s Active Directory (AD) integrate PKI capabilities to authenticate identities and provide other security functionalities on Windows domains.
PKI Can Secure the Internet of Things (IoT)
PKI enables organizations to safely authenticate IoT devices and safeguard data at rest and in transit.
Challenges Associated with Implementing PKI in Organizations
Despite its crucial benefits, in-house PKI deployments can create far more challenges than they can solve. For example, PKI isn’t like other technologies you have in the IT stack. You need highly skilled in-house IT teams to run it effectively. Unfortunately, finding the skill set that can run PKI efficiently is not only rare, but it’s also difficult to retain.
Many organizations also still use outdated and manual methods when deploying and managing their PKI. For example, most organizations still tackle their problems with a patchwork of internal PKI and CA-provided tools. This is despite the changing methods of running IT infrastructures — from static hardware to highly automated systems.
Public key infrastructure relies on a strong identity and access management (IAM) strategy. To build a strong IAM foundation for secure and effective PKI, download our Forrester whitepaper, Building Your Identity and Access Roadmap.