What is Public key Infrastructure PKI?
In this blog post, I will be talking about basic definition of Public Key Infrastructure PKI, and reveal the problems that PKI promises to solve.
Internet is a city
Imagine you live with your family in friendly neighborhood. Most likely you know everyone in your neighborhood. You just need to look at someone’s face to quickly identity and authenticate him. You authenticate people in the neighborhood because you can identify them from their faces and the way they look or sound.
Now, let us move on and talk about a small company with couple of hundred employees. On your first day in this company, you will get know couple of people who works directly with you. With time, you establish authenticity with other people, and you start greeting them when you see them. It is impossible for you to know and learn the names of every single person in the company. Usually such companies use badges with pictures and names on them, to make it easy for people to identify each other’s. If you see a person with a badge that has a company’s logo, then you can assume that that person is authentic and works on your company. Seeing that badge would give you initial signals to establish basic trust.
Now let us imagine that the internet is a city, it would be the most crowded city in the world. Inside this city, you would also discover that not everyone is who they seem to be. There a lot of unfamiliar faces, and you quickly start to think that not everyone is trust worthy. Authenticity in such city becomes a great challenge.
What is Public key Infrastructure PKI?
Public Key Infrastructure PKI is a framework that helps identify and solve these problems for you, by establishing safe and reliable environment for electronic transactions in the internet. It uses public key encryption techniques to protect the confidentiality, integrity, authenticity and non-repudiation of data.
Instead of distributing badges, people (and services) are issued a certificate that identify them. You can think of those certificates like birth certificates or your driving license. If someone is questioning your identity, you can give him your driving license. That person will look at the picture in that license and compare it to your face. If they match, he will then try to see if the driving license is issued by a government agency by looking at a stamp or signature. If everything looks fine, and since that person trust the government, that person would successfully authentication you, although you never met before.
So, imagine the same thing is happening in the digital word, and someone is trying to authenticate you. instead of giving him a driving license, you will give him a digital certificate. instead of your picture, the certificate will have a public key that everyone can have a look at. The person trying to authenticate you will look at your digital certificate, and will see your name there, and your public key. Since anyone can fake such a certificate, that person will try to authenticate the certificate itself by looking at who issued that certificate. If it is issued by an authority he trusts, that he will verify that the certificate is signed by that authority. If everything looks fine, that party will authenticate you.
Sounds simple but complicated. Public key Infrastructure PKI is all about building trusts between people and services in the digital words. It helps establishing such trusted authorities and building a trust chain.
Symmetric vs Asymmetric keys
When cryptography and encryption started, it was all about how to hide or cipher information, so that messages can be sent to the other side, without the enemy knowing its content. Knowing the encryption key would be enough to decipher the whole message as the key used to encrypt the data, is the same key that is required to decrypt the data, hence it is called symmetric encryption
With time, many new encryption algorithms are now used to protect data at rest and in transit. Encryption is great, because you can just encrypt your data and go away. Think about it in this way. When you park your car and go to work, instead of hiring a guard that will make sure no one will steal your car, you can just lock your car and take the key with you.
But another problem appears, which is how can someone encrypt a piece of information using a key, and then send the encrypting information over the insecure internet, to another party in the internet. If you think about it, two problems appear here:
- If you are sending encrypted information over the internet to another person, how can you make sure that person is who claims to be?
- How can you send to the other person your encryption key safely, so that he can decrypt and read your message?
Public Key Infrastructure PKI helps in establishing such trust between people in the internet, and facilitate a secure way to transfer or exchange that encryption key over the internet, to the other party. Public Key Infrastructure PKI uses asymmetric cryptography to accomplish its goals. If you think about it, Public Key Infrastructure PKI does not care about encrypting or decryption messages. It cares about solving the previous two problems. Another clear reason why asymmetric cryptography is not used for actual encryption is due to the large size of the asymmetric keys. Usually symmetric encryption keys are 128, 256 bits in size, while asymmetric encryption key sizes start with 1024 bits. If you use asymmetric cryptography for encryption, it will be so slow and time consuming. Nevertheless, asymmetric encryption can be used to encrypt small messages, like credit card numbers.
Public key Infrastructure PKI key concepts
To establish trust in the digital word, a person or entity should trust some kind of an authority. Everything else starts afterword’s. Once that trust is established, that authority will produce digital certificates to people. For example, suppose you want a driving license. You would go and apply for one, and you will be asked to provide some sort of a document that proof your identity like your birth certificate. You will then get a driving license that is signed or stamped by a government agency.
Same happen in PKI. You will go a a trusted authority that you know many people out there are trusting, and provide some documents to initialize authenticate yourself. Then you will get a digital certificate that is stamped and signed by that trusted authority. Later, you can just present that digital certificate to anyone that trust that trusted authority, and authenticity would be accomplished.
In asymmetric cryptography, you usually end up with two keys. When you encrypt a message with one key, you need the other key to decrypt the message. Usually, you keep one key hidden from everyone [private key], and you make the other key available for anyone. Now your digital certificate that you got from the trusted authority contains your public key. So, when you present your digital certificate to other parties, they would be able to authenticate you and learn your public key.
Since they learn your public key, and they know this key belongs to you, and only you, since they authenticate your digital certificate, they can use that public key in an interesting way. For example, they can send you an encrypted message that is encrypted with a symmetric encryption key [Key A]. Then they will use your public key to encrypt [Key A] and will send you that encrypted key. Since that key is encrypted with your public key, only your private key is able to decrypt it. Mission accomplished.
PKI opens the door for many security implementations in the real words. With PKI, SSL can be used to safely browse secure website and enables secure bank transactions on the web. Email digital signature and protection is another key implementation for PKI. With PKI, smart cards can be used to provide two factor authentication, and prevent the risk of knowing the password.
There are a lot of implementations of PKI, and it exist in almost any application nowadays, especially with cloud computing. Knowing PKI is an essential knowledge nowadays, and it can help you plan your security framework for any application or implementation.