PKI (Public Key Infrastructure) is an arrangement in cryptography that facilitates third party examination of, and vouching for, user identities.
PKI allows the binding of public keys to users. These public keys are most frequently stored in cartificates. This binding of public keys to users is usually carried out by software in a central location, in coordination with other associated software components installed in distributed locations.
The term Public Key Infrastructure is sometimes used in a broader sense to mean both the Certificate Authority (CA) and related arrangements as well, and in some other times, confusingly or wrongly, to denote public key algorithms used in electronic communications. In the latter case, it should be kept in mind that public key algorithms do not require PKI.
Working with PKI
Public Key Infrastructure arrangements help users to authenticate each other and to use the information in identity certificates (public keys of each person) to encrypt and decrypt messages between each other.
Here is the way PKI works: The public key infrastructure architecture consists of client software, server software such as a certificate authority, hardware (e.g., smart cards) and operational procedures. Using his/her private key, a user may sign messages digitally, and another person can verify this signature using the public key embedded in that user’s certificate issued by a certificate authority within the Public Key Infrastructure, thereby enabling two or more parties to establish confidentiality, message integrity and user authentication without having to compromise any secret information in advance or during the process.
Most enterprise PKI systems depend upon certificate chains to establish a party’s identity. That is, while the certificate for any party may be issued by a certificate authority computer, it becomes mandatory that the legitimacy of that computer in turn need to be certified, and that is done by a higher certification authority and the chain goes on.
This certification hierarchy, at a minimum level, will consists of many computers, often more than an organization, and an assortment of interoperating software packages from different systems across different sources. This hierarchical structure is in fact inevitable as standards are critical to PKI operation. Many of the operating standards in this area are formulated by the IETF PKIX workgroup.
Enterprise-scale public key infrastructure systems are sometimes tied closely with the enterprise’s directory schema by combining the employee’s public key – embedded in a certificate – with other personal details such as name, designation, and department. X509 is the most commonly used certificate format alongside the directory schema LDAP.
PKI Applications
Public Key Infrastructures, irrespective of the vendors, have many uses. These include providing public keys and bindings to user identities which are used for:
- Encryption or authentication of documents. For example, XML signature standards if the document concerned is encoded in XML.
- The same, but in case of email messages (using S/MIME or OpenPGP).
- Verification and authentication of users to applications such as in smart card login and client validation using SSL.
- Bootstrapping secure communication protocols such as SSL and Internet Key Exchange (IKE).
PKI Alternatives
Newer techniques for the authentication of public key information have been introduced and some of them are already in use by various enterprises. Most popular amongst them include the Web of Trust, Simple Public Key Infrastructur (SPKI) and Robot Certificate Authorities or Robot CAs.
