A PKI or Public Key Infrastructure is a trust infrastructure that issues and manages digital, cryptographically secure credentials to people, devices, and things, which enables electronic transactions to take place. A PKI provides integrity, authenticity, and protection of digital information and transactions.
A PKI consists of a mixture of roles, policies, hardware, software, and procedures required to create, manage, distribute, use, store and revoke digital certificates and their corresponding cryptographic keys.
Modern life and the digitization of business and organizational processes that we take for granted simply wouldn’t function without the trust services and digital identities or signatures that are enabled by the use of PKI.
No other IT security system in the world underpins as many diverse use cases as PKI. Digital signatures are used everywhere even when we are not actually aware, example uses include:
• Retail payment systems like MasterCard/Visa chip and pin,
• High-value interbank payment systems (CHAPS, BACS, SWIFT etc),
• e-Passports and e-ID cards,
• Business and legal document signing,
• Logging on to SSL-enabled websites or connecting with corporate VPNs.
How does a PKI work?
The details of how all the elements of a PKI interact at each stage are complex, but briefly, the main PKI components and their roles are:
• Certificate Authority (CA) — stores, issues and signs the digital certificates
• Registration Authority (RA) — checks and registers the identity of users’ digital certificates
• Central Directory — where users keys are securely stored and indexed
• Revocation Services — provides a means of checking to see if a digital certificate can no longer be trusted
• Certificate Management system — access and distribution for stored digital certificates
• Policy — sets out the PKI’s requirements and procedures.
Digital Certificates:
A digital certificate is an electronic identification for a person, website or organization. By using PKI, secure connections between two communicating devices can be made. And the identities of the two parties can be verified using these certificates.
Public and Private Keys:
The PKI relies on the fact that each user has at least one pair of cryptographic keys — a public key and a private key. The public key is embedded into a certificate that is digitally signed by a Certification Authority (CA). The user’s public key or public certificate is widely accessible, whilst their private key is held securely by the owner.
These two keys and corresponding certificates are used by applications to provide the following:
Information Protection \ Encryption:
Information can be encrypted with a user’s public key\certificate which can then only be decrypted by the holder of the private key.
Data Integrity \ Digital Signature:
Information can be digitally signed by the holder of a private key and then verified by recipients using the signer’s public key.
Authentication:
Digital Certificates can be used to authenticate a server to which your web browser will send information securely, this is called Server Authentication. Digital Certificates can also be used to authenticate a client to a server or other back end process or application such as a wireless network or VPN.
Applications using PKIs and digital signatures can also provide the following:
Authentication and non-repudiation
To answer the questions of ‘Who really signed this electronic document?’
And ‘Could it have been altered since signing?”
Long term Verification (LTV)
Business and legal documents need to be verifiable months and years into the future.
Timestamping
Data in electronic form which binds other electronic data to a particular time establishing evidence that these data existed at that time.
Establishing identity and e-Identity
Positive assurance that people and entities really are who they claim to be. The initial checking and enrolment is done by the Registration Authority or may draw on the services of a Trusted Service Provider (TSP).
Standards:
In 2016 the European Standard ‘ETSI EN 319 142–1’ was published on Electronic Signatures and Infrastructures (ESI) and PAdES digital signatures. It is intended to cover digital signatures supported by PKI and public key certificates and aims to meet the general requirements of the international community to provide trust and confidence in electronic transactions.
