Public Key Infrastructure, commonly abbreviated as PKI, is a system that allows users of an inherently insecure public network, such as the Internet, to exchange data and money securely and privately. This is made possible through the use of a pair of cryptographic keys: a public key and a private key, obtained and shared through a trusted authority.
PKI Components
- Cryptographic Keys:
- Public Key: Can be distributed freely and is used to encrypt data or verify digital signatures.
- Private Key: Must be kept secret by the owner and is used to decrypt data encrypted with the public key or to create digital signatures.
- Digital Certificates:
- A digital certificate is an electronic document that associates a public key with an entity, such as a person or an organization, through the digital signature of a Certificate Authority (CA).
- Certificates contain information about the identified entity, the entity’s public key, the digital signature of the certificate authority, and the validity period of the certificate.
- Certificate Authority (CA):
- CAs are trusted entities that issue, renew, and revoke digital certificates. Their primary function is to ensure that the public key present in the certificate actually belongs to the identified entity.
- Registration Authority (RA):
- RAs are responsible for verifying the identity of entities requesting a certificate before the CA can issue it.
- Certificate Directory:
- Directories are public repositories where digital certificates can be stored and accessed. These repositories facilitate the distribution of public keys and the verification of certificates.
- Certificate Revocation List (CRL):
- The CRL is a list maintained by the CA that contains certificates revoked before their expiration date. This allows users to know which certificates are no longer valid.
How PKI Works
- Certificate Issuance:
- An individual or organization requests a digital certificate from a CA. The request is verified by an RA, which authenticates the requester’s identity.
- Once the identity is verified, the CA issues a digital certificate containing the requester’s public key and other relevant information.
- Certificate Distribution:
- The digital certificate is distributed to the requester, who can now use it to communicate securely.
- The public key can be distributed freely, while the private key must be kept secret.
- Certificate Verification:
- When a digital certificate is received, its authenticity can be verified by checking the digital signature of the certificate authority.
- If the certificate is valid, the public key can be used to encrypt data intended for the certificate owner or to verify digital signatures created by the owner.
- Certificate Revocation:
- If a certificate needs to be revoked (for example, because the private key has been compromised), the CA adds it to the Certificate Revocation List (CRL).
- Users can consult the CRL to verify that the certificate has not been revoked before using it.
Public Key Infrastructure is fundamental to ensuring the security of communications over insecure networks, such as the Internet, by offering a robust mechanism for authentication, confidentiality, and data integrity.
