PKI explained in 4 minutes

The public key infrastructure (PKI) security method has seen a major upswing in popularity, and is used for everything from enabling e-services to securing the internet of things. Martin Furuhed, PKI expert at identity and security company Nexus Group, explains the method in 4 minutes.

What is PKI used for?

“The public key infrastructure (PKI) security method enables trusted electronic identities (eIDs) for people, software and things, which make it possible to implement strong authentication, data encryption and digital signatures.

“These security mechanisms are used to grant secure access to physical and digital resources; secure communication between people, software and things; and enable digital signing of documents and transactions,” says Furuhed, product manager of Nexus’s certificate authority (CA) software Certificate Manager.

What makes up a PKI?

“A typical PKI consists of policies, standards, hardware and software that manage the creation, distribution, revocation and administration of digital certificates. The heart of a PKI is a certificate authority, which is a trusted entity that ensures the trustworthiness of the digital certificates,” says Furuhed.

What is a digital certificate?

“A digital certificate is a file containing a range of information, such as identifying information, a serial number and expiration dates. It also includes the digital signature of the certificate authority that has issued the certificate, which is what gives validity to the certificate, as well as the certificate holder’s public key.

“This is the purpose of PKI: to reliably tie a public key to a person, software or thing. Nearly all digital certificates used within PKI are based on the X.509 standard, and support for these certificates is built into a lot of software, such as email clients and servers, web servers, and operating systems,” says Furuhed.

What are public and private keys?

“In cryptography, a key is a piece of information that determines the functional output of a cryptographic algorithm. Public and private keys are generated in pairs that are mathematically linked, and they are used in asymmetric cryptography, also known as public key cryptography.

“The public key is accessible to everyone and the private key is only available to the key holder. When a public key is used to encrypt data, the only way to decrypt the data is to use the corresponding private key. When a private key is used to sign a message, the corresponding public key is used to verify the signature. The use of two different keys is what gives asymmetric cryptography its name. In symmetric cryptography, the same key is used for both encryption and decryption,” says Furuhed.

What makes up an electronic identity (eID)?

“A digital certificate, which is publicly available and includes a public key, and a private key. In combination, this functions like a digital passport: it can be used to affirm the identity of a person, software or thing,” says Furuhed.


How does PKI facilitate authentication?

“When, for example, a user tries to authenticate their identity to a server, the server generates random data and sends it to the user. The user encrypts the data with their private key, and sends it back to the server. The server decrypts the data with the public key in the user’s digital certificate, and if the decrypted data is the same as the sent data, the server knows that the user is who they claim to be,” says Furuhed.
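
The challenge-response flow described above, as an added Go example (not code from Nexus or from the interview). It assumes an in-memory test CA with Ed25519 keys, performs the private-key step as a digital signature over the server's challenge, and uses the hypothetical helper names mustIssue and verify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mustIssue (hypothetical demo helper) issues a one-hour certificate for cn; nil parent = self-signed CA.
func mustIssue(cn string, parent *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // root CA: certifies its own key and may sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, caKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verify is the server side: cert must chain to the trusted CA, and response must verify under cert's public key.
func verify(ca, cert *x509.Certificate, challenge, response []byte) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil && cert.CheckSignature(x509.PureEd25519, challenge, response) == nil
}

func main() {
	ca, caKey := mustIssue("Example CA", nil, nil) // constructed test CA
	cert, key := mustIssue("alice", ca, caKey)     // constructed user identity
	challenge := make([]byte, 32)
	rand.Read(challenge) // server: fresh random data for this login attempt
	fmt.Println("authenticated:", verify(ca, cert, challenge, ed25519.Sign(key, challenge)))
}
```

Because the challenge is fresh for every attempt, a response captured from an earlier login does not verify against a new challenge.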

How does PKI facilitate digital signing?

“The first step is to calculate a so-called hash value of the document or transaction that is to be signed. The hash value is computed with an algorithm and the result is what can be described as a digital fingerprint of the file’s contents. The hash value is then encrypted with the signing user’s private key, and the encrypted hash value is added to the document or transaction – this is the signature.

“The user’s digital certificate, which includes the user’s public key, is also added to the document or transaction. Anyone can then decrypt the signature using the public key and calculate the hash value of the document. If the two results are identical, the validity of the signature and the integrity of the document is confirmed,” says Furuhed.

How does PKI facilitate encryption and decryption of data?

“When large amounts of data are to be encrypted and decrypted, symmetric cryptography has to be used, since asymmetric cryptography is too slow. Since the same key is used for both encryption and decryption in symmetric cryptography, the key first has to be shared between the two communicating parties. One of the parties generates the key and sends it to the other party using asymmetric cryptography, which is enabled by the PKI,” says Furuhed.

Published 21/4 2017