Public Key Infrastructure (PKI) is the collection of trusted authenticators, key storage mechanisms and policies that enable effective public-key cryptography on public and unsecure networks. Simply stated, the objective of public key infrastructure is to prevent an attacker (say Eve) from issuing a public key posing as Alice and thereby receiving the information intended for Alice. PKI achieves this by tying public keys to entities and verifying that they are who they claim to be through the issue of an independently verifiable certificate from a trusted third party.
Public key infrastructure is built to facilitate effective use of public key cryptography.
In public key cryptography, the (public) encryption and (private) decryption keys differ. The public keys are published and are used for encrypting messages so that only the holder of the private decryption key is able to decrypt and read the messages. Public key infrastructure acts to ensure that the published public keys are bound to authenticated parties who hold the relevant decryption key and therefore PKI ensures that nefarious keys or questionable entities may be identified as such (by their lack of certification).
Public Key Infrastructure enables confidence that the public key found for any entity does indeed belong to that entity and not an attacker. This trust that messages, information and data will reach the intended recipient (and only said recipient) safely is necessary for asymmetric cryptosystems to be used on public networks.
The role of PKI is most prominent when looking at websites and SSL certificates which are used to prove ownership of a private key as part of the HTTPS protocol for secure web browsing.
PKI is important for web browsing, data sharing in the internet of things (IoT), financial transaction verification, blockchain infrastructure for cryptocurrencies and bootstrapping secure messaging systems - as all of these applications require trust between the parties that they are sharing data with the intended party and can therefore expect that their website request / money / sensitive data / message will end up in the right place.
As the diagram above shows central to any PKI is the Certificate Authority (CA). A PKI may in fact be formed with many CAs as may be necessary to increase network capacity. We fill focus on the single CA case for simplicity but there is little difference in the multiple CA case. A certificate authority is a trusted entity that undertakes identity verification and issues digital certificates. Formally, the CA is responsible for issuing, revoking and publishing digital certificates.
Take the case where Bob wishes to send a message to Alice. Once a PKI has been set up Bob may attain Alice’s public key from the CA and verify that it is truly hers by attaining its digital certificate either from Alice, from the certificate authority directly or from anyone in the network who happens to hold it. Validation can then be carried out by using the public key of the CA to check the validity of the certificate as explained in the next paragraph. This is valid due to the fact that digital certificates are independently verifiable. The digital certificate contains Alice’s details, the details of the issuing CA and Alice’s public key. Once Bob has this certificate he can be sure (as long as the CA is trusted) that the public key belongs to Alice and hence will only be able to be read by her. Bob may then continue under the normal encryption protocol for the cryptosystem in place (following ElGamal or RSA encryption for example).
The certificate authority has its own public keys that are used in the generation and verification of the digital certificates it issues. Certificates are standardized to be issued in X.509 format. Upon issuing a digital certificate the CA will use their private key to digitally sign it. A digital certificate is simply a quantity of digital data (usually the details of the certified party) that has been signed using cryptographic means. The X.509 format standardizes the information to include who the certificate was issued to and by whom it was issued. Further to this the issue and expiry dates as well as the plaintext that was signed (usually SHA hashes of the content) form part of the signed data. Verification is then undertaken simply by following the verification protocol for whichever digital signature algorithm was used for issuing the certificate.
If for example the RSA digital signature is used in certificate generation verification can be done by taking the RSA public key from the CA embedded in the certificate and then checking that the following congruence holds where the digital signature is denoted by z, the plaintext by x and the RSA public key by the encryption key e, and the modulus n.
The management system by which certificates are published, suspended, renewed and revoked is known as a certificate management system. This system is maintained by the CA as a central database for reference upon receiving requests for certificate verification.
The private keys of users of the PKI are stored offline and only linked to the PKI when necessary. This enables clients to avoid keeping their private keys online where they are vulnerable to theft. Separating them from the network on different hardware which itself is encrypted enables greater security and limited exposure to risk. This notion has been expanded in the world of cryptocurrencies, where cold or offline storage is preferred over hot wallets which are always online, after several high profile thefts of various cryptocurrencies.
Verification of identity can be onerous and time consuming and often full verification is not needed for exchanging emails as what is desired is the ability to avoid fraudulent emails and imposters. However, some cases such as government communications will require heavy vetting and the time and expense of this is justified when dealing with national secrets. The need for differing levels of authentication has been solved through a certification leveling system. The typical levels are as below.
- Class 1: Certificates easily acquired by verifying an email address.
- Class 2: Requires additional personal information beyond an email address to be issued.
- Class 3: Checks upon the requestor’s identity must be carried out before certification at level 3.
- Class 4: Rigorous checks carried out. Level 4 is generally used by large financial institutions and governments.
Clearly class 4 requires more effort to attain and the greater difficulty in attaining one and rigour of the checks confers greater confidence in the holder of a class 4 certificate than of a class 1. This is why class 4 certificate holders are trusted with financial transactions whereas class 1 holders will only be trusted to send emails and class 2 to serve websites.
A web of trust is a decentralized PKI wherein there is no one specific certification authority. Each user of the PKI issues their own signature which is authenticated and validated by others on the network. The ‘votes of confidence’ from other network members accumulate to yield a position where the community is able to confer that the digital certificate is valid and correctly bound to the identity of the self-issuer.
This is the form of PKI used by Pretty Good Privacy (PGP) the creator of which, Phil Zimmerman, invented the web of trust concept. He is quoted as saying the below:
As time goes on, you will accumulate keys from other people that you may want to designate as trusted introducers. Everyone else will each choose their own trusted introducers. And everyone will gradually accumulate and distribute with their key a collection of certifying signatures from other people, with the expectation that anyone receiving it will trust at least one or two of the signatures. This will cause the emergence of a decentralized fault-tolerant web of confidence for all public keys.
Similar more modern approaches have considered using a single effectively immutable blockchain as a means of instigating a PKI through distributed ledger systems. The idea being that the consensus regarding the true blockchain inspires trust in the system as well as an ability to verify certificate issuance by a decentralized community who act independently to maintain the blockchain by working on the version they believe to be true. This ‘voting with computing power’ approach to verification of what is considered the truth is the basis of the trust behind the issuing of digital certificates in such a blockchain PKI.
Public key infrastructure enables trust in public key cryptosystems by providing confidence that the public keys relate to the entities with which you wish to communicate. In general, public key infrastructure role is to prevent Eve from issuing a public key posing as Alice and thereby receiving the information intended for Alice.
The systems of PKI are dependent on digital signatures which can be independently verified to prove that the owner of the private key counterpart to the public key is indeed the issuer of the signature. These signatures are used to form digital certificates. Trust in the PKI is based on the community as a whole in the case of distributed setups or on certificate authorities who verify signatures and collect personal information on clients in the PKI for the purpose of identity verification.