What is public key infrastructure (PKI)?


One of the most important elements of digital encryption and cryptography is public key infrastructure (PKI), which is an essential component of security technology. PKI governs how digital certificates and public key encryption are managed and deployed by establishing the roles, policies and procedures required.

PKI is normally deployed to keep information conveyed over digital channels secure across a range of networked activities, such as e-commerce, internet banking and private email. It is required, for example, in processes where basic passwords are not strong enough as an authentication method, and it gives the parties involved a more rigorous proof of identity when providing and accessing the information being transferred.

Public key encryption relies on PKI mechanisms, but the term PKI refers to the wider system that verifies authentication attempts and distributes keys in the first place. PKI is therefore not the same thing as public-key encryption, the secure data transfer method itself.

How does PKI work?

Many organisations take part in a PKI, and the first step is for a subject to verify its identity in order to obtain a digital certificate. A registration authority (RA) is required under PKI to verify the subject. All requirements must be published too, alongside information on how the PKI was established.

Following successful identity verification, the request is passed from the RA to a certificate authority (CA), the organisation charged with approving, issuing and storing digital certificates. Well-known CAs include Comodo, DigiCert and even GoDaddy, with the likes of Let’s Encrypt also categorised as a CA. Certificates issued by the CA are held in a central repository, controlled by management systems that also handle distribution and access permissions.

The CA is in charge of signing and issuing digital certificates as proof that a subject’s identity has been verified, and following an approved RA request, the CA will issue a pair of private and public keys to accompany this. This might come across as a simple step in the process, but various pieces of hardware and software work silently in the background to make it happen. These include managing tasks like automatic data validation, the creation of key pairs, and request approval. Together, these elements form the PKI.

Where is PKI used?


PKI features in a wide range of applications, but it is most frequently used to protect digital platforms and services. A common deployment is the protection of data transfers, so that information sent over a network can only be viewed by the intended recipient.

It's also used to send emails using OpenPGP (Open Pretty Good Privacy) and S/MIME (Secure/Multipurpose Internet Mail Extensions), for user authentication with smart cards, and for authenticating client systems using SSL (Secure Sockets Layer) signatures or encryption.

You may also encounter a variant of PKI when accessing e-documents and online forms that require user signatures. While there are other ways to verify an e-document, PKI is by far the easiest to use as it's not necessary for the two parties to know each other.

The chain of trust

To enhance the security of a PKI, a trust relationship called a chain of trust is needed. This hierarchy describes the trust relationship between identities when subordinate (intermediate) CAs are used. Its main advantage is that it allows certificate issuance to be delegated to subordinate CAs.

A chain of trust is built by validating each hardware and software component, from one end of the chain right up to the root certificate, to ensure that only trusted software and hardware are used in the PKI.
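The hierarchy just described, as an added Go example that is not part of this article: using the standard library's crypto/x509 package, a self-signed root CA signs an intermediate CA, the intermediate signs an end-entity certificate, and a verifier accepts the end-entity only when it can follow those signatures back to a root it already trusts. The CA names, the hostname www.example.test and the 2048-bit demo keys are constructed placeholders.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // panics on error to keep the demo short; real code returns it
	if err != nil {
		panic(err)
	}
	return v
}

// mustIssue makes a key pair for cn and a certificate over its public key signed by parentKey; nil parent = self-signed root.
func mustIssue(cn string, usage x509.KeyUsage, serial int64, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048)) // the subject's own key pair (demo size)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, KeyUsage: usage,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: usage&x509.KeyUsageCertSign != 0, // only CAs may sign certs
	}
	if parent == nil {
		parent, parentKey = tmpl, key // a root CA vouches for itself
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// BuildChain issues root CA -> intermediate CA -> end-entity (constructed names); each is signed by the key of the one above it.
func BuildChain() (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	root, rootKey := mustIssue("Example Root CA", x509.KeyUsageCertSign, 1, nil, nil)
	inter, interKey := mustIssue("Example Intermediate CA", x509.KeyUsageCertSign, 2, root, rootKey)
	leaf, _ := mustIssue("www.example.test", x509.KeyUsageDigitalSignature, 3, inter, interKey)
	return root, inter, leaf
}

// VerifyLeaf walks leaf -> intermediates -> root; a missing intermediate or an untrusted root breaks the chain.
func VerifyLeaf(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(root)
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err
}
```

Calling VerifyLeaf(leaf, root) without the intermediate, or with a root from a different hierarchy, returns an error, which is exactly the failure a browser reports when a server omits its intermediate certificate or presents one issued by a CA the client does not trust.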

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.