Public key infrastructure (PKI) isn’t a single protocol or process for providing security to an organization. Instead, it is the whole system of policies and procedures that create, store, distribute, and revoke digital certificates throughout an organization. PKI can look very different depending on the service it is applied to. For example, the PKI for managing SSH permissions for users will be very different from the PKI used to secure HTTPS traffic with SSL/TLS. However, in general, PKI implementations are all based on asymmetric encryption with RSA.
How do Public Keys and Private Keys work?
Public keys and private keys each consist of a combination of two numbers. The public key is used for encryption, while the private key is used for decryption. Any information that is encrypted with the public key can only be decrypted with the private key. Because of this, it is crucial for a private key to remain secret.
The public and private keys are selected as part of the RSA algorithm. The specific steps of RSA are shown below:
- Choose two large prime numbers (p and q).
- Calculate n = p*q.
- Calculate λ(n) = lcm(p − 1, q − 1).
- Choose a number e where 2 < e < λ(n).
- Calculate d = e⁻¹ (mod λ(n)).
Having selected p, q, and e, and calculated the other parameters, n and e are bundled to make the public key, and n and d are bundled to make the private key. The number n is typically a 2048-bit number.
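The steps above, carried through in Python as an added example (not code from the original article). The primes 61 and 53, the exponent 17, and the message 65 are constructed toy values, and all function names are hypothetical. The example also shows a case the range check on e does not catch: d only exists when e shares no factor with λ(n).

```python
from math import gcd, isqrt, lcm  # math.lcm requires Python 3.9+


def is_small_prime(x: int) -> bool:
    """Trial division; adequate only for the toy-sized primes used here."""
    if x < 2:
        return False
    return all(x % d for d in range(2, isqrt(x) + 1))


def generate_keypair(p: int, q: int, e: int):
    """Follow the listed steps; returns ((n, e), (n, d))."""
    if p == q or not (is_small_prime(p) and is_small_prime(q)):
        raise ValueError("p and q must be distinct primes")
    n = p * q
    lam = lcm(p - 1, q - 1)
    if not 2 < e < lam:
        raise ValueError("e must satisfy 2 < e < lambda(n)")
    # The range check alone is not enough: d = e^-1 (mod lambda(n)) exists
    # only when e shares no factor with lambda(n).
    if gcd(e, lam) != 1:
        raise ValueError("e has no inverse modulo lambda(n)")
    d = pow(e, -1, lam)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(m: int, public_key) -> int:
    """Encrypt an integer message with the public key (n, e)."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(c: int, private_key) -> int:
    """Decrypt an integer ciphertext with the private key (n, d)."""
    n, d = private_key
    return pow(c, d, n)


if __name__ == "__main__":
    # Constructed toy values; real keys use large random primes so that
    # n is about 2048 bits.
    public, private = generate_keypair(61, 53, 17)
    ciphertext = encrypt(65, public)
    print(public, private, ciphertext, decrypt(ciphertext, private))
```

With these values, e = 3 falls inside the range 2 < e < λ(n) = 780 but is rejected, because 3 divides 780 and no d can satisfy the last step.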
As part of PKI, servers and clients will securely store these public and private keys to perform a range of authentication functions. One of these functions is providing digital certificates.
What are Digital Certificates?
Digital certificates are files provided by a Certificate Authority (CA) to a server or client that they can use to verify their identity. The certificate will contain the distinguished name (DN) of the owner, the owner’s public key, the date of issuance, the expiration date, the DN of the issuing CA, and the CA’s digital signature.
When any two parties with digital certificates try to communicate, each party will give the other a challenge based on the public key. This challenge will only be solvable with the private key. Because of this challenge, forging a digital certificate is useless without knowing the private key.
What else is PKI used for?
PKI is used in many more applications that will be covered later. To touch on a few, these applications include:
- Accessing SSH
- Signing documents
- Initiating SSL/TLS connections