What PKI is and how it works
In this post, we’re discussing a topic as complex as it is crucial to enterprise security: public key infrastructure (PKI). So, let’s dive right into this essential cryptographic concept.
Public key infrastructure (PKI) is, as the name suggests, a type of data security infrastructure designed around public key cryptography. More precisely, PKI is a system for managing digital certificates. Great—but what does that really mean?
Digital certificates are electronic files that bind identifiable information of an application or machine to an asymmetric key pair.
These asymmetric key pairs are “asymmetric” because they consist of a public key, which encrypts data, and a private key which decrypts it. In addition to identifiable information, digital certificates also include a public key. This public key, when certified by its assigned private key, authenticates the identifiable information in the certificate. This, finally, authenticates the identity of a user, device, document, message, or other entity on a network.
In fewer words, public key infrastructure uses asymmetric encryption and digital certificates to ensure that only authorized recipients can access shared data. In even fewer words, PKI is the foundation of trust throughout an enterprise.
Deploying PKI (and certificate authority)
Deploying PKI starts with deploying a certificate authority (CA). Whereas PKI refers to a system, a certificate authority is a digital entity that creates and issues digital certificates.
Earlier, we mentioned that the public keys included in digital certificates are certified by an assigned private key (which forms the other half of the asymmetric key pair). This private key belongs to a certificate authority. All CAs have private keys with which they validate the public keys included in digital certificates. As such, CAs are an essential component of public key infrastructure.
So, if deploying public key infrastructure starts with deploying a CA, how do you deploy a CA?
The role of certificate authority (CA)
First, a secure cryptographic device like an HSM or key management server creates an offline root certificate authority. The offline root CA occupies the highest place within the hierarchy of public key infrastructure, and is the absolute foundation of trust across an enterprise. The HSM will also create asymmetric key pairs—one public key and one private key. The root CA’s private key is kept offline within a FIPS 140-2 Level 3 and PCI HSM validated Secure Cryptographic Device, until such a time when the private key is needed to validate subsequent CAs. Keeping the private key offline until it’s needed helps keep it safe from attack and exposure.
The root CA is used to authenticate what’s called an issuing CA. Issuing CAs are on a lower tier of the PKI hierarchy, subordinate to the root CA. Issuing CAs do most of the work. Importantly, they provide signed certificates that are distributed to applications, users, devices, and more. This creates a circle of trust between certificates and keys. The CA both creates and signs the asymmetric keys used in digital certificates.
The role of cryptographic modules
All of these cryptographic functions take place within the secure boundary of an HSM or key management server deployed either on-premises or in the cloud. So, after either installing a physical HSM in your server rack or spinning up an HSM-as-a-Service in the cloud, users can access the HSM’s CA functionality to begin issuing and managing digital certificates, opening the door to enterprise PKI.
Implementing an effective PKI can be a big challenge for organizations. Not only do you have to purchase hardware or integrate a cloud service through a trusted vendor; you must also set key management policies, design approval workflows, and define other security policies. In the past, organizations had to rely on different applications and solutions for key management, certificate issuing, encryption, digital signing, and related services.
To bypass these challenges, there are now solutions that consolidate all of this functionality into a single platform that streamlines the integration process and provides tons of functionality beyond just PKI, like tokenization, application encryption, IoT security management, registration authority, code/object signing, and more.
Practical uses of PKI
Now that we understand what public key infrastructure is and how it works, let’s talk about the practical side of PKI. Who needs to use PKI, and why?
In short, any organization that wants to make sure its resources are only accessed by authorized parties will need PKI. Let’s say you’re running an application connected with other resources. Multiple users, devices, or other applications might interact with this application regularly. Each of these entities can be validated with a digital certificate that lets them access the application. Otherwise, attackers or unauthorized insiders could connect to the application and access sensitive data.
Specifically, an organization might deploy a CA to issue certificates to its client domains—the computer workstations and devices used by employees. That way, whenever their servers get requests from employee client domains, they’ll recognize the certificates (which may be tied to their IP addresses, or other identifiable information) and grant the employee access to authorized company resources.
Another example of PKI may involve a manufacturer of IoT devices. Each device will be connected to networks of other devices which may all exchange information. If any one of these devices is not secured with a digital signature or certificate, it could be exposed to potential cyberattacks. As such, establishing a PKI to manage this process keeps all of the devices, and the network itself, secure.
Other common use cases of PKI involves digital signing, where digital signatures are applied to keys, files, applications, and code. Being able to sign code is crucial for developers to maintain trust in the integrity of their projects. On a more general basis, securing email via PKI helps protect your internal communications from attack.
In summary
We hope this rundown of public key infrastructure has helped explain the concept in clear terms. PKI may seem complicated at first, but it’s really just a matter of deploying the right HSM or key management solution.
If you have any questions about PKI, CA, asymmetric encryption, or anything cryptography-related, please feel free to reach out to our subject matter experts to continue the conversation!
FAQ
How does the hierarchy within a PKI, particularly the relationship between the root CA and issuing CAs, ensure trust in the system?
The hierarchical structure of a PKI, anchored by the root CA and comprising subordinate issuing CAs, is fundamental for instilling trust in the system. The root CA, holding the highest level of trust, validates the public keys of issuing CAs, establishing a chain of trust. This process ensures that each subsequent CA in the hierarchy is trusted because it is certified by a higher-level CA, ultimately tracing back to the root CA. As a result, when issuing CAs provide signed certificates, these certificates are trusted by association with a trusted CA in the chain, fostering confidence in the authenticity and integrity of digital certificates for secure communication and access control.
What are the main challenges organizations face when implementing PKI, and how have recent solutions addressed these challenges?
Challenges in PKI implementation include purchasing hardware or integrating cloud services, setting key management policies, and defining security policies. Recent solutions consolidate functionality into a single platform, streamlining integration and providing additional features like tokenization and IoT security management.
What are some advanced applications of PKI beyond traditional use cases, particularly in areas like IoT security and code integrity?
Advanced PKI applications extend beyond traditional uses to areas like IoT security and code integrity. In IoT security, PKI manages digital signatures to authenticate devices and establish secure communication channels, mitigating cyber risks. Similarly, in code integrity, PKI allows developers to digitally sign code, ensuring its authenticity and protecting against unauthorized modifications, thereby enhancing user trust and software security.
