A PKI (public key infrastructure)
enables users of a basically unsecure public network such
as the Internet to securely and privately exchange data
and money through the use of a public and a private cryptographic
key pair that is obtained and shared through a trusted authority.
The public key infrastructure provides for a digital certificate
that can identify an individual or an organization and directory
services that can store and, when necessary, revoke the
certificates. Although the components of a PKI are generally
understood, a number of different vendor approaches and
services are emerging. Meanwhile, an Internet standard for
PKI is being worked on.
The public key infrastructure assumes the use of public
key cryptography, which is the most common method on the
Internet for authenticating a message sender or encrypting
a message. Traditional cryptography has usually involved
the creation and sharing of a secret key for the encryption
and decryption of messages. This secret or private key system
has the significant flaw that if the key is discovered or
intercepted by someone else, messages can easily be decrypted.
For this reason, public key cryptography and the public
key infrastructure are the preferred approach on the Internet.
(The private key system is sometimes known as symmetric
cryptography and the public key system as asymmetric cryptography.)
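The two uses of public key cryptography named above, encrypting a message and authenticating its sender, shown as an added example that is not part of the original page. It uses textbook RSA with small constructed primes and no padding, so it is for illustration only; the function names are hypothetical.

```python
# Textbook RSA, illustration only: small constructed primes and no padding.
# Production systems use a vetted library with padding (OAEP, PSS).
import hashlib

P, Q = 2**61 - 1, 2**89 - 1   # constructed sample primes (both Mersenne primes)
E = 65537                     # public exponent

def make_keypair():
    """Return (public, private), each as an (exponent, modulus) tuple."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
    return (E, n), (d, n)

def encrypt(message: bytes, public) -> int:
    """Anyone holding the recipient's public key can encrypt."""
    e, n = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)

def decrypt(ciphertext: int, private) -> bytes:
    """Only the private key holder can recover the message."""
    d, n = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private) -> int:
    """The sender applies the private key to a hash of the message."""
    d, n = private
    return pow(_digest(message, n), d, n)

def verify(message: bytes, signature: int, public) -> bool:
    """Anyone can check the result with the sender's public key."""
    e, n = public
    return pow(signature, e, n) == _digest(message, n)

if __name__ == "__main__":
    public, private = make_keypair()
    secret = encrypt(b"wire $100", public)       # constructed sample message
    print(decrypt(secret, private))
    sig = sign(b"from: alice", private)
    print(verify(b"from: alice", sig, public))   # genuine message
    print(verify(b"from: mallory", sig, public)) # altered message is rejected
```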
A public key infrastructure consists of:
- A certificate authority (CA) that issues and verifies digital certificates. A certificate includes the public key or information about the public key
- A registration authority (RA) that acts as the verifier for the certificate authority before a digital certificate is issued to a requestor
- One or more directories where the certificates (with their public keys) are held
- A certificate management system
How Public and Private Key Cryptography Works
In public key cryptography, a public and private key are
created simultaneously using the same algorithm (a popular
one is known as RSA) by a certificate authority (CA). The
private key is given only to the requesting party and the
public key is made publicly available (as part of a digital
certificate) in a directory that all parties can access.
The private key is never shared with anyone or sent across
the Internet. You use the private key to decrypt text that
has been encrypted with your public key by someone else
(who can find out what your public key is from a public
directory). Thus, if I send you a message, I can find out
your public key (but not your private key) from a central
administrator and encrypt a message to you using your public
key. When you receive it, you decrypt it with your private
key. In addition to encrypting messages (which ensures privacy),
you can authenticate yourself to me (so I know that it is
really you who sent the message) by using your private key
to encrypt a digital certificate. When I receive it, I can
use your public key to decrypt it. Here's a table that restates
it:
|