A public key infrastructure (PKI) is a security infrastructure that provides services for the secure exchange of data between communication partners. With the help of the PKI, certificates and the affiliation of public keys can be verified.
What is a PKI (Public Key Infrastructure)?
The abbreviation PKI stands for public key infrastructure and refers to a system that can be used to issue, distribute and verify digital certificates. Thanks to PKI, the secure and encrypted exchange and signing of data on the Internet is possible. The PKI provides services with which the affiliation of public keys and the authenticity of certificates can be reliably verified.
In addition, the public key infrastructure provides directories for storing certificates or certificate revocation lists. Data is encrypted and signed using asymmetric encryption methods.
Public key infrastructure – secure use of asymmetric encryption methods
Asymmetric encryption methods use private and public keys. Data encrypted with a public key of a communication partner can only be decrypted again with the secret private key of the same communication partner. The public keys are available to everyone. However, there is the problem that the affiliation of a public key must be verifiable beyond doubt. This task is performed by the public key infrastructure. It issues certificates that confirm the authenticity of the public key.
The digital certificates themselves are signed by a digital signature of the certification authority (CA) and can be verified with the issuer’s public key. In turn, a certificate is required to verify the authenticity of the issuer. This creates a certificate chain that leads up to a root certificate. Operating systems and browsers usually have a list of trusted CAs that can be used to determine the authenticity of certificates.
The most important components of a PKI
A public key infrastructure requires several components to perform its functions. These include digital certificates, certificate authorities (CAs), subordinate registries, certificate directory services, certificate revocation lists, validation services, and many others.
The PKI hierarchical trust model
As a rule, a strictly hierarchical trust structure is found in the public key infrastructure. This structure assumes the existence of a root CA (root certification authority ) that is trusted by all entities participating in the PKI. In practice, there are several root CAs with their own PKIs, which can be country-specific or company-specific.
The certificates of the root CA are the so-called root certificates and form the starting point of a hierarchical trust tree. The root certificates of the most important root CAs are usually integrated into software such as browsers or operating systems. The protection of the root CA and its private key is of paramount importance for a PKI.
The Web of Trust trust model
A trust model contrary to the hierarchical structure is the Web of Trust (also WoT or network of trust). In this model, the mutual signatures (confirmations) of the various participants ensure the authenticity of digital keys and certificates.
The more signatures are added to a certificate, the more trustworthy the certificate is. In the Web of Trust, the many different participants, therefore, assume the role of a single trusted instance of the hierarchical model.
