{"id":12038,"date":"2020-02-12T13:50:00","date_gmt":"2020-02-12T18:50:00","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=12038"},"modified":"2024-05-20T16:20:12","modified_gmt":"2024-05-20T20:20:12","slug":"what-is-pki-a-crash-course-on-public-key-infrastructure-pki","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/what-is-pki-a-crash-course-on-public-key-infrastructure-pki\/","title":{"rendered":"What Is PKI? A Crash Course on Public Key Infrastructure (PKI)"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-ever-wonder-what-public-key-infrastructure-pki-is-and-how-it-works-it-s-only-one-of-the-most-critical-systems-used-to-ensure-authentication-data-integrity-and-privacy\">Ever wonder what public key infrastructure (PKI) is and how it works? It\u2019s only one of the most critical systems used to ensure authentication, data integrity, and privacy\u2026<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The world of cryptography is full of brilliant ideas, and\none of those ideas is <a href=\"https:\/\/www.thesslstore.com\/blog\/wide-world-pki\/\">public\nkey infrastructure (PKI)<\/a>. But what is PKI and what does it entail for\norganizations and data privacy? In a nutshell, it\u2019s a system of processes,\npolicies, authentication, and technologies that govern encryption and is ultimately\nwhat protects our text messages, emails, passwords, credit card information, and\ncute cat photos\u2026 okay, you get the point, right? <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">PKI is an infrastructure that has become an essential\npart of our everyday lives \u2014 and the overwhelming majority of us don&#8217;t even\nknow what it is! Well, that&#8217;s something that saddens all of us here at Hashed\nOut, and that&#8217;s why we try to break down complicated, nerdy stuff into an\nunderstandable form. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, what is PKI? 
In this post, I&#8217;ll introduce you to the\nart and science that is public key infrastructure (PKI) and everything that it\nentails.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s hash it out.<span id=\"newline\"><\/span><\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-the-key-problem-in-conventional-encryption\">The \u201cKey\u201d Problem in Conventional Encryption <\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">But before we move on to answering the \u201cwhat is PKI?\u201d\nquestion and talking about how it works, let\u2019s first consider a simple\nscenario. Let&#8217;s say there&#8217;s a spy named Alice who wants to send a confidential\npiece of information to Bob, her senior officer. She can\u2019t send this\ninformation in plaintext as enemies could easily intercept and read\/tamper with\nit. That&#8217;s why she must send this information in an unreadable form that Bob\nwill be able to decipher, but their enemies won&#8217;t. 
In other words, Alice will\nneed to encrypt the information.&nbsp; <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"303\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/12\/Primitive-Encryption-1024x303.png\" alt=\"\" class=\"wp-image-10578\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/12\/Primitive-Encryption-1024x303.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/12\/Primitive-Encryption-300x89.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/12\/Primitive-Encryption-768x227.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/12\/Primitive-Encryption.png 1251w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">But here comes a problem. If Alice locks (encrypts) the\nmessage using a key (some logic), then how will Bob decrypt it? He must have\nthe key with him, right? To give the key to Bob, there\u2019s no option other than\nmeeting with him face-to-face, which is totally impractical (to say the least)\nor to send it via courier and risk it being intercepted. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Such an encryption method is problematic not only in the\nphysical world but also in the virtual world. Symmetric encryption itself is fast; the hard part is getting the key to the other side. Every pair of parties that wants to talk needs its own shared secret, delivered over some channel the enemy can\u2019t read, and a server (for example, a bank) that communicates with millions of users would need a separate pre-shared key for every one of them. Distributing and protecting all of those keys, at the speed the web demands, is the problem that needs solving.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That&#8217;s where PKI comes in.<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"What is Public Key Infrastructure (PKI) by Securem etric\" width=\"960\" height=\"540\" src=\"https:\/\/www.youtube.com\/embed\/i-rtxrEz_E8?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-pki-changes-everything\">How PKI Changes Everything<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.thesslstore.com\/blog\/difference-asymmetric-encryption-algorithms-vs-symmetric-encryption-algorithms\/\">In addition to conventional encryption<\/a> (also known as symmetric encryption) in which the same key is used for encryption and decryption, PKI also involves the use of a key pair \u2014 a public key and a private key \u2014 in a process that\u2019s known, intuitively enough, as public key encryption (or asymmetric encryption). One of these keys encrypts information and the other decrypts it. Both these keys are distinct, but they&#8217;re mathematically related to each other. It means that the information encrypted with one key can be decrypted only using the key associated with it. The public key, as the name implies, is available publicly. The private key, on the other hand, is kept private.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, if Alice and Bob are using public key infrastructure instead of the symmetric encryption method, Alice could encrypt the secret message using Bob&#8217;s public key that she has. Bob, with his private key, is then the only person who can decrypt the message, so their enemies can\u2019t read it. Note what this does and doesn\u2019t give them, though: anyone can get hold of Bob&#8217;s public key, so a message encrypted with it tells Bob nothing about who sent it. For that, Alice uses her own key pair the other way around: she signs the message with her private key, and Bob checks the signature with Alice&#8217;s public key. If the signature verifies, Bob knows the message came from Alice and wasn&#8217;t tampered with in transit.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Quite cool, isn\u2019t it?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-popular-areas-in-which-pki-applies\">Popular Areas in Which PKI Applies<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">When answering\nthe question \u201cwhat is PKI?\u201d you need to talk not only about what it constitutes\nbut also how it\u2019s used. There are several ways that businesses and\norganizations around the world use public key infrastructure: <\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-website-security-https-ssl\">Website Security (HTTPS\/SSL) <\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The most popular <a href=\"https:\/\/www.thesslstore.com\/blog\/pki-uses-applications-examples\/\">use of PKI<\/a> is in providing secure, encrypted communication between web browsers (clients) and web servers (websites). This is done by employing the HTTPS protocol, which is implemented by installing an <a href=\"https:\/\/www.thesslstore.com\/new-to-ssl\/what-is-ssl-tls.aspx\">SSL certificate<\/a> on the web server.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The SSL\ncertificate works as the identity card of the website through which browsers\ncan verify that they&#8217;re communicating with the right website. When you obtain an SSL\/TLS certificate, you (or your server software) generate the key pair yourself; the CA never sees the private key, and the certificate it signs binds only your public key to your domain name. 
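<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here is the Alice and Bob exchange from above run in code, as an added example for this page (it is not code from the original post, and it stands in for the libraries a real client or server would use). It\u2019s written in Go because Go\u2019s standard library ships RSA-OAEP encryption and RSA-PSS signatures with no extra dependencies. The names Alice, Bob and Eve and the sample message are constructed for the demo. It separates the two things the text separates: sealing to Bob\u2019s public key keeps the message from Eve but tells Bob nothing about who sent it, while a signature made with Alice\u2019s private key and checked with her public key does. That same sign-then-verify step is what the code signing, document signing and S\/MIME sections below rely on.<\/p>

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party holds one key pair. In a real deployment the public half would be
// distributed inside a certificate; here the keys are handed around directly.
type Party struct {
	Name string
	Priv *rsa.PrivateKey
}

// NewParty generates a fresh 2048-bit RSA key pair for the named party.
func NewParty(name string) (*Party, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, Priv: key}, nil
}

func (p *Party) Public() *rsa.PublicKey { return &p.Priv.PublicKey }

// Seal encrypts msg so that only the holder of recipient's private key can read
// it (RSA-OAEP). Anyone can do this: the recipient's public key is, by design, public.
func Seal(recipient *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msg, nil)
}

// Open is the recipient's side of Seal; it fails with any other private key.
func (p *Party) Open(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.Priv, ciphertext, nil)
}

// Sign proves origin and integrity: the SHA-256 hash of msg is signed with the
// sender's private key, which only the sender holds (RSA-PSS).
func (p *Party) Sign(msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, p.Priv, crypto.SHA256, digest[:], nil)
}

// Verify checks a signature against the claimed sender's public key.
func Verify(sender *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(sender, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	alice, _ := NewParty("Alice")
	bob, _ := NewParty("Bob")
	eve, _ := NewParty("Eve") // an enemy with a key pair of her own

	msg := []byte("the drop is at midnight") // constructed sample message

	// Confidentiality: only Bob can open what was sealed to Bob's public key.
	ct, _ := Seal(bob.Public(), msg)
	pt, _ := bob.Open(ct)
	_, eveErr := eve.Open(ct)
	fmt.Printf("Bob reads %q; Eve's attempt fails: %v\n", pt, eveErr != nil)

	// Sealing says nothing about the sender: Eve can seal a forged order to Bob too.
	forged, _ := Seal(bob.Public(), []byte("abort the mission"))
	fromEve, _ := bob.Open(forged)
	fmt.Printf("Bob also reads %q, with no idea who sent it\n", fromEve)

	// Authentication: Alice signs, Bob verifies with Alice's public key.
	sig, _ := alice.Sign(msg)
	eveSig, _ := eve.Sign(msg)
	fmt.Println("Alice's signature verifies:", Verify(alice.Public(), msg, sig))
	fmt.Println("same signature on altered text:", Verify(alice.Public(), []byte("the drop is at noon"), sig))
	fmt.Println("Eve's signature checked as Alice's:", Verify(alice.Public(), msg, eveSig))
}
```

<p class=\"wp-block-paragraph\">Run it with <code>go run<\/code>. The sealed message is bound to Bob\u2019s key, not to Alice: Eve can seal a forged order to Bob just as easily, and only the signature check on the last three lines tells Alice\u2019s message apart from hers.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">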
The private key is\nstored secretly on the web server, and the server uses it during the TLS handshake to prove that it is the legitimate holder of that certificate.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"674\" height=\"577\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/01\/verified-identity-secure-website-example.png\" alt=\"What is PKI? It's about authentication and secure data. Here's a screenshot of SSL certificate information that identifies the website owner organization.\" class=\"wp-image-12018\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/01\/verified-identity-secure-website-example.png 674w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/01\/verified-identity-secure-website-example-300x257.png 300w\" sizes=\"auto, (max-width: 674px) 100vw, 674px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Through its\nuse of PKI, an SSL certificate: <\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>protects the integrity of the message, <\/li>\n\n\n\n<li>protects the information from man-in-the-middle attacks, because the connection is encrypted with keys that only the verified server could have agreed on, and <\/li>\n\n\n\n<li>authenticates the server to the browser (the browser is authenticated in turn only if the site also requires client certificates, a setup known as mutual TLS). <\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Such a\nthree-pronged approach to security is vital when you send critical information\nsuch as passwords, credit card information, private messages, etc. That\u2019s why\nit wouldn\u2019t be an exaggeration to call PKI \u201cthe bedrock of web security.\u201d<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-secure-shell-protocol-ssh\">Secure Shell Protocol (SSH)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Secure Shell\n(SSH) is a cryptographic network protocol that provides secure network services\nbetween hosts and users over an unsecured network. It&#8217;s used to facilitate a\nsecure remote login from one computer to another. 
SSH also rests on public key cryptography: every server has a host key pair, and users can log in with a key pair of their own instead of a password. Plain SSH usually does without X.509 certificates and CAs, though. The client remembers a server&#8217;s host key the first time it connects (\u201ctrust on first use\u201d), and OpenSSH has its own certificate format for organizations that want a CA to vouch for host and user keys.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-email-security-s-mime-protocol\">Email Security (S\/MIME Protocol)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Another\nsignificant use of PKI is in encrypting and digitally signing emails and\nemail communications. This is done through an internet standard known\nas S\/MIME (Secure\/Multipurpose Internet Mail Extensions), and the\ncertificates used for it are known as <a href=\"https:\/\/www.thesslstore.com\/blog\/what-you-need-to-know-about-s-mime\/\">S\/MIME\ncertificates<\/a>. <\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"902\" height=\"143\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/02\/email-signing-certificate-example.png\" alt=\"What is PKI? Here's an example of PKI in action for email signing\" class=\"wp-image-12039 addshadow\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/02\/email-signing-certificate-example.png 902w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/02\/email-signing-certificate-example-300x48.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/02\/email-signing-certificate-example-768x122.png 768w\" sizes=\"auto, (max-width: 902px) 100vw, 902px\" \/><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Like the\nSSL\/TLS protocol, here too, PKI is implemented using a certificate \u2014 but the\nway the certificate is used differs. Instead of encrypting the communication channel between two hosts,\nS\/MIME encrypts and signs the message itself, end to end, so it stays protected while it sits on the mail servers in between. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This means that S\/MIME certificates not only encrypt emails but also digitally sign them to authenticate the identity of the sender and the integrity of the message itself.<\/p>\n\n\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-secure-messaging\">Secure Messaging <\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Whether it&#8217;s WhatsApp, iMessage, Facebook Messenger, or other such messaging services, we all use communications services or apps. Many of these services are encrypted using PKI and protect against attempts of data interception and tampering. End-to-end encryption in particular is something that <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/www.washingtonpost.com\/politics\/2019\/07\/29\/trump-administration-wants-be-able-break-into-your-encrypted-data-heres-what-you-need-know\/\" target=\"_blank\">many governments would like to do away with<\/a>, though companies such as Apple, Microsoft, and Facebook are holding firm in their plans to implement it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-document-signing\">Document Signing <\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Like physical signatures to authenticate physical documents, there&#8217;s a need to sign documents digitally. For one, it helps the recipient ensure that the message is coming from a verified entity; it also allows them to ensure it&#8217;s not been tampered with. 
This is also done by PKI using document signing certificates.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"559\" height=\"359\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/02\/image.png\" alt=\"\" class=\"wp-image-12049\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/02\/image.png 559w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/02\/image-300x193.png 300w\" sizes=\"auto, (max-width: 559px) 100vw, 559px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-code-app-signing\">Code\/App Signing <\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Millions of users <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/www.businessofapps.com\/data\/app-statistics\/\" target=\"_blank\">download millions of applications<\/a> on computers and mobile devices every single day. Development companies or individuals create these programs. But what&#8217;s the guarantee that the software you&#8217;re installing is from the company\/individual that you think it&#8217;s from? Can&#8217;t someone just change the name of the file and disguise malicious software as the software? Yes. And that\u2019s a very real concern for everyone. Well, that&#8217;s where code signing certificates come in.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/comodosslstore.com\/resources\/wp-content\/uploads\/2019\/07\/VerifiedPublisherWindow.png\" alt=\"Windows Authenticode code signing certificate, used properly, shows a verified publisher message.\" class=\"wp-image-1275\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">A code signing\ncertificate authenticates the identity of the developer or publisher and the\nintegrity of the file. This lets the operating system or package manager, rather than the user&#8217;s eyes, check that the software\nhasn\u2019t been altered since it left the publisher. It does this by\nhashing the file with a one-way hash and applying a <a href=\"https:\/\/www.thesslstore.com\/blog\/digital-signatures-why-you-should-sign-everything\/\">digital\nsignature<\/a> to that hash with the publisher\u2019s private key; the verifier recomputes the hash, checks the signature with the public key in the certificate, and checks that the certificate chains to a CA it trusts. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-pki-101-certificates-keys-certificate-authorities\">PKI 101: Certificates, Keys, &amp; Certificate Authorities<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Many people ask us, \u201cWhat exactly is PKI?\u201d Well, the answer is quite simple: it\u2019s a system that\u2019s used for encryption and authentication purposes and isn\u2019t so much a specific product\/software. Therefore, it needs some material basis to implement encryption. This comes in the form of a variety of technologies (hardware and software), entities (such as <a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-a-certificate-authority-ca-and-what-do-they-do\/\">certificate authorities<\/a>, which we\u2019ll speak to more later), processes, policies, and procedures. This system facilitates and governs encryption and everything that makes it possible \u2014 everything from the basics of public keys and digital certificates to the management of them and understanding the CAs that issue and revoke them. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Consequently,\nwe can say that the public key infrastructure is made of three main elements:\nkey pairs, X.509 digital certificates, and certificate issuing authorities. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Now that we\nunderstand key pairs, let\u2019s understand the other two crucial components of the\nPKI \u2014 digital certificates and certificate authorities (CAs).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-digital-certificates\">Digital Certificates <\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">A digital\ncertificate is a signed data structure (in PKI, an X.509 certificate) through which we implement the various security\napplications of public key infrastructure (PKI). In simpler words, it\u2019s a\ndocument that binds a public key to the identity of its owner. 
It consists of the public key itself, information about the identity of its owner (such as a domain name or an organization), a validity period, and the digital\nsignature of the certificate authority that issued it. There are several different types of\ndigital certificates, which, you may notice, correspond to the popular uses of PKI\nthat we covered above. Here are some of the types of X.509 digital\ncertificates that you can find within the PKI infrastructure:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SSL\/TLS certificates<\/li>\n\n\n\n<li>S\/MIME certificates<\/li>\n\n\n\n<li>Code signing certificates<\/li>\n\n\n\n<li>Client authentication certificates<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-certificate-authorities\">Certificate Authorities <\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s\nunderstand a simple scenario. If Alice wants to send Bob an encrypted\nmessage, she can get his digital certificate, encrypt the information using its\npublic key and send him a secure message. But here comes a potential problem: How\ncan Alice be sure that it\u2019s actually Bob who owns the certificate and the\npublic key she used? What if she actually sends a message to an enemy spy who\u2019s\njust claiming to be Bob? <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here come certificate\nauthorities (CAs) to the rescue!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Certificate\nauthorities are the trusted third-party entities that issue and manage digital\ncertificates. They\u2019re the most crucial entity in PKI since millions of users \u2014\nknowingly or unknowingly \u2014 are going to rely on them. That trust is anchored in a small set of root certificates pre-installed in your browser or operating system: a certificate is accepted if its signature chains back to one of those roots, and rejected otherwise, no matter what name it claims. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Before issuing\na digital certificate, a CA is supposed to conduct a vetting process to make\nsure that it issues the certificate to a legitimate entity. Even just a small\nmistake in the vetting process could result in a mis-issuance and cause a\ndisaster not just in terms of the damage, but also in terms of the overall\ntrust in the system that is PKI. 
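<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To make the CA step concrete, here is a toy PKI written in Go as an added example for this page (not code from the original post or from any real CA): a root CA issues a certificate for bob.example, and Alice\u2019s trust store decides which certificates she accepts. The names Hashed Out Demo Root, Enemy Root, bob.example and mallory.example are made up for the demo, and the keys are generated fresh on every run; the verification call is the same one Go\u2019s own TLS client uses. It shows the three outcomes this section describes: a certificate from a trusted CA for the right name passes, the same certificate presented for another name fails, and a certificate that claims to be bob.example but was signed by a CA Alice doesn\u2019t trust is rejected.<\/p>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate for pub with the parent's key. When parent == tmpl
// the result is self-signed, which is how a root CA mints its own certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewRootCA creates a root CA key pair and its self-signed certificate.
func NewRootCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// IssueServerCert is the CA's "vet, then sign" step for one DNS name: the
// subject's public key and identity are bound together by the CA's signature.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string, subjectPub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return issue(tmpl, ca, subjectPub, caKey)
}

// Verify does what a browser does with a site certificate: build a chain from
// the leaf to a root in the trust store and check the name the user asked for.
func Verify(leaf *x509.Certificate, roots *x509.CertPool, dnsName string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   dnsName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	trustedCA, trustedKey, _ := NewRootCA("Hashed Out Demo Root")
	rogueCA, rogueKey, _ := NewRootCA("Enemy Root")

	bobKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	bobCert, _ := IssueServerCert(trustedCA, trustedKey, "bob.example", &bobKey.PublicKey)

	// The enemy spy's key, in a certificate that merely claims to be bob.example.
	eveKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	eveCert, _ := IssueServerCert(rogueCA, rogueKey, "bob.example", &eveKey.PublicKey)

	// Alice's trust store holds only the root she actually trusts.
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)

	fmt.Println("genuine cert, right name:   ", Verify(bobCert, roots, "bob.example"))
	fmt.Println("genuine cert, wrong name:   ", Verify(bobCert, roots, "mallory.example"))
	fmt.Println("enemy cert claiming to be bob:", Verify(eveCert, roots, "bob.example"))
}
```

<p class=\"wp-block-paragraph\">The first line prints <code>&lt;nil&gt;<\/code>; the other two print a hostname error and an &#8220;unknown authority&#8221; error. Nothing about the enemy certificate is malformed: it is rejected purely because its issuer isn\u2019t in Alice\u2019s trust store, which is the whole job a CA does.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">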
Therefore, to be a publicly trusted CA, you must meet the stringent Baseline Requirements set by the CA\/Browser Forum (or CA\/B Forum\nfor short), a voluntary consortium of certificate authorities and the vendors of browsers and operating\nsystems; pass regular independent audits (WebTrust or ETSI) against them; and be admitted to each vendor\u2019s root program. On top of that, you need a multi-million dollar infrastructure that\nincludes sizeable operational elements, hardware, software, policy frameworks,\npractice statements, auditing, security infrastructure, and personnel.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-advantages-of-public-key-infrastructure\">Advantages of Public Key Infrastructure<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">With all of\nthis in mind, there are multiple advantages of using public key encryption as\npart of your public key infrastructure. What are they? Oh, I\u2019m so glad you\nasked\u2026 <\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-authentication\">Authentication<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">In the age\nwhen fraudsters and scamsters are trying every trick in the book to fool users,\nauthentication\/validation becomes an out and out necessity. When you&#8217;re\ntransmitting information through a website, an email, or text messages, making\nsure that you&#8217;re communicating with the intended entity is a must. Thanks to the\nvetting process conducted by a certificate authority and the use of the private\nand public key, PKI facilitates authentication in an unprecedented, smooth way.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-privacy\">Privacy <\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">One of the\nessential security elements when it comes to online communication is privacy.\nAfter all, nobody wants to disclose their passwords, credit card information,\nor cute cat photos. 
By encrypting the data between the sender and the\nrecipient, PKI keeps the original data secure so that only the intended\nrecipient can see the data in its original format.&nbsp; <\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-data-integrity\">Data Integrity <\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">When you send\nsensitive information online, it\u2019s imperative for both parties that the\nrecipient receive the data in unaltered form. Through a technique called\n\u201chashing,\u201d combined with a digital signature over the hash, PKI allows the recipient to check whether the message\/document\/data\nhas remained in the same form or not. (A hash on its own isn\u2019t enough: an attacker who changes the data can recompute the hash just as easily. It\u2019s the signature over the hash, which only the holder of the private key can produce, that an attacker can\u2019t fake.) <\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-non-repudiation\">Non-Repudiation<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">PKI provides a\nmechanism to digitally sign online transactions (files, emails, documents,\netc.), the way we physically sign documents and stuff. This way, it acts as proof\nthat the person who signed it is the originator of the data. And, therefore, as long as the private key stayed under the signer\u2019s sole control, it\nalso makes it very hard for the sender to plausibly deny that he\/she was the one who\nsigned and sent it. This is called &#8220;non-repudiation.&#8221;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-disadvantages-of-public-key-infrastructure\">Disadvantages of Public Key Infrastructure<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">While there\nare many advantages of public key infrastructure and the encryption it\nprovides, we\u2019ll admit \u2014 it\u2019s not perfect. There are some specific disadvantages\nas well that are worth noting:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-speed\">Speed <\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">PKI is an extremely secure process that delivers what it&#8217;s supposed to. A large part of the credit goes to the key pair and super-complex mathematical algorithms. However, public key operations are orders of magnitude slower than symmetric ones, which is why protocols such as TLS use the key pair only to authenticate the server and agree on a session key, and then encrypt the bulk data symmetrically. As a result, the extra cost shows up mainly as a few milliseconds of latency at the start of each connection, and measurements such as KeyCDN\u2019s put the CPU difference between <a href=\"https:\/\/www.keycdn.com\/blog\/https-performance-overhead\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">encrypted connections and unencrypted connections<\/a> at around 2%. That difference is small, and features such as session resumption and HTTP\/2 (which browsers only support over TLS) usually more than make up for it. <\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-private-key-compromise\">Private Key Compromise <\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The\nmathematics behind PKI is supposed to be so strong that even <em>super-computers<\/em>\n(let alone hackers) aren\u2019t able to crack it within a practical time. However,\nthe entire PKI security doesn\u2019t depend on the unconquerable mathematics; it\nalso depends on the security of the private key as it can decrypt the data\nencrypted by the public key.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Therefore, if the private key gets compromised, a cybercriminal doesn&#8217;t need to crack the super-complex mathematical algorithms. With an RSA key exchange they can decrypt recorded traffic from the past as well as the future; with forward-secret cipher suites (ephemeral Diffie-Hellman, which TLS 1.3 makes mandatory) past sessions stay safe, but the attacker can still impersonate the server to fool clients until the certificate is revoked and replaced. This could result in organizational secrets, passwords, financial information, etc. being compromised. In other words, it could cause unprecedented disasters. This is a significant cause for concern while using PKI.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-reliance-on-certificate-authorities\">Reliance on Certificate\nAuthorities <\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">PKI is not a\ntechnology; it&#8217;s a system. 
And like every other system, it has components. One\nof the key components of PKI is the certificate authorities who issue the\ncertificates. As we saw earlier, CAs are supposed to conduct a vetting process\nand sign digital certificates to make sure that certificates are issued only to\nthe legitimate people\/organizations. But if, for some reason, a CA gets\ncompromised or is tricked into mis-issuing, certificates can be minted for any domain, and everyone who trusts that CA will accept them. That could cause security mayhem for millions of people and\norganizations worldwide.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-pki-works-in-ssl-tls\">How PKI Works in SSL\/TLS<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">There are more than <a href=\"https:\/\/www.statista.com\/statistics\/617136\/digital-population-worldwide\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"4.5 billion internet users (opens in a new tab)\">4.5 billion internet users<\/a> in the world, and all of them use PKI through SSL\/TLS, even if they might not be aware of it. As you&#8217;re reading this sentence right now, your browser and our server are protecting the data they exchange with keys they agreed on through a <a href=\"https:\/\/www.thesslstore.com\/blog\/how-pki-works\/\">PKI<\/a> process known as an &#8220;SSL\/TLS handshake.&#8221; Let&#8217;s explore this process in a bit more detail:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">1. First, when\nthe client (browser) visits the web server upon request by the user, the client\nsends the server its supported <a href=\"https:\/\/www.thesslstore.com\/blog\/cipher-suites-algorithms-security-settings\/\">cipher suites<\/a>, the SSL\/TLS versions it supports, and a random value to\ninitiate the connection. This is regarded as a &#8220;client hello&#8221;\nmessage.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">2. In return,\nthe web server picks a cipher suite and SSL\/TLS version from the client\u2019s list, and\nsends its certificate (together with the intermediate certificates that chain it to a root) and its own random value to the client along with the &#8220;server\nhello&#8221; message.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">3. On\nreceiving the certificate, the client (browser) validates it: the signature chain must end at a root in the browser\u2019s trust store, the current date must fall within the validity period, the certificate must cover the domain name being visited, and it must not have been revoked. If the\ncertificate is found to be valid, the browser generates a random &#8220;pre-master secret,&#8221; encrypts it with the public\nkey from the SSL\/TLS certificate, and sends it to the server.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">4. In return,\nthe web server decrypts the pre-master secret with its private key. Only the holder of the private key can do this, which is what proves to the browser that the server is the legitimate owner of the certificate.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">5. Now, both the\nclient and the server derive the same session keys from the client random, the server\nrandom, and the pre-master secret. From here on, the connection is protected with fast symmetric encryption under those keys.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">6. The client\nsends the \u201cfinished\u201d message, encrypted with the session key; it contains a hash of every handshake message so far, so the server can detect any tampering with the negotiation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">7. The server\nsends its own \u201cfinished\u201d message, encrypted with the session key, and the client checks it the same way.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Once all of\nthe above steps are done and the SSL\/TLS handshake process is complete, a\nsecure connection is established between\nthe client and the server.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>Voila!<\/em> That\u2019s it. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">(<strong>Note: <\/strong>The\nabove handshake describes the RSA key exchange of TLS version 1.2. Most TLS 1.2 deployments today use an ephemeral (EC)DHE key exchange instead, where the server signs its key-exchange parameters with the certificate\u2019s private key rather than decrypting a pre-master secret, so that a later compromise of that key can\u2019t expose recorded traffic. Although the process is quite\ncomplex, we\u2019ve simplified it here for better understanding. <a href=\"https:\/\/www.thesslstore.com\/blog\/explaining-ssl-handshake\/\">Check out this post<\/a> for an in-depth look at the SSL\/TLS\nprocess. 
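<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The handshake above, run end to end in Go as an added example for this page (not code from the original post): a client and a server on a loopback TCP port do a real TLS handshake using Go\u2019s standard library, and the code reports what each side learned. The server presents a throwaway self-signed certificate for bob.example, constructed for the demo in place of a CA-issued one; the client trusts it by placing it in its own trust store, exactly as a browser trusts a root. Go negotiates TLS 1.3 here, so the key exchange is ephemeral rather than the RSA one walked through above, but the certificate\u2019s role is unchanged: the client checks the chain and the name, and the handshake fails before any data flows if the trust store doesn\u2019t contain the issuer. The server\u2019s view also shows that it received no certificate from the client, which is why TLS on its own authenticates only the server.<\/p>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Result is what the two ends learned from one handshake.
type Result struct {
	Client tls.ConnectionState // the browser's view: version, cipher suite, the server's chain
	Server tls.ConnectionState // the server's view: note the empty PeerCertificates
}

// serverIdentity mints a throwaway self-signed certificate for "bob.example"
// (constructed for this demo; a real server presents a CA-issued chain) and
// returns it as a tls.Certificate plus a trust store that contains it.
func serverIdentity() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "bob.example"},
		DNSNames:     []string{"bob.example"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, roots, nil
}

// Handshake runs a full TLS handshake over a loopback TCP connection. The
// client authenticates the server against clientRoots; the server asks for no
// client certificate, so the client stays anonymous.
func Handshake(serverCert tls.Certificate, clientRoots *x509.CertPool) (Result, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0") // ephemeral loopback port
	if err != nil {
		return Result{}, err
	}
	defer ln.Close()

	serverState := make(chan tls.ConnectionState, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			return
		}
		server := tls.Server(raw, &tls.Config{
			Certificates: []tls.Certificate{serverCert},
			MinVersion:   tls.VersionTLS12,
		})
		defer server.Close()
		if err := server.Handshake(); err != nil {
			return // e.g. the client rejected our certificate and sent an alert
		}
		serverState <- server.ConnectionState()
	}()

	client, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:    clientRoots,
		ServerName: "bob.example", // the name the client expects the certificate to cover
		MinVersion: tls.VersionTLS12,
	})
	if err != nil {
		return Result{}, err // validation failed: no session keys were ever agreed
	}
	defer client.Close()
	return Result{Client: client.ConnectionState(), Server: <-serverState}, nil
}

func main() {
	cert, roots, err := serverIdentity()
	if err != nil {
		panic(err)
	}

	// Trust store contains the server's issuer: the handshake completes.
	res, err := Handshake(cert, roots)
	if err != nil {
		panic(err)
	}
	fmt.Printf("version %#x, cipher suite %#x, server cert for %v, chain verified: %v\n",
		res.Client.Version, res.Client.CipherSuite,
		res.Client.PeerCertificates[0].DNSNames, len(res.Client.VerifiedChains) > 0)
	fmt.Printf("server saw %d client certificates (only the server was authenticated)\n",
		len(res.Server.PeerCertificates))

	// Empty trust store: validation fails and the connection is torn down.
	_, err = Handshake(cert, x509.NewCertPool())
	fmt.Println("with an empty trust store:", err)
}
```

<p class=\"wp-block-paragraph\">The last line prints an &#8220;unknown authority&#8221; error from the client: the server sent a perfectly well-formed certificate, but the client had no root to chain it to, so it aborted before any application data was sent. Add a <code>ClientAuth<\/code> setting and a client certificate to the server config and you have the mutual TLS mentioned earlier, where the server\u2019s view would list the client\u2019s certificate too.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">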
It\u2019s also important to note that <a href=\"https:\/\/www.thesslstore.com\/blog\/tls-1-3-everything-possibly-needed-know\/\">TLS\n1.3<\/a> is now in use. It keeps the same roles for the certificate and the private key, but removes the RSA key exchange altogether, always uses an ephemeral key exchange, and completes the handshake in one fewer round trip; TLS 1.2 was still more commonly used as of the original\nwriting of this article.)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-final-word\">Final Word<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">We think we\u2019ve\nthoroughly answered your question \u201cwhat is PKI?\u201d As you now know, public key\ninfrastructure is the stone wall that keeps the cybercriminals at bay from our\nemails, passwords, financial details, personal messages, etc. It&#8217;s what forms\nthe bedrock of today&#8217;s web security \u2014 and it&#8217;s impossible to imagine a world\nwithout it, considering that PKI keeps us secure from many fronts. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Is PKI unbreakable? No, it has scope for improvement; and that\u2019s why, time after time we see changes in the PKI ecosystem. <a href=\"https:\/\/www.thesslstore.com\/blog\/digicert-leads-initiative-to-enhance-ev-ssl-certificates\/\">The world\u2019s leading certificate authorities are pro-active and are always looking for ways to improve our security.<\/a> It\u2019s safe to say that we\u2019re in the best hands.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ever wonder what public key infrastructure (PKI) is and how it works? 
It\u2019s only one of the most critical systems used to ensure authentication, data integrity, and privacy\u2026 The world&#8230;<\/p>\n","protected":false},"author":10,"featured_media":12051,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":1,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[130,16,10200],"tags":[228],"class_list":["post-12038","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-everything-encryption","category-hashing-out-cyber-security","category-monthly-digest","tag-pki","post-with-tags"],"views":52303,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/02\/public-key-infrastructure.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/12038","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=12038"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/12038\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/12051"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=12038"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=12038"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.th
esslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=12038"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}