PKI (Public Key Infrastructure) is a system of processes, technologies, and policies that governs the asymmetric encryption of data. It governs the issuance of PKI-based certificates which in turn safeguards sensitive data and provides identity assurance and access management in the digital ecosystem. In a nutshell, PKI technology directs everything that encompasses asymmetric encryption to ensure end-to-end security and integrity in the digital ecosystem.
As a part of PKI implementation, X.509 certificates and asymmetric keys are issued which act as the cornerstone of this technology. These PKI-based certificates are akin to a driver’s license or any other identity proof for the digital world. Consequently, PKI may refer to any software, policy, process, or procedure that may be employed while configuring and managing those certificates and keys.
Some of the most common examples of PKI implementation can be found in SSL certificates, S/MIME certificates, Code Signer Certificates, Digital Signature Certificates (DSC), and authentication for Internet of Things (IoT) devices.
Public Key Infrastructure has a long history of safeguarding the digital ecosystem with two primary objectives, first, ensuring the confidentiality of data transmitted. Second, authenticating the sender.
Let us look at how PKI work, the importance, challenges and use cases of PKI implementation.
Understanding PKI: Building Blocks of Public Key Infrastructure
To understand how PKI works, it is crucial to revert to the basic components of PKI technology that make up this technology. With encryption at its core, a cryptographic algorithm is the building block. It is a highly defined, complex mathematical formula governing encryption and decryption. PKI uses asymmetric encryption algorithms, which deploy two different cryptographic keys- a private key and a public key.
PKI utilizes public keys linked to a digital certificate, which in turn attaches a digital identity to the device or the user. Digital certificates are issued by a trusted source, a certificate authority (CA), and act as a type of digital passport to ensure sender authentication.
Components of PKI
- Public Key
- Private Key
- Public key certificate
- Certificate Repository
- Certifying Authority
- Registration Authority
- Certificate Lifecycle Management
How Does PKI (Public Key Infrastructure) Work?: Asymmetric Encryption
Public and private keys, also known as asymmetric keys are the most vital components of PKI. These are used for encryption and decryption of the transmitted information respectively. To understand the implications of private and public keys, let us delve a little deeper into the technicalities of asymmetric encryption.
As we know, Public Key Cryptography uses two separate keys for encryption and decryption i.e, public and private keys. A public key’s information is available openly online, but the data can only be decrypted using the private key of the receiver. Another fascinating aspect to keep in mind is, while a public key can be generated from the private key, the vice versa does not hold true.
Let us look at an example. If (A) wants to send a private message to (B). (A) will use the public key of (B) to encrypt the message that can be only decrypted by the private key of (B). Thus, securing the integrity of the message.
Most PKI deployments today use the RSA/SHA-1 algorithms for encryption and decryption. This algorithm functions by generating two random prime numbers of 1024 bits. The prime numbers are multiplied, and the product of these prime numbers is the public key, while the multiplicand is the private key.
The Role of Digital Certificates in PKI
A major challenge that asymmetric encryption faces are, verifying that the public key received by the sender belongs to the receiver (any deviation can lead to a man-in-middle attack). This is where digital certificates come into play. Issuance of PKI-based digital certificates confirms the digital identity of people, devices, or applications who owns private key and their parallel public key.
In layman's terms, digital certificates attach a verifiable identity to the entity ensuring confidence in the communication channels. Digital certificates are also known as X.509 certificates or PKI certificates, the following are some of the criteria to be classified as a digital certificate.
- Must contain verifiable identity details
- Must ensure the integrity and authenticity of the information
- Must have a trackable audit trail
- Must contain the date of issuance and date of expiration, i.e. must have a limited lifecycle
- Is issued from a trusted third party, Certifying Authority (CA)
- Must go through a validation process
Certifying Authority: Role, Hierarchies, and Layers of Trust
A certifying authority (CA) like eMudhra is a globally trusted body and issues digital certificates, policies, practices, and procedures for the issuance of certificates. CA defines the vetting procedure, the type of certificate issued, the information contained, and the security and operations of the digital certificate to be issued.
Certificate Issuance Process
Since PKI is heavily reliant on asymmetric encryption, mentioned below is a simplified jest of the certificate issuance process followed by a CA.
- The user sends a Certificate Signing Request (CSR) along with the distinguished name (DN, acting as a unique identifier), a public key, and a user signature
- The CA vets the details provided
- The issuing CA validates the request and signs the certificate with the CA’s private key
- A digital certificate is issued with a distinguished name, public key, CA's name, and the signature of the certificate authority
- You can store this signed certificate
CA Hierarchy and Layers of Trust
Hierarchy and segmentation apply both to administration and the role of a certifying authority creating layers of trust. The Root CA sits at top of the CA hierarchy followed by issuing CA in the 2-tier system, while the 3-tier system has a Policy CA as an intermediate between root and issuing CA. While an issuer and a user of digital certificates are two different bodies, root CAs are the exception, acting as a self-authorized body. Thus, an inherent trust is placed in Root CA and any certificate that traces back to it.
Thus, security is of paramount importance for Cas and any security breach can lead to fraudulent certificate issuance. The impact of a security breach is even higher when you move up the hierarchy. An important point to note here is that root CAs cannot revoke a certificate, thus creating an even more severe impact of a security breach. Additionally, root certificates have an extended life cycle of 15-20 years compared to the issuing CA lifecycle of 7-12 years.
It can be concluded that a two-tier CA hierarchy is sufficient to provide integrity and security in the digital ecosystem as additional tiers lower the usability and scalability of PKI due to a subsequent surge in the complexity of the policies and procedures governing the PKI.
Certificate Lifecycle Management (CLM): Issuance, Revocation and Renewal of Digital Certificates
As digital certificates are at the center of the PKI ecosystem, management of these certificates is vital for the smooth functioning of the PKI ecosystem. But what is certificate management and how does it work?
All certificates issued using the PKI technology have a limited lifecycle and expire after a particular time period. The revocation of expired certificates, renewal of existing certificates, and issuance of new certificates are what comes under the blanket domain of Certificate Lifecycle Management (CLM).
Now the question is how can you verify if a certificate is revoked for any given reason? Well, every CA has a revocation list of certificates that have either been irreversibly revoked or have been marked as temporarily invalid. Maintaining this extensive list is one of the key responsibilities of a CA. This list is known as Certificate Revocation List (CRL).
CAs also maintain a certificate repository which essentially is a searchable storage facility for signed certificates. It is often equipped with LDAP (Lightweight Directory Access Protocol) that maintains the certificate validity details, revocation lists, and root certificates.
Why is PKI Important in Today’s Digital Era and How Does it Increase Digital Trust?
The importance of PKI in today’s day and age cannot be undermined. With rapid propulsion towards digital transformation which includes process digitization, we are exposed to potential threats more than ever before in history, thus mandating the need for a water-tight security solution. PKI’s identity-first approach to security is what is needed at the enterprise and individual levels.
The need for a strong PKI-based solution can be traced back to the mid-1990s when the biggest use case for PKI was to issue certificates to eCommerce websites followed by the need for access management to multiple devices, usually through a VPN, which obligated authenticating devices and secure remote user access to systems.
Today, the population of IoT devices has well surpassed the human population and at the core of all these devices is enhanced connectivity which needs to be protected, authenticated, and be able to get firmware updates.
Where is PKI Used?
The following are some of the use cases where PKI can be applied to achieve secure digital transformation:
- Websites and applications
- Device authentication (smart watches, routers, health monitoring devices, Mobile, and other IoT devices, etc.)
- Cloud applications
- Passwordless Shell Access to Machines (SSH)
- Multi-factor Authentication (MFA) for VPN or private network access
- Wi-Fi Protected Access
- Mutual authentication for secure web applications (MTLS)
- Email security
Industry-Based Use Cases of PKI
The following are the industries that have the highest volume of PKI deployment.
- Government and Defense
- Telecom & IT
Best Practices for PKI Management
Establishing and managing an ideal PKI system would involve an impeccably managed infrastructure. Here are some considerations to keep in mind:
- Maintaining a Certificate Inventory: It is a part of maintaining a robust certificate lifecycle management suite. The active directory acts as a centralized inventory where every certificate can be mapped to the endpoint. It helps in streamlining the renewal, revocation and issuance process.
- Protecting private keys: Maintaining the integrity of the private key is one of the key factors ensuring optimal PKI deployment as a compromised private key can sabotage the PKI ecosystem. One of the best practices to protect the private key is to install Hardware Security Modules (HSMs) that are FIPS 140-2 compliant. A Private key must undergo automated rotation within the HSM to ensure minimal human intervention, thus lowering the chances of mishandling.
- Opting for a trusted CA as a PKI solution provider: It is always advised to opt for a globally trusted CA as a PKI solution provider as opposed to a self-signed CA. One of the major differentiators between the two is the global compliance provided by the former. A globally accredited CA also ensures enhanced security, improved credibility as well as a simplified centralized document management system.
- Practicing crypto agility: The concept of crypto agility is the ability to efficiently manipulate the PKI constituents. This concept revolves around the effective switch between certificates, streamlining and speeding up the enrollment/renewal/revocation processes with CAs along with updating and switching outdated protocols in response to changes in security requirements, attacks, or other factors that may affect the system security.
- Conducting periodic audits: It ensures adherence to CP (Certificate Policy) and CPS (certificate Policy Statement) thus reinforcing the trust in the PKI ecosystem. Regular audits also ensure the lowered potential threat of data exploitation.
Public Key Infrastructure (PKI) Solutions Video Guide
PKI (Public Key Infrastructure) Solutions: Why Choose eMudhra?
eMudhra is a global trust provider. We specialize in offering PKI solutions for enterprises in both the public and private sectors. We at eMudhra prioritize delivering trust in the digital ecosystem through our identity-first security approach. Services offered by eMudhra can seamlessly deploy and manage trusted identities for people, devices, and services, further reinstating the information security of an organization. As a global CA, we offer X.509 certificates, a comprehensive certificate lifecycle management suite, on-device key management suite, whereas our global trust services offering includes SSL certificates, IoT certificates, Code Signer Certificates, S/MIME certificates, certificates for signing and encrypting for individuals, and PKI consultation and deployment for establishing Certifying Authorities.
- Empowering Security and Digital Transformation in Defense
- Securing Internet of Things using Public Key Infrastructure
- The Foundational Relation between PKI and EMV Payment Cards explained!
- How is PKI Technology Safeguarding Smart Cars?
- Securing IoT Devices at Scale: PKI for IoT Identity
- PKI for ePassport: An Ecosystem Built on Technology, Trust & Compliance