PKI: The Invisible Shield Behind Internet Security

From signing into websites to logging into bank account applications and exchanging documents over a network, Public Key Infrastructure ensures the secure communication of systems, devices, and applications.

PKI ensures data integrity and confidentiality by properly verifying users and devices to prevent unauthorized access and cyberattacks.

This article aims to break down PKI and its significance in securing communication over digital devices and networks.

Public key infrastructure is a framework that combines software, hardware, policies, and procedures to assign, identify, verify, and revoke users and devices via digital certificates to secure digital communications.

PKI is a form of internet encryption that secures and authenticates traffic between end-to-end communication, such as web browsers and web servers, over a public or private network. The two main purposes of PKI are to ensure data security and verify the sender's legitimacy.

The relationship between Encryption and Public Key

Data encryption uses cryptographic algorithms, categorised into symmetric and asymmetric encryption methods, to secure data. Encryption is a process whereby plaintext is converted into ciphertext to secure communication

A symmetric key algorithm uses a single key to encrypt and decrypt data. On the other hand, asymmetric cryptography uses a public key to encrypt and a private key to decrypt.

A public key is a numerical value created using an asymmetric algorithm to encrypt data. The public key is shared openly with anyone who wants to send you encrypted data. In other words, anyone can use your public key to send you a secure message.

When data is received, it can be read or decrypted with the private key that only you can access.

Purpose of PKI: Securing communication.

Public Key Infrastructure (PKI) secure communication between a network and devices ensuring confidentiality, integrity, and data access control. It creates trust between these networks, services, and devices, ensuring that data remains authentic and trusted.

The purpose of Public Key Infrastructure (PKI) is to verify users' identity using digital certificates, ensuring that only authorised users have access to systems and networks, preventing them from malicious activities, and cyber threats.

What is a Public Key Certificate?

A Public Key Certificate, also called a digital certificate, is an electronic document that verifies the identity of a user, device, or service within a Public Key Infrastructure.

A PKI certificate typically includes;

• Distinguished name (Owner name)
• Owner's public key
• Date of issuance
• Expiration date
• Distinguished name of the certificate authority
• Issuing a certificate authority's digital signature

There are different types of PKI certificates, including;

TLS/SSL Certificates: Transport Layer Security (TLS), commonly referred to as Secure Sockets Layer (SSL), is a protocol used to secure internet communication. TLS/SSL certificates are used to encrypt data exchanged between a user's browser and a web server, ensuring data is transmitted securely and cannot be modified or stolen by unauthorized parties.

**Code Signing Certificates: A code signing certificate is a public key certificate used to sign software, ensuring its integrity and authenticity.

It contains the publisher's public key, identity details, and digital signature from a Certificate Authority. Developers use their private key to sign the code, and end users use the associated public key to verify the signature.

When users download software, their browser or operating system may validate the signature to ensure it has not been altered since it was signed.

Document Signing Certificates: Document Signing Certificates are used to sign electronic documents to verify their source. These certificates ensure that both parties signing a contract digitally can confirm that the document is authentic and trustworthy.

Verified Mark Certificates (VMC): A Verified Mark Certificate is a digital certificate that displays a brand-registered logo next to the brand or sender's name in supported email clients. This helps recipients identify trusted brands, enhancing email authenticity. In other words, VMS focuses on enhancing brand trust using the visual identity.

Email S/MIME (Secure/ Multipurpose Internet Mail Extensions) Certificates: S/MIME certificates are used to secure email communication. They ensure that emails are encrypted, allowing only the intended recipient to read their contents, and digitally sign to verify the authenticity and integrity of the message.

For example, the sender signs the email with their private key, and the recipient verifies the signature with the sender's public key. To send an encrypted reply, the recipient uses the sender’s public key to encrypt the message, which the sender can then decrypt using their private key.

This process prevents spoofing, protects sensitive information, and builds trust in email communication.

EU Qualified Certificates: EU qualified certificates are public key certificate that adhere to stricter legal and technical requirements under eIDAS (Electronic, Identification, Authentication and Trust Services) regulation in the European union.

They are issued by a Quality Trust Service Provider (QTSP) , and are used to support qualified trust services such as qualified electronic seals. These seals verify the identifying of the entity ensuring documents remains unchanged with after seal is applied.

PSD2(Payment Service Directive) certificates: PSD2 corticates are digital certificate used to secure and authenticate communication between banks and third-party providers (TPPs) under EU's Revised Payment Services Directive to ensure authentication, and trust in financial transactions.

The two main types of PSD2 certificates are:

QWAC (Qualified Website Authentication Certificate): Used to authenticate third-party providers and establish secure communication channels. It ensures the trustworthiness of online transactions by verifying website's identity.

QSealC (Qualified Electronic Seal Certificate): This is used to seal data digitally, ensuring its integrity and non-repudiation (proving data hasn't been altered)

How does PKI work?

PKI (Public Key Infrastructure) enables organizations to request digital certificates issued by a Certificate Authority. A digital certificate proves the authenticity of an entity such as a user, device, or server.

When an organization generates a CSR (Certificate Signing Request), it is sent to a Registration Authority (RA), which verifies the identity of who makes the request and confirms this to the Certificate Authority, which will issue the digital certificate

The process is divided into:

Enrolment: Involves submitting a request to the Certificate Authority. The request includes a public key and identity information, like a domain name, to prove identity to the Certificate Authority or Registration Authority.

Verification: The Certificate Authority or Registration Authority verifies identity, and after successful verification, the Certificate Authority issues a digital certificate that contains the entity's public key identity information, Certificate Authority digital signature, and expiration data, etc

Certificate Validation: The recipient verifies the Certificate Authority's digital signature, certificate validity status, and verifies that the certificate has not been revoked. Certificates can be revoked if the private key is compromised, if the certificate was issued incorrectly, if the certificate has expired, or if the identity of the entity has changed.

Key components of a public key infrastructure include the following;

Certificate Authority: Certificate Authority is a trusted entity that issues, stores, and signs digital certificates. It uses its private key to sign digital certificates, which can be verified using the Certificate Authority's public key.

Registration Authority: The registration authority is responsible for verifying the identity of users, devices, or organizations that require digital certificates. It works alongside the certificate authority by forwarding validated requests to the certificate authority.

The Certificate Authority can act as a Registration Authority, or the Registration Authority can be a separate third party focusing only on identity verification.

Certificate Database: This is a database or repository that stores and manages individual digital certificates along with metadata such as the valid period of the certificate, revocation status, etc.

Certificate Management System: These are protocols used to manage digital certificates in an organized manner, including access control, creation, distribution, storage, and revocation.

Central Directory: A central directory is a location where cryptographic keys are indexed and stored securely.

Certificate Policy: This is a public document that defines rules, practices, and standards of the Public Key Infrastructure. It helps third parties determine whether the certificates issued under PKI can be trusted.

Benefits of PKI

Several benefits of Public Key Infrastructure include the following;

Data Confidentiality and Integrity: PKI ensures that information is accessible only to authorized parties. It supports encryption, which protects communication and ensures that data in transit is not tampered with.

Digital Signatures: Digital signatures verify the authenticity and integrity of data. PKI enables digital signatures by providing cryptographic keys and certificates required to validate the sender, ensure data has not been altered, and prevent the signer from denying they signed the document (called non-repudiation)

Access Control: Digital certificates and public-private key authentication restrict access to systems, files, and networks, ensuring that users with valid certificates can access resources.

Secure Website Communication: PKI enables SSL/TLS certificates, which encrypt data transmitted between a browser and a website, ensuring data confidentiality and integrity.

Authentication: PKI supports certificate-based authentication for users' devices and services, confirming that something or someone is trustworthy.

Improved Trust: Verifying identities and securing communication, PKI builds trust. For example, websites with valid SSL certificates are most likely to be trusted by users.

Challenges of PKI

The limitations of Public Key Infrastructure include;

Outdated Protocols: Deprecated and Outdated protocols can become vulnerable to security incidents and data breaches.

Weak Keys and Irregular Key Rotation: Weak keys are considered a security risk because they are easy to break. Many systems do not rotate keys frequently, which causes attackers to use compromised keys to impersonate entities and steal sensitive information.

Mismanaged Certificates: Mismanaged certificates involve failing to issue, renew, or revoke certificates on time. This can lead to expired or insecure certificates, which may cause vulnerabilities and service outages, impact the organization's network, compliance posture, and potentially cause a data breach.

Improper Protection and Management of Private Keys: Private keys ensure that data is kept securely, and if they are not protected, attackers can steal them or use vulnerabilities to access confidential information for malicious purposes.

Email Encryption: PKI ensures that email content is encrypted, and only authorised recipients can decrypt it.

Digital Signatures: Digital signatures verify the authenticity and integrity of digital documents by signing them with a private key and verifying them with a public key.

SSL/TLS (HTTPS): SSL/TLS certificates issued through PKI secures the communication between browsers and servers by encrypting data.

VPNs: VPNs use certificates to authenticate users and devices, ensuring that only trusted parties can access a private network.

Public Key Infrastructure (PKI) ensures secure communication and authentication over networks and devices. It uses cryptographic keys (a public and private key) to ensure that that data is exchanged securely.

PKI is used to secure websites, encrypt emails, authenticate users and devices, digitally sign software’s, and help to maintain confidentiality authenticity and integrity across digital infrastructure.