What is a public key infrastructure (PKI)?
When it comes to data security and secure communication on the internet, the term Public Key Infrastructure is unavoidable. It refers to a network of various involved entities—an infrastructure. It is a type of key management and serves to confirm digital identities and encrypt data.
Here we explain how it works and what you need to consider in its management. You will also learn how you can easily adapt your PKI to your company’s IT security requirements with essendi xc.
Inhalt:
What are the components of a PKI?
A Public Key Infrastructure (PKI) consists of the following components:
Public and Private Keys:
Asymmetric cryptographic keys are usually used. Public and private keys are always generated as a pair and are mathematically linked to each other. In asymmetric encryption, data encrypted with the first key of a key pair can only be decrypted with the corresponding second key.
A distinction is made between a public and a private key. The public key is freely accessible to everyone in the network. The private key, however, is only known to the owner and is not shared.
Digital Certificates
Certificates are used in digital communication for authentication, encryption, and as a signature. They consist of various pieces of information, including:
- the certificate’s expiration date,
- the digital signature of the issuing certification authority, and
- the public key of the certificate holder.
Certificate Revocation List (CRL)
All invalid certificates are entered into the certificate revocation list. A certificate is invalid if it has been revoked or suspended, e.g., because it has been compromised or because permissions have changed.
Validation Services (Validation Authority)
A validation service (OCSP / CT Logs) checks the validity of digital certificates. To do this, it queries the validity of a certificate with the certification authority, for example by checking the certificate revocation lists. essendi xc also provides a validation service, the CT Log Monitor.
Registration Authority (RA)
The registration authority works closely with the certification authority. It identifies and registers the applicant. In addition, it verifies the accuracy of the data in the certificate application and then forwards it to the certification authority.
Certificate Authority (CA)
The certification authority is the public trust anchor of the PKI. It receives the certificate application and issues the requested digital certificate. In doing so, it confirms that the certificate holder is indeed who they claim to be.
It monitors the validity of the certificates it has issued and places all invalid certificates on the certificate revocation list.
How does a Public Key Infrastructure work?
The functioning of a Public Key Infrastructure is roughly comparable to applying for an identity card:
The IT administrator of a company first generates the Certificate Signing Request (CSR) and a cryptographic key pair. The CSR and the public key are then forwarded to the Registration Authority. This is comparable to submitting the application form for an ID card together with a passport photo at the citizens’ office.
The Registration Authority checks the CSR and the key. After successful verification, it forwards both to the Certificate Authority (similar to the federal printing office). The Certificate Authority then issues the requested certificate (the ID card) and sends it back to the applicant. The Registration Authority, acting as a Trust Center, is considered one of the trusted entities.
The IT administrator then installs the certificate together with the private key in the company’s infrastructure. From this point, the company can identify itself when exchanging information over the internet and encrypt its data traffic.
What is a PKI used for?
PKI encryption and decryption is performed asymmetrically (encrypt and decrypt). Data is encrypted with the public key before transmission. The recipient can only decrypt it with the private key.
This works with all electronic identities that communicate with a counterpart. These include, for example, smartwatches, intelligent pacemakers, and even industrial production systems.
It is therefore used to protect a wide variety of information. It encrypts vital communications, such as those between an aircraft and a control tower. It also protects personal data, for example when transferred from a smartwatch to an app.
Smart cards also transmit their data securely via a Public Key Infrastructure (PKI secured). Smart cards include, for example, access control and time-tracking cards in companies.
We also all know its encryption services from the web browser. The small, closed padlock at the beginning of the browser address bar indicates that data is being transmitted securely. Without the padlock, the web server will classify the page as “insecure.”
For this purpose, the PK Infrastructure creates, stores, distributes, and revokes digital certificates (SSL / TLS / x.509 certificate). It manages them throughout their entire lifecycle. These certificates confirm the identity of the holder in internet communications (certificate authentication). The certificate serves as a kind of ID card that is presented. This ensures that the communication partner really is who they claim to be (authentication).
Web browsers also use the keys contained in the certificate to protect transmitted data from unauthorized access. Only the holder of the private key can decrypt the message. This allows a secure connection to be established between the web browser and the web server. It also prevents manipulation of the transmitted data.
PKI email encryption has particular importance (pki e-mail encryption). 80% of all hacker attacks occur via email. Therefore, the most effective method is to send emails digitally signed and encrypted.
The encryption of sent emails protects against data theft and alteration or manipulation of the contents. This is especially important if emails contain attachments with Excel spreadsheets or personal data.
In end-to-end email encryption, both sender and recipient must know each other’s public key. The sender encrypts their message to the recipient with the recipient’s public key. The recipient can then decrypt and read it with their private key.
In the case of a digital signature, on the other hand, the message is signed with the private key. The corresponding public key confirms the signature.
Who uses a PK Infrastructure?
Basically, anyone who works with encryption methods and certificates requires a Public Key Infrastructure. You can set it up yourself and, for example, use the Microsoft Public Key Infrastructure, or alternatively rely on a PKI provider.
What is a Managed PKI?
Managed PKI (MPKI) means that the entire infrastructure is managed by an external service provider or organization. This provider takes over the tasks related to the creation, issuance, management, and updating of digital certificates. Companies can choose a “Managed PKI” to reduce the complexity of managing their own PKI, save resources, and ensure that the PKI meets the required security standards.
Such a service provider, for example SwissSign, offers connection options to a preconfigured MPKI.
The use of a Managed PKI can be particularly useful for large organizations or companies that may not have the resources or expertise to operate and maintain a comprehensive PKI infrastructure internally.
What is a certificate chain?
A certificate chain is the list of all certificates used to confirm a digital identity. The certificate chain always ends with the root certificate, which was issued by the root certification authority (Root CA). The Root CA is the public trust anchor for all parties involved in a certificate process.
A certificate chain consists of the following components:
Root Certificate
Root certificates belong to the Root CAs and are strictly monitored by them. A root certificate is always self-signed by the certification authority and represents the root of the trust tree.
Intermediate Certificate
In a certificate chain, there is at least one intermediate certificate, but often several. Intermediate certificates are the branches of the trust tree. They form the link between the root certificates and the server certificates.
Server Certificate
The server certificate is issued specifically for the domain that the user wants to secure.
The chain is only trustworthy if it can be traced back seamlessly to its origin—the root. This means that the signatures of all certificates in the chain must be checked and confirmed up to the root certificate. The root certificates of the most important Root CAs are already stored in many operating systems or browsers. This simplifies and speeds up the later verification of certificate chains. Errors in the certificate chain therefore lead to problems. For example, a certification path is faulty if:
- no root certificate is included
- the private key is not at the end of the list
- the order of the certificates is incorrect
- incorrect or too many certificates are included
- certificates are missing.
What are Code Signing Certificates?
A code signing certificate provides verifiable confirmation of who the publisher of a particular software is. The publisher applies a digital signature to their application before offering it for download. The code signing certificate shows the user during download that the software has not been damaged or altered.
Code signing certificates are also issued by certification authorities. As trust centers, they confirm in this case the identity of the programmer or the software publisher.
The latter must ensure that the code signing certificate is renewed or extended in time. Otherwise, the software will no longer be classified as trustworthy. However, the download process and the application itself would still continue to function.
What is the difference between Web of Trust and PKI?
The Web of Trust (WoT) is a contrasting trust model to PKI. A Public Key Infrastructure is structured hierarchically, with the central trust anchor being the Certificate Authority (CA). All other entities participating in the PKI trust this root certification authority. Therefore, protecting the Root CA and keeping its private key secret are fundamental prerequisites for a PKI.
In contrast, within the WoT all participants collectively confirm the authenticity of digital certificates and cryptographic keys. The more participants confirm (sign) a certificate, the more trustworthy it becomes. In the Web of Trust, many different participants act as trust centers, thus replacing the CA of the hierarchical PKI model.
Why is essendi xc a valuable PKI tool?
A Public Key Infrastructure is a security solution that can be reliably adapted to the specific needs of a company. It must also be able to reflect increasingly complex IT landscapes. Therefore, the human factor plays an important role here as well.
A key infrastructure solution must be optimally configured to ensure that no vulnerabilities arise. There is much to consider, and broad expertise is required.
Support is provided by certificate management tools such as the key management software essendi xc. xc functions as a Key Management System and supports crypto management. It generates cryptographic keys according to company requirements in the required key length. In doing so, it complies with regulatory requirements such as ISO/IEC 27001, BSI IT-Grundschutz, or NIST. This way, user errors can be avoided.
xc provides timely warnings before certificates expire. Depending on the settings, it automatically handles renewal or extension, up to and including installation in the target system. It helps deliver as many functions as possible in digital ecosystems with the highest level of security and convenience.
In combination with the CT Log Monitor, it detects forged certificates. If required, it can automatically block and revoke them.
Manually configured setups can often only be adapted with significant time effort and hidden risks. essendi xc, on the other hand, has been designed to be flexible from the outset. Therefore, it can be quickly, easily, and securely adapted to changing requirements.
