Public Key Infrastructure, aka PKI, is a set of roles, procedures and policies used to manage digital certificates and public key encryption. The end goal is to provide a secure method of exchaning information between parties.
Public Key Cryptography
With symmetric encryption, the same key is used for both encryption and decryption. So if A wants to send B the raw message M, it will use the key K to generate the encrypted message E. When B receives the encrypted message E, it will use the same key K to decrypt it and it will get the raw message M.
As you can see, both A and B must have a shared key provided to both of them ahead of time. Hence the term usually used for this aproach: using a pre-shared key (or secret). It’s biggest flaw is that secure methods to share the key are hard to find or implement.
Asymmetric Encryption (PKC)
With asymmetric encryption, aka Public Key Cryptography (PKC), there is one key used in the encryption process and another key used in the decryption process. Therefore, we have a key-pair.
The two keys in the pair are called private-key and public-key. As the name suggests, a public-key can be shared with anyone but the private-key should only be known to the entitiy it belongs to.
The keys in the key-pair must have certain characteristics in order to be viable. This is done via a mathematical relationship between the private-key and the public-key. The most important characteristic of this relationship is that messages encrypted with the public-key can only be decrypted with the private-key. It doesn’t work the other way around and it is computationaly unfeasable to deduce the private-key from the public-key or other data exchanged between the parties. The method used to exchange the key information between parties is known as Diffie-Hellman and RSA (Rivest-Shamir-Adleman) is an implementation of this method.
The DH method is mostly used to secretly agree on a shared key between the parties envolved in a data exchange. Once the shared key is established, it is further used to encrypt the messages exchanged between parties because symmetric encryption is a much simpler process and through this method, it’s biggest flaw – sharing the secret – is addressed
One of the most important things when it comes to crytpography is authentication which is the process of verifying that an entity really is who it claims to be. In modern cryptography this is usually done through a digital certificate.
A digital certificate binds an entity’s identity with a public key. The binding is performed by a Certificate Authority (CA) through the process of signing.
The process of getting the certificate signed starts with an entity generating a key-pair. The next step for the entitiy is to create a Certificate Signing Request (CSR) which will contain the public-key, the identity information, the Distinguished Name (DN) for which it requests the certificate and a section which is generated using the private-key. That is to say the private-key is not part of the CSR but it is used to sign the CSR in order to attest that the request comes from the owner of the public-key.
The CSR could go through a Registration Authority (RA) that verifies the identity of the entitiy against the provided CSR before reaching the Certificate Authority (CA) for signing. Most of the times, RA and CA are the same so it all looks like a single step.
After it is signed, the certificate is exported to the requester. The standard for these certificates is registered as X.509 but there are different formats for the certificate (.pem, .p12, .cer, .crt and others). The p12 format allows adding an additional passphrase to the certificate so it is not readable without knowing the passphrase.
Chain of Trust
A certificate chain is a list of certificates that have the following characteristics:
- The issuer of each certificate matches the subject of the next certificate in the list.
- The private-key used to sign each certificate can be verified using the public-key of the next certificate in the list
- The last certificate in the list is trusted through other methods (manually set to trust, embedded in the system, etc)
By using this chain of trust, the certificate provided by an entitiy is verified by another entity and the chain goes from the certificate under verification, through intermediate certificates, up to the CA’s root certificate.
In some simple scenarios you can provide your own certificate by performing the signing process yourself. In this case the certificate is called “self-signed” but others may not have a high level of trust in this kind of certificate.
Web browsers usually include intermediate certificates provided by well-known CAs and set to trust in order to enable the verification process to take advantage of the chain up to the well-known CAs without passing their root certificates to the public.