SBN

Your Guide to How PKI Works & Secures Your Organization

Public key infrastructure is a key part of your everyday life in the cyber world. It secures everything from the login credentials in your browser to the sensitive data you share via email — here’s a breakdown of how PKI works

Public key infrastructure is intrinsic to cyber security. It’s the crust to your pie and the wind to your sail; basically, it’s one of the things that makes cyber security work.

Public key infrastructure, or PKI, is often talked about as a type of cyber security technology or framework — but it’s more than that. You likely know that the term relates to encryption, but do you actually know what it does or how PKI works?

We’re here to answer those burning questions relating to how public key infrastructure works. In the process, we’ll break down the components of the public key infrastructure and how you might already be using PKI each day to protect your business and customers.

Let’s hash it out.

Before We Can Answer “How Does PKI Work?” Let’s First Break Down What It Is…

Before jumping into the nitty-gritty details of how public key infrastructure works, let’s first cover what PKI is to ensure we’re all on the same page.

In a nutshell, public key infrastructure is a system (based on encryption key pairs and digital certificates) that’s used for securing communications between different computer systems. It’s also a system that helps your organization remain compliant with regulatory data security and privacy requirements and avoid penalties, fines, and reputational loss.

There are two things PKI does to secure communications:

  • Authentication — This ensures that the other party is the legitimate server/individual that you’re trying to communicate with.
  • Encryption — This makes sure that no other parties can read your communications.

To make this whole process all a more understandable, let’s consider the SSL certificate that this website is using as an example. See the padlock icon in your browser? That means this website is using an SSL certificate, which is based on PKI. SSL uses PKI to do two things:

  1. Your browser authenticates that it’s connected to the correct server that’s owned by thesslstore.com.
  2. All of the data that passes between your browser and our web server is encrypted.

In a more technical sense, PKI is a combination of cryptographic technologies, policies and procedures that you use to secure data in the digital world and to authenticate yourself. The term also relates to the issuance, use, storage, distribution, management, and revocation of digital certificates and keys — also known as the certificate lifecycle — as well as the entities that issue them.

In a roundabout way, what all of this means is that public key encryption is a two-key (asymmetric) cryptosystem that protects everything you do and the information you send and receive online. From the ecommerce transactions on your website to the emails that you send within your organization that contain sensitive information, the data is secure thanks to PKI

The main function of PKI is to distribute public keys to the right devices, software, and users who need them. This means that PKI is all about ensuring that your sensitive data doesn’t fall into the wrong hands.

The Nitty-Gritty: The 6 Key Components of PKI

To better understand how PKI works, you first need to know what’s involved in it. Of course, there are several critical components within the public key infrastructure — and we’ll dive into each of these topics more in depth a little later in the article:

  • X.509 digital certificates — These types of certificates include a key, information about the identity of the owner (of the certificate and keys), and the digital signature of the certificate authority. These types of certificates include:
    • S/MIME (client authentication) certificates,
    • Code signing certificates, and
    • Document signing certificates.
  • Digital signatures — Digital signatures are what guarantees that a message, file, or data hasn’t been altered in any way. It uses an encrypted hash of a message to ensure the integrity of your data by making it so that nobody can modify the message without the recipient finding out.
  • Public and private key pairs (asymmetric and symmetric) — PKI works because of the key pairs that encrypt and decrypt data. In asymmetric encryption, there’s a public key that’s shared with everyone and a matching private key that’s kept secret. In symmetric encryption, there is one key that both parties use to communicate.
  • Certificate authorities (CAs) — Certificate authorities are what make the whole system trustworthy. CAs verify parties and issue certificates. Without CAs, PKI simply wouldn’t work because anybody could just issue certificates to themselves saying that they’re Amazon.com, Bill Gates, or whomever they feel like impersonating.
  • Chain of trust — The chain of trust is a series of certificates (root, intermediate, and leaf certificates) that links back to the issuing CA who signed off on it.
  • Proper certificate management tools, policies, processes, and procedures — This includes the use of a certificate management tools such as a certificate manager.
A graphic illustration of how PKI works
Here’s an overview illustration of how public key infrastructure works.

If you want more information about what PKI is, I’d suggest you check out the articles my colleagues wrote about it and how it facilitates trusted, secure communication. They’ve already done a great job of it, and I’m not trying to reinvent the wheel here.  

How Does Public Key Infrastructure Work?

Okay, so now that you know what PKI is and how it relates to public key cryptography, it’s time to talk about what it does and how it does it. There are a few key things to know about how PKI works:

  1. PKI authenticates you and your server. It allows your site users’ web browsers to authenticate your server before connecting with it (so they can verify that they’re connecting to a legitimate server). You can also use client certificates to limit access to authenticated users. This gives you greater control over your network and other IT systems.
  2. PKI facilitates encryption and decryption. PKI enables you to use digital certificates and public encryption key pairs to encrypt and decrypt data or the transmission channels you use to send it using the secure SSL/TLS protocol.
  3. PKI ensures the integrity of your data. PKI lets users, their browsers or their devices know whether the data you send has been tampered with.

Of course, doing any of these things requires the use of a public encryption keys that have strong entropy. Every key is a randomly generated string of binary numbers — a random series of 1s and 0s — that’s used to determine how plaintext transforms into ciphertext. So, when we talk about entropy, what we mean is that the keys are generated with enough randomness that it would take thousands — if not millions — of years for even modern supercomputers to guess.

PKI Works By Authenticating Users and Servers

The first part of the PKI process is authentication. Through the use of digital certificates (such as client certificates and SSL/TLS certificates), you can authenticate yourself, your client, or your server using asymmetric encryption. (Again, asymmetric encryption is that two-key pair of public and private keys.)

Let’s consider a simple step-by-step explanation of how authentication works using the following scenario of someone connecting to Amazon.com:

  1. The web client (for example) connects to the Amazon.com web server to get the server’s certificate and public key.
  2. The client then uses its store of trusted root certificates and the chain of trust to verify whether that site’s certificate was issued by a trusted CA. (Note: The chain of trust is based on digital signatures, which can’t be faked. So, if the trust chain checks out, then your browser can be confident that it’s communicating with the correct server.)
  3. The client then encrypts a piece of data using the certificate’s public key and sends it to the server. If the server can read it, then it proves that the server has the correct private key and that it’s connecting to the right server.

To facilitate this this process (and to create a secure, encrypted connection eventually), the user’s web client and your server begin what’s known as an SSL or TLS handshake. This process, which mitigates the risk of man-in-the-middle (MitM) attacks and eavesdropping, allows the client to:

  • Determine which encryption parameters they can both use,
  • Authenticate the server (as mentioned above), and
  • Generate a unique session key that both parties can use to exchange encrypted information.
TLS 1.2 Handshake; TLS 1.3 handshake
An illustration of the TLS 1.2 handshake.
Graphic of the TLS 1.3 Handshake
An illustration of the TLS 1.3 handshake, which has fewer roundtrips than its TLS 1.2 predecessor.

But what if the server wants to authenticate you as the user? That’s possible, too. In that case, you’ll need a certificate (a client certificate, or what’s known as an email signing certificate) that’s issued by a CA the server trusts. A similar process happens (but in reverse) with the server checking your digital certificate before allowing you to access the applications or content on the server.

PKI Works by Encrypting Data (or the Connections That Your Data Transmits Through)

The way that public key infrastructure works is that it uses asymmetric, mathematically related keys to encrypt and decrypt data. Basically, we’re talking about taking a message that you can read (plaintext) and scrambling it into an undecipherable format (ciphertext). Then it needs to be unscrambled, or deciphered, when it reaches the other party.

How Encryption Works

An easy-to-understand encryption is an old-fashioned shift cipher (substitution cipher), or what’s more commonly known as the Caesar cipher.

In this type of encryption, plaintext letters “shift” a set number of spaces depending on the secret key. For example, the word “CERTIFICATE” becomes the ciphertext “IKXZOLOIGZK” if your key is “6” because you’ve shifted each letter six spaces.

Shift cipher or Caesar cipher example graphic
A basic example of how a shit cipher (Caesar cipher) works.

Of course, this is encryption in one of its most basic forms. Modern cryptographic techniques have come a long way from the days of ancient Rome where notes were delivered by horse or boat. After all, we now have supercomputers and technology on our side to help us encrypt (and decrypt) data, messages, and other sensitive information.

How PKI Encryption Works

The way that encryption works in the PKI context is that data gets encrypted by a public key and decrypted by its corresponding private key.

But that isn’t the only trick PKI has up its sleeve. Another function of PKI is that it enables the generation of symmetric encryption keys as well. Although symmetric keys are considered less secure than their asymmetric counterparts, they’re invaluable because they make communication faster and require less processing power. Without diving deep into the details, PKI lets you have the best of both worlds — the security of asymmetric encryption and the simplicity of symmetric encryption.  

How to Apply Encryption to the Different States of Data

When we talk about data states, we aren’t talking about locations. There are three main states of data — data in transit, data at rest, and data in use. For the purpose of this article, however, we’re just going to talk about two of those data states here. Why? Because even though it’s possible to run computations on encrypted data in use through something called homomorphic encryption (more specifically fully homomorphic encryption), it’s a slow process that doesn’t scale well using current technologies. So, we’re going to put a pin in that one for now and focus on the other two data states.

Regardless of whether or not you know it, encryption is in use all around you to secure data in transit and data at rest:

  • Data in transit (aka data in motion) — Data in transit encryption creates a secure channel through which information can transmit from one party to another. An example of encrypting data in transit is when you use an SSL/TLS certificate to encrypt the communication channel between a customer’s browser and your website’s server. This process ensures that users connect to your site using a secure HTTPS connection instead of the insecure HTTP protocol.
  • Data at rest — Protecting data at rest encryption involves the use of file or device encryption. A great example of encrypting data at rest is when you use an email signing certificate to encrypt an email before hitting “send.” This encrypts the data of the message itself (and any attachments) so that it even if someone hacks your mail server, they can’t read the message if they don’t also have the corresponding private key.  
How PKI works illustration of an HTTPS encrypted communication channel
An illustration of the secure, encrypted communication channel offered by HTTPS.

Here’s an illustration of how installing an SSL/TLS certificate on a server facilitates a secure, encrypted connection between a website visitor’s client and the web server it connects to.

PKI Works by Ensuring Data Integrity

One of the most critical aspects of how public key infrastructure works is that it helps to ensure that data comes from a legitimate source and hasn’t been altered in any way. One of the ways it does this is by giving you the ability to apply a digital signature to your email, software, or files. Furthermore, every digital certificate itself is signed using the CA’s private key.

Basically, what a digital signature does is inform the user or their client about whether a file, email, or document:

  • Has been signed by the true, authenticated individual or business, and that it
  • Hasn’t been modified since it was initially signed.

Don’t worry, we aren’t going to get into all of the specifics of hashing and checksums here. Frankly, it’s too involved and we still have other things to talk about relating to how PKI works.

Validation and Functionalities: What Each Type of Digital Certificate Helps You to Achieve

Digital certificates are the data files that help you (or a client or server) to authenticate to another computer system and protect the integrity of your data. Digital certificates come with different levels of validation:

  • Domain validation is the most basic type of validation. It simply involves a CA verifying that you own or control a specific domain by sending you a link in an email or requiring you to upload files to a specific file of the site’s web server.
  • Organization validation (OV) offers basic business validation. This process requires an issuing CA to verify information that you provide about your organization using official third-party resources. This way, it can offer assurance that you are who you claim to be.
  • Extended validation (EV) offers extensive business validation. This is the most in-depth of the three verification processes and requires that your business exists for a minimum of three years and is in good standing. The advantage of using this type of certificate is that it offers the most identity assurance.

There are several types of X.509 digital certificates that can protect data in different situations, depending on your needs:

  • SSL/TLS certificates — These certificates secure data sent to/from your website and are available in single domain, multi-domain, wildcard, and multi-domain wildcard options.
  • S/MIME certificates — Also known as email signing certificates, personal authentication certificates, and client authentication certificates, these digital certificates offer identity assurance from a trusted third-party CA. They can be used to digitally sign and encrypt emails or to authenticate you (as an individual user) to a web server. 
  • Code signing certificates — If you’re a developer or publisher who wants to offer identity assurance while also showing that your software hasn’t been tampered with, then this is the right certificate for you. These certificates are available with individual validation (IV), organization validation (OV) or extended validation (EV).
  • Document signing certificates — Document signing certificates validate that your document hasn’t been tampered with by applying a digital signature to it. (If a file is modified after being signed, a warning message will pop up to warn users.) These certificates can be used to sign a variety of files, including Microsoft Office documents and PDFs.

Where Certificate Authorities Fit Into the PKI Picture

Screenshot of some of the pre-downloaded trusted root certificates
A screenshot of some of the trusted root certificates that can be viewed in the MMC console.

When diving into an in-depth topic about how PKI works, then it’s vital to talk about the roles and responsibilities of third-party CAs. A certificate authority, like Sectigo or DigiCert, is a trusted third party that’s responsible for issuing and managing the private keys and certificates that support PKI. (The exception here would be that they don’t see or touch the private keys of leaf certificates [with the exception of EV document and code signing certificates].)

Although there are a few dozen CAs in existence around the world, there is only a handful of them that control the lion’s share of the market.

Now, to be considered publicly trusted, a CA must adhere to a set of baseline requirements that are outlined by the industry’s governing body, which is known as the CA/Browser Forum (CA/B Forum).

Before a CA can issue any type of digital certificate or private key, they first must verify the information that’s provided by the person or organization requesting it using official sources. They can do this themselves or, in cases where a certificate is ordered via a subordinate CA, this is where a registration authority (RA) comes into play.

Simply put, an RA is a network authority that acts as an intermediary between CAs and the organizations or individuals who request certificates from them. They’re responsible for handling certificate issuance requests from individuals and organizations like yours on an individual basis and verifying the information you provide. In these scenarios, registration authorities play an integral role in the chain of trust.

What Is the Chain of Trust?

A screenshot of The SSL Store's certificate chain of trust
A screenshot of the certificate chain of trust for TheSSLStore.com.

The effectiveness of public key infrastructure rests upon the validity of what’s known as a certificate chain, or the chain of trust. The chain of trust refers to a series of digital certificates that leads back from your individually assigned certificate to the certificate authority who signed off on it. If an RA is involved, they’d be the “middleman” between you and the CA.

There are typically three components to the chain of trust — root, intermediate, and leaf (server) certificates. It’s easiest to think of these components in terms of a tree.

(To view the chain of trust for your SSL/TLS certificates, click on the padlock icon in your browser, navigate to the certificate information, and click on the “Certificate Path” tab.)

Root Certificates (Roots and Trunk of the Tree)

A screenshot of a trusted root certificate.

A root certificate, which is also known as a trusted root, is the heart of public key infrastructure. Every CA issues only a handful of root certificates, and they are pre-downloaded into the trust store or root store within most browsers and operating systems. Their corresponding public keys are pre-downloaded as well to a device’s key store.

So, why is this certificate so important? Any certificate that’s signed by a trusted root certificate is considered valid automatically by all of the major operating systems and browsers. Each browser or operating system gets to choose which root certificates to include by default. 

Intermediate Certificates (Supportive Tree Branches)

An intermediate certificate is the go-between (it serves as an intermediary, hence the name) that lies between a trusted root certificate and a leaf certificate. Basically, it’s a buffer between the two that’s issued by an intermediate CA.

Because certificate authorities want to keep their root certificates safe, they typically use intermediate certificates to issue the leaf certificates. Since root certificates can be stored offline, this means that once they sign the intermediate certificates, they aren’t needed again and can be kept in a safe location. This helps CAs to ensure that their root certificate private keys are safe and not readily accessible to cybercriminals.

Leaf (Server) Certificates (Leaves and Smaller Tree Branches)

A leaf certificate, or end user certificate as it’s sometimes called, is basically the certificate that gets issued to your specific domain. This type of cert has a much shorter lifespan — certificates issued prior to Sept. 1, 2020 have two-year lifespans, whereas any certificates that will be issued on or after that date will be limited to one year.

For PKI to Work, Proper Certificate and Key Management Is a Must

Although this should go without saying, I’m going to say it anyhow (because, inevitably, someone always misses this memo): Your certificates are good only for as long as they are valid.

It’s amazing how many people seem to always miss this memo. If your certificate is invalid — which could occur due to improper installation or configuration, certificate expiry, or the unlikely revocation by the issuing CA, it means that your website is no longer secure. Even worse, your entire system can go down as a result. Check out our blog “This Is What Happens When Your SSL Certificate Expires” for a few examples (from brands you’ll recognize!)

Regardless of the reason, it’s important that you stay on top of these issues. You can do this by adhering to certificate and key management best practices and by using reliable management tools. These tools provide visibility into your network for all certificates and helps you to track and manage their lifecycles, which involves the issuance, use, storage, distribution, management, and revocation of digital certificates and keys. This way, you can reissue certificates before they expire or stay abreast of any revocations that come down the pipeline.

Certificate Management Checklist

Manage Digital Certificates like a Boss

14 Certificate Management Best Practices to keep your organization running, secure and fully-compliant.

How You Can Use PKI to Protect Your Business

For virtually any modern business, having secure communications and access to reliable data are key to your success. But how does PKI work to help secure your business and its invaluable data? Public key infrastructure makes it possible for your organization to:

  • Secure the communication channel for data that transmits to and from your web server, which makes it more secure in the eyes of Google and other search engines. (You avoid having “not secure” warnings appearing in users’ browsers when they visit your site.)
  • Digitally sign and/or encrypt email communications, which helps to mitigate phishing scams and email-based data breaches
  • Digitally sign documents (not to be confused with electronic signatures), which ensures the integrity of those docs
  • Digitally sign software, which affirms that your software is signed by a legitimate authority and that it hasn’t been modified since it was signed
  • Assert your organizational or individual identity
  • Control access to only specific users or applications (authentication)
  • Control which operations a user or application can perform in specific systems (authorization)
  • Have a trusted third party affirm the integrity of your messages and data (non-repudiation)
  • Demonstrate to search engines that your website or server securely transmits data

Just to give you a bit of an idea of what we mean, let’s consider the following example of how PKI works to secure email communications.

How PKI Secures and Authenticates Your Email Communications

Say you need to send some sensitive information to your colleague, Erica. To do this, you draft up an email, add your attachments, and send it from your email address to hers. This means that any message you send will travel from your outbox to the email server. It will then travel across the internet to her mail server before it gets delivered to her email client’s inbox.

This entire process typically occurs within a few mere seconds. (Unless, of course, you’re waiting for a really important email — then, for some reason, that email always seems to break from reality and require hours or even days for it to eventually come through [if you receive it at all].) But there’s still one critical thing to keep in mind: Without encryption, any message you send will be sent in plaintext, meaning that anyone who intercepts it can read it.

This is where public key encryption comes into play. If both you and Erica have properly configured email signing certificates (or what are known as S/MIME certificates), you can use her public key to encrypt the message before sending it. Using your private key as the sender, you also can digitally sign the email, which she can double-check using your public key to ensure that she knows that it was really you who sent the message and not an imposter.  

Without public key infrastructure, none of this would be possible.  

Final Thoughts on How PKI Works and Why It’s Necessary for Your Organization

Cyber security is becoming more complex every day. Hackers are finding new avenues of attack as well as new ways to spin old tactic methods. So, it’s now not only a matter of protecting your network and keeping your data out of the hands of hackers, but it’s also a process of gatekeeping as well.

Public key infrastructure is increasingly at the heart of cyber security for businesses and organizations of any size. Whether you’re looking to protect your own intellectual property or the privacy of your customers, PKI is what helps you to secure and protect the integrity of your data. It’s also what makes authentication possible by having a trusted third party validate your legitimacy. So, for obvious reasons, knowing how PKI works is essential to keeping the system running as it should.

But for PKI to work as intended, you must properly manage all aspects of the certificate lifecycle. This is a critical responsibility that you can’t take lightly — your organizational reputation and compliance depend on it.


*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store™ authored by Casey Crane. Read the original post at: https://www.thesslstore.com/blog/how-pki-works/