Public Key Infrastructure

Public Key Infrastructure Technology

Main Security Functions of PKI

PKI provides a management framework for enabling deployment of public key cryptography. Public key cryptography processes data with a pair of keys, which are two distinct but corresponding computer codes. Encryption is done with one key of the pair, and decryption is only possible with the other key of the same pair.

One of the keys in the pair is kept by the owner of the certificate (as a personal secret), and is therefore called a 'private key'. The other key is publicly available, and hence called a 'public key'.

Encryption is the means by which the PKI ensures confidentiality. For instance, the privacy of messages sent via email can be protected by encryption with a recipient's public key. Since only the recipient's private key can decrypt the encrypted message, this is an assurance that nobody other than the intended recipient can read the message.

Encryption / Decryption

A digital signature is another means, used to ensure integrity, authenticity, and non-repudiation. A digital signature is derived by applying a mathematical function to compute the message digest of an electronic message or document, and then encrypting the result of the computation with the signer's private key. Recipients can verify the digital signature using the sender's public key.

Digital Signature

Taking email as an example, if a digitally signed email has not been tampered with during the course of transmission (integrity), the digital signature will be valid as verified by the recipient. Since the sender is the only person who has access to the corresponding private key, once the digital signature is verified as valid, the recipient can be certain that the email is indeed from the sender (ensuring authenticity); and the sender cannot deny having created and signed the email (non-repudiation).
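The sign-and-verify flow described above, as an added example that is not part of the original page: the digest of an email is transformed with the sender's private key, and the recipient checks it with the sender's public key. The key values, function names and sample email are constructed for illustration; the keys are built from publicly known primes and use no padding, so they only show the mechanics.

```python
import hashlib

E = 65537  # public exponent shared by both demo keys

def make_key(p: int, q: int):
    """Return (n, d): public modulus and private exponent for primes p, q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed demo keys built from publicly known Mersenne primes, so they
# protect nothing. Real keys use secret random primes and padding (RSA-PSS).
SENDER_N, SENDER_D = make_key(2**521 - 1, 2**607 - 1)
IMPOSTOR_N, IMPOSTOR_D = make_key(2**127 - 1, 2**521 - 1)

def digest(message: bytes) -> int:
    """Message digest (SHA-256) as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, d: int, n: int) -> int:
    """Signer: transform the digest with the private key (d, n)."""
    return pow(digest(message), d, n)

def verify(message: bytes, signature: int, n: int) -> bool:
    """Recipient: recover the digest with the public key (E, n) and compare."""
    if not 0 <= signature < n:
        return False
    return pow(signature, E, n) == digest(message)

def demo():
    email = b"Please pay HK$1,000 to account 12345."  # constructed sample
    sig = sign(email, SENDER_D, SENDER_N)
    forged = sign(email, IMPOSTOR_D, IMPOSTOR_N)  # signed with another key
    return {
        # Unmodified email: signature is valid (integrity, authenticity).
        "untouched": verify(email, sig, SENDER_N),
        # One field altered in transit: the digests no longer match.
        "tampered": verify(email.replace(b"1,000", b"9,000"), sig, SENDER_N),
        # Signature from a different private key fails against the sender's public key.
        "wrong_key": verify(email, forged, SENDER_N),
    }

if __name__ == "__main__":
    print(demo())
```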

 
 
     