In this post, we’re discussing a topic as complex as it is crucial to enterprise security: public key infrastructure (PKI). So, let’s dive right into this essential cryptographic concept.
Public key infrastructure (PKI) is, as the name suggests, a type of data security infrastructure designed around public key cryptography. More precisely, PKI is a system for managing digital certificates. Great—but what does that really mean?
Digital certificates are electronic files that bind identifiable information of an application or machine to an asymmetric key pair.
These key pairs are “asymmetric” because they consist of a public key, which encrypts data, and a private key, which decrypts it. In addition to identifiable information, digital certificates also include a public key. This public key, when certified by its assigned private key (which, as explained below, belongs to a certificate authority), authenticates the identifiable information in the certificate. This, finally, authenticates the identity of a user, device, document, message, or other entity on a network.
In fewer words, public key infrastructure uses asymmetric encryption and digital certificates to ensure that only authorized recipients can access shared data. In even fewer words, PKI is the foundation of trust throughout an enterprise.
Deploying PKI (and certificate authority)
Deploying PKI starts with deploying a certificate authority (CA). Whereas PKI refers to a system, a certificate authority is a digital entity that creates and issues digital certificates.
Earlier, we mentioned that the public keys included in digital certificates are certified by an assigned private key (which forms the other half of the asymmetric key pair). This private key belongs to a certificate authority. All CAs have private keys with which they validate the public keys included in digital certificates. As such, CAs are an essential component of public key infrastructure.
So, if deploying public key infrastructure starts with deploying a CA, how do you deploy a CA?
The role of certificate authority (CA)
First, a secure cryptographic device like an HSM or key management server creates an offline root certificate authority. The offline root CA occupies the highest place within the hierarchy of public key infrastructure, and is the absolute foundation of trust across an enterprise. The HSM will also create asymmetric key pairs—one public key and one private key. The root CA’s private key is kept offline within a FIPS 140-2 Level 3 and PCI HSM validated Secure Cryptographic Device until it is needed to validate subsequent CAs. Keeping the private key offline until it’s needed helps keep it safe from attack and exposure.
The root CA is used to authenticate what’s called an issuing CA. Issuing CAs are on a lower tier of the PKI hierarchy, subordinate to the root CA. Issuing CAs do most of the work. Importantly, they provide signed certificates that are distributed to applications, users, devices, and more. This creates a circle of trust between certificates and keys. The CA both creates and signs the asymmetric keys used in digital certificates.
The role of cryptographic modules
All of these cryptographic functions take place within the secure boundary of an HSM or key management server deployed either on-premises or in the cloud. So, after either installing a physical HSM in your server rack or spinning up an HSM-as-a-Service in the cloud, users can access the HSM’s CA functionality to begin issuing and managing digital certificates, opening the door to enterprise PKI.
Implementing an effective PKI can be a big challenge for organizations. Not only do you have to purchase hardware or integrate a cloud service through a trusted vendor; you must also set key management policies, design approval workflows, and define other security policies. In the past, organizations had to rely on different applications and solutions for key management, certificate issuing, encryption, digital signing, and related services.
To bypass these challenges, there are now solutions that consolidate all of this functionality into a single platform that streamlines the integration process and provides tons of functionality beyond just PKI, like tokenization, application encryption, IoT security management, registration authority, code/object signing, and more.
Practical uses of PKI
Now that we understand what public key infrastructure is and how it works, let’s talk about the practical side of PKI. Who needs to use PKI, and why?
In short, any organization that wants to make sure its resources are only accessed by authorized parties will need PKI. Let’s say you’re running an application connected with other resources. Multiple users, devices, or other applications might interact with this application regularly. Each of these entities can be validated with a digital certificate that lets them access the application. Otherwise, attackers or unauthorized insiders could connect to the application and access sensitive data.
Specifically, an organization might deploy a CA to issue certificates to its client domains—the computer workstations and devices used by employees. That way, whenever their servers get requests from employee client domains, they’ll recognize the certificates (which may be tied to their IP addresses, or other identifiable information) and grant the employee access to authorized company resources.
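The hierarchy described earlier (root CA, issuing CA, issued certificates) and the server-side check from the paragraph above, as an added example that is not from the original post. It uses Go's standard crypto/x509 package with software-generated keys standing in for HSM-held keys, and every CA and workstation name is constructed.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // panic on error: acceptable only in a short demo
	if err != nil {
		panic(err)
	}
	return v
}
// issue makes a key pair and a certificate signed with parentKey (nil parent: self-signed).
func issue(cn string, serial int64, use x509.KeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: use&x509.KeyUsageCertSign != 0, KeyUsage: use}
	if parent == nil {
		parent, parentKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}
// verify is the relying party's check: cert must chain to the trusted root via the presented CAs.
func verify(cert, root *x509.Certificate, presented ...*x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range presented {
		inter.AddCert(c)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
// demo (all names constructed) checks a genuine, a self-signed and a workstation-signed certificate.
func demo() (genuine, selfSigned, leafSigned error) {
	root, rootKey := issue("Example Root CA", 1, x509.KeyUsageCertSign, nil, nil)
	issuing, issKey := issue("Example Issuing CA", 2, x509.KeyUsageCertSign, root, rootKey)
	ws, wsKey := issue("workstation-01", 3, x509.KeyUsageDigitalSignature, issuing, issKey)
	fake, _ := issue("workstation-01", 4, x509.KeyUsageDigitalSignature, nil, nil)
	child, _ := issue("workstation-02", 5, x509.KeyUsageDigitalSignature, ws, wsKey)
	return verify(ws, root, issuing), verify(fake, root, issuing), verify(child, root, issuing, ws)
}
func main() { fmt.Println(demo()) }
```

The genuine workstation certificate verifies, while the other two return errors: the self-signed certificate has no path to the trusted root, and a workstation certificate is not a CA, so a certificate signed with its key is rejected.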
Another example of PKI may involve a manufacturer of IoT devices. Each device will be connected to networks of other devices which may all exchange information. If any one of these devices is not secured with a digital signature or certificate, it could be exposed to potential cyberattacks. As such, establishing a PKI to manage this process keeps all of the devices, and the network itself, secure.
Other common use cases of PKI involve digital signing, where digital signatures are applied to keys, files, applications, and code. Being able to sign code is crucial for developers to maintain trust in the integrity of their projects. On a more general basis, securing email via PKI helps protect your internal communications from attack.
In summary
We hope this rundown of public key infrastructure has helped explain the concept in clear terms. PKI may seem complicated at first, but it’s really just a matter of deploying the right HSM or key management solution.
If you have any questions about PKI, CA, asymmetric encryption, or anything cryptography-related, please feel free to reach out to our subject matter experts to continue the conversation!