What is PKI?
PKI or Public Key Infrastructure is, at its most basic level, a system for supporting
authentication, encryption and integrity of data. To understand the functionality of PKIs,
an explanation of public key cryptography is in order.
Public Key Cryptography
The type of cryptography that most people are familiar with is referred to as symmetric key cryptography. In symmetric key cryptography, the party encrypting the data and the party decrypting the data share the same key. This has been compared to a safe where one party using the combination puts valuables inside the safe, and another party knows the same combination to open the safe and retrieve the valuables. Public key cryptography uses asymmetric key cryptography where every party has two keys, a private and a public key. The private key is kept secret and not distributed to anyone but its owner, while the public key is freely distributed. If user A wants to encrypt data for user B, A will acquire B's public key, encrypt the data with it and transfer the encrypted data. User B will then decrypt the data with his private key. This has been compared to a public mailbox where anyone can mail a letter but only one key will open the mailbox. Asymmetric key cryptography is generally more processor-intensive than symmetric key cryptography, making it unsuitable for encrypting data streams. A common solution for this consists of one party generating a symmetric key, signing and asymmetrically encrypting it, and sending it to the other party. The other party decrypts the key, verifies it, and establishes a data-stream using symmetric key cryptography.
Another use for private key cryptography is digital signing. When digitally signing
data, the data is mathematically combined with the user's private key to produce a
signature. This signature is then sent with the original data. A second party that wants
to verify the authenticity of the data acquires the signer's public key and verifies it
against the signature.
Public Key Infrastructure
The distribution of public keys is, curiously enough, the primary function of a PKI (Public Key Infrastructure). The basic tool for this is a certificate: a data structure holding information about the certificate's owner, the owner's public key, who issued the certificate, and when the certificate was issued. The certificate will also have the digital signature of the authority that issued the certificate
The components of the DoD PKI consist of a CA (Certificate Authority), a RA (Registration Authority), a LRA (Local Registration Authority), and PKI enabled software for the end-user.
The CA, RAs and LRAs are organized hierarchically. The primary purpose of a CA is to issue certificates to the RAs. The RAs revoke user certificates and issue certificates to LRAs and servers. The LRAs issue certificates to users and forward server certificate requests to RAs. The final piece of the system is the end user with PKI-enabled software.
A basic example of PKI usage is the SSL protocol commonly used to encrypt World Wide Web transactions. The end user's web browser comes with the public keys of several Certificate Authorities. When a user encounters a web site that uses encryption, the first stage of the exchange involves the remote web server to send a copy of its certificate to the end user. The end user's browser then extracts the web server's public key, which is signed by a Certificate Authority. The end user's browser then checks the digital signature of the web server's public key. If it is valid, the browser then generates a symmetric key, encrypts it with the web server's public key, and sends the encrypted key to the web server. The web server decrypts the symmetric key with its private key, and a symmetrically encrypted transaction then takes place.