PKI - Public Key Infrastructure
Public Key Infrastructure (PKI) is a technology for authenticating users and devices in the digital world. The basic idea is to have one or more trusted parties digitally sign documents certifying that a particular cryptographic key belongs to a particular user or device. The key can then be used as an identity for the user in digital networks.
The users and devices that have keys are often just called entities. In general, anything can be associated with a key that it can use as its identity. Besides a user or device, it could be a program, process, manufacturer, component, or something else. The purpose of a PKI is to securely associate a key with an entity.
The trusted party signing the document associating the key with the device is called a certificate authority (CA). The certificate authority also has a cryptographic key that it uses for signing these documents. These documents are called certificates.
In the real world, there are many certificate authorities, and most computers and web browsers trust a hundred or so certificate authorities by default.
A public key infrastructure relies on digital signature technology, which uses public key cryptography. The basic idea is that the secret key of each entity is only known by that entity and is used for signing. This key is called the private key. There is another key derived from it, called the public key, which is used for verifying signatures but cannot be used to sign. This public key is made available to anyone, and is typically included in the certificate document.
Most public key infrastructures use a standardized machine-readable certificate format for the certificate documents. The standard is called X.509v3. Originally, it was an ISO standard, but these days it is maintained by the Internet Engineering Task Force as RFC 3280.
Common Uses of Certificates
Secure Web Sites - HTTPS
The most familiar use of PKI is in SSL certificates. SSL (Secure Sockets Layer) is the security protocol used on the web when you fetch a page whose address begins with
https:. TLS (Transport Layer Security) is a newer version of the protocol. In practice, most websites now use the new version.
With HTTPS, certificates serve to identify the web site you are connecting to, to ensure that no-one can eavesdrop on your connection or, for example, inject fraudulent wire transfers or steal credit card numbers.
Certificates and cryptographic authentication of the server prevent man-in-the-middle attacks. For secure communications, it is necessary to authenticate the communicating parties and encrypt the communications to protect passwords and data from malicious devices and hackers in the network.
Authenticating Users and Computers - SSH
Email Signing and Encryption
Certificates are also used for secure email in corporations. The S/MIME standard specifies a message format for signed and encrypted messaging, using the X.509 certificate formats.
PGP (Pretty Good Privacy) and its free version, Gnu Privacy Guard (GPG), use their own certificate format and a somewhat different trust model. However, they still offer email encryption and are quite popular.
Security Limitations of Public Key Infrastructure
The main weakness of public PKI is that any certificate authority can sign a certificate for any person or computer. Certificate authorities exist in many countries, some of which have rather authoritarian or even potentially hostile governments. Sometimes certificate authorities create or are coerced to create certificates for parties they have no business vouching for.
Among other things, intelligence agencies can use fraudulent certificates for espionage, malware injection, and forging messages or evidency to disrupt or discredit adversaries. For this reason, only limited trust should be placed on certificates from public certificate authorities.
Some organizations run their own private public key infrastructures. This means they run their own internal certificate authority. When the organization only trusts the internal CA for a certain purpose, there is a fair certainty that no-one else can issue certificates on their behalf. When they also trust public PKIs for the same entities, there is no added security, but they may save cost.
SSH's Role in the Development of Public Key Infrastructure
SSH Communications Security was one of the early pioneers in PKI. We participated in the standardization work for X.509v3 and proposed an alternative approach called Simple Public Key Infrastructure (SPKI) to address some of the trust issues with the X.509 standard. We wrote some of the standards documents on certificate enrollment protocols. We were also selling an advanced certificate authority product called SSH Certifier from 2001 onwards. Among other things, it pioneered support for multiple certificate authorities and multiple registration authorities in the same system and using customizable policy rules for choosing the certificate authority to obtain a certificate from. For more information, see SSH's contributions to PKI and Certificate management.