PKI stands for Public Key Infrastructure. It refers to a set of technologies, policies, and laws that together ensure information security. PKI allows individuals, organizations, and governments to ensure the authenticity and integrity of any transaction: a financial transaction, an exchange of documents, a contract signed between interested parties, or simply the transmission of website data. Additionally, PKI enables non-repudiation: when a transaction happens between interested parties, everyone involved is held liable and no party can later deny having taken part in it.
Technology
Let’s assume Abdullah and Zami want to sign a contract. Abdullah wants to make sure the contents of the contract are kept confidential and only Zami can see them. On the other hand, Zami wants to make sure the copy of the contract he receives actually comes from Abdullah. They can ensure both confidentiality and authenticity through PKI. For confidentiality, the contract can be encrypted, while a digital signature makes sure the contract comes from an authentic source.
Symmetric key
A symmetric key refers to a single key used both to encrypt and to decrypt data. Some algorithms that use a symmetric key are DES, AES, and ChaCha20.
Asymmetric key
An asymmetric key refers to a key pair: a public key and a private key. If any data is encrypted with the public key, it can only be decrypted with the corresponding private key. If any data is encrypted with the private key, it can only be decrypted with the corresponding public key. Some algorithms that use an asymmetric key pair are RSA, DH, and EC.
Hash
A hash value refers to a fixed-length string generated from any data. For a strong hash algorithm this value is practically unique, and changing the contents of the data will change the hash value. The strength of a hash algorithm is determined by its output length in bits: the more bits, the lower the likelihood of a collision. A collision means that the same hash string is generated from two different pieces of data. Some examples are SHA1, SHA256, SHA384, and SHA512.
Abdullah and Zami each generate an asymmetric key pair using an algorithm they agreed upon. Now, they both have a private key and a public key. The private key must be kept secret, while the public key can be distributed for authentication purposes.
First, Abdullah needs to generate a hash value of the contract document. Then he encrypts the hash value with his private key. This is Abdullah’s Digital Signature. Then, he encrypts the entire document with Zami’s public key. This way only Zami can decrypt the document with his private key and see the actual contents.
On Zami’s end, Zami receives the encrypted document. He decrypts the document with his private key. Then, he decrypts Abdullah’s digital signature with Abdullah’s public key. Zami also generates his own hash value of the document. Then, he compares his own hash value with the hash value found in Abdullah’s digital signature. If these two hash values match, the document was received as sent and the digital signature is valid. However, if the hash values do not match, the document contents might have changed and the digital signature cannot be trusted.
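The sign-then-encrypt exchange above, written out as an added example in Go (this is not code from the original post; the names Seal, Open and Envelope are assumptions for this illustration). The "encrypt the hash with the private key" step is done by a real signature scheme, RSA-PSS, and the document itself is encrypted with RSA-OAEP under Zami's public key:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)
// Envelope: the contract encrypted to Zami's public key, plus Abdullah's
// signature over the contract's SHA-256 hash.
type Envelope struct{ Ciphertext, Signature []byte }

// Seal is Abdullah's side: hash, sign the hash with the sender's private key,
// encrypt the document with the recipient's public key. RSA-OAEP only fits a
// short message; real systems wrap a symmetric key this way (hybrid encryption).
func Seal(doc []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(doc)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, doc, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, Signature: sig}, nil
}

// Open is Zami's side: decrypt with his private key, recompute the hash and
// check it against the hash bound into Abdullah's signature. A tampered body
// or a signature made with someone else's key fails verification.
func Open(env *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	doc, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.Ciphertext, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(doc)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature does not match document: %w", err)
	}
	return doc, nil
}
func main() {
	abdullah, _ := rsa.GenerateKey(rand.Reader, 2048) // demo key pairs
	zami, _ := rsa.GenerateKey(rand.Reader, 2048)
	env, _ := Seal([]byte("constructed sample contract"), abdullah, &zami.PublicKey)
	doc, err := Open(env, zami, &abdullah.PublicKey)
	fmt.Printf("%s err=%v\n", doc, err)
}
```

Open rejects both a document whose body was altered after signing and a signature produced by a third party's key pair, which is exactly the gap the next section's Certifying Authority addresses: Zami still has to know that the public key he verifies against really belongs to Abdullah.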

Policy
In the example, Abdullah and Zami generated their own key pairs. However, someone else can generate a key pair as well and impersonate Abdullah or Zami. How do we tackle this problem? Here comes the role of the Certifying Authority, or CA for short. A CA is a trusted body that issues digital certificates after verifying the identity of an individual or an organization. A Certifying Authority may operate on its own or under a license from the government or another root CA. CAs strictly follow certain policies to ensure trust among their clients, and these policies are listed in the Certificate Practice Statement (CPS).
Law
Certain laws give PKI legal validity compared to its traditional counterpart, for example a digital signature in place of a wet-ink signature. In Bangladesh, PKI is given legal validity under the ICT Act 2010. Some other countries that use PKI in their national infrastructure, such as in e-governance, e-ID, and e-voting, are:
- India: e-governance framework
- Estonia: e-identity and e-voting
- Singapore: PKI enabled national identity card
- Japan: e-governance (GPKI)
- Belgium: national identity card (eID)
- USA: healthcare and financial services
Apart from that, the most common use of PKI is perhaps an SSL (TLS) certificate, which enables the HTTPS and SFTP protocols for secure communication and file transfer in a browser.
