PKI Explained: Why It Is Necessary and Relevant Now More Than Ever

By Mark B. Cooper

The Nexus  |  Monday, 14 May 2018

Unauthorized access, unsigned applications (malware) and unsecured email. What can help prevent these top 3 cyberthreats impacting organizations today? Public key infrastructure (PKI). PKI enables a trusted environment by authenticating and ensuring the integrity of data and users. The word “authentication” is of Greek origin, authentikos, meaning “real, genuine.” Authentication is the process of proving something to be true, genuine or valid.

At the highest level, PKI is a set of software and hardware technologies designed to manage the creation, storage, transmission and authentication of digital certificates and their associated encryption keys. A real-world analogy to a digital certificate is a driver’s license. In the digital realm, a digital certificate serves as a way for people or devices to prove who or what they are, because a part of the PKI known as a certificate authority (CA) has issued and “signed” the certificate, vouching for the person/device.

PKI-enabled systems provide strong authentication and encryption of data by using cryptographic functions. Unlike traditional identity processes where users are identified by passwords, a PKI issues a certificate via known, trusted channels and binds the certificate to a cryptographic key pair. The key pair consists of a widely shared public key, and the holder of the certificate maintains a private key that is unknown to anyone else. A cryptographic function ties these 2 keys together so that actions performed by one can be verified or decrypted by the other.

Why Would an Organization Need PKI?

PKI-based networks have significantly stronger security than those that rely on passwords (and all of their known weaknesses) and have significantly better manageability properties than other encryption schemes such as pre-shared keys. Specifically:

  • PKI-based systems enable authentication and encryption to occur without the need to share highly confidential private keys.
  • The keys in PKI-based systems can be used for one-way encryption functions where only the designated owner of the key can decrypt data. This prevents man-in-the-middle (MitM) attacks without knowledge of the key pair.
  • Certificates used in PKI-based systems can be easily revoked (i.e., in the event of a lost or stolen device).

PKI is a highly effective solution for any organization facing cybersecurity threats including ransomware, human factor, financial pretexting, phishing and outside attackers.

As opposed to phase-shift keying (PSK)-based systems, PKI-based systems do not require unique sets of keys for all combinations of devices that must communicate with each other. Instead, a server stores only its own key pair and does not have to store all of its clients’ keys. This dramatically reduces the workload required to manage sets of keys and allows the number of network devices and users to scale to large numbers.

While PKI is not a brand new technology, it is a highly effective solution for any organization facing the latest cybersecurity threats including ransomware, human factor, financial pretexting, phishing and outside attackers. By leveraging a PKI, virtual private network (VPN) environments can vastly improve their security posture. Cryptographic keys cannot be socially engineered or easily stolen, so by requiring a certificate to authenticate to a VPN, organizations have a much higher level of assurance of who or what is connecting to the network.

For applications such as HTTPS-protected websites or web applications, Transport Layer Security (TLS) uses certificates to identify hosts providing TLS services and to bootstrap the encryption process for clients and servers. TLS can also be used to support client-side authentication where clients must present a certificate to authenticate to a website rather than using password-based authentication. This mutual authentication ensures both parties are able to positively identify the other. Thinking of this process—in a very simplified form—as a virtual, encrypted handshake makes it clear that it is a way of validating a connection.

Mark B. Cooper

Is president and founder of PKI Solutions. He has deep knowledge and experience in all things PKI and has been known as “The PKI Guy” since his early days at Microsoft. PKI Solutions Inc. provides consulting, training and software solutions for Microsoft PKI and related technologies for enterprises around the world. Prior to founding PKI Solutions, Cooper was a senior engineer at Microsoft, where he was a PKI and identity management subject matter expert who designed, implemented and supported Active Directory Certificate Services (ADCS) environments for Microsoft’s largest customers.