PKI 101: All the PKI Basics You Need to Know in 180 Seconds

PKI 101: All the PKI Basics You Need to Know in 180 Seconds

1 Star2 Stars3 Stars4 Stars5 Stars (15 votes, average: 5.00 out of 5)
Loading...

Set your watch — we’ll cover all the PKI basics you didn’t know you didn’t know in less time than it takes to make a good cup of coffee

Have you recently made a purchase or shared other sensitive personal information with a website? If so, public key infrastructure likely had a hand in facilitating security for your internet transactions. Let’s dive right into what you need to know about PKI basics.

Public Key Infrastructure Explained: What Is PKI? A Look at the Basics

Public key infrastructure is the foundation of internet security and digital trust. It’s the rules, technical processes, and technologies that make it possible to exchange data securely on the internet. It relies on the use of public key infrastructure, which uses asymmetric cryptography (i.e., public key cryptography) to protect sensitive data from unintended eyes. (More on asymmetric encryption is just a moment.)

Encryption is the process of taking plaintext (i.e., readable) data and turning it into something indecipherable without the use of a secret key. On the internet, this involves using digital certificates that are issued by third-party certificate authorities (CAs). These publicly trusted entities must meet specific security standards to issue certificates.

Don't make the same mistakes

Yahoo, Equifax, Home Depot,

LinkedIn, and Ericsson did!

Get our free 15-point checklist and

avoid the same costly pitfalls.

Please Select Your Country
  • Afghanistan
  • Albania
  • Algeria
  • Andorra
  • Angola
  • Antigua & Deps
  • Argentina
  • Armenia
  • Aruba
  • Australia
  • Austria
  • Azerbaijan
  • Bahamas
  • Bahrain
  • Bangladesh
  • Barbados
  • Belarus
  • Belgium
  • Belize
  • Benin
  • Bermuda
  • Bhutan
  • Bolivia
  • Bosnia Herzegovina
  • Botswana
  • Brazil
  • Brunei
  • Bulgaria
  • Burkina
  • Burundi
  • Cambodia
  • Cameroon
  • Canada
  • Cape Verde
  • Central African Rep
  • Chad
  • Chile
  • China
  • Colombia
  • Comoros
  • Congo
  • Congo {Democratic Rep}
  • Costa Rica
  • Croatia
  • Cuba
  • Curaçao
  • Cyprus
  • Czech Republic
  • Denmark
  • Djibouti
  • Dominica
  • Dominican Republic
  • East Timor
  • Ecuador
  • Egypt
  • El Salvador
  • Equatorial Guinea
  • Eritrea
  • Estonia
  • Eswatini
  • Ethiopia
  • Fiji
  • Finland
  • France
  • Gabon
  • Gambia
  • Georgia
  • Germany
  • Ghana
  • Greece
  • Grenada
  • Guatemala
  • Guinea
  • Guinea-Bissau
  • Guyana
  • Haiti
  • Honduras
  • Hungary
  • Iceland
  • India
  • Indonesia
  • Iran
  • Iraq
  • Ireland {Republic}
  • Israel
  • Italy
  • Ivory Coast
  • Jamaica
  • Japan
  • Jordan
  • Kazakhstan
  • Kenya
  • Kiribati
  • Korea North
  • Korea South
  • Kosovo
  • Kuwait
  • Kyrgyzstan
  • Laos
  • Latvia
  • Lebanon
  • Lesotho
  • Liberia
  • Libya
  • Liechtenstein
  • Lithuania
  • Luxembourg
  • Macedonia
  • Madagascar
  • Malawi
  • Malaysia
  • Maldives
  • Mali
  • Malta
  • Marshall Islands
  • Mauritania
  • Mauritius
  • Mexico
  • Micronesia
  • Moldova
  • Monaco
  • Mongolia
  • Montenegro
  • Morocco
  • Mozambique
  • Myanmar
  • Namibia
  • Nauru
  • Nepal
  • Netherlands
  • New Zealand
  • Nicaragua
  • Niger
  • Nigeria
  • Norway
  • Oman
  • Pakistan
  • Palau
  • Panama
  • Papua New Guinea
  • Paraguay
  • Peru
  • Philippines
  • Poland
  • Portugal
  • Qatar
  • Romania
  • Russian Federation
  • Rwanda
  • St Kitts & Nevis
  • St Lucia
  • Saint Vincent & the Grenadines
  • Samoa
  • San Marino
  • Sao Tome & Principe
  • Saudi Arabia
  • Senegal
  • Serbia
  • Seychelles
  • Sierra Leone
  • Singapore
  • Slovakia
  • Slovenia
  • Solomon Islands
  • Somalia
  • South Africa
  • South Sudan
  • Spain
  • Sri Lanka
  • Sudan
  • Suriname
  • Sweden
  • Switzerland
  • Syria
  • Taiwan
  • Tajikistan
  • Tanzania
  • Thailand
  • Togo
  • Tonga
  • Trinidad & Tobago
  • Tunisia
  • Turkey
  • Turkmenistan
  • Tuvalu
  • Uganda
  • Ukraine
  • United Arab Emirates
  • United Kingdom
  • United States
  • Uruguay
  • Uzbekistan
  • Vanuatu
  • Vatican City
  • Venezuela
  • Vietnam
  • Yemen
  • Zambia
  • Zimbabwe

Contact details collected on InfoSec Insights may be used to send you requested information, blog update notices, and for marketing purposes. Learn more...

What PKI Helps You Do

At its core, PKI enables you to do three important things (we’ll dive into the specifics of these more a little later):

  1. Authenticate entities you’ve never met (users, clients, servers, and other devices). The use of digital signatures helps you verify the other party’s identity, so you know you’re communicating with the right person or entity.
  2. Encrypt your data in transit (emails, files, and data transmissions). Public key encryption allows you to secure the data channel that you and the other party use to transmit data. This helps protect your data’s privacy and confidentiality by keeping it from prying eyes.
  3. Protect the integrity of your data (ensure no one secretly modifies data). Cryptographic hashes help you ensure that your data isn’t tampered with in transit.

Fundamentals of PKI: Asymmetric Cryptography Protects Data on Insecure Networks

Let’s take a closer look at PKI security fundamentals to understand how it’s used to secure data on the internet. Asymmetric cryptography relies on a public-private keypair:

  • The public key encrypts data, and
  • The private key decrypts it.

For you skimmers, here’s a quick overview of PKI basics in video form:

Up until the 1970s, encryption was always symmetric, meaning that one key would encrypt and decrypt data. This is why symmetric cryptography is also known as private key encryption (because it uses a single key instead of two unique ones). This means you’d have to physically meet up to exchange keys with someone to communicate via this private key encryption.

Obviously, this doesn’t work when you’re using the internet to do business with someone in another state, country, or continent. This is why asymmetric encryption came into the picture. Experts realized the need for exchanging sensitive key data even when only insecure (open) channels were available.

With public key cryptography, you don’t have to meet up in person because you’re using a cryptosystem that involves a public shared value and a private value. The sender uses the recipient’s public key to encrypt data, and then the recipient decrypts it using their corresponding private (secret) key. This enables the sender to give the recipient symmetric key information that both parties can use to create a secure, symmetrically encrypted session to communicate.

Asymmetric vs Symmetric Encryption

Here’s a quick overview of public key vs private key encryption:

An illustration that compares the single key of symmetric encryption with the two keys (public and private) used in asymmetric encryption.
Image caption: A side-by-side comparison that shows the most basic difference between asymmetric and symmetric encryption.

Why bother using symmetric session? It’s because symmetric encryption is faster than asymmetric encryption, less resource intensive, and more secure when using smaller keys. But in order to get to a point where you can use symmetric encryption when connecting with someone in another geographic location, you first need to use asymmetric encryption to securely exchange data via open networks.

PKI Basics Example: How PKI Works to Create a Secure Website Connection

Let’s walk you through a basic overview of how it works when you connect to a website. This is known as an SSL/TLS handshake. In this process, your web client (browser):

  • Verifies the site server’s digital identity using its SSL/TLS certificate. This ensures the client is connecting to the right place.
  • Uses cryptographic processes (including encryption) to create a secure channel. This helps to protect your data as it transmits from your device to the website’s server.
  • Protects the integrity of your data. This way, your recipient knows your data wasn’t tampered with or stolen in transit.

The process looks like this:

An illustration that walks you through the PKI basics of how public key infrastructure facilitates secure website connections between a user's client and the website's server it connects to on the other end.
Image caption: An illustration that shows the basics of how asymmetric encryption plays a pivotal role in establishing a secure website connection. Basically, public key cryptography is used to create a secure private key session.

PKI Fundamentals: PKI Isn’t Just About Encryption

It also uses other types of cryptographic functions — and hashing ciphers and digital signature algorithms — to help with protecting data integrity and enabling identity verification.

  • Hash function — This form of cipher is used to convert data of any size to a fixed-length string. Unlike encryption, which is a two-way function because encrypted data is intended to be reversed, hashing isn’t meant to be reverse engineered. It protects data integrity by informing you about whether data has been altered since it was signed.  To learn more, check out our article on hashing vs encryption.
  • Digital signature — A digital signature is what enables your device or operating system to idendgfgerrgfwergergearfgaergaerfgaergghtgtify an email, software executable, or another piece of data to determine whether it’s authentic (i.e., came from the legitimate party, not an intruder). 

These cryptographic processes play important roles in cyber security, including in the SSL/TLS handshake explained above.

Why You Should Use PKI for Your Organization

Aside from the reasons we’ve already covered (authentication, data integrity, and security), here are several other motivations for why you should use PKI to secure your organization and data:

  • Secure access privileges at scale. Rather than relying strictly on traditional usernames and passwords, PKI digital certificates (i.e., X.509 digital certificates) — particularly when paired with certificate life cycle management automation — help you secure access to your most sensitive resources and data more efficiently.
  • Instill trust in your brand. People are more likely to want to do business with you if they can trust your business. Having a verifiable digital identity goes a long way in helping you earn that trust.
  • Improve your Google ranking. If you didn’t know that enabling HTTPS on your website helps improve your search ranking, now you do. (You’re welcome.) So, if you want your website to have a chance of landing in Google’s top 10, then you need to install an SSL/TLS website security certificate on your server ASAP.
  • Meet regulatory requirements. Even if they don’t necessarily mention PKI by name, many cybersecurity regulations and data privacy laws require the security, confidentiality, and data integrity protection PKI affords. This includes:

Final Thoughts on PKI Security Fundamentals

We hope that you’ve found this article on PKI basics informative and useful. It’s easy to see why PKI has been trusted as the foundation of internet security for decades. To learn more about various aspects of public key infrastructure, we invite you to go back and check out the resources embedded in the article. 

About the author

Casey is a writer and editor with a background in journalism, marketing, PR and communications. She has written about cyber security and information technology for several industry publications, including InfoSec Insights, Hashed Out, Experfy, HackerNoon, and Cybercrime Magazine.