PKI Explained over a Short Coffee Break!

In today's world IT security has become a major concern in every industry. Sensitive data and vital information are being transferred over unsecure channels on a daily basis. However, the usability of PKI as a security infrastructure has seen a significant upswing in terms of IoT communication and digital document signing, as explained by Hrvoje Bek, PKI Product Manager, over a short coffee break.

What is PKI?

"Let me start off by saying: “If you need trust, you need PKI”. To be more technical, public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store & revoke digital certificates and manage public-key encryption. Basically, to ensure your information is safeguarded, you really need something more than just a password. PKI is based around the notion of verification functions between two parties. To put it simply, you can imagine a passport which was issued by the government (a trusted party) and this represents your identity. They are trusted all over the world, because the border guard trusts the government that signed the passport. Every passport is signed by the owner and the authorized government department. Also, to ensure that nobody tampers with the information within the passport you need to encrypt it with dedicated encryption algorithms, and you are ready to travel.”

What are the key components of PKI?

"Going beyond just pure IT infrastructure such as servers, storages and applications, we can state that a typical PKI consists of policies, standards, hardware and software that manage the creation, distribution, revocation and administration of digital certificates. The Rosetta stone of the PKI is the Certificate Authority (CA), which is a trusted party that ensures that the above mentioned digital certificates are trustworthy. Moreover, the whole PKI concept relies on the private and public key pairs which are the baseline for asymmetric cryptography. “

What is a digital certificate?

"A digital certificate contains information that helps guarantee a person is not an impostor. You get a digital certificate by request by visiting a CA website and providing information that identifies you. Finally, the purpose of digital certificates is to tie the public key to a person, service or thing. “

What are public and private keys?

"Public and private keys are essentially two numbers which are generated using cryptographic algorithms based on mathematical problems. On the other hand, moving away from pure technical definition, the public key is something that is disseminated widely and private key is something known only to the owner. In such a system, any person can encrypt a message (containing information) using the receiver's public key, but that encrypted message can only be decrypted with the receiver's private key.”

How does PKI support strong authentication?

“When, for example, two entities (a server and a client) try to communicate, the server generates random data and sends to the client. The client encrypts the data with its private key and sends it back to the server. The server decrypts the data with the public key in the client’s digital certificate and if the decrypted data is the same as the sent data, the server acknowledges the client identity.”

How does PKI support digital document signing?

“The first thing we need to do is to apply algorithms which will convert the information into a digital twin of the document contents – what is commonly named hash value. The next thing is to encrypt the resulted hash value with the document owner’s private key. Adding this encrypted hash value to the original document actually means that we have digitally signed the document. Adding the owner’s digital certificate, which contains the public key, to the document implies that the receiving side can decrypt the signature. As well, the receiving party can confirm the validity of the signature (non-repudiation) and integrity of the document (evidence of non-tampering) by calculating the hash value of the document and matching it to the decrypted value, provided that the results are identical.”

Hrvoje Bek started his career as a mobile network optimization engineer. After that he worked for several years in the position of a business development consultant, working in the markets of the Near East and Latin America, mainly with the telecom and power sector, offering enterprise solutions in the process and resource management domain. During his professional career, he completed his EMBA study at Cotrugli and is currently in the position of Product Manager at Asseco SEE HR.