public key infrastructure (PKI)

Definition of public key infrastructure (PKI) in The Network Encyclopedia.

What is PKI (public key infrastructure)?

A set of services that support the use of public key cryptography in a corporate or public setting. A public key infrastructure (PKI) enables key pairs to be generated, securely stored, and securely transmitted to users so that users can send encrypted transmissions and digital signatures over distrusted public networks such as the Internet.

An effective, trustworthy public key infrastructure is essential for secure e-mail and World Wide Web (WWW) transactions, e-commerce, and virtual private networks (VPNs).

How It Works

Generally, a public key infrastructure consists of the following coordinated services:

  • A trusted certificate authority (CA) that can verify user identities and issue users digital certificates and public/private key pairs. Sometimes the verification of user identities is performed by a separate registration authority (RA), but this service can also be integrated with the CA.
  • A certificate store in which users can access the public keys of other users for encrypting messages or validating digital signatures. This store is usually based on the X.500 directory recommendations.
  • A digital certificate and key management system for generating, storing, and securely transmitting certificates and key pairs to users who request them.

Public key infrastructures can have different scopes. For example, a corporate enterprise can use Microsoft Certificate Server to establish a PKI for all its users and for those of partner companies such as suppliers and wholesalers. The PKI system can then be used to secure transactions between users that are sent over the Internet. PKIs can also be established on a national or global scale to support secure e-commerce transactions over the Internet involving users and vendors who are geographically and politically separated. PKIs on this scale consist of a hierarchy of CAs managed by different governments or companies and linked to a trusted root CA (such as the U.S. government). The current leader in worldwide PKI implementation is probably VeriSign, Inc., which is both a vendor of CA software and a CA.

In order for a public key infrastructure to work, it must be implemented in a hierarchical fashion with authorities, super-authorities, and root authorities, similar to the Internet’s Domain Name System (DNS). Standards bodies and cryptography vendors such as PKIx of the Internet Engineering Task Force (IETF), Pretty Good Privacy (PGP), Simple Public Key Infrastructure (SPKI), and Public Key Cryptographic Standards (PKCS) have proposed a global public key infrastructure, but there is no universal standard that has been agreed upon for a public key infrastructure, and implementations of the existing standards are often not interoperable.

Web References