Public key infrastructure (PKI)
Public key infrastructure (PKI) refers to the deployment and management of a public key encryption system, where asymmetric encryption keys are used to enable secure authentication and encryption-key exchange. PKI’s authentication and key-exchange mechanisms enable security functionality such as access control, secure messaging, data encryption, data/message signing, secure boot, and more. PKI is considered highly secure but also hard to manage, as it requires a set of roles, policies, and procedures to create, manage, distribute, use, store, and revoke encryption keys and related digital certificate
In PKI, digital certificates are used to associate a public key of a private-public key-pair (i.e. RSA, ECC) with the identity of its owner. In order to authenticate that the identity disclosed in the digital certificate, the owner needs to respond to a challenge using the private key belonging to the key-pair, that only he has access to.
Traditional PKI requires a trusted certificate authority (CA) to validate identities and create the digital certificate attesting to this validation. This centralized architecture creates a single point of failure where if the signing keys used to generate digital certificates are compromised, then the whole PKI is compromised. A decentralized PKI attempts to replace the central CA with a distributed certificate creation/signing scheme.
PKI relies on a trusted CA. If a CA is compromised, then the whole PKI is compromised and new certificates need to be issued. PKI also assumes that the private keys are controlled and accessible solely by their owners. Stealing or controlling the private key means that the identity represented by this key is compromised.
Yes, encryption is performed in PKI. PKI uses both symmetric encryption and asymmetric encryption to encrypted data.