The Secret Security Wiki


Public key infrastructure

Public key infrastructure (PKI) refers to the deployment and management of a public key encryption system, where asymmetric encryption keys are used to enable secure authentication and encryption-key exchange. PKI’s authentication and key-exchange mechanisms enable security functionality such as access control, secure messaging, data encryption, data/message signing, secure boot, and more. PKI is considered highly secure but also hard to manage, as it requires a set of roles, policies, and procedures to create, manage, distribute, use, store, and revoke encryption keys and related digital certificate

  • How does PKI use Digital certificates?

    In PKI, digital certificates are used to associate a public key of a private-public key-pair (i.e. RSA, ECC) with the identity of its owner. In order to authenticate that the identity disclosed in the digital certificate, the owner needs to respond to a challenge using the private key belonging to the key-pair, that only he has access to.

  • What are known weaknesses in public key infrastructure?

    Traditional PKI requires a trusted certificate authority (CA) to validate identities and create the digital certificate attesting to this validation. This centralized architecture creates a single point of failure where if the signing keys used to generate digital certificates are compromised, then the whole PKI is compromised. A decentralized PKI attempts to replace the central CA with a distributed certificate creation/signing scheme.

  • What trust model does PKI rely on?

    PKI relies on a trusted CA. If a CA is compromised, then the whole PKI is compromised and new certificates need to be issued. PKI also assumes that the private keys are controlled and accessible solely by their owners. Stealing or controlling the private key means that the identity represented by this key is compromised.

  • Does PKI perform encryption?

    Yes, encryption is performed in PKI. PKI uses both symmetric encryption and asymmetric encryption to encrypted data.