The term public key infrastructure is a very broad concept in cryptography. It commonly refers to the policies, procedures, hardware, and software responsible for creating, distributing, managing, storing, revoking, and handling other processes associated with digital certificates.
PKI is also used as a way to associate a certificate with people or devices, usually in conjunction with a Certificate Authority (CA). This association helps establish trust, confirming that a particular user or device is really who they claim to be.
Before diving into public key encryption, it's important to understand symmetric encryption. In symmetric encryption, the same key is used for both encrypting and decrypting information.
In popular culture, this is often depicted as a single secret key locked in a suitcase, secured to a delivery person to ensure no unauthorized access. However, sharing the same key among multiple parties can lead to scalability issues as the number of individuals or devices increases.
Although sharing the key among many users poses challenges, symmetric encryption is widely used because it is very fast and has minimal computational overhead compared to asymmetric methods.
Unlike symmetric encryption, asymmetric encryption uses two different keys: one for encryption (public key) and one for decryption (private key). These two keys are mathematically related and are generated simultaneously.
The true power of asymmetric encryption is that, although both keys are related, it is computationally infeasible to derive the private key from the public key. This ensures secure communication even if the public key is widely distributed.
Tools such as PGP or GPG facilitate the generation of a public and private key pair through processes that involve significant randomization and the use of large prime numbers. Typically, the key generation process is completed only once at the outset.
After generation, the public key is distributed openly (for example, on a website or social media), while the private key is stored securely, often protected by a password. This protects the private key from unauthorized access.
Consider an example where Alice creates a public/private key pair. She makes her public key available to everyone while keeping her private key secure. Bob, who wants to send Alice an encrypted message, uses her public key to encrypt his plaintext message ("Hello, Alice") into ciphertext.
Even if the ciphertext is intercepted, it cannot be decrypted without Alice's private key. When Alice receives the ciphertext, she uses her private key to decrypt it, recovering the original plaintext.
In organizations with hundreds or thousands of users, managing each user's public and private keys can be complex. In such cases, third-party key management services or key escrow arrangements might be used. Key escrow allows an organization to securely store private keys, ensuring that data can still be decrypted even if the original user is unavailable.
Although handing over a private key to another party might seem controversial, it can be necessary to maintain data accessibility and uptime in larger environments.