A Public Key Infrastructure (PKI) is used to manage and distribute keys and digital certificates in publicly accessible networks to ensure secure digital communications. The exchange of data, information and messages via the Internet takes place in a PKI through a key pair consisting of a public key and a private key. The keys are linked by a mathematical function so that data which is encrypted with the public key can only be decrypted with the private key (one-way). If a sender and a recipient want to exchange sensitive data, various parts of the PKI handle the verification of the transmitted data (integrity) and the authentication of the communication participants using the key pair (authentication).
The public-key infrastructure issues certificates, passes them on to the communication participants and checks the certificates for authenticity. With this multi-stage check, sender and recipient are authenticated and the data to be transmitted is subjected to an integrity test. Public Key Infrastructures are a combination of symmetric and asymmetric encryption methods that work with two different keys to solve the key exchange problem in cryptography, using an information technology infrastructure and a certification authority that digitally signs data and keys in an automated process. The standard protocol on the Internet is called PKIX (Public Key Infrastructure Exchange). Other similar approaches exist, such as Let’s Encrypt or OpenPGP.
The secure transmission of messages between senders and receivers was an important issue with the development of the Internet, which also attracted the attention of the tech-savvy public. The importance of data protection and privacy has grown rapidly with the technological development, especially in e-commerce, B2B commerce, and later also in online banking. The focus was not only on the encryption of data, but also on the threat of communication participants who were able to interfere with the transmission of data using computer-assisted methods, for example, to crack passwords, copy customer data or paralyze whole systems.
While transmitted data has been encrypted with symmetrical methods since the 1950s, the need for a review of the communication participants has become evident. A one-to-one communication between government agencies can be relatively easily protected if the key is kept secret, but one-to-many communication on the World Wide Web requires key distribution and management, because of the quantity of participants. To test the actual identities of transmitters and receivers, new asymmetric as well as hybrid methods were invented and tested. One of the best-known methods still used today is the RSA cryptosystem, which was released in 1977.
The concepts of public-key infrastructure and public key encryption encompass various approaches which have developed partly in parallel over the past fifty years and built on one another. Some examples of PKIs or similar infrastructures and security protocols:
Public key infrastructures are characterized in particular by a trusted third party which is responsible for the confidentiality of transmitted messages. In a PKI, this party is called a certification authority (CA). It is the hub for managing certificates and can itself be certified, for example, by Internet users (Web of Trust), ISPs, or the Internet Engineering Task Force (IETF).
The most important components of a public key infrastructure:
If a message is to be encrypted and sent, the sender uses the recipient’s public key. The sender also signs the message, using his own private key for the digital signature. The receiver decrypts the message with his private key. The supplied signature is also decrypted, for which the public key of the sender is used. Thanks to the separate transmission of the digital signature, the recipient can authenticate the sender, and thanks to the receiver's private key, only he can read the message in plaintext. The provision of the certificates, which are digitally signed, creates a secure communication channel which can only be used by trusted transmitters and receivers. However, the certification authority itself must not be compromised, which is an essential problem of the hierarchical model.
PKI systems are, in principle, one of the safest methods of digital data transmission. However, the current state of these types of encryption methods and procedures for verifying integrity and authenticity is unclear. Depending on the application, different systems are in use and the variety of providers makes public key encryption sometimes unworkable for the end user. This is because the sender and the recipient have to define a procedure which can be problematic in large, distributed networks such as the World Wide Web.
The result is that there are currently different types of trust models in digital communication, none of which have yet been implemented. The following approaches should be mentioned:
In practice, only some applications of hybrid encryption methods, such as HTTPS, SSL or TLS, are often used. For example, HTTPS is the standard in e-commerce, banking, and B2B commerce. In private email communication, public key procedures are less frequent, since recipients of emails can read them only if they are participating in the same process as the sender. In general, the PKI market is diversified. It remains to be seen what kind of PKI system will protect the Internet of the future from identity theft, man-in-the-middle attacks, and eavesdropping.