Public Key Infrastructure | CompTIA Security+ 701

Key Concepts in PKI

Public Key

Think of a public key as a special padlock that you give to everyone. Anybody can use this padlock to lock a box (encrypt a message), but only you have the key (your private key) to open it. Public keys are freely shared and used to encrypt messages or verify digital signatures.

Example: Alice wants to send a private message to Bob. She uses Bob’s public key to encrypt the message before sending it. This ensures that only Bob, with his private key, can decrypt and read the message, even if someone intercepts it.

Private Key

Your private key is like the secret key to your padlock. It must be kept secure and never shared. You use it to decrypt messages that were encrypted with your public key or to sign messages digitally.

Example: Bob receives Alice’s encrypted message. He uses his private key to unlock (decrypt) it and read the contents.

Dual Role of Public and Private Keys

Public and private keys can be used in two ways:

• Encrypting and Decrypting Messages: If someone encrypts a message using your public key, you can decrypt it using your private key. This ensures confidentiality.
• Digital Signatures: When you use your private key to sign a document, it creates a unique signature. Anyone can verify it with your public key to ensure the message is authentic and hasn’t been tampered with.

Other Key Components of PKI

Key Escrow

Key escrow is like having a spare key stored safely with a trusted third party. In PKI, this means securely storing a copy of your private key with an escrow agent.

Example: If Bob loses access to his private key, he can retrieve it from the escrow agent to regain access to encrypted data.

Digital Certificates

A digital certificate is like an ID card for websites, proving their identity. Certificates are issued by Certificate Authorities (CAs) and include information such as the owner’s public key, expiration date, and the CA’s digital signature.

Why PKI Matters

Secure Communication

PKI ensures secure communication by encrypting sensitive data like messages, financial transactions, and login details.

Data Integrity

PKI ensures that the data you receive hasn’t been altered. Digital signatures verify that data remains unchanged during transmission.

Authentication

PKI authenticates users and systems. For example, when you visit your bank’s website, your browser checks its digital certificate to ensure you’re communicating with the real bank.

Examples of PKI in Action

Online Banking

When logging in to your bank account, PKI secures the connection. Your browser checks the bank’s certificate to confirm it’s legitimate. Once verified, your data is encrypted before being sent.

Email Encryption

Email services use PKI for encryption. If you send an email, your client encrypts it using the recipient’s public key. The recipient then decrypts it using their private key, ensuring only they can read it.

Challenges and Considerations

Key Management

Managing keys is critical. Losing a private key can mean losing access to encrypted data. Similarly, if a private key is stolen, the thief can impersonate the owner. Strong protections and policies are necessary to secure keys.

Certificate Revocation

If a digital certificate is compromised, it must be revoked to prevent misuse. Systems like Certificate Revocation Lists (CRLs) or the Online Certificate Status Protocol (OCSP) ensure revoked certificates are no longer trusted.

Trust Hierarchy

PKI relies on Certificate Authorities (CAs) to issue and validate certificates. However, trust in PKI depends on the reliability of these CAs. If a CA is compromised, security breaches can occur. Regular audits and careful selection of CAs help maintain trust.