What is PKI?

PKI is the acronym for Public Key Infrastructure. The technology is called Public Key because unlike earlier forms of cryptography it works with a pair of keys. One of the two keys may be used to encrypt information which can only be decrypted with the other key. One key is made public and the other is kept secret. The secret key is usually called the private key. Since anyone may obtain the public key, users may initiate secure communications without having to previously share a secret through some other medium with their correspondent. The Infrastructure is the underlying systems needed to issue keys and certificates and to publish the public information.

Public Key Certificates

A public key needs to be associated with the name of its owner. This is done using a public key certificate, which is a data structure containing the owner's name, their public key and e-mail address, validity dates for the certificate, the location of revocation information, the location of the issuer's policies and possibly other information such as their affiliation with the certificate issuer (often an employer or institution). The certificate data structure is signed with the private key of the issuer so that a recipient can verify the identity of the signer and prove that data in the certificate has not been altered. Public Key Certificates are then published, often in an LDAP directory, so that users of the PKI can locate the certificate for an individual with whom they wish to communicate securely.

Encryption and Signing

A secret key allows two transformations of data to occur. Plain text is transformed to cipher text, which is unreadable until it is transformed back to plain text using the secret key. A public key system uses the Encrypt and Decrypt functions in turn to implement two primitive operations, data encryption and signatures.

To encrypt data you use the public key of the recipient to transform a plain text message to cipher text. The cipher text of the message can be converted back to plain text only by using the corresponding private key. Since this private key is known only by the intended recipient, only that individual can decrypt the message.

A signature is created by transforming plain text to cipher text using the private key of the signer. A signature is verified by looking up the public key of the signer and attempting to transform the cipher text of the signature back to plain text. If the operation is successful this verifies that the data encryption was done with the corresponding private key. This implies that the signature was produced by the owner of that private key.

Back to PKI Lab Home

Dartmouth College PKI Lab
Last update: 7 January 2004