Understanding PKI - Part 1

by Russ Rogers - 5/12/2000

Chances are, your life has changed with the impact of the Internet. Work communications are quicker and easier and the same thing applies to communication with your family and friends. At first glance, this might all seem fine and good, but once you begin to consider the privacy implications associated with sending your personal data across a global network you might change your mind.

There is, however, a solution. It's called Public Key Infrastructure (PKI), and unless you've been hiding under a rock for the last year or so, you've probably already heard of it. But what EXACTLY is PKI and how does it work?

PKI is a tool to help you positively identify anything that you can communicate with on the network. The objective is to know, without a doubt, that the person you are talking to on the other end IS the person you think it is. This task is accomplished using " public key cryptography".

Secure Transmissions

Public Key Cryptography uses a mathematical algorithm, combined with a user-defined value (or password) to encrypt information, making it unreadable. This information can be decrypted using a second mathematical algorithm (that complements the first algorithm) and another user-defined value.

One of these algorithm/value sets is called a public key. The public key is used by your friends, family and collegeages to encrypt messages that are being sending to you. The second algorithm/value set is called a private key and is maintained by you, the user. This key is used to decrypt messages that have been encrypted using your public key. The two keys together are referred to as a "key pair".

This method of encrypting/decrypting allows you to exchange secure email and communication across the Internet. You send your public key to your friends and they send their public key to you. When you send them an email, you encrypt the message using the public key they sent you. When they receive the encrypted message, they will use their private key to decrypt it and make it readable again.

You could also make your public key available on a public "key server" so that anyone can send you encrypted email. Public keys are available on key servers so that you don't actually have to send your public key to everyone you know. They can just look it up for themselves.

Ensuring Identity

You can also use these key pairs to create a "digital signature". Digital signatures are used to positively identity a user or computer from across the network. Your public key is embedded in the digital certificate and the digital certificate is attached to an email message or sent via web browser to identify you or to identify the remote site.

To actually create this digital signature, a copy of your message and personal information is encrypted using your private key. This digital signature is sent, along with the original email message, to the recipient. The total package created is called a digital certificate. Once the email is received, the recipient's email software will decrypt and verify the digital signature using the sender's public key, which is also embedded in the digital certificate.

Using these techniques, a recipient can be fairly confident that the sender IS who they say are and that the information has not been tampered with.

More to come in Part II...