PKI (Public Key Infrastructure)

From Bauman National Library
This page was last modified on 18 June 2016, at 15:01.
Public Key Infrastructure
Developer(s) British intelligence agency GCHQ
Written in C++
Operating system Windows
Type Directory service


Public Key Infrastructure (PKI) - a system of digital certificates, certification authorities, and registration authorities that verify and confirm the identity of each entity involved in an electronic transaction by using public key cryptography. PKI uses public key technology to:

  1. Identify the principals of an electronic exchange (users, programs, systems),
  2. Ensure the confidentiality of information,
  3. Monitor the integrity of the information,
  4. Determine the origin of the information.

Basic definitions

Digital certificate - a data structure that is used to bind a particular module to a specific public key. Digital certificates are used to verify the authenticity of users, applications and services (authentication), and for access control.

Digital envelope - a method of using public-key encryption to securely distribute the secret keys used in symmetric encryption when sending encrypted messages. It significantly reduces the key distribution problem associated with symmetric encryption.

Digital signature - a method of using public key encryption to ensure data integrity and non-repudiation of sending. Once the recipient decrypts the encrypted unit of information, it identifies the sender and confirms the data. For example, the document is "compressed" (hashed), and the hash is encrypted with the sender's private key and attached to the document (in effect, a "fingerprint" of the document is made). The recipient uses the public key to decrypt the received signature back to the digest, which is then compared with the digest obtained by "compressing" the received document. If the two digests do not match, the document has been altered or corrupted during transmission.

Public key encryption - a type of encryption that uses a pair of keys: a public key, i.e. one that is freely available, and the corresponding private key, known only to the particular user, application or service that owns it. The key pair is linked in such a way that data encrypted with the private key can only be decrypted with the public key, and vice versa.

Symmetric encryption - a type of encryption in which the sender and receiver use the same key for encryption and decryption. This means that many users must have the same keys. Obviously, encryption is impossible until the user has obtained the key, while distributing the key over the network is not secure. Other distribution methods, such as a special courier, are expensive and slow.

The RSA algorithm - the first cryptographic system with a public key, named after its inventors: Ronald Rivest, Adi Shamir, and Leonard Adleman.[1]

PKI Components


The basic idea

The tasks of a PKI are to define the policy for issuing digital certificates, to issue and revoke them, and to keep the information necessary for the subsequent validation of certificates. Applications that support PKI include: secure e-mail, payment records, electronic checks, electronic exchange of information, data protection in IP networks, and electronic forms and documents with an electronic digital signature (EDS).

The operation of a public key infrastructure is governed by a system of regulations. PKI is based on the principles of a public key cryptographic system. A public key infrastructure consists of the CA [2], end users, and optional components: a registration center and a network directory.

PKI operates on certificates. A certificate is an electronic document that contains the user's electronic key (the public key or a key pair), information about the user who owns the certificate, the certifying signature of the certificate-issuing center, and information about the validity of the certificate.

For a client to work with a certification authority, the authority must be added to the client's trusted list. Once it is on the list, any certificate issued by the trusted authority is considered reliable, and its owner worthy of trust.

The certification authority also publishes certificate revocation lists (CRLs), which clients of the public key infrastructure can use when deciding whether to trust the certificate of a user and/or computer.

A key pair is created either by the certification authority at the user's request, or by the user with the help of special software. The user makes a certificate request, and then, after the user identification procedure, the authority issues a certificate bearing its signature. This signature indicates that the certificate was issued by this particular certification authority and by no other.

The private key is used to sign data; the public key, in turn, is used to encrypt data. The public key is known to everyone, and the private key is kept secret. The owner of the private key always keeps it in a secure store and must under no circumstances allow it to become known to attackers or other users. If the private key does become known to attackers, it is considered compromised and must be revoked and replaced. Only the holder of the private key can sign data and decrypt data that was encrypted with the public key corresponding to that private key. A signature on data or on a letter guarantees the authorship of the received information and that the information was not changed in transit. A signature on a binary guarantees that the software really was produced by the stated company and does not contain malicious code, if the company declares so.

PKI Architecture

Five main types of PKI architecture are distinguished:

  1. Simple PKI (single certification authority).
  2. Hierarchical PKI.
  3. Network PKI.
  4. Cross-certified enterprise PKI.
  5. Architecture Bridge CA.

PKI architectures are distinguished mainly by the following characteristics:

  1. The number of CAs (as well as the number of CAs that trust each other).
  2. The difficulty of validating the certification path.
  3. The consequences of an attacker passing himself off as a CA.

Examples of PKI use

Message encryption

Party B encrypts a document with party A's public key. To make sure that the public key really belongs to party A, party B requests the public key certificate from the certification authority. If it does, then only party A can decrypt the message, since it holds the corresponding private key.

Electronic fingerprint

An electronic fingerprint is information with which you can check whether the public key you obtained is the one that was sent by the sender. The fingerprints of the public and private keys of one pair are identical, so by comparing the fingerprint of the received key (for example, by phone) with the fingerprint of the sender's private key, you can establish that the public key corresponds to the private key.

Electronic Digital Signature (EDS)

Party A creates the EDS of a document and sends the document to party B. Party B requests party A's public key certificate from the certification authority, as well as information about the validity of the certificate. If the certificate is valid and verification of party A's signature succeeds, then the document was signed by party A and not by someone else.
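
The checks party B performs in the EDS scenario above (trusted list, CA signature, validity, CRL, then the document signature), combined with the hash-then-sign scheme from the definitions, shown as an added example that is not part of the original page. It assumes unpadded textbook RSA over fixed Mersenne primes and a dictionary in place of a real certificate format; the names `issue`, `check`, "Example CA" and serial 1001 are illustrative.

```python
import hashlib
from datetime import date

E = 65537  # public exponent used by both toy keys
FIELDS = ("serial", "subject", "issuer", "key", "valid")  # signed by the CA

def keypair(p, q):
    """Textbook RSA (no padding, illustration only): returns (n, d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, n, d):
    """Hash the data and 'encrypt' the digest with the private key."""
    return pow(digest(data), d, n)

def verify(data, sig, n):
    """'Decrypt' the signature with the public key and compare digests."""
    return pow(sig, E, n) == digest(data)

def tbs(cert):  # bytes of the certificate fields the CA signature covers
    return repr([cert[f] for f in FIELDS]).encode()

def issue(fields, ca_n, ca_d):  # CA side: sign the subject's fields
    return dict(fields, sig=sign(tbs(fields), ca_n, ca_d))

def check(cert, doc, doc_sig, trusted, crl, today):
    """Party B's checks: trust list, CA signature, validity, CRL, then EDS."""
    ca_n = trusted.get(cert["issuer"])
    if ca_n is None:
        return "untrusted issuer"
    if not verify(tbs(cert), cert["sig"], ca_n):
        return "bad certificate signature"
    if not cert["valid"][0] <= today <= cert["valid"][1]:
        return "outside validity period"
    if cert["serial"] in crl:
        return "certificate revoked"
    if not verify(doc, doc_sig, cert["key"]):
        return "document altered or not signed by subject"
    return "ok"

# Constructed sample data; the toy keys are built from known Mersenne primes.
CA_N, CA_D = keypair(2**521 - 1, 2**607 - 1)
A_N, A_D = keypair(2**1279 - 1, 2**2203 - 1)
CERT = issue(dict(serial=1001, subject="Party A", issuer="Example CA", key=A_N,
                  valid=(date(2016, 1, 1), date(2017, 1, 1))), CA_N, CA_D)
DOC = b"Pay 100 to Party B"
DOC_SIG = sign(DOC, A_N, A_D)
TRUSTED = {"Example CA": CA_N}  # B's trusted list: CA name -> CA public key
```

Calling `check(CERT, DOC, DOC_SIG, TRUSTED, set(), date(2016, 6, 18))` returns "ok"; changing the document, the certificate fields, the CRL, the date or the trusted list makes the corresponding check fail first.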




  1. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems
  2. CA - Certification Authority