What is PKI?

Everything You Need to Know About PKI

(Public Key Infrastructure)


PKI Definition


Public Key Infrastructure (PKI) is a catch-all term for everything used to establish and manage public key encryption, one of the most common forms of internet encryption. It is baked into every web browser in use today to secure traffic across the public internet, but organizations can also deploy it to secure their internal communications and access to connected devices.


The most crucial concept involved in PKI is, as its name implies, the public cryptographic keys that are at its core. These keys not only are part of the encryption process, but they help authenticate the identity of the communicating parties or devices. 

How does PKI work?

The most important concepts to understand in order to grasp how PKI works are keys and certificates. A key is a long string of bits — a number, in other words — that's used to encrypt data. For instance, if you used the ancient and simple Caesar cipher with a cryptographic key of 3, every letter in your message would be replaced by the one three letters later in the alphabet — A becomes D, B becomes E, and so forth.

To decode the message, your recipient would need to know not only that you were using the Caesar cipher but also that your key was 3.


Obviously the mathematics behind modern encryption is much more complicated than this. One of the ways it differs gets around a glaring problem with the Caesar cipher: you have to somehow let your recipient know the key used to encode the encrypted message. PKI gets its name because each participant in a secured communications channel has two keys. There's a public key, which you can give to anyone who asks and which is used to encode a message sent to you, and a private key, which you keep secret and use to decrypt the message when you receive it. The two keys are related by a mathematical relationship that makes the private key infeasible to derive from the public one by brute force.

What are PKI Certificates?

PKI certificates are documents that act as digital passports, assigned to any entity that wants to participate in a PKI-secured conversation. They can include quite a bit of data. One of the most important pieces of information a certificate includes is the entity's public key: the certificate is the mechanism by which that key is shared. But there's also the authentication piece. A certificate includes an attestation from a trusted source that the entity is who they claim to be. That trusted source is generally known as a certificate authority (CA).
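As an added illustration (not part of the original page), here is a toy model in Python of the two ideas above: the certificate carries the subject's public key, and a CA's signature over it is the attestation a relying party checks against its own trust store before encrypting anything to that key. All actors, names and the tiny RSA primes are constructed; the arithmetic is a teaching stand-in, not a usable cryptosystem.

```python
import hashlib
# Toy RSA from tiny primes (constructed for illustration only; real PKI uses
# 2048-bit-plus keys with padding schemes, never raw arithmetic like this).
def keygen(p, q, e=17):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))        # (public key, private key)

def digest(data: bytes, n: int) -> int:        # hash reduced into the key's range
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def tbs(subject, pub):                         # the "to-be-signed" part of a cert
    return f"{subject}|{pub[0]}|{pub[1]}".encode()
def issue_cert(issuer, issuer_priv, subject, subject_pub):
    # The CA's signature is its attestation that subject_pub belongs to subject.
    return {"subject": subject, "pub": subject_pub, "issuer": issuer,
            "sig": sign(issuer_priv, tbs(subject, subject_pub))}

def verify_cert(cert, trust_store):
    # Accept only if the issuer is a trust anchor AND its signature checks out.
    ca_pub = trust_store.get(cert["issuer"])
    return ca_pub is not None and verify(
        ca_pub, tbs(cert["subject"], cert["pub"]), cert["sig"])

def encrypt(msg: bytes, pub):                  # encrypt each byte to recipient's public key
    n, e = pub
    return [pow(b, e, n) for b in msg]
def decrypt(cipher, priv):                     # only the private-key holder can undo it
    n, d = priv
    return bytes(pow(c, d, n) for c in cipher)

# Constructed actors: a trusted CA, a server, and a rogue CA nobody trusts.
ca_pub, ca_priv = keygen(61, 53)
srv_pub, srv_priv = keygen(101, 113, e=3)
rogue_pub, rogue_priv = keygen(97, 89, e=5)
TRUST_STORE = {"Example Root CA": ca_pub}      # the relying party's trust anchors
good_cert = issue_cert("Example Root CA", ca_priv, "server.example", srv_pub)
rogue_cert = issue_cert("Rogue CA", rogue_priv, "server.example", srv_pub)

def send_if_trusted(cert, msg: bytes):
    # Encrypt to the certificate's key only after the attestation is verified.
    return encrypt(msg, cert["pub"]) if verify_cert(cert, TRUST_STORE) else None
```

A certificate from an issuer absent from the trust store is rejected even though it carries the very same public key, which is the check that stops an untrusted CA from vouching for an identity.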

What is PKI used for?

SSL may be the most widespread implementation of PKI, but it certainly isn't the only one.

Real-world PKI applications include:


  • Providing a recovery key for an encrypted hard drive
  • Securing internal communications with database servers
  • Signing documents
  • Securing local networks — PKI capabilities are built into Microsoft's Active Directory, for instance, and can work with physical keycards that store digital certificates to ensure that users are who they say they are.
  • Secure messaging — The Signal protocol uses PKI, for instance
  • Email encryption
  • Securing access to internet of things (IoT) devices

What are the risks of poor PKI execution?

Having PKI in place does not guarantee security; companies sometimes fail to deploy or manage it properly. A recent study by the Ponemon Institute surveyed nearly 17,000 IT and security practitioners about their key and certificate management practices. The report identified the most significant risks associated with securing digital identities using PKI. Downtime due to mismanaged digital certificates is rising, with 73% of respondents reporting certificate-related incidents. Fifty-five percent said their organizations had experienced four or more incidents in the past two years.

Unsecured digital identities undermine trust. Organizations use an average of 88,750 keys and certificates, but only 74% of respondents said they knew the exact number or when they all expire and 76% said that failure to secure keys and certificates would undermine the trust their organizations need to operate. Fifty-nine percent of respondents say cybercriminals misusing keys and certificates increases the need to secure them.


Failed audits and CA compromise are the biggest threats. Attackers can use compromised or rogue CAs to deliver malware or to conduct man-in-the-middle or phishing attacks. Security or compliance audits might fail to detect vulnerabilities due to unenforced key management policies or inadequate key management practices.


More encryption increases operational complexity and cost. Two-thirds of respondents are adding layers of encryption to meet regulatory and IT policy requirements. For example, 60% say they are adding encryption layers to secure IoT devices. That can diminish the overall efficiency of business processes, say 64% of respondents, and 58% say management of more keys and digital certificates is increasing cost.


Most organizations lack resources to support PKI or do not assign clear ownership of it. Only 38% of respondents said they have the IT staff to properly support PKI. Responsibility for PKI, budget-wise, is often spread across the organization with IT operations (21%) and lines of business (19%) the most common owners. Thirteen percent said responsibility was shared with no single owner. Respondents spent about 16% of their security budget on PKI, or $3 million on average.

How do I Get Started with a PKI Cybersecurity Plan for My Organization?

22Vets is the diversity partner for Widepoint ORC. 


WidePoint-ORC is the premier organization in the Information Assurance industry with Authority to Operate (ATO) across the Federal Bridge.


WidePoint has stood up and continues to manage the PKI infrastructure for the DoD, DHS and the White House, as well as for commercial and educational institutions.

This has been a high-level introduction to the concepts around PKI. If you're looking for a way to set up a public key infrastructure and to understand some of the basic concepts, contact us for a no-cost consultation.