What is PKI? The basics

Posted On

By Team Intertrust


There are almost 4.5 billion internet users across the globe, using 13 billion devices to connect. What’s more, over 75 billion Internet of Things (IoT) devices are projected to be online by 2025. So how do all of these people, web browsers, laptops, cell phones, and smart IoT devices communicate with each other without actually knowing who’s on the other side? How can they send and receive information and trust that it won’t be stolen or malicious, respectively? The answer is by using a public key infrastructure (PKI) to provide a secure backbone to the systems.

Though that naturally raises a further question: What is PKI? Let’s have a closer look.

What is PKI?

PKI stands for Public Key Infrastructure. The underpinning concept of PKI, where one person encrypts a message knowing that the recipient has the secret key to decrypt it, has been in practice for thousands of years. Today, it’s most familiar use is probably online  communications. To ensure data safety when communicating with others, the data is encrypted and can only be decrypted by a party with the correct private key.

However, considering the billions of users sending and receiving data, it’s not possible for everyone to know every secret key that another person or device is using. The solution is to encrypt data using secure and authenticated public keys, which can then be decrypted using paired private keys, which is the ‘public’ part of PKI explained.

The whole system is a vital part of the internet’s structure. Smooth encryption and decryption of data by individual users enables secure data transmission, communication, and authentication.

How PKI works

Past encryption systems, such as the Caesar cipher, used relatively basic methods to disguise the message they were protecting. Due to the value of deciphering secret messages, decryption efforts, like those happening at Bletchley Park during WW2, became increasingly important. As a result, encryption had to become more complicated to try to stay ahead. In the age of supercomputers that can perform 200 quadrillion calculations per second, encryption now employs incredibly complex mathematical formulas and arrays of numbers to keep data safe.

In a PKI, this happens through the use of two linked keys:

  • Public key: This key is widely available and used by others who want to encrypt a message being sent to you.
  • Private key: This is a secret key held by the user and is the only key that can decrypt messages that are sent to it.

PKI explained

A good way of describing what is PKI and how the public and private keys of a PKI work is the “lockbox analogy.” Imagine Bob has a three-position lockbox, which locks to the left and also locks to the right, and only in the center position is it unlocked. The lockbox has two keys, Left Key (which can only turn to the left) and Right Key (which can only turn to the right). So if the box is in the left-locked position, only the Right Key can open it. And if the box is in the right-locked position, only the Left Key can open it. Bob can make copies of the Left Key and pass them around while keeping the Right Key secret. This means that plenty of people can send him things in a box which only he can open (i.e., they are locked to the left). Also, as Bob is the only one with the Right Key, if someone else receives the box and it has been locked to the right, they know it came from Bob and can unlock it with their Left key. This form of authentication is known as “digital signatures.”

When it comes to the internet, the public key is tied or signed by a digital certificate provided by a certificate authority (CA). This means that the CA is, in effect, authenticating that Bob is Bob in the first place. These CAs are trusted third-parties and follow a set of policies and security guidelines that reinforce the faith people place in their certificates. 

For example, the SSL/TLS security protocol transfers SSL certificates, which prove that the communicating parties are who they say they are. If an entity is in breach of the policy specifications, the CA will revoke its authenticating certificate, and web servers will flag it as potentially untrustworthy. The actual process is very complex featuring algorithms and ciphers but those are the basics of PKI explained.

Where and what is PKI used for

Guaranteeing the safety of data and authenticating user identity are the biggest security concerns in the ever-growing online universe. Public key infrastructures improve security in both of these situations and are becoming increasingly important for performing many functions. These include:

Internet of Things

Smart devices that gather and analyze data about us have the potential to change and improve our lives in many ways. However, these devices themselves are also prime targets for hackers looking to steal or inject false data. For device manufacturers, the best way to maintain a secure distributed computing network is through public key infrastructure.

By using a PKI to deliver trusted device identities into IoT devices, the authenticity of those devices, and the data coming from those devices, can be trusted. Intertrust’s Seacert, a managed PKI service, has been specifically designed with this in mind. It not only verifies device identity, but also manages access to different types of information depending on policies and permission levels.

Ensuring the security of local networks

PKI certificates can be used to authenticate the identities of the people or devices that participate in closed networks. These could be virtual networks (i.e., a company’s intranet) or physical ones, such as the access settings for rooms within a secure building environment.

Device entity provisioning

For companies that manufacture “smart” devices, the provisioning of unique, trusted identities for each of them is an essential element in keeping both the device and the firm secure. With Seacert, device identities can be provided right from the factory floor to ensure system integrity. Seacert also enables  provisioning of devices once they’re installed, using cloud identity provisioning. 

This is increasingly important for device manufacturers who may be collaborating with third-party producers and cannot guarantee a secure environment. Trusted device identities can be injected into devices during manufacture on the factory floor, bringing trust into the whole ecosystem.

Trust the experts

Intertrust’s Seacert has already been used to provision identities to over 1.9 billion devices, at times in upwards of 10 million devices per day. We offer a full range of PKI services, such as mutual authentication, access control, and secure over-the-air updates at a cost savings of 50% to 85% over an in-house PKI.

To have PKI explained in more depth and to learn more about using PKI to build a trusted IoT device ecosystem, download the white paper “Creating Secure IoT Device Identities.”

Want to speak to one of our PKI experts? Get in touch with our team.


seacert CTA Banner

Related blog posts


Top IoT device security mistakes keeping manufacturers up at night

Read more


Secure data processing for smart grids and IoT

Read more


OWASP’s Top 10 IoT vulnerabilities and what you can do

Read more