What is PKI? The PKI fundamentals

Posted On

By Team Intertrust


  • Public Key Infrastructure (PKI) uses digital certificates, public and private keys, and trusted third parties to secure data and communications over networks
  • With PKI, users can securely exchange data over unsecured networks such as the internet. With a strong level of verification, it authenticates users and ensures trust
  • To secure data and data access and protect against tampering, PKI utilizes encryption, digital signatures, and non-repudiation

What is PKI? Let’s first understand why we need PKI security and then take a closer look at the various fundamentals of PKI.

There are more than 5 billion internet users across the globe, using nearly 17 billion devices to connect. What’s more, over 75 billion Internet of Things (IoT) devices are projected to be online by 2025. So how do all of these people, web browsers, laptops, cell phones, and smart IoT devices communicate with each other without actually knowing who’s on the other side?

How can they send and receive information and trust that it won’t be stolen or malicious, respectively? The answer is by using a public key infrastructure to provide a secure backbone to the systems.

The underpinning concept of PKI, where one person encrypts a message knowing that the recipient has the secret key to decrypt it, has been in practice for thousands of years. Today, it’s most familiar use is probably online communications. To ensure data safety when communicating with others, the data is encrypted and can only be decrypted by a party with the correct private key.

However, considering the billions of users sending and receiving data, it’s not possible for everyone to know every secret key that another person or device is using. The solution is to encrypt data using secure and authenticated public keys, which can then be decrypted using paired private keys, which is the ‘public’ part of the fundamentals explained.

The whole system is a vital part of the internet’s structure. Smooth encryption and decryption of data by individual users enables secure data transmission, communication, and authentication.

How PKI fundamentals work

With the basics explained, let’s take a look at the processes of PKI infrastructure. Past encryption systems, such as the Caesar cipher, used relatively basic methods to disguise the message they were protecting. Due to the value of deciphering secret messages, decryption efforts, like those happening at Bletchley Park during WW2, became increasingly important. As a result, encryption had to become more complicated to try to stay ahead.

In the age of supercomputers that can perform 200 quadrillion calculations per second, encryption now employs incredibly complex mathematical formulas and arrays of numbers to keep data safe.

In a PKI, this happens through the use of two linked keys:

  • Public key: This key is widely available and used by others who want to encrypt a message being sent to you.
  • Private key: This is a secret key held by the user and is the only key that can decrypt messages that are sent to it.

PKI explained

A good way of describing PKI fundamentals is and how the public and private keys of a PKI work is the “lockbox analogy.” Imagine Bob has a three-position lockbox, which locks to the left and also locks to the right, and only in the center position is it unlocked.

The lockbox has two keys, Left Key (which can only turn to the left) and Right Key (which can only turn to the right). So if the box is in the left-locked position, only the Right Key can open it. And if the box is in the right-locked position, only the Left Key can open it. Bob can make copies of the Left Key and pass them around while keeping the Right Key secret.

This means that plenty of people can send him things in a box which only he can open (i.e., they are locked to the left). Also, as Bob is the only one with the Right Key, if someone else receives the box and it has been locked to the right, they know it came from Bob and can unlock it with their Left key. This form of authentication is known as “digital signatures.”

When it comes to the internet, the public key is tied or signed by a digital certificate provided by a certificate authority (CA). This means that the CA is, in effect, authenticating that Bob is Bob in the first place. These CAs are trusted third-parties and follow a set of policies and security guidelines that reinforce the faith people place in their certificates. 

For example, the SSL/TLS security protocol transfers SSL certificates, which prove that the communicating parties are who they say they are. If an entity is in breach of the policy specifications, the CA will revoke its authenticating certificate, and web servers will flag it as potentially untrustworthy. The actual process is very complex featuring algorithms and ciphers but those are the basic PKI fundamentals explained.

Where and what is PKI used for?

Guaranteeing the safety of data and authenticating user identity are the biggest security concerns in the ever-growing online universe. Public key infrastructures improve security in both of these situations and are becoming increasingly important for performing many functions. These include:

Internet of Things

Smart devices that gather and analyze data about us have the potential to change and improve our lives in many ways. However, these devices themselves are also prime targets for hackers looking to steal or inject false data. For device manufacturers, the best way to maintain a secure distributed computing network is through deploying and adhering to solid PKI fundamentals.

By using a PKI to deliver trusted device identities into IoT devices, the authenticity of those devices, and the data coming from those devices, can be trusted. Intertrust PKI is a managed PKI service specifically designed with this in mind. It not only verifies device identity, but also manages access to different types of information depending on policies and permission levels.

Ensuring the security of local networks

PKI certificates can be used to authenticate the identities of the people or devices that participate in closed networks. These could be virtual networks (i.e., a company’s intranet) or physical ones, such as the access settings for rooms within a secure building environment.

Device entity provisioning

For companies that manufacture “smart” devices, the provisioning of unique, trusted identities for each of them is an essential element in keeping both the device and the firm secure. With Intertrust PKI, device identities can be provided right from the factory floor to ensure system integrity. Intertrust PKI also enables provisioning of devices once they’re installed, using cloud identity provisioning. 

This is increasingly important for device manufacturers who may be collaborating with third-party producers and cannot guarantee a secure environment. Trusted device identities can be injected into devices during manufacture on the factory floor, bringing trust into the whole ecosystem.

Trust the experts

Now that you know more about PKI fundamentals, it’s important to note that Intertrust PKI has already been used to provision identities to over 1.9 billion devices, at times in upwards of 10 million devices per day. We offer a full range of PKI services, such as mutual authentication, access control, and secure over-the-air updates at a cost savings of 50% to 85% over an in-house PKI.

To have PKI explained in more depth and learn more about using PKI to build a trusted IoT device ecosystem, download the white paper “Creating Secure IoT Device Identities.”

Want to speak to one of our PKI experts? Get in touch with our team.


Related blog posts


Building a scalable digital infrastructure for your energy industrial control systems

Read more


Nine use cases for IoT data analytics

Read more


Interview with Julian Durand: The evolving role of PKI

Read more