Features and benefits of PKI
PKI is built around, and includes the use of, public key cryptography – a form of cryptography in which there are two keys: one that is publicly available (known as the public key), and a second that is kept secret at all times (known as the private key). The two keys are mathematically linked, but in such a way that it is not possible to calculate the private key from the public key.
One of the most beneficial features of PKI is the digital signature, which is made possible by having the two keys. The private key is kept private by that individual and never shared with anyone or sent over the Internet. The public key is stored in a directory as part of a digital certificate. Anyone who wants to send a secure message uses the public key of the recipient to encrypt it. The recipient is the only one who can decrypt it, using his or her private key.
- If there is any change at all to the content of the document after the digital signature has been put (even changing one letter), the digital signature will be invalidated.
- Anybody can validate the digital signature because this is done using the public key. However, this does not enable them to forge the digital signature because this can only be done with the private key.
If someone obtains your private key, then all data encrypted to the private key can be decrypted and signatures can be made in your name. Therefore it becomes very important to protect your private key. Computers with private keys should have minimal external connections and therefore minimize the number of users who have access to the private key. Also CCA has made it now mandatory to purchase a cryptographic token that meet the minimum of FIPS 140-2 Level 2 certification for the protection of private key. Cryptographic hardware does not allow export of the private key to software where it could be attacked.
Confidentiality is also provided through the encryption techniques employed by PKI. The public key of the recipient is used to encrypt the data to be sent. The encrypted data can only be decrypted using the corresponding private key, ensuring that only the authorized recipient can access the original message.