Public Key Encryption & Digital Signatures
What is Public Key Infrastructure (PKI)?
• Public key infrastructure (PKI) is the framework that governs the issuing of digital
certificates. It helps to protect confidential data and gives unique identities
to users and systems. Thus, it ensures security in communications.
• The public key infrastructure uses a pair of keys, the public key and the
private key, to achieve security. Public keys are prone to attacks, and
thus an intact infrastructure is needed to maintain them.
• Public key infrastructure affirms the usage of a public key. PKI identifies a
public key along with its purpose. It usually consists of the following
components:
• A digital certificate also called a public key certificate
• Private Key tokens
• Registration authority
• Certification authority
• CMS or Certification management system
• Public key cryptography is a method of encrypting
or signing data with two different keys and making
one of the keys, the public key, available for
anyone to use. The other key is known as the
private key. Data encrypted with the public key
can only be decrypted with the private key.
Because of this use of two keys instead of one,
public key cryptography is also known
as asymmetric cryptography. It is widely used,
especially for TLS/SSL, which
makes HTTPS possible.
Key generation and distribution
• Cryptographic algorithms such as the RSA algorithm (named after its inventors
Rivest, Shamir, and Adleman) and Diffie-Hellman are used to generate a
public and private key pair.
• These algorithms are based on complex mathematical problems (such as
factoring the product of large prime numbers or solving discrete logarithms) that are
easy to compute in one direction but difficult to reverse without
the private key.
• The public key is shared widely through directories, application
programming interfaces (APIs), or digital certificates issued by a certificate
authority. The private key remains confidential. If it's lost or stolen, it
cannot be recovered, creating a major vulnerability. If compromised, a
private key can allow attackers to decrypt messages, forge digital
signatures, or impersonate legitimate users.
• Organizations often use related keys for different tasks: one asymmetric
key for signing, another for encryption, and ephemeral keys for short-lived
sessions. Managing these cryptographic keys effectively is critical to the
security of any encryption system.
Working of a PKI
• PKI and Encryption: The root of PKI involves the use
of cryptography and encryption techniques. Both symmetric and
asymmetric encryption use a public key. The challenge here is: "How do
you know that the public key belongs to the right person, or to the person
you think it belongs to?" There is always a risk of a MITM (man-in-the-middle)
attack. This issue is resolved by a PKI using digital certificates. It gives
identities to keys in order to make the verification of owners easy and
accurate.
• Public Key Certificate or Digital Certificate: Digital certificates are issued
to people and electronic systems to uniquely identify them in the digital
world. Here are a few noteworthy things about a digital certificate. Digital
certificates are also called X.509 certificates. This is because they are
based on the ITU standard X.509.
– The Certification Authority (CA) stores the public key of a user along with other
information about the client in the digital certificate. The information is signed
and a digital signature is also included in the certificate.
– The affirmation for the public key can then be retrieved by validating the
signature using the public key of the Certification Authority.
Digital Certificates & Certifying Authorities
• Certifying Authorities: A CA issues and verifies certificates. This authority
makes sure that the information in a certificate is real and correct and it
also digitally signs the certificate. A CA or Certifying Authority performs
these basic roles:
– Generating the key pairs - The CA can generate the key pair either
independently or in collaboration with the client.
– Issuing of the digital certificates - When the client successfully provides the right
details about his identity, the CA issues a certificate to the client. The CA then
signs this certificate digitally so that no changes can be made to the information.
– Publishing of certificates - The CA publishes the certificates so that the users can
find them. They can do this by either publishing them in an electronic telephone
directory or by sending them out to other people.
– Verification of certificates - The CA provides a public key that helps in verifying
whether the access attempt is authorized or not.
– Revocation - In case of suspicious behavior of a client or loss of trust in them, the
CA has the power to revoke the digital certificate.
Classes of a Digital Certificate
• Digital certificates can be divided into four broad
categories. These are:
• Class 1: These can be obtained by only providing
the email address.
• Class 2: These need more personal information.
• Class 3: This first checks the identity of the person
making a request.
• Class 4: They are used by organizations and
governments.
Process of creation of certificate:
• The creation of a certificate takes place as follows:
• Private and public keys are created.
• CA requests identifying attributes of the owner of a private key.
• Public key and attributes are encoded into a CSR or Certificate Signing Request.
• Key owner signs that CSR to prove the possession of a private key.
• CA signs the certificate after validation.
• Each CA has its own certificate. Thus, trust is built hierarchically where one CA
issues certificates to other CAs. Moreover, there is a root certificate that is
self-signed. For a root CA, the issuer and the subject are not two separate parties
but a single party.
• Security of Root CA:
• As you saw above, the ultimate authority is the root CA. Hence, the security of root
CA is of huge importance. If the private key of a root CA is not taken care of, then it
might turn into a catastrophe. This is because anyone disguised as the root CA can
then issue certificates. To meet security standards, a root CA should be offline
99.9% of the time. However, it does need to come online to create public and
private keys and to issue new certificates. Ideally, these activities should be
performed 2-4 times a year.
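The certificate-creation steps above, carried through with the OpenSSL command line as an added example (not part of the original slides). The file names, the temporary directory and subject names such as `www.example.test` are assumptions made for illustration, and the keys are throwaway test keys.

```shell
#!/bin/sh
# Added example: constructed names, throwaway keys; requires the openssl CLI.
set -e

# Root CA: key pair plus a self-signed certificate (issuer equals subject).
make_root() {   # $1 = dir, $2 = file prefix, $3 = common name
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$1/$2.key" -sha256 -days 30 \
        -subj "/CN=$3" -out "$1/$2.crt"
}

# Key owner: create a key pair, put the public key and attributes in a CSR,
# and sign the CSR with the private key.
make_csr() {    # $1 = dir, $2 = common name
    openssl genrsa -out "$1/leaf.key" 2048 2>/dev/null
    openssl req -new -key "$1/leaf.key" -sha256 -subj "/CN=$2" -out "$1/leaf.csr"
}

# CA: check the CSR's self-signature (proof of possession), then sign.
issue_cert() {  # $1 = dir, $2 = CA file prefix
    openssl req -in "$1/leaf.csr" -noout -verify >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -sha256 -days 7 -out "$1/leaf.crt" 2>/dev/null
}

# Relying party: does leaf.crt chain to the given trusted root?
chains_to() {   # $1 = dir, $2 = root file prefix
    openssl verify -CAfile "$1/$2.crt" "$1/leaf.crt" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    make_root "$d" root  "Example Root CA"
    make_root "$d" other "Unrelated Root CA"
    make_csr  "$d" "www.example.test"
    issue_cert "$d" root
    chains_to "$d" root  && echo "accepted under Example Root CA"
    chains_to "$d" other || echo "rejected under Unrelated Root CA"
    openssl x509 -in "$d/root.crt" -noout -subject -issuer  # same name twice
    rm -rf "$d"
}
demo
```

The same leaf certificate is accepted or rejected depending only on which root the relying party trusts, which is why control of the root CA's private key matters so much.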
Use of PKI in Today's Digital Age
• The first phase, during the period of 1995 to 2002, was limited to the most important
and high-value certificates. This included the certificates of eCommerce
websites that enabled them to display the lock icon in the search bar. The
goal was to make consumers confident about the security and authenticity
of various websites.
• The second phase of PKI emerged around 2003 to 2010 when enterprises
came into the picture. It was at this time that employees received laptops
and the use of mobile phones was rising. Thus, employees needed access
to the organization's assets even outside the office. That is when the use
of PKI looked like the best way for authentication.
• The third phase started in 2011 and is continuing to date. With the advent
of new technologies like IoT (Internet of Things) and the need to scale PKI,
the use, as well as the challenges in using PKI, have increased
tremendously. Today, millions of certificates are issued to authenticate
mobile workforces. However, managing this huge number of certificates is
quite challenging.
Digital Signatures
• Digital signatures and certificates are two key technologies that play an important
role in ensuring the security and authenticity of online activities. They are essential
for activities such as online banking, secure email communication, software
distribution, and electronic document signing. By providing mechanisms for
authentication, integrity, and non-repudiation, these technologies help protect
against fraud, data breaches, and unauthorized access.
• A digital signature is a mathematical technique used to validate the authenticity and
integrity of a message, software, or digital document.
• Signing Algorithms: To create a digital signature, signing software, such as an email
program, creates a one-way hash of the electronic data that is to be signed. The
signing algorithm then encrypts the hash value using the private key (signature key).
This encrypted hash, along with other information like the hashing algorithm, is the
digital signature. This digital signature is appended to the data and sent to the
verifier. The reason for encrypting the hash instead of the entire message or
document is that a hash function converts any arbitrary input into a much shorter
fixed-length value. This saves time: instead of signing a long message, only the
shorter hash value has to be signed, and hashing is much faster than signing.
• The verifier receives the digital signature along with the data. It then uses a
verification algorithm to process the digital signature and the public key (verification
key) and generates some value. It also applies the same hash function to the
received data and generates a hash value. If the two values are equal, the digital
signature is valid; otherwise it is invalid.
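The signing and verification flow described above, run with the OpenSSL command line as an added example (not from the original slides). The invoice text and file names are constructed; note that `openssl dgst -sign` applies standard RSA signature padding to the SHA-256 hash rather than encrypting the bare hash.

```shell
#!/bin/sh
# Added example: constructed message, throwaway keys; requires the openssl CLI.
set -e

# Signer: create the key pair and export only the public half for verifiers.
make_keys() {    # $1 = dir
    openssl genrsa -out "$1/signer.key" 2048 2>/dev/null
    openssl rsa -in "$1/signer.key" -pubout -out "$1/signer.pub" 2>/dev/null
}

# Signer: hash the file with SHA-256 and sign the hash with the private key.
sign_file() {    # $1 = dir, $2 = file; writes $2.sig
    openssl dgst -sha256 -sign "$1/signer.key" -out "$2.sig" "$2"
}

# Verifier: recompute the hash and check it against the signature using the
# public key. Exit status is 0 only if data and signature match.
verify_file() {  # $1 = dir, $2 = file, $3 = signature file
    openssl dgst -sha256 -verify "$1/signer.pub" -signature "$3" "$2" \
        >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    make_keys "$d"
    printf 'Pay 100 EUR to account 12345\n' > "$d/invoice.txt"   # constructed
    sign_file "$d" "$d/invoice.txt"
    verify_file "$d" "$d/invoice.txt" "$d/invoice.txt.sig" \
        && echo "original: signature valid"
    # Changing the data changes the hash, so the old signature no longer fits.
    printf 'Pay 100 EUR to account 99999\n' > "$d/tampered.txt"
    verify_file "$d" "$d/tampered.txt" "$d/invoice.txt.sig" \
        || echo "tampered: signature invalid"
    # Signature size depends on the key (256 bytes for RSA-2048), not the input.
    wc -c < "$d/invoice.txt.sig"
    rm -rf "$d"
}
demo
```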
Digital Signatures: Benefits and Applications in E-Commerce
• Legal documents and contracts: Digital signatures are legally binding. This
makes them ideal for any legal document that requires a signature
authenticated by one or more parties and guarantees that the record has
not been altered.
• Sales contracts: Digital signing of contracts and sales contracts
authenticates the identity of the seller and the buyer, and both parties can
be sure that the signatures are legally binding and that the terms of the
agreement have not been changed.
• Financial Documents: Finance departments digitally sign invoices so
customers can trust that the payment request is from the right seller, not
from an attacker trying to trick the buyer into sending payments to a
fraudulent account.
• Health Data: In the healthcare industry, privacy is paramount for both
patient records and research data. Digital signatures ensure that this
confidential information was not modified when it was transmitted
between the consenting parties.
Digital Certificate
• A digital certificate is issued by a trusted third party and proves the sender's
identity to the receiver and the receiver's identity to the sender. A digital
certificate is a certificate issued by a Certificate Authority (CA) to verify the
identity of the certificate holder. A digital certificate is used to attach a public
key to a particular individual or entity.
• A digital certificate contains:
• Name of certificate holder.
• Serial number which is used to uniquely identify a certificate, the
individual or the entity identified by the certificate
• Expiration dates.
• Copy of the certificate holder's public key (used for decrypting messages and
digital signatures).
• Digital Signature of the certificate issuing authority.
• The digital certificate is also sent with the digital signature and the message.
Advantages of Digital Certificate
• Network Security: A complete layered strategy is required by
modern cybersecurity methods, wherein many solutions cooperate to
offer the highest level of protection against attackers. An essential
component of this puzzle is digital certificates, which offer strong defense
against manipulation and man-in-the-middle attacks.
• Verification: Digital certificates facilitate cybersecurity by restricting access
to sensitive data, which makes authentication a crucial component of
cybersecurity. Thus, there is a decreased chance that attackers will cause
disturbance. At many different endpoints, certificate-based authentication
provides a dependable method of identity verification. Compared to other
popular authentication methods like biometrics or one-time passwords,
certificates are more flexible.
• Buyer Success: Consumers demand complete assurance that the websites
they visit are reliable. Because digital certificates are supported by a
certificate authority that users' browsers trust, they offer a readily
identifiable indicator of reliability.