It can be difficult to understand the public key infrastructure (PKI) at a high level. However, breaking it down into smaller components makes it easier. Many of these components reuse or build on the basic or elementary components.
Asymmetric cryptography is what we mean by public key encryption. This is where anyone can encrypt data with the public key, but only the person, process or system with the private keys can decrypt it.
PKI is a combination of a private and public key pair. We would need to make our public key available to anyone who wants to receive encrypted messages. Then, we have our private key that can decrypt the message. We use their public key to encrypt our message, and they decrypt it with their private key.
With all this in mind let’s look at the six components of public-key encryption. This is useful for both IT pros as well as non-technical people.
CompTIA A+ Core 2, 220-1002Related training from SPOTO
Get started training1. Self-signed
Self-signed is not the only way to create a key pair. This is something that is important to grasp in order to understand. There are two main methods of creating the public key/signing it. The first is to use a certificate authority, or CA. You can also self-sign. This refers to certificates that are not signed by a CA. They are typically signed on the spot by the system or application, but some certificates are signed “from factory” well in advance.
Because it is easy to generate without the need for a CA, a self-signed key is often the starting point. It is also free, so it works out well. TLS/encryption are very important. Many services come pre-installed with an SSL certificate. There are many barriers that could prevent a public CA issuing these certificates directly from the factory. Therefore, they start off with a self signed certificate that is generated on the first run or boot. Many system administrators will later replace them with CA-signed certificates.
A self-signed certificate is not trusted by default. If it will be used continuously, the other end will have to trust it only once. Any Linux Administrator or System Administrator who had to access a default web interface to manage tools likely encountered a self-signed cert that the browser didn’t trust. You had to push through to allow the untrusted certificate to reach the content.
2.Private Keys
Private keys are a name that is well-known because they must be kept secret and shared only when absolutely necessary. They should be kept under strict access control. If someone had access to any private keys, they could decrypt encrypted data it protects.
It is crucial that you do not keep duplicates of your private keys around. You run the risk of your private keys being compromised if you do. If a private key is ever compromised, a new one should always be generated and the certificate or public key should be revoked to ensure it cannot be used again.
3. Public Keys
Public keys are public keys. These keys are shared to allow others to encrypt data you or your systems will decrypt at one point. It’s similar to a mailing address. You want people to be capable of sending you mail so that it can be delivered to your mailbox. The private key is like a locked mailbox. You are the only one who can retrieve the key. The mailman can deliver mail to it.
Unintended mail or advertisements may occasionally be sent to your address. However, it is not a security problem and is a minor inconvenience. The same applies to sharia.