Public Key Infrastructure - How PKI works



PKI (Public Key Infrastructure)

PKI is a set of standards, procedures, software, and people for implementing authentication using public key cryptography. PKI is used to request, install, configure, manage and revoke digital certificates. PKI offers authentication via digital certificates, and these digital certificates are signed and provided by certificate authorities.

PKI uses public key cryptography and works with X.509 standard certificates. It also covers authenticating users, producing and distributing certificates, and maintaining, managing and revoking certificates. PKI is an infrastructure in which many things happen, not a process or algorithm in itself, so it consists of a number of components that enable the infrastructure to work. As well as authentication, PKI also enables integrity, non-repudiation and encryption.

If a company wanted a public key, they would require a digital certificate. They would have to request this certificate from a certificate authority (CA) or a registration authority (RA). The certificate authority is an entity that everyone should trust as a centralised authority for managing and maintaining certificates. The CA will require the company to fill in a number of details and will validate the request before it hands out a certificate. This certificate is proof that the company is who they say they are in the digital world (like a passport in the real world). An RA is just an organisation that processes requests on behalf of a CA.

PKI combines well with Diffie-Hellman in providing secure key exchanges, as Diffie-Hellman does not provide authentication on its own. PKI is used in various protocols such as PGP and SSL.

Two main PKI models

Central –

Used for small to medium-sized companies or flat network designs. A single authority assigns all their certificates.

Hierarchical –

Hierarchical is used in medium to large organisations. You have a root CA, such as a Microsoft in-house solution, or it can be a publicly trusted company such as Verisign. Then you have separate subordinate CAs assigning digital certificates to separate security domains. Hierarchical is a multi-tiered approach suited to enterprise networks. Subordinate CAs hand out certificates to employees and other people (systems and individual users).


Certificate request

A company requests a digital certificate.

The CA requires some information back from the company, usually proof that it is who it claims to be, along with its registration information.

After the CA is happy with the company's request, it would generate a public key for the company with the identity information attached to the certificate. This public key, along with its related private key, can be generated by the CA or by the system the company will be installing the certificate on. If it is produced by the company, a public and private key pair is generated on the device and sent to the CA.

The CA will sign and issue the company with a digital certificate, and this will be their identification proving they are who they claim to be.

The company can now use this information to participate in the PKI system.


How two companies or two users would establish a secure channel between each other via public key

Joe wants to communicate with Carl, so he sends his certificate to Carl. Carl checks the CA signature on this certificate with his CA, Verisign for example. He uses Verisign's CA public key to confirm that the CA signature is on the certificate. If the certificate is valid, Carl can assume Joe is who he says he is, and the connection is accepted. Joe then checks Carl's certificate, and if it is valid, the VPN process can proceed.
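
The certificate request steps and the CA signature check described above can be walked through with the OpenSSL command line. This is an added example, not part of the original guide; the CA names, the vpn.example.com subject and the file names are constructed, and it follows the case where the company generates its own key pair and sends the CA a signing request that holds only the public key and identity details.

```shell
#!/bin/sh
# Added example. The CA, company and file names are constructed for this demo.
q() { "$@" >/dev/null 2>&1; }   # run a command quietly, keep its exit status

pki_demo() {
    dir=$(mktemp -d) || return 1
    status=0
    (
        cd "$dir" || exit 1
        # Trust anchor: the CA's key pair and self-signed root certificate.
        q openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
            -subj "/O=Demo CA/CN=Demo Root CA" -days 30 || exit 1
        # An unrelated CA that the verifying peer does not trust.
        q openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key \
            -out other.crt -subj "/O=Other Org/CN=Other Root CA" -days 30 || exit 1

        # Company: generate the key pair on the device and build the request.
        # company.csr holds the identity and public key; company.key stays local.
        q openssl req -new -newkey rsa:2048 -nodes -keyout company.key \
            -out company.csr -subj "/O=Example Co/CN=vpn.example.com" || exit 1

        # CA: check the request's self-signature, then sign and issue.
        q openssl req -in company.csr -verify -noout || exit 1
        q openssl x509 -req -in company.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -out company.crt -days 30 || exit 1

        # Peer: validate the CA signature against a given trust anchor.
        verdict() {
            if q openssl verify -CAfile "$1" company.crt
            then echo accept; else echo reject; fi
        }
        echo "trusted-ca=$(verdict ca.crt) other-ca=$(verdict other.crt)"
    ) || status=$?
    rm -rf "$dir"
    return "$status"
}

pki_demo
```

The same certificate is accepted when checked against the CA that issued it and rejected when the verifier only trusts a different CA, which is the decision Carl makes before accepting the connection.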

How a secure key is agreed upon by two peers

The process works by the two peers exchanging their public keys. Joe sends his public key to Carl and Carl sends his public key to Joe. Joe then uses the public key sent by Carl and his own private key to generate a symmetric key using the Diffie-Hellman algorithm. Carl follows the same process and in turn produces exactly the same symmetric key as Joe, thus enabling them to communicate securely over the insecure internet. Both peers can now encrypt, transmit and decrypt data using their symmetric keys.
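
The key agreement above, as an added example that is not part of the original guide: X25519, an elliptic-curve form of Diffie-Hellman, stands in for the Diffie-Hellman step, and a plain RSA signing key stands in for the key certified in Joe's certificate. Signing the exchanged public value is what ties the certificate's identity to the key exchange, since Diffie-Hellman does not authenticate the peers on its own.

```shell
#!/bin/sh
# Added example. X25519 (elliptic-curve Diffie-Hellman) stands in for the
# Diffie-Hellman step; file names and the RSA identity key are constructed.
q() { "$@" >/dev/null 2>&1; }   # run a command quietly, keep its exit status

dh_demo() {
    dir=$(mktemp -d) || return 1
    status=0
    (
        cd "$dir" || exit 1
        # Joe's long-term signing key; joe_id.pub stands in for the public key
        # that Carl would take from Joe's CA-validated certificate.
        q openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out joe_id.key || exit 1
        q openssl pkey -in joe_id.key -pubout -out joe_id.pub || exit 1

        # Each peer creates a key-agreement pair and sends only the public half.
        for peer in joe carl; do
            q openssl genpkey -algorithm X25519 -out "$peer.key" || exit 1
            q openssl pkey -in "$peer.key" -pubout -out "$peer.pub" || exit 1
        done

        # Joe signs his public value; Carl checks it against the certified key.
        q openssl dgst -sha256 -sign joe_id.key -out joe.sig joe.pub || exit 1
        if q openssl dgst -sha256 -verify joe_id.pub -signature joe.sig joe.pub
        then sig=ok; else sig=bad; fi
        # A different public value offered under the same signature is refused.
        if q openssl dgst -sha256 -verify joe_id.pub -signature joe.sig carl.pub
        then other=accepted; else other=rejected; fi

        # Own private key plus the peer's public key: same secret on both sides.
        q openssl pkeyutl -derive -inkey joe.key -peerkey carl.pub \
            -out joe.secret || exit 1
        q openssl pkeyutl -derive -inkey carl.key -peerkey joe.pub \
            -out carl.secret || exit 1
        if cmp -s joe.secret carl.secret; then match=yes; else match=no; fi

        # SHA-256 is a simple stand-in for the protocol's key derivation step.
        key=$(openssl dgst -sha256 -r joe.secret | cut -d' ' -f1)
        echo "signature=$sig substituted-key=$other secrets-match=$match key-hex-chars=${#key}"
    ) || status=$?
    rm -rf "$dir"
    return "$status"
}

dh_demo
```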
