Applications of PKI
As a security service, PKI has several applications. Some of the most popular ones are described in the sections that follow.
Note that this is not an exhaustive list; only the most commonly deployed applications are covered.
Digital Signatures
A digital signature is a piece of data that is attached to a message and that can be used to find out whether the message was tampered with during the conversation (such as through the intervention of a malicious user). This is effective in high-speed communications like TLS, and in protecting documents and other information by ensuring that the information has not been tampered with since it was signed. The digital signature for a message is generated in two steps:
First, a message digest is generated. A message digest is a summary of the message to be transmitted, and has two important properties:
It is always smaller than the message itself, and
Even the slightest change in the message produces a different digest.
The message digest is generated using a hashing algorithm.
Second, the message digest is encrypted using the sender's private key.
The resulting encrypted message digest is the digital signature. The digital signature is attached to the message and sent to the receiver. The receiver then does the following:
It decrypts the digital signature, using the sender's public key, to obtain the message digest generated by the sender.
It uses the same message digest algorithm used by the sender to generate a message digest of the received message.
It compares both message digests (the one sent by the sender as a digital signature, and the one generated by the receiver). If they are not exactly the same, a third party has tampered with the message.
We can be sure that the digital signature was sent by the sender (and not by a malicious user) because only the sender's public key can decrypt a digital signature that was encrypted with the sender's private key. It is useful to keep in mind that what one key encrypts, the other one decrypts, and vice versa. If decrypting with the public key yields a faulty message digest, this means that either the message or the message digest is not exactly what the sender sent.
Using public key cryptography in this manner ensures integrity because we have a way of knowing if the message we received is exactly what the sender sent. However, notice how the above example guarantees only integrity. The message itself is sent unencrypted. This is not necessarily a bad thing; in some cases we might not be interested in keeping the data private, we simply want to make sure it is not tampered with. To add privacy to this conversation, we would simply need to encrypt the message as a second step or use an encrypted method of transporting the information from originator to recipient such as secure email.
This technology can be applied to signing things like email, PDF documents, Microsoft Office documents and OpenOffice documents, to name a few. It can even be used to create signatures on files that don't support signing internally, to ensure they aren't tampered with after storage or archiving. This is especially handy for legal evidence and documents required by regulatory authorities.
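The signing and verification steps described in this section, as an added Python example that is not part of the original page: it uses textbook (unpadded) RSA with a constructed demo key so that each step is visible. The key values, function names and sample message are assumptions made for illustration; real deployments use a padded signature scheme from a vetted cryptographic library.

```python
import hashlib
import hmac

# Constructed demo key built from two known Mersenne primes. Special-form
# primes and unpadded RSA are insecure; they are used here only so that
# the arithmetic behind each step stays visible.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                           # public modulus
E = 65537                           # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, known to the sender only


def digest(message: bytes) -> int:
    """Step 1: fixed-size SHA-256 digest of the message, as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Step 2: apply the private-key operation to the digest."""
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Receiver: recover the sender's digest with the public key, recompute
    the digest of the received message, and compare the two."""
    if not 0 <= signature < n:
        return False                    # reject out-of-range values early
    recovered = pow(signature, e, n)    # digest the sender signed
    expected = digest(message)          # digest of what actually arrived
    size = (n.bit_length() + 7) // 8
    return hmac.compare_digest(recovered.to_bytes(size, "big"),
                               expected.to_bytes(size, "big"))


if __name__ == "__main__":
    msg = b"Pay 100 EUR to account 12345"   # constructed sample message
    sig = sign(msg)
    print("original message verifies: ", verify(msg, sig))
    print("altered message verifies:  ", verify(b"Pay 900 EUR to account 12345", sig))
    print("altered signature verifies:", verify(msg, sig ^ 1))
```

The message travels in the clear throughout, which matches the point above that this scheme provides integrity but not privacy.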
Network / Virtual Private Network Authentication
With prevalent and widely adopted industry standards such as 802.1X, IPsec, L2TP, or SSL-VPN used for network or virtual private network authentication, certificates issued by a CA can easily identify users and devices, and can even provide single sign-on capabilities for organizations securing wireless, wired or remote access connections to their network resources.
Encryption
Once private/public key pairs have been generated, users can use these keys to encrypt data of various types, including entire storage devices like hard drives, email messages, documents, network transmissions and many others.
Travel Documents
PKI is used as a security feature in the issuance of travel documents. Digital data is signed by a document signer during the document issuance process. The use of PKI is part of the International Civil Aviation Organization (ICAO) standard on travel documents and has led to a new wave of PKI implementations all over the globe. Second- and third-generation travel documents make use of extended access control (EAC). This requires an additional PKI system, called the EAC PKI, for issuance and verification.
Authentication
As a form of digital identification, PKI can be used to provision digital identities. This is often performed through the use and deployment of smart cards for private key storage. The use of certificates on smart cards for authentication is inherently supported by Microsoft systems