What is PKI and why is it important?

The number of IoT devices that organisations connect to networks continues to grow extremely fast. Not so strange, considering the fact that IoT has enormous potential when it comes to efficiency gains, improving customer service processes, perfecting decision-making processes, and increasing the value of the business. IoT technology is also deployable in a wide array of different industries, from retail to finance and from manufacturing to healthcare.

However, deploying and adopting IoT technology on a grand scale also comes with a big challenge. Connecting IoT devices to your network in a secure fashion isn’t always easy, especially not when you are dealing with a lot of devices that need to be placed in the right segment. This is where public key infrastructure (PKI), a smart framework of encryption and cybersecurity, comes in handy. What is PKI? And why is it important? Read on and find out!

What is PKI?

PKI (public key infrastructure) is the framework of encryption and cybersecurity that protects communications between the server (your website) and the client (the users). PKI is essential in building a trusted and secure business environment by being able to verify and exchange data between various servers and users. This allows you to manage all the information, people, devices and services that your teams work and communicate with.

PKI uses digital certificates. They check and verify the identity of devices and users to prove the integrity of a transaction or information exchange. A PKI delivers the set of roles, policies, hardware, software, and procedures that you need to create, manage and distribute digital certificates and manage public-key encryption.

In Operational Technology (OT) systems, such as those used in industrial processes and critical infrastructure, PKI provides a foundation for secure device authentication, encrypted communication, and data integrity. It ensures that only authorised devices can access and interact with the industrial control systems, helping prevent unauthorised access, data breaches, and potential disruptions. By incorporating PKI into OT security strategies, organisations can establish a robust and trusted framework for safeguarding critical processes and infrastructure against cyber threats and vulnerabilities.

How does it work?

But how does PKI actually work? To explain this, we should first have a closer look at the different components that actually build public key infrastructure. These are:

• The digital certificate. This is a form of electronic identification (comparable to a driving licence or passport in the real world) for your website(s) or organisation. You can create your own certificates, but also obtain them from a reliable third-party issuer (certificate authority).
• The certificate authority authenticates and confirms the digital identities of the users (which can be persons, but also computer servers, systems or devices).
• The registration authority (RA) is authorised by the certificate authority to provide digital certificates to users on a case-by-case basis. All the certificates that both the certificate authority and the registration authority request, receive and revoke are stored in an encrypted certificate database.

When you build a PKI, the certificate authority authenticates and confirms the digital identities of the users and assures that no entity can maliciously or unwittingly view a payload in clear text or tamper with transmitted data. Subsequently, the CA validates your information and signs it with a digital signature such that neither your information nor the signature can be modified. Once signed, the information becomes a digital certificate. Devices that receive a digital certificate can verify the information in the certificate by validating the signature using public key cryptography.

What kind of encryption does PKI use?

One of the features that makes PKI such a powerful security mechanism is the joint use of symmetric and asymmetric encryption.

Symmetric encryption

Symmetric encryption protects the single private key that is generated upon the initial exchange between parties. You can see it as the digital equivalent of the handshake that is commonplace after closing a deal in the physical business realm. The secret key has to be passed from one party to another for all parties involved to encrypt and decrypt the information that was exchanged. This secret key can take various shapes. It can be a password, but also a series of random numbers or letters generated by a random number generator (RNG).

Asymmetric encryption

Asymmetric encryption (also known as public key cryptography) is a newer technology and uses two keys instead of one: a public and a private key. The first one encrypts data, whilst the second one (which can only be used by the owner of a digital certificate) decrypts. By combining two encryption methods, PKI gives you a lot of flexibility and allows you to get access to the best of both worlds.

Why and when is PKI useful?

PKI is useful and important for a number of reasons. First of all, the technology allows you to authenticate a user’s identity via the web. This gives you the opportunity to minimise fraud and timely identify suspicious transactions and requests. PKI also provides and protects the privacy of messages by lowering the risk that this information can be read while in transit or by unauthorised persons.

PKI also protects the integrity of your digital communications by lowering the risk of data being changed or tampered with in any way without the recipient’s knowledge or authorisation. PKI provides non-repudiation of online transactions too. There is always proof, meaning that individuals can’t deny their involvement in a valid online transaction.

PKI versus PPSK

When it comes to IoT management, security and assurance, you also have the option to use pre-shared keys (PPSK). PPSKs function in much the same way as the passwords that we are all so familiar with. It enables an IoT device to securely connect to a wireless LAN. You can also assign maximum time frames to the PPSKs so that they change passwords every couple of weeks or months (for example every six months) and determine that the pre-shared keys do not use the same password their entire lifecycle.

PPSK can be a good option when you are dealing with site-to-site traffic in a trusted and isolated environment. If users are working from remote sites and travelling in untrusted and unfamiliar digital territory, PKI is usually the way to go. Pre-shared keys are easier to work with (less complexity, more automation), but generally considered to be less secure. If a key is compromised, unauthorised access to the network may be obtained. Additionally, there are more opportunities to get or steal a pre-shared key because this type of key is stored in all your IPsec systems.

More information

PKI significantly increases the security of your network and provides a strong foundation for securing all internet-connected things. The technology is a core component of data confidentiality, information integrity, authentication, and data access control.

Would you like to find out more about PKI and implement this encryption technology in your organisation? Then feel free to contact us or have a look at one of our PKI partners.