Why do we need TLS certificates?


Introduction to PKI - Public Key Infrastructure.

Introduction

PKI (Public Key Infrastructure) is a set of rules used to manage security through asymmetric encryption. It governs encryption keys through the issuance and management of digital certificates. These certificates serve as proof of identity and are issued by certificate authorities. Each certificate also includes the public key of its owner, which you can rely on for encryption. The most common use case of PKI is SSL/TLS certificates, which are used for secure web browsing and communication. Other examples are digital signatures and email encryption.

Symmetric / Asymmetric Encryption

Let's explain some of the terms used earlier to understand PKI better. I mentioned asymmetric encryption, but let's talk about symmetric encryption first. Assume you want to send a message to Alice. For privacy reasons, you may want to encrypt the message before you send it. You use a key to encrypt it and then send it to Alice. Alice uses the same key to decrypt it. Using the same key for both encryption and decryption is called symmetric encryption. The problem is that if a third person somehow gets the key, the communication is no longer safe: hackers can decrypt the message in transit.

This is where asymmetric encryption comes in handy. In asymmetric encryption, we use two keys: a public key for encryption and a private key for decryption. These keys are generated at the same time by a mathematical algorithm. The important point to remember is that they both belong to a single person or organization. Anyone can see the public key, but the private key is known only to the owner. This provides better safety when communicating. First, you ask Alice for her public key and use it to encrypt your data. Then, you send the encrypted data to Alice. Alice uses her private key to decrypt the data and read the message. Asymmetric encryption is the underlying technology in PKI.

Certificates

There is still an important issue that may arise in our case. How do you know that the person is really Alice? Maybe someone else is pretending to be Alice and trying to see the information you want to send. At this point, you need proof of identity (authentication for Alice) which shows that the public key belongs to her. PKI resolves this challenge with digital certificates (aka X.509 certificates). Each certificate binds a public key to its owner so that recipients can accurately verify the owner. Then, who creates those certificates? These are usually trusted third-party organizations, so-called Certification Authorities (CAs), that are responsible for creating certificates. In our scenario, before starting to communicate with Alice, we ask for Alice's certificate from one of the CAs. When we get the certificate back from the CA, we can start communicating with the asymmetric encryption method discussed earlier. As you can see, the whole communication now becomes much more secure.
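The sketch below is an added example, not part of the original post. It shows in Go's standard library how a recipient can check that a certificate claiming Alice's identity was really issued by a CA it trusts, and that a self-signed impostor certificate for the same name is rejected. The helpers `issue` and `trusted` and all names (`Example Root CA`, `alice.example`) are hypothetical and constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a key pair and a certificate; nil parent = self-signed, no dns names = CA.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, dns ...string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: dns,
		Subject: pkix.Name{CommonName: cn}, IsCA: len(dns) == 0, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	if tmpl.IsCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign // only a CA may sign other certificates
	}
	if parent == nil {
		parent, parentKey = tmpl, key // sign with our own key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// trusted reports whether cert chains to the trusted root and is valid for name.
func trusted(cert, root *x509.Certificate, name string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: name})
	return err == nil
}

func main() {
	ca, caKey, _ := issue("Example Root CA", nil, nil) // all names are constructed
	alice, _, _ := issue("Alice", ca, caKey, "alice.example")
	fake, _, _ := issue("Alice", nil, nil, "alice.example") // self-signed impostor
	fmt.Println(trusted(alice, ca, "alice.example"), trusted(fake, ca, "alice.example")) // true false
}
```

The impostor certificate carries the same name as Alice's, but its signature does not come from the trusted CA's private key, so verification fails.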