1.4 Cryptographic solutions
📘CompTIA Security+ SY0-701
🔷 What is PKI (Public Key Infrastructure)?
Public Key Infrastructure (PKI) is a framework used to manage digital certificates and encryption keys securely.
It ensures confidentiality, integrity, authentication, and non-repudiation in communication.
Think of PKI as the system that manages encryption keys and digital certificates in an organization or over the internet.
🔸 Why PKI is Important
In IT environments, PKI is used for:
- Secure website connections (HTTPS / SSL/TLS certificates)
- Secure emails (digitally signed or encrypted)
- VPN authentication
- Code signing (verifying that software hasn’t been tampered with)
- Smart card logins / digital identity verification
It’s a core part of cybersecurity because it makes sure data sent between systems or users is private and trusted.
🔷 Key Concepts in PKI
1. Public Key and Private Key
PKI uses a pair of keys that work together but serve different purposes.
| Key Type | Who Holds It | What It Does | Example Use |
|---|---|---|---|
| Public Key | Shared openly (available to anyone) | Used to encrypt data or verify a digital signature | Used in digital certificates on websites |
| Private Key | Kept secret by the owner | Used to decrypt data or create a digital signature | Stored securely on a server, device, or HSM |
🔹 They always work together — what one key encrypts, only the other can decrypt.
For example:
- When someone encrypts data using your public key, only your private key can decrypt it.
- When you digitally sign something with your private key, others can verify it using your public key.
2. Certificate Authority (CA)
A Certificate Authority (CA) is a trusted organization that issues digital certificates.
It confirms that a public key belongs to a specific user, system, or organization.
- The CA verifies identity before issuing a certificate.
- Examples: DigiCert, GlobalSign, Let’s Encrypt.
In an enterprise, the CA could be internal — part of Active Directory Certificate Services (AD CS) — or external.
3. Registration Authority (RA)
An RA is like an assistant to the CA.
It helps verify identities and approve certificate requests before they reach the CA.
Example:
An employee requests a digital certificate for email signing → The RA checks their identity → Sends approval to the CA → The CA issues the certificate.
4. Digital Certificates
A digital certificate binds a public key to an identity (a person, system, or organization).
It contains:
- Owner’s name or organization
- Public key
- Issuer (CA)
- Validity period
- Digital signature of the CA
Purpose:
- To confirm that the public key really belongs to the claimed entity.
- Used for authentication and encryption.
5. Certificate Revocation
Sometimes, certificates must be revoked before they expire — for example, if:
- The private key is stolen.
- The owner leaves the company.
- The system is compromised.
The CA lists revoked certificates in a:
- CRL (Certificate Revocation List) – a list published periodically.
- OCSP (Online Certificate Status Protocol) – a real-time system to check certificate status.
6. Trust Model
PKI works based on trust. The CA is trusted by users and systems.
There are several trust models:
- Hierarchical Model: One root CA and multiple subordinate CAs (most common in enterprises).
- Web of Trust: Used in PGP email encryption, where users verify each other’s identities.
🔷 Key Escrow
What is Key Escrow?
Key escrow is a secure storage of private encryption keys by a trusted third party (or an organization’s key management system).
It ensures that authorized access can be gained if the key owner loses access to their key or leaves the company.
In other words, a backup of private keys is held by a trusted entity for recovery purposes.
Why Key Escrow is Used
- Data recovery:
If a user loses their private key, encrypted data would normally be unreadable.
Key escrow ensures the organization can still decrypt it. - Compliance and investigations:
Some industries and governments require access to encrypted data for legal or auditing purposes. - Continuity:
When employees leave or systems fail, access to critical encrypted files isn’t lost forever.
How Key Escrow Works
- When a key pair is created, a copy of the private key is securely stored (encrypted) in an escrow database.
- Access to that key is tightly controlled — usually only security administrators or compliance officers can retrieve it.
- Recovery is logged and audited to prevent abuse.
Example in IT:
- In Microsoft Active Directory Certificate Services (AD CS), Key Recovery Agents (KRAs) can be configured to recover escrowed keys for encrypted files.
Risks of Key Escrow
While useful, key escrow also comes with risks:
- If the escrow system is compromised, attackers could gain access to private keys.
- It must be protected by strong access control, encryption, and auditing.
🔷 Summary Table
| Concept | Description | Security Role |
|---|---|---|
| Public Key | Shared openly; used to encrypt or verify | Ensures secure communication |
| Private Key | Kept secret; used to decrypt or sign | Provides confidentiality and authenticity |
| CA (Certificate Authority) | Issues and signs digital certificates | Builds trust in identity verification |
| RA (Registration Authority) | Verifies users before CA issues certificates | Adds an identity validation step |
| Digital Certificate | Binds public key to an entity | Enables authentication |
| CRL / OCSP | Systems to revoke certificates | Ensures certificates remain trustworthy |
| Key Escrow | Secure storage of private keys | Allows recovery of encrypted data |
🧠 Exam Tip Summary (for SY0-701)
✅ PKI = framework managing digital certificates and encryption keys.
✅ Public key = used to encrypt or verify.
✅ Private key = used to decrypt or sign.
✅ CA = trusted entity issuing certificates.
✅ RA = validates identity before certificate issue.
✅ CRL/OCSP = revocation methods.
✅ Key escrow = backup of private keys for recovery.
✅ Compromise of private key = immediate certificate revocation.
