A PKI consists of a server that stores public keys used for encryption. Public keys are one half of the public-private key pair used in what is called asymmetric encryption. The two keys are mathematically related but can't be derived from each other. The private key never leaves the system where it's stored, so it is never exposed to possible malicious capture and use.
To send a message to someone, the user encrypts the message with the receiver's public key, which is openly available from a public key store. If the key is captured, the message can't be decrypted without the private key, which is inaccessible. When the legitimate receiver gets the message, he or she can easily decrypt it with their private key, which remains hidden from the world.
A PKI is a complete key management system that creates, manages, stores, deletes and revokes outdated keys. The system also does the same for digital certificates associated with the keys. The digital certificates verify the public key and have a set lifetime, which the PKI keeps close tabs on.
Implementing a PKI architecture can be costly, and it doesn't always operate well with other systems. If the PKI is going to be used for encrypting communications outside of the company, it has to have publicly available digital certificates from an established certificate authority (CA) like Verisign -- and that isn't cheap.
But a PKI can be more cost effective with internal systems. If used within the company, digital certificates can be self-signed at low cost, since they don't have to come from a well-known CA. Their own PKI can generate home certificates for the company systems. The public key infrastructure can, for example, issue keys and certificates that verify an enterprise's mobile devices and prevent malicious access by those that don't have the right keys or certificates.
Another growth area for PKI technologies is in managed security service providers (MSSP). An MSSP can host all the complexities of hardware and key storage, saving a company the headache and cost of doing everything itself. Rather than building a PKI system themselves, subscribers pay an MSSP to manage their enterprise's PKI and its public keys and digital certificates.
This was first published in March 2007