What the heck is PKI, Public Keys, Private Keys, Infrastructure, Security, Sign this Encrypt that..what?!

I’m going to start going over some Core Concepts, a lot of these I ask in interview questions. “What is PKI? How do you Encrypt, Decrypt, Sign and Verify Data?” The Answers I get are quite wrong or not quite right most of the time.

PKI, Public Key Infrastructure

Covered, read the wiki link, TLDR: it’s our ssl chaining system we use for signing and validating certs, except you have no idea what I just said (yet).

Public / Private Keys

Okay, Private key, that’s YOUR secret, do NOT distribute, do not give it to your friends, spouse (OK maybe the spouse in a will or something), definitely not the NSA, China, etc etc (NSA mentioned for the google rank). It’s your key, which you generate on your local system ( or with an HSM – Hardware Security Module if you’re fancy.) This is how you sign and encrypt data, so unless you give out your social #,

Public Key, Give this to EVERYONE, post if on your forums, facebook, keybase, myspace, blogs, MIT’s site for email, give it out freely, it’s how they send you data with encryption and verify your signatures.

Private Key + File = Signed File

So you use your private key to SIGN files, you can do this many ways (openssl is very common but digicert is really handy) and this can be any sort of data (I’ll discuss specifics of code signing certs vs email pgp certs vs http data another time).

Signed File + Public Key = Verified Signature

Sweet, you sent your friend an email with your signature (signed and all) and it was verified! Now we know for sure to send him those well deserved bitcoin for the previous post.

Public Key + File = Encrypted File

Yes, Public keys do encryption and public keys are well, public.  This is why PKI is a much better system than password protected vaults, it’s like anyone could password protect a file without the password, and only you could open it.  Not much different than a door lock, you can lock it from the inside, shut the door.  The house is secure (yeah I know, bad analogy but hey it’s what I thought up when typing this out at 11:30pm), and only someone with a key can open the door to access the house.

Encrypted File + Private Key = Decrypted File

Sweet, so that covers PKI, you can encrypt, decrypt, sign and verify files, If this was helpful or not, comment below and I’ll be happy to add some more details as needed.

What about SSL? TLS? S/MIME? PGP? SSH-Keys? So many more questions…and what is a CSR?

Excellent video from @globalsign about PGP Email

Say Something Nice