PKI and E-mail Encryption - A Brief Explanation

PKI stands for Public Key Infrastructure. PKI is Information Technology infrastructure that enables users of a basically unsecure public network (such as the Internet) to securely and privately exchange data through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted Authority.

Public and private keys are like two halves of a single key. PKI encryption algorithms are designed such that a public key is used to encrypt or "lock" a message, and only the complementary private key can "unlock" that message. Think of a bank vault or safe that can only be unlocked by two individuals using two different but complementary keys. Neither of those keys can be used by itself to unlock the vault.

In practice, individuals wishing to exchange encrypted e-mail will agree to mutually trust one or more Certificate Authorities(CA) by downloading and installing each trusted Authority's root certificate on their computers. They will each obtain their own personal digital certificate from a trusted Certificate Authority, and install them on their respective computers. Because they mutually trust the Certificate Authorities, they trust each other's digital certificates. More specifically, they trust the public keys contained within their personal digital certificates which have been digitally signed by a trusted Certificate Authority. They will then exchange their trusted public keys by sending each other digitally signed e-mail messages. Once each party has the other's public key, they may exchange trusted and encrypted messsages.

Public key exchange and encryption is like exchanging notarized documents. One trusts a notarized document because a trusted third party, the Notary Public, has signed it. The Certificate Authority is the Notary Public, and the public keys are the documents.

Remember, having a personal digital certificate alone does not give one the ability to send encrypted e-mail to others, but only allows the receipt of encrypted e-mail. PKI is a cooperative encryption standard. Both parties who are exchanging encrypted messages must have personal digital certificates, they must trust the Certificate Authority which issued the other persons certificate, and they must exchange public keys with each other, as described above.

The process of installing certificates and exchanging public keys is dependent upon the e-mail application one uses, and is beyond the scope of this document.