
In the following, I'll give a more detailed explanation of PKI.
To ensure secure communication on networks (that is, to prevent contract tampering and to authenticate business contacts), a technology called the public key cryptosystem is available. In this technology, the main tool for encrypting and decrypting data is called a "key". A public key cryptosystem uses two kinds of key, a "public key" and a "private key", for data encryption and decryption. The private key is held by one person and is, so to speak, for that person's use only; in contrast, the public key corresponding to that private key is open to the general public for widespread use.
In authentication by a public key cryptosystem, the person being authenticated starts by encrypting the data to be transmitted with their private key. The encrypted data cannot be read unless a great deal of complex decryption is done; it cannot even be read by the person who encrypted it.
In the next step, the public key that corresponds to the private key enters the picture.
The person doing the authentication uses the public key to decrypt the transmitted data, which returns it to readable form. If the encrypted data decrypts correctly, that person concludes that the key used for encrypting it was the private key that corresponds to the public key; in other words, the person who encrypted the data must be the holder of the private key.
So what happens if the person performing the authentication mistakes the holder of the private key?
Whether the encrypted data can be decrypted correctly depends simply on whether the public key corresponds to the private key. This means that if a public key is thought to belong to the person undergoing authentication but does not actually correspond to the private key, the encrypted data cannot be decrypted. Conversely, if a public key is thought to belong to a complete stranger but does correspond to the private key, it becomes possible for the stranger to decrypt the encrypted data. That is to say, authentication of a legitimate person can go wrong, and someone can pass themselves off as someone else (so-called "spoofing").
The scenario described above means that in authentication using a public key cryptosystem, it is extremely important to bind the right person to the public key correctly. Consequently, it has become essential to devise a system in which a third-party organization with no direct connection to the person undergoing authentication certifies whether that person is unmistakably the holder of the private key corresponding to the public key, or a malicious stranger intending to spoof the cryptosystem. This scheme is called Public Key Infrastructure (PKI): a core technology that makes up the security infrastructure protecting the foundations of e-commerce.
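The following added example (not part of the original article) walks through the authentication flow above, first with a wrongly bound public key and then with a third party certifying the binding. It assumes toy textbook RSA over small constructed primes, which is insecure and for illustration only; the parties "alice" and "mallory", the certificate layout, and all function names are hypothetical.

```python
import hashlib

# Toy textbook RSA over constructed Mersenne primes: illustration only, not secure.
def make_key(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))   # (public, private)

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(private, msg):
    """The article's 'encrypt with the private key' step."""
    n, d = private
    return pow(digest(msg, n), d, n)

def verify(public, msg, sig):
    """The article's 'decrypt with the public key' step, then compare."""
    n, e = public
    return pow(sig, e, n) == digest(msg, n)

def binding(name, public):
    return f"{name}|{public[0]}|{public[1]}".encode()

def issue_cert(signer_private, name, public):
    """A third party vouches for the (name, public key) binding."""
    return {"name": name, "public": public, "sig": sign(signer_private, binding(name, public))}

def authenticate(ca_public, cert, claimed, challenge, response):
    return (cert["name"] == claimed
            and verify(ca_public, binding(cert["name"], cert["public"]), cert["sig"])
            and verify(cert["public"], challenge, response))

def demo():
    alice_pub, alice_priv = make_key(2**31 - 1, 2**61 - 1)
    mallory_pub, mallory_priv = make_key(2**89 - 1, 2**107 - 1)
    ca_pub, ca_priv = make_key(2**127 - 1, 2**521 - 1)
    challenge = b"constructed-challenge-001"
    # Without PKI: the verifier's key list wrongly maps "alice" to Mallory's key.
    wrong_directory = {"alice": mallory_pub}
    spoof_ok = verify(wrong_directory["alice"], challenge, sign(mallory_priv, challenge))
    real_ok = verify(wrong_directory["alice"], challenge, sign(alice_priv, challenge))
    # With PKI: only a binding signed by the trusted third party is accepted.
    good = issue_cert(ca_priv, "alice", alice_pub)
    forged = issue_cert(mallory_priv, "alice", mallory_pub)   # not signed by the CA
    return {
        "spoof_accepted_without_pki": spoof_ok,
        "real_alice_rejected_without_pki": not real_ok,
        "alice_accepted_with_pki": authenticate(ca_pub, good, "alice", challenge, sign(alice_priv, challenge)),
        "spoof_accepted_with_pki": authenticate(ca_pub, forged, "alice", challenge, sign(mallory_priv, challenge)),
    }

if __name__ == "__main__":
    print(demo())
```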