Typically, a PKI relies on public-key (also known as asymmetric key) cryptography as the visible frontline security mechanism for the infrastructure and uses symmetric-key cryptography invisibly behind the scenes to handle the high-volume and some special-purpose cryptographic tasks. This works because a PKI can use the secure, but relatively slow, public-key cryptography between a client and server entity to exchange and authenticate the relatively small symmetric keys that, in turn, are used to provide the actual privacy and integrity for the bulk of the data exchanged between the same client and server. The PKI generates and uses public-key cryptography to secure all symmetric keys without any intervention from users. The users need only have access to their respective private and public-keys to make use of all the services provided by the PKI-generated symmetric keys.
Common uses for public-key cryptography in a PKI include:
Key confidentiality — In all cases where symmetric cryptography is used, the secret keys involved are protected by the frontline public-key encryption and decryption between communicating entities.
Authentication using digital certificates — The authentication services of a PKI typically rely on digital certificates to communicate the public keys between client and server entities for verifying identity. For more information on digital certificates, see Trust relationships and supporting mechanisms.
Nonrepudiation using digital signatures — The authentication services of a PKI typically rely on digital signatures both to verify that a certain piece of information originates from a specific entity and to prevent that entity from repudiating (disavowing) their authorship of that information. For more information on digital signatures, see the Trust relationships and supporting mechanisms.
Key confidentiality — In all cases where symmetric cryptography is used, the secret keys involved are protected by the frontline public-key encryption and decryption between communicating entities.