PKI, Digital Signatures, and SSH: A Practical Guide to Modern Encryption

This article explains the fundamentals of Public Key Infrastructure (PKI), compares symmetric and asymmetric encryption, details digital signatures and certificates, and illustrates how SSH leverages these technologies for secure remote login, while also exploring their applications in IoT and code signing.

Ziru Technology

What Is PKI?

Public Key Infrastructure (PKI) is a framework that uses the theory of public‑key cryptography to provide comprehensive security services for network applications. It is a core technology for information security and e‑commerce.

Starting with Digital Information Encryption

The goal of encryption is to deliver information safely to its intended recipient, who must be able to interpret it correctly. The process consists of encryption and decryption.

Encryption transforms original data into unreadable ciphertext using a key (a number) and an algorithm; decryption reverses the process using the appropriate key.

Current encryption methods fall into two categories based on key type: symmetric encryption and asymmetric encryption.

Symmetric Encryption

Both parties share the same key and algorithm; one encrypts, the other decrypts.

Common algorithms: AES, DES, 3DES, SM1, SM4.

Symmetric encryption is computationally simple, but the shared key must be kept secret. The Diffie‑Hellman key‑exchange (1976) introduced the concept of public‑key cryptography to solve key‑distribution problems.

Asymmetric Encryption

Uses a pair of keys: a public key and a private key. Data encrypted with the public key can only be decrypted with the corresponding private key.

Typical workflow: Party A generates a key pair and publishes the public key. Party B encrypts data with A's public key and sends it to A, who decrypts it with the private key. The reverse process applies for responses.

Common algorithms: RSA, ECC, SM2.

Asymmetric encryption solves the key-distribution problem but is computationally heavier than symmetric encryption.

Digital Signature

A digital signature is the electronic equivalent of a handwritten signature, using public‑key cryptography to ensure data integrity, sender authentication, and non‑repudiation.

The signer hashes the original message, encrypts the hash with their private key, and attaches the result to the message. The receiver decrypts the signature with the signer’s public key, hashes the received message, and compares the two hashes. If they match, the message is authentic and unaltered.

A computes a hash of the email (h1).

A encrypts h1 with their private key to create the digital signature.

The signature is appended to the email.

B decrypts the signature with A’s public key, obtaining h1.

B hashes the received email (h2) and compares h1 with h2.

If the hashes match, the email is verified.

Potential issues:

If a man-in-the-middle alters both the email and the signature, the altered message passes verification only if the private key is compromised.

If an attacker replaces A’s public key on B’s system, the signature can be forged; digital certificates solve this problem.

Digital Certificate

A digital certificate, issued by a Certificate Authority (CA), binds a public key to an entity’s identity, enabling secure authentication and encrypted communication.

Certificate issuance process:

A requests certification from a CA; the CA signs A’s public key and related information with its private key, producing a digital certificate.

A includes the certificate with the signed message.

B uses the CA’s public key to verify the certificate, extracts A’s public key, and then verifies the digital signature.

Remaining challenges:

Certificates themselves could be forged; they are therefore also signed by a CA.

Clients would need to store many CA public keys; instead, a single root certificate containing the root CA’s public key is trusted.

Root certificates are self‑signed and rely on the authority of the CA.
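The signing steps and the certificate check described above can be traced in a short added example (not code from the original article). It uses textbook RSA without padding, built from publicly known Mersenne primes, so the keys are constructed demo values and not secure; the names toy_keypair, issue_cert and check_message are hypothetical.

```python
import hashlib

E = 65537  # public exponent

def toy_keypair(a, b):
    """Textbook RSA from the Mersenne primes 2**a-1 and 2**b-1.
    Constructed demo keys: the primes are public, so these are NOT secure."""
    p, q = 2**a - 1, 2**b - 1
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))   # (public, private)

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):
    n, d = priv
    return pow(digest(data), d, n)          # h1 "encrypted" with the private key

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data)   # recovered h1 == recomputed h2

def cert_body(subject, pub):
    return f"{subject}|{pub[0]:x}|{pub[1]:x}".encode()

def issue_cert(ca_priv, subject, pub):
    # The CA signs the identity together with the public key it vouches for.
    return {"subject": subject, "pub": pub,
            "ca_sig": sign(ca_priv, cert_body(subject, pub))}

def check_message(ca_pub, cert, sender, msg, sig):
    """B's checks: certificate first, then the message signature."""
    body = cert_body(cert["subject"], cert["pub"])
    if cert["subject"] != sender or not verify(ca_pub, body, cert["ca_sig"]):
        return "bad certificate"
    return "ok" if verify(cert["pub"], msg, sig) else "bad signature"

def demo():
    ca_pub, ca_priv = toy_keypair(1279, 2203)
    a_pub, a_priv = toy_keypair(521, 607)
    m_pub, m_priv = toy_keypair(2281, 3217)   # a third party's key pair
    cert = issue_cert(ca_priv, "A", a_pub)
    msg, other = b"pay 100 to C", b"pay 900 to M"
    sig, m_sig = sign(a_priv, msg), sign(m_priv, other)
    swapped = dict(cert, pub=m_pub)           # A's key replaced, CA signature kept
    return {
        "genuine": check_message(ca_pub, cert, "A", msg, sig),
        "altered_message": check_message(ca_pub, cert, "A", other, sig),
        "bare_swapped_key": verify(m_pub, other, m_sig),   # no certificate: accepted
        "swapped_key_in_cert": check_message(ca_pub, swapped, "A", other, m_sig),
    }
```

The bare_swapped_key result is the public-key replacement problem listed under "Potential issues"; the same substitution is rejected once B checks the key against the CA's signature.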

SSH Protocol Overview

SSH is a protocol standard for secure remote login and other network services, implemented by OpenSSH and commercial solutions.

SSH uses asymmetric encryption for authentication and symmetric encryption for data transfer.

Server sends its public key to the client.

Client encrypts the password with the server’s public key.

Server decrypts with its private key and validates the login.

To prevent man‑in‑the‑middle attacks, SSH verifies the server’s public key fingerprint on first connection.

The authenticity of host 'www.mapway.cn (12.18.429.21)' can't be established.
RSA key fingerprint is 98:2e:d7:e0:de:9f:ac:67:28:c2:42:2d:37:16:58:4d.
Are you sure you want to continue connecting (yes/no)?

After confirming, the host is added to known_hosts and the user proceeds with password authentication.
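The fingerprint in the prompt above is the MD5 hash of the server's public key blob in colon-separated hex; current OpenSSH releases print a SHA256 form by default. The following added example (not from the original article) computes both forms and performs the known_hosts comparison that detects a changed host key; the key bytes, host names and function names are constructed for illustration.

```python
import base64
import hashlib
import struct

def ssh_string(b):
    """SSH wire format: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def sample_key(raw32):
    """Constructed ssh-ed25519 key blob (base64), as stored in known_hosts."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return base64.b64encode(blob).decode()

def fingerprints(b64blob):
    """Return (MD5 colon-hex, SHA256 base64) fingerprints of a key blob."""
    blob = base64.b64decode(b64blob)
    h = hashlib.md5(blob).hexdigest()
    md5 = ":".join(h[i:i + 2] for i in range(0, len(h), 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5, "SHA256:" + sha

def check_host(known_hosts, host, keytype, b64blob):
    """Compare a presented host key with known_hosts entries.
    Handles plain host names only (no hashed names or @markers)."""
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@", "|")):
            continue
        names, ktype, stored = fields[:3]
        if host in names.split(",") and ktype == keytype:
            return "match" if stored == b64blob else "changed"
    return "unknown"   # first connection: show the fingerprint and ask the user

# Constructed sample data: key bytes and host names are made up.
PINNED = sample_key(bytes(range(32)))
OTHER = sample_key(bytes(range(1, 33)))
KNOWN_HOSTS = f"host.example,192.0.2.10 ssh-ed25519 {PINNED}\n"

if __name__ == "__main__":
    print(fingerprints(PINNED))
    for name, key in [("host.example", PINNED), ("host.example", OTHER),
                      ("new.example", OTHER)]:
        print(name, check_host(KNOWN_HOSTS, name, "ssh-ed25519", key))
```

A "changed" result corresponds to the case where the client must refuse or warn, because the key no longer matches the one accepted on first connection.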

Public‑Key Authentication

Instead of passwords, SSH can use public‑key authentication:

Client places its public key in the server’s authorized_keys file.

Server encrypts a random challenge with the client’s public key and sends it.

Client decrypts the challenge with its private key, combines it with the session key, hashes the result, and returns the digest.

Server performs the same hash and compares the digests; if they match, authentication succeeds.

Digital Certificates in Smart Home and IoT

In IoT, devices need secure authentication without passwords. A self‑built CA can issue certificates to devices, enabling identity verification, encrypted communication, and secure OTA updates.

Self‑Built CA System

Chip Certificate Usage

The Trusted Computing Group (TCG) defines TPM (Trusted Platform Module) chips that store private keys and device certificates, forming a root of trust for hardware platforms.

Device Certificate

Each device receives a unique certificate and private key, stored in a read‑only root certificate store, enabling encrypted communication and authentication.

API Access Certificate

Certificates issued to partners allow authenticated access to APIs, with the server validating the certificate before granting permissions.

Code Signing Certificate

Used for OTA firmware updates to verify the integrity and authenticity of code before installation.
