# What is PKI?

**Public Key Infrastructure (PKI)** is the framework of tools and practices used to secure digital communications. It underpins email, web browsing, online banking, software signing, encryption, and even smart card authentication.

At its core, PKI enables two parties to exchange information securely through end-to-end encryption, typically with the help of digital certificates issued by a trusted third party.

### The Four Main Elements of PKI

1. **Digital Certificates**
   * Like passports for the digital world, certificates provide electronic identification for websites, organizations, or individuals.
   * They allow two parties to verify each other’s identity by presenting trusted certificates.
   * On private networks, certificates can be issued internally. On public networks, they come from trusted **Certificate Authorities (CAs)**.
2. **Certificate Authority (CA)**
   * The gatekeepers of PKI.
   * CAs authenticate participants, much like a government issuing passports.
   * Once a participant is vetted, the CA issues a certificate that other participants trust.
3. **Registration Authority (RA)**
   * A subdivision of the CA.
   * Acts as a middle layer to improve efficiency by handling certificate requests locally, instead of overloading the CA directly.
4. **Certificate Store**
   * A central repository holding certificate records and keys, such as Google Wallet.
   * Stores both valid and expired certificates along with encryption keys.

***

### The Weaknesses of PKI

While PKI has been foundational for internet security, it has critical flaws that attackers exploit:

1. **Single Point of Failure**
   * If a CA is compromised, the attacker can issue themselves trusted certificates.
   * This allows them to impersonate any participant in the system without detection.
2. **Centralized Incentive to Attack**
   * Since certificate stores hold all sensitive information in one place, they become high-value targets.
   * A single breach can expose every private key on the network.
3. **Encrypted Blind Spots**
   * Perhaps the most overlooked issue: because PKI encrypts traffic end-to-end, network administrators cannot inspect the contents of what is being transmitted.
   * If an attacker convinces a participant to open a secure channel, they can use the participant’s trusted certificate to spread malware or steal data under cover of that encryption.
   * This kind of exploit, in which malicious data is smuggled through encrypted channels, is known as **“shoveling in the shell.”**
   * It’s a common vector in today’s cybercrimes, powering ransomware, data exfiltration, and other advanced persistent threats.

