- Powered by Yip Tse & Tang, Solicitors & Notaries 葉謝鄧律師行

HKU Certification Authority (HKUCA)
Certificate Repository

Concept of Public Key Infrastructure (PKI)

PKI covers the use of public key cryptography for authentication and access control of a user, guaranteeing the integrity and non-repudiation of documents signed by the user, and confidentiality of data.
PKI employs a pair of keys for each user: a private key which is known only to the user himself, and a public key which is published by some authority, in the form of a digital certificate (certificate for short).

In signing a document or an e-mail, a user signs using his own private key so that others can use the signer's public key to verify the authenticity and non-repudiation of documents or e-mail. Since only the user has his own private key to sign, non-repudiation is established.

Before sending an encrypted e-mail to a receiver, the sender installs the receiver's certificate in the sender's e-mail program which supports the use of PKI technologies. The program can, on the sender's instruction, encrypt an e-mail using the receiver's public key. The receiver, on receiving the encrypted mail, can use his private key to decrypt the mail. Since only the receiver has his own private key, the encrypted mail will only be readable by him. Others, even if they can get hold of a copy of the encrypted mail over the network, would not be able to read the encrypted mail as they do not have the receiver's private key to decrypt the mail. The use of PKI saves the trouble of maintaining and distributing the same encryption/decryption key between the sender and the receiver.

The e-mail program Netscape Messenger v4.7x supports the signing and encryption of e-mail using 1024-bit RSA keys and certificates.

By using strong public key cryptographic algorithms, such as 1024-bit RSA keys which the HKU CA and Hongkong Post are employing, it is practically impossible for anyone to crack the private key from the public key within the life-time of a private key.