PKI and Digital Certificates:
Public key cryptography has become pervasive as a way to protect users, networks, data, and critical business systems. Whether it is used to encrypt data and ensure privacy, to digitally sign documents and messages to attest to their integrity and authenticity, or to authenticate users and systems and control access, these public key operations are integral to modern operating systems, commercial security products, and custom-built systems. E-commerce, online banking, internet gaming, smartphones, and cloud computing all rely on the use of digital certificates to represent the digital identity of users, connected devices, web services, and business applications.
Each certificate is based on a pair of cryptographic keys that form a high strength unique credential that is tightly associated with the user or organization in question and that is used to perform secure operations such as encryption or signing. A Certificate Authority (CA) is responsible for issuing digital certificates and performing the various procedural steps to ensure that those certificates embody the appropriate levels of trust for their intended purpose. The CA forms the heart of a public key infrastructure (PKI) that underpins one or many applications and supports anything from a handful of certificates to many millions.
Organizations wishing to take advantage of certificates and the security functions that they enable have a choice of building their own PKI or purchasing certificates from external service providers. The latter option is most appropriate if certificates and identities are to be shared and trusted between different organizations or domains. Organizations deploying internal PKIs have the flexibility to define the security models that fit their specific needs, but they face a number of challenges in defining, maintaining, and securing their PKI:
- Because PKIs act as a root of trust, there is more to deploying a PKI than just the technology. Organizations will also need to design human processes carefully in order to build in appropriate checks and balances. Given the increasing need to prove compliance, organizations will need formally documented and certification-audited processes.
- Organizations must decide whether to use a single PKI for all certificate needs or separate PKIs, each tuned to individual applications or use cases and offering the appropriate trust models. The option to use external PKI services rather than build your own can further complicate the picture.
- Unfortunately, PKIs of all types represent an obvious point of attack. If a CA is compromised, digital certificates can be issued for malicious use and the trust of the entire system can be called into question.
- Although discussion about PKI tends to focus on the process of issuing certificates, related processes that support certificate validation and revocation will often have greater impact on system performance and overall capacity.
Risks Associated with PKI and Digital Certificates
- Theft of CA signing private keys or root keys enables bogus certificates to be issued, and any suspicion of compromise may force re-issuance of some or all of the previously issued certificates.
- Weak controls over the use of signing keys can enable the CA to be misused, even if the keys themselves are not compromised.
- Theft or misuse of keys associated with online certificate validation processes can be used to subvert revocation processes and enable malicious use of revoked certificates.
- As new applications are brought online, neglecting the performance aspects of signing activities associated with issuance and validation checking can result in significant business impact.
PKI and Digital Certificates: Thales e-Security Solutions
Products and services from Thales e-Security can help to ensure the integrity, performance, and manageability of your PKI. By securing the process of issuing certificates and proactively managing signing keys, you prevent their loss or theft, thereby creating a high-assurance foundation for digital security. When you add nShield Hardware Security Modules (HSMs) to your PKI, you are deploying independently certified, tamper-resistant devices that are used to secure some of the most sensitive keys and business processes in the organization—a widely recognized PKI best practice. Prominent PKI software solution providers such as Microsoft have published guidance stating that using an HSM to provide strong protection of CA keys or other high value keys is one of the strongest controls you can implement to protect your PKI (“Securing Public Key Infrastructure”, Microsoft IT, Information Security and Risk Management, published June 11, 2014).
Thales performs interoperability testing with leading PKI vendors and publishes comprehensive white papers and integration guides to help your organization understand key security considerations, accelerate deployment, and minimize risk. By taking advantage of products, expertise, and services from Thales, you will be able to operate PKIs confidently across your enterprise.
- Take advantage of easily deployed and independently certified security for all high assurance key management and certificate issuance processes.
- Offload cryptographic processing to accelerate CPU intensive signing operations, boosting performance and enabling applications and business processes to scale.
- Eliminate risky manual key management processes.
- Through tightly enforced key management policies, simplify the task of demonstrating compliance and responding to forensic and auditing requests.
- Choose from a wide range of HSM form factors and performance ratings to suit various deployment scenarios ranging from large enterprise PKIs to localized or application specific CAs.