Managed PKI certificates: One step at a time toward securing the IoT

Scott Amyx CEO, Amyx McKinsey

$375 billion: it's more than the GDP of some small countries. That's how much is being siphoned off from unknowing companies and their victimized customers. How much of that was taken from your company and customers?

McAfee's 2014 paper "Net Losses: Estimating the Global Cost of Cybercrime" estimates that a minimum of $375 billion, and perhaps as much as $575 billion, is lost to cybercrime annually. Businesses suffer tremendously from cybercrime. There is, of course, the obligatory, but usually temporary, decrease in the company's stock price once the public is made aware of the breach. Far worse, though, the corporation's most precious possession, its reputation, sustains a shock from which it may never fully recover. And companies may face increased liability and lawsuits over a lack of due diligence.

Now, as more devices are connected online, companies are being exposed to crime in novel, expensive ways. Many industry leaders in the tech industry recognize the importance of security as the Internet of Things (IoT) expands.

Scaling the Internet of Things

Analysts and tech firms estimate that some 50 billion to 200 billion devices could be connected to the Internet in 2020. Because the IoT could quickly become a breeding ground for malicious surveillance and attacks, security and authentication need to be priorities for corporations. But how can they establish trust across connected devices on such a massive scale?

PKI certificates and security

Corporations with their customers' interests at heart will take the lead in creating a protected environment for their own infrastructure, R&D, data, employees, and customers. The expansion of the IoT accentuates the direct relationship between keeping devices and data secure and keeping consumers content. This is where PKI (public key infrastructure) certificates bring real value and peace of mind.

Public key cryptography uses a pair of coded values, a public key and a private key: information encrypted with the public part can be decoded only by the one person or object holding the private part, and a digital certificate ties the public part to that holder. Algorithms for encryption are evolving, with the most common being RSA (developed in the late '70s and deriving its name from the initials of its creators). Elliptic Curve Cryptography (which deals with algebraic curves) is garnering interest because it is more secure than RSA.

"Public key infrastructure" refers to the entire ecosystem devoted to digital certificates and encryption. This ecosystem encompasses, not just the software and hardware, but all of the people involved with the digital certificates. PKI certificates are issued from a CA (certificate authority), which creates and manages them. Each PKI certificate is a unique identifier and greatly aids in creating trusting relationships between customers and businesses. The creation and management of the PKI can be handled in-house or via a management company.

X.509 digital certificates have gained traction because they represent identity in a cross-platform, cross-organizational way. Moreover, developers can choose from a myriad of certificate-processing software libraries, some built into the operating system and others, such as OpenSSL and BouncyCastle, available for free.

Digital certificates are attractive because they do not need to be publicly trusted or purchased from "big box" certificate vendors such as Symantec, GeoTrust, and DigiCert; they can be issued by an organization's in-house PKI. This is a scalable approach; the issued volume of certificates can easily number in the millions or even billions, depending on the implementation.

PKI certificates are an industry standard for cybersecurity, and cryptography has been rapidly evolving to introduce more hacker-proof algorithms. However, while technology is an important part of any cybersecurity infrastructure, corporate leaders need to examine their total corporate ecosystem. PKI certificates cannot solve all security issues, as noted in the meticulous paper "Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure," by Carl Ellison and Bruce Schneier. They note: "Security is a chain; it's only as strong as the weakest link. The security of any CA-based system is based on many links and they're not all cryptographic. People are involved."

There is no perfect system, but we can learn from past mistakes and press forward toward building a more competent, safe PKI that will shield consumers and businesses from at least some problems. SANS author Angela Keith takes on some of these problems in "Common issues in PKI implementations — climbing the 'Slope of Enlightenment'." She highlights the fact that PKIs are not perfect but that there is a sizable number of governing bodies, corporations, and individuals tackling the issues that arise from PKI implementation. (Her work also takes a hard look at the PKI implementations utilized by the U.S. Department of Defense and those used in the nation of Estonia.)

In-house PKI certificates

Handling PKI certificates in-house obviously comes with its own benefits. PKI certificates can be issued and managed very carefully. Your tech team can work closely together to keep the software up to date and ensure that all hardware is secure. The in-house PKI seems like the best in cybercrime prevention; after all, if everything is under one roof (and under your own watchful eyes), efficiency and security reign — or do they? In-house solutions can be great for very small companies, but they can become problematic for those experiencing rapid growth and those big enough to have many more locations, resources, and employees.

How your people handle PKI certificates is just as important as the technology. If you are managing PKI certificates in-house, you may be limiting yourself. "A Business Perspective on PKI: Why Many PKI Implementations Fail, and Success Factors to Consider," from SANS, notes that part of the problem is that there are nontechnical reasons for the failure to successfully implement a PKI. People are not really a system, and they don't behave in prescribed manners, even when policies are implemented to regulate behavior. Of course, training your team to follow the procedures is necessary, but it is undeniable that rules get broken, for reasons of mistrust, laziness, or willful negligence.

Your own team is only part of the issue, too; what about your customers? How seriously are they taking the threat to their connected devices? It all depends on your corporate reputation with regard to the management of the enterprise PKI. Don James' "The Shortcut Guide to Certificates in the Enterprise" highlights the trust issue of going with in-house PKIs: "It's hard to make an argument that an entirely internal PKI is a good solution for producing certificates that must be trusted by the public. ... Attesting to your own identity isn't exactly going to generate a lot of trust with users and customers."

Managed PKI certificates

With the rapid rise of the IoT, managing security issues takes on a new dimension. If Cisco's prediction about the number of devices online is even half right, no company can truly focus on operating its business while managing PKI certificate issues. Consumers want to know that their wearable, home-based, and connected devices are safe from unauthorized access. Corporations need to ensure that the printer sitting in Sally's cubicle isn't the leak in their infrastructure that is going to cost them ten years of research. Managed PKI certificates can ensure a reasonable amount of security and shelter from liability.

Managed PKI certificates are offered by a number of companies. The entity handles all aspects of the certificate security, including the initial rollout and support. Companies that focus only on managing PKI certification can provide enterprise security and equanimity while providing a more cost-effective model than an in-house solution. In SC Magazine's "PKI for the Internet of Things," Richard Moulds (vice president of strategy, Thales e-Security) highlights the fact that "High integrity messaging, secure communications and mutual authentication at an internet scale will be absolutely necessary for IoT to succeed." Dedicated PKI management enterprises bring this to the table via their reputation.

What could a hypothetical managed PKI look like? One example was rolled out by Symantec. Symantec's whitepaper on managed PKI certificates, "Reducing Complexity and Total Cost of Ownership with VeriSign Managed PKI," explores the benefits of utilizing its system of managed PKI versus handling it in-house. Besides the obvious issues, such as maintaining a trained, dedicated staff that has a solid understanding of security issues, a serious infrastructure, and strict policies and procedures that are followed to the letter, handling PKIs in-house can be costly in terms of time and money. Symantec drew a comparison between a typical in-house solution vs. using its own Verisign solution and found that the in-house solution cost about seven times more than its Verisign service.

While money is an essential part of the concern, offloading the headaches associated with security results in less waste and a higher level of public confidence in your business. After all, a managed PKI is supported by a dedicated company that already has a solid reputation in the public mind. Aligning your company with one with a prodigious reputation for trust and security could have a halo effect, enhancing your corporate standing.

Ultimately, your firm has to assess the pros and cons of in-house vs. managed PKI service.

Shortcomings of PKI certificates

However, not everyone is a fan of PKI certificates.

Some of the concerns raised by security experts are:

  • The question of whom we trust, and for what specific purpose. What makes a CA trusted?

  • When a certificate is trusted, that merely means that it handles its own private keys. It doesn't mean that others can trust a certificate from that CA for a specific purpose. In other words, who gave the CA the authority to grant such authorization? Who made it trusted?

  • An individual's private signing key might not be truly secure. Who is using the key, and how do you really protect it? Whether that private key resides on your network, computer, smart card, or device, it's vulnerable to attack. And if someone gets hold of your private signing key and causes harm, you're legally responsible, without proving fault.

  • The security of the verifying computer that uses the certificate could be questionable. Certificate verification uses public keys, not a secret key. Therefore, there are no secrets to protect. It does use one or more of the root public keys. If an attacker adds his own public key to that list, then he can issue his own certificates, which will be treated as if they are legitimate certificates.

  • The questions of whether identifiers are truly unique, whether the CA is truly an authority, whether the user is part of the security design, and whether the CA identifies the certificate holder.
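
The trust-store concern in the list above (an extra root public key on the verifying computer makes every certificate issued under it look legitimate) can be checked by comparing the installed roots against an approved baseline. The following is an added example, not code from the article or any vendor; the baseline process and the sample "certificates" (constructed byte strings standing in for DER-encoded roots) are assumptions.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armor (used to build the constructed sample)."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

def fingerprints(bundle: str) -> set[str]:
    """SHA-256 over each entry's DER bytes, so PEM line wrapping is irrelevant."""
    out = set()
    for body in PEM_RE.findall(bundle):
        der = base64.b64decode("".join(body.split()), validate=True)
        out.add(hashlib.sha256(der).hexdigest())
    return out

def audit_trust_store(bundle: str, approved: set[str]) -> dict:
    """Diff the roots actually installed against the approved baseline."""
    present = fingerprints(bundle)
    return {
        "unexpected": sorted(present - approved),  # roots nobody signed off on
        "missing": sorted(approved - present),     # approved roots removed
    }

# Constructed stand-ins for DER-encoded root certificates (not real X.509).
ROOT_A = b"constructed-root-A" * 8
ROOT_B = b"constructed-root-B" * 8
ROGUE = b"constructed-unapproved-root" * 8

# Baseline recorded when the device image was built (assumed process).
APPROVED = {hashlib.sha256(r).hexdigest() for r in (ROOT_A, ROOT_B)}

# Trust store as later found on the verifying machine: one extra root.
FOUND = to_pem(ROOT_A) + to_pem(ROOT_B) + to_pem(ROGUE)

if __name__ == "__main__":
    report = audit_trust_store(FOUND, APPROVED)
    for fp in report["unexpected"]:
        print("UNEXPECTED ROOT", fp)
    for fp in report["missing"]:
        print("MISSING ROOT", fp)
```

Any entry under "unexpected" is a root that can vouch for certificates without ever having been approved, which is the weak link that bullet describes; the baseline itself has to be stored where the verifying machine cannot rewrite it.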

Security is a chain; it's only as strong as the weakest link. The security of any CA-based system is based on many links, and they're not all cryptographic as long as people are involved.

The point is that PKI certificates, in-house or managed, are not the solution to all security matters. Vendors want you to think that if you purchase their managed PKI certificate service, then all your security headaches will disappear. This is far from the truth.

Open source projects and certificates

Red Hat, the provider of open source software products to the enterprise, has a public key infrastructure platform called the Red Hat Certificate System that provides enterprises with a scalable, secure framework to establish and maintain trusted identities and keep communications private. Red Hat Certificate System provides certificate life-cycle management: it can issue, renew, suspend, revoke, archive and recover, and manage the single and dual-key X.509v3 certificates needed to handle strong authentication, single sign-on, and secure communications. Detailed Red Hat Certificate System 8.1 documentation on planning, deploying, and preparing to install a PKI can be found on the Red Hat Certificate System product documentation page.

Another open source PKI project is EJBCA PKI by PrimeKey. EJBCA Enterprise is OSI Certified Open Source and Common Criteria Evaluation Assurance Level 4+ (EAL4+) certified.

Features include:

  • Multiple CAs and levels of CAs, build a complete infrastructure (or several) within one instance of EJBCA.

  • Unlimited number of Root CAs and SubCAs. Request cross certificates and bridge certificates from other CAs and Bridge CAs. Issue cross certificates to other CAs.

  • Follows X509 and PKIX (RFC5280) standards where applicable.

  • Supports RSA key algorithm up to 8192 bits.

  • Supports DSA key algorithm with 1024 bits.

  • Supports ECDSA key algorithm with named curves or implicitlyCA.

  • Supports multiple hash algorithms for signatures, SHA-1, SHA-2.

  • Compliant with NSA SUITE B algorithms and certificates.

  • Support for X.509 certificates and Card Verifiable certificates (CVC BSI TR-03110 used by EU EAC ePassports) and eIDs.

IoT security groundwork needed

Digital certificates are a common basis for establishing trust between communicating entities, both on the Internet and within private networks. They are increasingly important for securing IoT applications employing wireless sensor networks and smart connected devices, with each endpoint representing a new attack surface. That growing attack surface is critical to consider when designing your security architecture.

Security is difficult to understand and hard to implement. There are no shortcuts to true security, and a corporate ecosystem is only as good as its foundational principles. As IoT expands, no company can discount the tremendous security risks associated with having a multitude of possible infrastructure weaknesses. Digital PKI certificates will not resolve all security problems, but they are an important part of the equation that you need to thoughtfully assess and right-size for your organization.
