Getting to Grips with Public Key
Infrastructure (PKI)
What is a PKI?
A Public Key Infrastructure (PKI) is a combination of policies, procedures and technology that forms a trust infrastructure to issue and manage digital certificates. These certificates enable strong cryptographic processes that can provide:
GETTING TO GRIPS WITH PKI2
• Electronic identification of users and devices
• Encryption of data at rest and in transit
• Data integrity
• Electronic signatures and non-repudiation
How the PKI is implemented and controlled, with respect to its policies and procedures, will determine the level of trust you and others will associate with each digital certificate.
What is a PKI used for?
• Secure network log-on• TLS/SSL for secure web transactions• IPSec• Secure site-to-site communication• Digital signing• Email encryption• Hard disk encryption
GETTING TO GRIPS WITH PKI3
Understanding asymmetric encryption• It involves the generation and use of a pair of mathematically linked keys• What one encrypts, only the other can decrypt• One key (private) is kept secret and secure (on a token/HSM) - the other key (public) can be
freely distributed via a digital certificate• Knowing the public key does not reveal the private key
GETTING TO GRIPS WITH PKI4
• Sender uses recipient’s public key to encrypt, recipient uses their private key to decrypt
• Sender signs messages with their private key, recipient verifies the signature using the sender’s public key
• Both encryption and signing can be applied to the same message, providing privacy and authentication to both parties
Understanding asymmetric encryptionKey sizes vary, depending on what they are being used for
GETTING TO GRIPS WITH PKI5
Using the RSA algorithm, 2048 bits is recommended for keys used in certificates for secure messages, webserver authentication or document signing
For a Subordinate CA – also called an Issuing CA - RSA keys from 2048 to 4096 bits are recommended
For a Root CA, a much stronger key is recommended: typically 4096 bits if RSA keys are used
More about asymmetric encryption
While increased computing power drives the requirement for longer keys to maintain security, this slows down processing time. Elliptic Curve Cryptography (ECC) offers shorter keys for equivalent levels of security and, generally, faster processing. For example, signing algorithms such as ECDSA typically use keys of 256 bits, with Root CAs requiring keys of 384 bits and can be nearly an order of magnitude faster than RSA for some operations.
A big advantage of asymmetric encryption is that it eases the historical problem of secret key (or symmetric key) distribution: it is possible to set up a secure exchange of information over an insecure link.
GETTING TO GRIPS WITH PKI6
The core components of a PKI
GETTING TO GRIPS WITH PKI7
Defined certificate policy• Registration process: Who can have a certificate? What checks must be undertaken to verify the
certificate holder’s identity?
• Certification Practice Statement (CPS) How are certificates issued, stored, revoked and
renewed?
• Size and nature of key
• How will the certificate policy be enforced? Subscriber Agreement Relying Party Agreement PKI Disclosure Statement
GETTING TO GRIPS WITH PKI8
A PKI is only as good as your security policy…
Anyone can build a PKI…BUT it has to be managed properly to be effective. The primary cause of many security breaches can be attributed to errors in implementation of a PKI.
GETTING TO GRIPS WITH PKI9
It has to be operated and maintained under secure circumstances
Requires a separation of duties away from Admin/System team to a dedicated security team
It must comply with tScheme (independent assurance that Trust Services meet rigorous quality standards) as well as ISO 27001 standards for information security
Keys need to be stored securely in accordance with internationally-recognised security standards e.g. FIPS 140-2 Level 3 or 4 (robust security that’s tamper-resistant, both physically and electronically)
Checks & balances
A Root CA has an average lifetime of 20 years…
A Sub-CA typically operates for 5-10 years…
An End Entity digital certificate has a lifespan of 1-3 years…
Who takes responsibility and keeps track of all this?
GETTING TO GRIPS WITH PKI10
20 YEARS
5 – 10 YEARS
1 – 3 YEARS
Skills, resources & costs
GETTING TO GRIPS WITH PKI11
PKI is not simply about technology.
Design, structure and management are all equally important.
The expertise required to do this properly demands a highly-specialised skills set which makes it prohibitive to do properly in-house.
The high cost of physically securing the environment: not everyone can afford to build their own Trust Service Centre.
This is why so many organisations choose to outsource itto companies like us.
Trustis: PKI specialists
Trustis has successfully implemented over 100 high-assurance PKIs for organisations such as the NHS, HMRC, utility suppliers, telecommunications companies and financial institutions.At the heart of our organisation is a group of experts who can provide help and advice on PKI and digital certificate solutions, covering everything from design through to full implementation, including compliance with recognised PKI standards.• We can build and deploy a fully-compliant PKI at a fraction
of the cost of doing it in-house. • We can integrate it with your environment and keep you in
absolute control.• You can host the Sub-CA in your own environment or at
our ultra-secure Trust Service Centre.• Trustis is ISO 27001:2013, tScheme and ETSI Certified.
GETTING TO GRIPS WITH PKI12
More about PKI
Further reading:
• New Directions in Cryptography – Whitfield Diffie and Martin E. Hellman
• NIST
• The RSA Patent US 4405829 A: Cryptographic communications system and
methods
• Schneier on Security – Bruce Schneier blog
• Security Engineering – Ross Anderson
GETTING TO GRIPS WITH PKI13
About Trustis
For over 15 years, Trustis has specialised in cryptographic solutions that include large-scale PKIs, managed HSMs, Identity Federation as well as security policy and compliance.We serve both the public and private sectors in the UK and around the world and have been a G-Cloud supplier since its inception. Trustis’ services comply with ISO 27001:2013 as well as tScheme and are ETSI Certified. A product-independent approach ensures that customers get the best solution to meet their requirements. Recent projects include public sector networks, 4G security in telecoms, smart grid and metering rollouts, payment systems in banking and ePassport PKIs.
GETTING TO GRIPS WITH PKI14
Contact details
Trustis Commercial Contact:Robert Hann [email protected] +44 (0) 7818 552411
Trustis LimitedBuilding 273, Greenham Business Park, Thatcham, RG19 6HN
+44 (0) 1635 231361 [email protected] www.trustis.com
GETTING TO GRIPS WITH PKI15