Getting to Grips with Public Key Infrastructure (PKI)
What is a PKI? A Public Key Infrastructure (PKI) is a combination of policies, procedures and technology that forms a trust infrastructure to issue and manage digital certificates. These certificates enable strong cryptographic processes that can provide: Electronic identification of users and devices Encryption of data at rest and in transit Data integrity Electronic signatures and non-repudiation How the PKI is implemented and controlled, with respect to its policies and procedures, will determine the level of trust you and others will associate with each digital certificate. 2
What is a PKI used for? Secure network log-on TLS/SSL for secure web transactions IPSec Secure site-to-site communication Digital signing Email encryption Hard disk encryption 3
Understanding asymmetric encryption It involves the generation and use of a pair of mathematically linked keys What one encrypts, only the other can decrypt One key (private) is kept secret and secure (on a token/hsm) - the other key (public) can be freely distributed via a digital certificate Knowing the public key does not reveal the private key Sender uses recipient s public key to encrypt, recipient uses their private key to decrypt Sender signs messages with their private key, recipient verifies the signature using the sender s public key Both encryption and signing can be applied to the same message, providing privacy and authentication to both parties 4
Understanding asymmetric encryption Key sizes vary, depending on what they are being used for Using the RSA algorithm, 2048 bits is recommended for keys used in certificates for secure messages, webserver authentication or document signing For a Subordinate CA also called an Issuing CA - RSA keys from 2048 to 4096 bits are recommended For a Root CA, a much stronger key is recommended: typically 4096 bits if RSA keys are used 5
More about asymmetric encryption While increased computing power drives the requirement for longer keys to maintain security, this slows down processing time. Elliptic Curve Cryptography (ECC) offers shorter keys for equivalent levels of security and, generally, faster processing. For example, signing algorithms such as ECDSA typically use keys of 256 bits, with Root CAs requiring keys of 384 bits and can be nearly an order of magnitude faster than RSA for some operations. A big advantage of asymmetric encryption is that it eases the historical problem of secret key (or symmetric key) distribution: it is possible to set up a secure exchange of information over an insecure link. 6
The core components of a PKI 7
Defined certificate policy Registration process: Who can have a certificate? What checks must be undertaken to verify the certificate holder s identity? Certification Practice Statement (CPS) How are certificates issued, stored, revoked and renewed? Size and nature of key How will the certificate policy be enforced? Subscriber Agreement Relying Party Agreement PKI Disclosure Statement 8
A PKI is only as good as your security policy Anyone can build a PKI BUT it has to be managed properly to be effective. The primary cause of many security breaches can be attributed to errors in implementation of a PKI. It has to be operated and maintained under secure circumstances Requires a separation of duties away from Admin/System team to a dedicated security team It must comply with tscheme (independent assurance that Trust Services meet rigorous quality standards) as well as ISO 27001 standards for information security Keys need to be stored securely in accordance with internationally-recognised security standards e.g. FIPS 140-2 Level 3 or 4 (robust security that s tamper-resistant, both physically and electronically) 9
Checks & balances A Root CA has an average lifetime of 20 years 20 YEARS A Sub-CA typically operates for 5-10 years 5 10 YEARS An End Entity digital certificate has a lifespan of 1-3 years 1 3 YEARS Who takes responsibility and keeps track of all this? 10
Skills, resources & costs PKI is not simply about technology. Design, structure and management are all equally important. The expertise required to do this properly demands a highly-specialised skills set which makes it prohibitive to do properly in-house. The high cost of physically securing the environment: not everyone can afford to build their own Trust Service Centre. This is why so many organisations choose to outsource it to companies like us. 11
Trustis: PKI specialists Trustis has successfully implemented over 100 highassurance PKIs for organisations such as the NHS, HMRC, utility suppliers, telecommunications companies and financial institutions. At the heart of our organisation is a group of experts who can provide help and advice on PKI and digital certificate solutions, covering everything from design through to full implementation, including compliance with recognised PKI standards. We can build and deploy a fully-compliant PKI at a fraction of the cost of doing it in-house. We can integrate it with your environment and keep you in absolute control. You can host the Sub-CA in your own environment or at our ultra-secure Trust Service Centre. Trustis is ISO 27001:2013, tscheme and ETSI Certified. 12
More about PKI Further reading: New Directions in Cryptography Whitfield Diffie and Martin E. Hellman NIST The RSA Patent US 4405829 A: Cryptographic communications system and methods Schneier on Security Bruce Schneier blog Security Engineering Ross Anderson 13
About Trustis For over 15 years, Trustis has specialised in cryptographic solutions that include large-scale PKIs, managed HSMs, Identity Federation as well as security policy and compliance. We serve both the public and private sectors in the UK and around the world and have been a G-Cloud supplier since its inception. Trustis services comply with ISO 27001:2013 as well as tscheme and are ETSI Certified. A product-independent approach ensures that customers get the best solution to meet their requirements. Recent projects include public sector networks, 4G security in telecoms, smart grid and metering rollouts, payment systems in banking and epassport PKIs. 14
Contact details Trustis Commercial Contact: Robert Hann robert.hann@trustis.com +44 (0) 7818 552411 Trustis Limited Building 273, Greenham Business Park, Thatcham, RG19 6HN +44 (0) 1635 231361 info@trustis.com www.trustis.com 15