Did you know that between 2019 and 2022, software supply chain attacks skyrocketed by an astounding 742%?

The surge in supply chain attacks is not hypothetical; the statistics bear it out. Relying on open-source components and third-party software, while crucial for reduced development times and operational agility, introduces significant risks.

Because many applications and organizations depend on the same external code, an attack on a base library can quickly escalate into thousands of vulnerable software stacks.

Supply chain attacks can be considered a sophisticated form of cyber threat. They target the intricate network of relationships between an organization and its vendors, suppliers, and third-party service providers. Because digital supply chains are interconnected and often span multiple organizations, geographies, and systems, these attacks find loopholes to exploit.

The Attacks

According to a report, the number of documented supply chain attacks involving malicious third-party components burgeoned by 633% within a year, amounting to over 88,000 known instances.

Attack techniques have largely diversified, with typosquatting, dependency confusion, protestware, and malicious code injection introducing new challenges and considerations for cybersecurity specialists. Here, we will explore the latest supply chain attacks that had massive ramifications. 

  1. Discord Bot Platform Attack (March 2024)

    The Top.gg bot community of Discord, with over 170,000 members, has been impacted by a supply chain attack aimed at infecting developers with malware that steals sensitive information. Over the years, the threat actor has used several tactics, procedures, and techniques, including hijacking GitHub accounts, distributing malicious Python packages, using a fake Python infrastructure, and social engineering. Top.gg was infected by an information-stealing malware after downloading a malicious clone of a tool known as Colorama.

  2. Okta Supply Chain Attack (October 2023)

    Okta, an authentication and identity management service provider, reported in October 2023 that threat actors had been able to access private customer data by obtaining credentials to its customer support management system. The attackers could view files uploaded by specific customers as part of recent support cases.

  3. JetBrains Supply Chain Attack (September/October 2023)

    In December, government officials warned that the SolarWinds attackers were exploiting a critical vulnerability in JetBrains TeamCity servers. The critical authentication bypass vulnerability drew attention due to its potential impact and high severity.

    Unauthenticated intruders with HTTP(S) access can exploit this flaw to gain administrative control of affected servers and execute remote code, presenting a potential vector for supply chain attacks. This attack was carried out by a Russian threat actor named Cozy Bear, who is linked to the Russian Foreign Intelligence Service (SVR RF).

    In the attack, threat actors gained admin access to the server and employed remote code execution. No user interaction was needed, and many large software organizations were using TeamCity servers for their CI/CD, with over 3,000 directly exposed.

  4. MOVEit Supply Chain Attack (June 2023)

    In June, the MOVEit supply chain attack was executed, targeting users of the MOVEit Transfer tool, owned by the US organization Progress Software. MOVEit is designed to transfer sensitive files in a secure manner, and it is popular in the US. The ransomware group Cl0p has been associated with the attack.

    The attackers used EWIs (Exposed Web Interfaces) to cause significant damage. The web-facing MOVEit app was infected with a web shell called LEMURLOOT, which was then used to steal data from MOVEit Transfer databases.

  5. 3CX Supply Chain Attack (March 2023)

    In March, the 3CX attack targeted macOS and Windows desktop applications, raising concern about the security and integrity of the software’s supply chain. The cyber criminals compromised the application using an infected library file, which subsequently downloaded an encrypted file containing command-and-control information. This enabled the attackers to execute malicious activities within the victim’s environment.

  6. Microsoft Supply Chain Attack (February 2023)

    In February 2023, a software supply chain attack also affected Microsoft. The attack exploited a vulnerability in JFrog Artifactory, a binary repository manager that Microsoft uses to distribute and store its software components.

    The attackers accessed JFrog Artifactory and injected malicious code into some of Microsoft’s software components, allowing them to access Microsoft’s network while stealing source code and other confidential information.

  7. Norton Supply Chain Attack (May 2023)

    Norton, best known for its widely used antivirus software, was also attacked in May 2023. The attack used a zero-day vulnerability in MOVEit Transfer, a Managed File Transfer (MFT) product that Norton’s parent company uses to transfer files between customers and offices. The attackers accessed Norton’s network and stole employees’ personal information and other details. The attackers also threatened to release the stolen data if Norton didn’t pay a ransom.

  8. Airbus Supply Chain Attack (January 2023)

    Airbus was also attacked in January 2023 by a threat actor known as USDoD. The organization confirmed that the attack had been carried out through a compromised employee account at Turkish Airlines, one of Airbus’s customers. Through that employee’s account, the threat actor gained access to Airbus’s systems.

    The data breached included personal information associated with over 3000 Airbus vendors, such as Rockwell Collins and the Thales Group. The data dump included names, phone numbers, and email addresses.

  9. SolarWinds (Late 2020)

    In late 2020, SolarWinds delivered software containing malware that was intended to gather sensitive information wherever it was installed. Customers had complete confidence in the signed software they received, and they believed that it was free of malicious code and viruses because it had not been modified since SolarWinds built, signed, and delivered it to them.

    However, attackers had placed the Sunspot malware into SolarWinds’ Orion IT monitoring and management software. SolarWinds digitally signed the resulting build, which was then used to infiltrate over 18,000 private commercial customers and the government.

    The malware gathered information from the infected networks and sent data to a remote server. Cozy Bear, which is connected to the Russian Foreign Intelligence Service (SVR), was again responsible for this attack.

  10. ShadowHammer/ASUS (2019)

    In 2019, Taiwanese computer manufacturers fell victim to attackers who found critical code signing keys on their web update server. The intruders added malware to legitimate ASUS updates, signed with ASUS’s code signing keys, infecting 1 million ASUS computers.

    The ShadowHammer attacks happened over a period of 6 months. They impacted ASUS notebook customers who enabled the Live Update feature, a utility that automatically searches for and installs new firmware and software updates from ASUS.

Recent Trends in Code Signing Attacks 

Code signing or supply chain attacks have recently witnessed notable trends as attackers continually evolve their tactics. Understanding these trends can enable organizations to stay vigilant and implement effective security measures.

  • Supply Chain Poisoning

    Cybercriminals have increasingly targeted the software supply chain by injecting malicious code into legitimate software packages during build or distribution. This poisoning technique allows them to bypass conventional security measures and distribute compromised software to users.

  • Certificate Abuse and Forgery

    Attackers have exploited vulnerabilities in the certificate infrastructure to forge and abuse code-signing certificates. They either steal legitimate certificates from developers or create fraudulent certificates that appear authentic. These tactics enable them to sign malicious software and deceive users into believing it is from an authentic source.

  • Targeted Attacks on High-Value Software

    Cybercriminals have shifted their focus towards high-value software targets, such as widely used operating systems, critical infrastructure software, or enterprise applications. Compromising the code signing procedure for such software can have far-reaching ramifications, allowing intruders to infiltrate numerous organizations and cause significant damage.

Financial and Recovery Time Implications of Supply Chain Attacks 

While the total costs of these data breaches are hard to pinpoint, we certainly know that data breaches are costly. These supply chain attacks and corresponding data breaches cost 4.45 million USD. However, we have seen recent breaches with estimated costs, which may tilt that scale in the future. 

The direct costs of data breaches include remediation efforts and investigations, regulatory fines, litigation, forensic audits, bank reimbursement demands, legal settlements, customer service costs, and damage control measures. 

Lengthy recovery times also impact the total cost of a data breach. A major healthcare provider can certainly feel this pain as their data breach’s recovery time lingers. The cost of catching up would continue to grow in the aftermath of the data breach. That is the reason why it is crucial to only allow the execution of approved code across your organization. 

How can Code-Signing be Leveraged to Protect Organizations from These Threats? 

  1. Origin Verification

    Origin verification in codesigning can be considered a security measure that ensures the code originates from an authentic source before it is signed and distributed. It comprises details regarding the source repository and its validating components, such as build information, commit, and branch.

    This procedure helps reduce the risk of malicious code or unauthorized code modifications reaching the signing step. It adds an extra layer of security and trust to the software development and distribution process.

    This feature is designed to be used in environments that require high security and need to maintain compliance standards, ensuring safety for both end-users and developers.

  2. Reproducible Build

    Reproducible builds, a fundamental concept in modern software development, ensure application builds’ security, consistency, and reliability. With reproducible builds, any attempt to modify the application’s code can easily be detected, providing robust protection against malicious attacks while ensuring the integrity of the app development solution.

  3. Build Verification

    Build verification tests (BVT) run on every new build to check its stability and readiness for further testing. It consists of test cases that validate the software build’s core features. Any build that fails BVT is rejected and returned to the developers for resolution.

    BVT enables the mitigation of risks associated with the behavior of the system. It identifies potential risks such as data loss, security vulnerabilities, or incorrect functionality by addressing and validating the expected behavior before the system gets deployed to production.
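
A pre-signing gate that combines the origin verification and reproducible build checks described above could look like the following PowerShell. This is an added example, not CodeSign Secure's implementation; the function name, manifest fields, repository URL, commit value and file contents are hypothetical and constructed for illustration.

```powershell
# Added example: a gate that runs before any artifact is sent for signing.
# Function name, manifest fields, repository URL and file contents are
# hypothetical values constructed for this illustration.

function Test-SigningRequest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [hashtable] $Provenance,    # what the build claims about its origin
        [Parameter(Mandatory)] [hashtable] $Policy,        # what the organization allows to be signed
        [Parameter(Mandatory)] [string]    $PrimaryBuild,  # artifact from the normal build agent
        [Parameter(Mandatory)] [string]    $Rebuild        # same commit rebuilt on an independent agent
    )

    $reasons = [System.Collections.Generic.List[string]]::new()

    # Origin verification: repository, branch and commit must match policy.
    if ($Provenance.Repository -ne $Policy.Repository) {
        $reasons.Add("repository '$($Provenance.Repository)' is not the approved origin")
    }
    if ($Policy.Branches -notcontains $Provenance.Branch) {
        $reasons.Add("branch '$($Provenance.Branch)' is not a release branch")
    }
    if ($Provenance.Commit -notmatch '^[0-9a-f]{40}$') {
        $reasons.Add('commit is not a full 40-character hash')
    }

    # Reproducible build: two independent builds of the same commit must be
    # byte-identical, and must match the digest recorded in the manifest.
    $primaryHash = (Get-FileHash -LiteralPath $PrimaryBuild -Algorithm SHA256).Hash
    $rebuildHash = (Get-FileHash -LiteralPath $Rebuild -Algorithm SHA256).Hash
    if ($primaryHash -ne $rebuildHash) {
        $reasons.Add('independent rebuild does not match the primary build')
    }
    if ($primaryHash -ne $Provenance.Sha256) {
        $reasons.Add('artifact digest differs from the digest in the provenance manifest')
    }

    [pscustomobject]@{
        Approved = ($reasons.Count -eq 0)
        Sha256   = $primaryHash
        Reasons  = $reasons.ToArray()
    }
}

# --- Constructed demonstration data ---
$work = Join-Path ([System.IO.Path]::GetTempPath()) ("presign-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
$clean    = [byte[]](1..64)            # stands in for the expected build output
$tampered = [byte[]]((1..64) + 255)    # same output with one byte added during the build

$primary = Join-Path $work 'primary.bin'
$rebuild = Join-Path $work 'rebuild.bin'
[System.IO.File]::WriteAllBytes($rebuild, $clean)

$policy = @{
    Repository = 'https://git.example.internal/product/agent'   # constructed URL
    Branches   = @('main', 'release/1.x')
}

foreach ($case in @(
        @{ Name = 'clean build';    Bytes = $clean;    Branch = 'main' },
        @{ Name = 'tampered build'; Bytes = $tampered; Branch = 'main' },
        @{ Name = 'feature branch'; Bytes = $clean;    Branch = 'feature/test' })) {
    [System.IO.File]::WriteAllBytes($primary, $case.Bytes)
    $provenance = @{
        Repository = $policy.Repository
        Branch     = $case.Branch
        Commit     = '0123456789abcdef0123456789abcdef01234567'   # constructed value
        # A compromised agent records the digest of what it actually produced,
        # so the manifest check alone passes; only the rebuild exposes the change.
        Sha256     = (Get-FileHash -LiteralPath $primary -Algorithm SHA256).Hash
    }
    $result = Test-SigningRequest -Provenance $provenance -Policy $policy -PrimaryBuild $primary -Rebuild $rebuild
    '{0}: approved={1} {2}' -f $case.Name, $result.Approved, ($result.Reasons -join '; ')
}
Remove-Item -LiteralPath $work -Recurse -Force
```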

Why Trust CodeSign Secure to Avoid These Attacks? 

There are several reasons why you should opt for CodeSign Secure for performing your codesigning operations:

  • CodeSign Secure helps consumers stay ahead of the curve by providing a secure codesigning solution with tamper-proof key storage, complete control, and visibility into codesigning activities.
  • The private keys of the codesigning certificate can be stored in an HSM, eliminating the risk of corrupted, misused, or stolen keys. 
  • Client-side hashing ensures build performance while avoiding unnecessary movement of files, providing greater security. 
  • It also provides seamless authentication via client-side hashing, device authentication, multi-factor authentication, multi-tier approver workflows, and more. 
  • Support for InfoSec policies to improve solution adoption while enabling different business teams to have their own workflow for codesigning. 
  • It is also embedded with a state-of-the-art client-side hash signing mechanism, resulting in less data traveling over the network. This makes it a highly efficient codesigning system for the complex cryptographic operations occurring in the HSM. 

Conclusion 

As we have explored the ten most impactful supply chain attacks that reverberated worldwide, it is quite clear that the scale and sophistication of these cyber threats are escalating. The incidents described in this blog underscore the vulnerabilities that organizations may face in securing their assets, ranging from malicious code injection to the exploitation of certificate infrastructures.

The response to this growing threat lies in practicing safer codesigning practices and fostering a deeper comprehension of the risks associated with software development and distribution. CodeSign Secure works for you by enhancing your codesigning security posture while maintaining trust, integrity, and security in this evolving digital landscape.

About the Author

Arpan Roy is a seasoned technical writer with five years of experience specializing in data security. With a keen focus on Public Key Infrastructure (PKI), Certificate Lifecycle Management, and various other aspects of data protection, Arpan has contributed extensively to disseminating knowledge through detailed blogs and informative articles. His work reflects a deep understanding of complex security protocols and demonstrates a commitment to educating others about the importance of digital security measures. Arpan's expertise and ability to distill technical concepts into accessible content make him a valuable asset to the cybersecurity community.

Microsoft has announced that it will deprecate Windows RSA keys shorter than 2048 bits. This step encourages organizations to avoid weaker algorithms and adopt stronger ones for server authentication.

Rivest-Shamir-Adleman (RSA) keys are cryptographic keys used in the RSA encryption algorithm. RSA utilizes public and private keys to encrypt data for secure communication across enterprise networks. In Windows, RSA keys serve various purposes, including server authentication, data encryption, and ensuring communication and software update integrity.

Microsoft noted that RSA encryption has encountered challenges due to recent advancements in quantum computing and other cryptographic techniques. Consequently, many organizations are transitioning to more secure encryption methods to mitigate risks associated with RSA vulnerabilities.

Microsoft has not provided an ETA for when the Windows RSA keys deprecation process will begin. However, this change will likely affect organizations that use legacy software and network-attached devices that use 1024-bit RSA keys.

Why is this change better for all?

“In 2013, internet standards and regulatory bodies prohibited using 1024-bit keys, recommending RSA keys with a length of 2048 bits or longer,” Microsoft explained. “This deprecation aims to ensure that all RSA certificates used for TLS server authentication must have key lengths greater than or equal to 2048 bits to be deemed valid by Windows.”

Microsoft is adopting a more resilient security ecosystem by mandating stronger encryption methods, such as RSA keys with 2048 bits or longer lengths. This change ensures that data transmission and authentication processes remain robust and resistant to evolving threats.

The deprecation of RSA 1024-bit keys represents a proactive measure to safeguard digital assets, protect sensitive information, and uphold the trust and reliability of digital communication channels. It aligns with industry best practices and regulatory standards, contributing to a safer and more secure online environment for all users.

According to Encryption Consulting’s Chief Executive Officer (CEO), Puneet Singh, “Microsoft’s decision to deprecate RSA 1024 keys is crucial to strengthening the organization’s cybersecurity posture. This proactive step will help reduce vulnerabilities and strengthen the resilience of systems against cyber-attacks for our customers.”

How can you ensure that your organization isn’t caught off guard by Microsoft’s deprecation of 1024-bit RSA keys?

  • Inventory creation

    Develop an all-inclusive inventory of your cryptographic keys. Identify any RSA keys with lengths of 1024 bits and assess the usage and significance within your systems. For an enterprise-level organization, opting for an automated method may be the only effective approach.

    Automation tools for certificate lifecycle management (CLM), such as CertSecure Manager, can play a big role in transitioning away from 1024-bit keys. By leveraging CertSecure Manager, organizations can significantly reduce the manual effort and potential errors associated with certificate management.

    Our CLM solution can continuously monitor certificate inventories, detect deprecated keys, and trigger alerts or remediation actions as needed. CertSecure Manager also has a key feature that lets users renew certificates with just one click when certificates are about to expire.

  • Upgrade the deprecated keys

    Work closely with the IT and security team to develop a plan of action and allocate resources to execute the plan successfully.

  • Testing and coordination

    Careful coordination and testing of the upgrade plan are required to minimize disruption to your organization’s operations.
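
One way to start the inventory described above on a Windows host is to read the RSA public-key size of every certificate in the machine stores and in exported certificate files. This PowerShell is an added example, not CertSecure Manager or Microsoft tooling; the function name, parameters and default store list are assumptions made for illustration.

```powershell
# Added example: list certificates whose RSA public key is shorter than 2048 bits.
# The function name, parameters and default store list are choices made for this
# illustration; adjust them to the stores and export folders you actually use.

function Get-WeakRsaCertificate {
    [CmdletBinding()]
    param(
        [string[]] $StorePath = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\Root'),
        [string[]] $CertificateFile = @(),   # exported .cer/.crt files, e.g. from network devices
        [int]      $MinimumBits = 2048
    )

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'     # id-kp-serverAuth
    $candidates = [System.Collections.Generic.List[object]]::new()

    # Collect certificates from the requested stores.
    foreach ($path in $StorePath) {
        if (-not (Test-Path -Path $path)) { continue }
        Get-ChildItem -Path $path |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            ForEach-Object { $candidates.Add(@{ Source = $path; Cert = $_ }) }
    }

    # Collect certificates from exported files (DER or Base64 encoded).
    foreach ($file in $CertificateFile) {
        $fullPath = (Resolve-Path -LiteralPath $file).ProviderPath
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($fullPath)
        $candidates.Add(@{ Source = $file; Cert = $cert })
    }

    foreach ($item in $candidates) {
        $cert = $item.Cert

        # Returns $null for ECDSA and other non-RSA keys, which this check does not cover.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        if ($null -eq $rsa) { continue }
        try { $bits = $rsa.KeySize } finally { $rsa.Dispose() }
        if ($bits -ge $MinimumBits) { continue }

        # A certificate without an EKU extension is valid for any purpose,
        # so it counts as usable for TLS server authentication.
        $eku = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
        $serverAuth = ($eku.Count -eq 0) -or ($eku -contains $serverAuthOid)

        [pscustomobject]@{
            Source     = $item.Source
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            KeyBits    = $bits
            NotAfter   = $cert.NotAfter
            ServerAuth = $serverAuth
            Expired    = ($cert.NotAfter -lt (Get-Date))
        }
    }
}

# Report every RSA certificate below 2048 bits found in the default stores.
Get-WeakRsaCertificate | Sort-Object KeyBits | Format-Table -AutoSize
```

Rows with `ServerAuth` set to `True` are the ones affected by the TLS server authentication change described above; the remaining rows are still worth replacing as part of the same plan.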

How can Encryption Consulting’s CertSecure Manager help you stay up to date?

Encryption Consulting’s CertSecure Manager effortlessly manages and secures your digital certificates, ensuring that your organization’s sensitive information remains protected while complying with regulatory standards.

  • Inventory

    The inventory system is a centralized location for managing digital certificates from public authorities such as DigiCert and Sectigo and private trust CAs like Microsoft PKI. It enables effective management of all digital certificates in one place.

  • Reports

    Intelligent data is generated based on the inventory, with reports such as an inventory report, an expiration report (listing certificates expiring soon), and a key length report (highlighting any certificates that use weaker cryptography keys).

  • Certificate Enrollment

    The system provides a web interface and APIs to request new certificates from registered CAs, creating a more controlled certificate enrollment environment with approvals-based enrollment.

  • Automation

    The system enables automated deployment of new certificates onto web servers such as IIS, Apache, and Tomcat, as well as load balancers like F5, to minimize downtime and prevent outages.

Key Takeaways

  • Microsoft is discontinuing Windows RSA keys shorter than 2048 bits to encourage the adoption of more robust encryption techniques for server authentication. 
  • Since 2013, internet standards and regulatory bodies have prohibited using 1024-bit keys, recommending 2048 bits or longer RSA keys. 
  • Microsoft warns that organizations using legacy software and devices with 1024-bit RSA keys may face disruptions due to this change.
  • Encryption Consulting can help organizations stay updated with the new requirements and best practices.

About the Author

Parnashree Saha is a cybersecurity professional passionate about data protection, including PKI, data encryption, key management, IAM, etc. She is currently working as an advisory services manager at Encryption Consulting LLC. With a specialized focus on public key infrastructure, data encryption, and key management, she is vital in guiding organizations toward robust encryption solutions tailored to customers' unique needs and challenges. Parnashree leverages her expertise to provide clients with comprehensive advisory services to enhance their cybersecurity posture. From conducting thorough assessments to developing customized encryption strategies and implementing relevant data protection solutions, she is dedicated to assisting organizations in protecting their sensitive data from evolving threats.

Did you know that only 46% of organizations secured all their digital certificates and keys?

As the data suggests, organizations need to secure all their digital certificates. At the same time, there is immense hype around Google’s push to reduce TLS certificate lifespans to 90 days, which will significantly impact organizations that need to secure digital certificates. However, this move by Google must be ratified by the Certificate Authority/Browser (CA/B) Forum. All of this raises questions about the impact and influence of the CA/B Forum.

What is CA/Browser Forum, and Why is it Important? 

This Forum was founded in 2005 and comprises CAs and Browsers that use certificates for authentication. However, that focus has changed drastically over time, and now there are two major groups within the CA/B Forum: certificate issuers and their certificate consumers. 

Hence, it can be considered a voluntary organization of Certificate Authorities (CAs), vendors of internet browser software, and other application suppliers that use X.509 digital certificates for SSL/TLS and code signing.

From its inception, the Forum has been responsible for defining standards for the CA industry based on best practices. These standards, often called Baseline Requirements, are procedural and technical policies that all public CAs, whether members or not, must adhere to. 

These standards typically improve how SSL/TLS certificates are used, benefiting internet users while securing their communications. 

What is an X.509 certificate? 

An X.509 certificate is immensely significant regarding the security of online environments. It acts as a digital certificate conforming to the universally accepted ITU X.509 standard. 

This standard defines the format and structure of public key certificates. The X.509 certificates are pivotal in identity management while ensuring security. 

The strength of the X.509 certificate lies in its architecture, which utilizes a key pair composed of a public and a private key. This cryptography mechanism encrypts messages using the key pair, ensuring the sender’s authenticity and the confidentiality of the transmitted information. 

Importance of X.509 Certificates 

Did you know that 49% of organizations faced security incidents due to a CA compromise?

The data shows the importance of efficient certificate management in mitigating the risks of security incidents. The primary application of X.509-based Public Key Infrastructure (PKI) is observed in TLS and SSL protocols, which form the foundation of secure web browsing through the widely standardized HTTPS protocol. 

Moreover, the versatility of the X.509 protocol extends beyond web security and digital signatures, encompassing code signing for application security along with various critical internet protocols. 

Recent changes for TLS Certificates

SSL/TLS 1.0 

Previously, SSL certificates could be issued for a period of five years. This was subsequently reduced to three years and, most recently, to two years plus an extra three months. However, in 2020, Apple, Google, and Mozilla announced they would enforce one-year SSL certificates despite this particular proposal being voted down by the CA/B forum. This took effect in September 2020. 

TLS v1.1

TLS 1.1 was specified in RFC 4346 in April 2006. It was an upgrade to the TLS 1.0 version and ideal protection against Cipher-Block Chaining (CBC) attacks. TLS 1.1 supports the IANA registration parameters.

TLS v1.2

TLS 1.2, specified in RFC 5246 in August 2008, is a modern authenticated encryption protocol. At present, the TLS 1.2 version is believed and accepted to be free from attack.

TLS v1.3

The most important change in the server certificate working group is the official recognition of a distinction between short-lived and long-lived TLS certificates. In the past, this separation was not very apparent. However, the CA/B Forum recognizes any TLS certificate valid for ten days or less to be short-lived and subject to different requirements.

This recommendation is to be enforced in 2024. By 2026, the lifespan of the TLS certificate can be further reduced to 7 days or less. This distinction does not greatly impact long-lived TLS certificates that will still need CRLs.

However, this distinction will impact short-lived TLS certificates. Because of the large volume associated with these certificates, there will be no revocation. Hence, for TLS certificates with a lifespan of seven days or less, you will not need to attach any revocation information.

This means the CA will no longer be required to revoke short-lived certificates. Another critical change enforced by 2024 is that the OCSP will become optional for short-lived certificates.

Conclusion 

From the above, it can be concluded that digital certificates must be secured in this rapidly evolving digital security era. With an alarming 49% rate of organizations’ security outages due to CA compromise and the recent push of Google towards shortening the lifespans of TLS certificates, the management of complex digital certificate lifecycle is more crucial than ever.

CertSecure Manager can be considered the best solution that streamlines your certificate lifecycle management process while ensuring compliance with evolving standards. Hence, through CertSecure Manager, organizations can strengthen their security posture while mitigating the risks associated with key and certificate management.  

About the Author

Arpan Roy is a seasoned technical writer with five years of experience specializing in data security. With a keen focus on Public Key Infrastructure (PKI), Certificate Lifecycle Management, and various other aspects of data protection, Arpan has contributed extensively to disseminating knowledge through detailed blogs and informative articles. His work reflects a deep understanding of complex security protocols and demonstrates a commitment to educating others about the importance of digital security measures. Arpan's expertise and ability to distill technical concepts into accessible content make him a valuable asset to the cybersecurity community.

Hardware Security Modules, or HSMs, can be a complicated, but important, piece of security infrastructure to maintain. There are day-to-day tasks to complete in checking on the functionality of the HSM, and there are also tasks that must be completed to upgrade the HSM to make sure that the latest patches are in place.

This can seem like a daunting task, but it is actually a relatively simple procedure. One of the more complicated parts of this is taking care of the pre-requisite tasks for the other pieces of the infrastructure that are integrated with the HSM.

Today, we will go over how to upgrade the firmware and software of a Thales Luna Network HSM. In this example, we will pretend you have an Issuing Certificate Authority integrated with your HSM, and that the HSM in use is a PED-Based HSM.

Pre-Requisite Tasks

There are a number of pre-requisite tasks that must be completed before updating the Network HSM software and firmware, especially if your HSM in question is connected to a client in a production environment. For this example, we will assume your HSM is connected to a Certificate Authority (CA) in a production environment.

The first step to complete any hardware upgrade is to ensure it is done at a non-intrusive time, with the proper safety precautions in place. If the upgrade somehow fails, then this could cause significant damage to the organization.

Safety precautions include ensuring that the HSMs and CAs are in a high availability cluster, so that if one upgrade fails, the other CAs/HSMs can take over while the issue is diagnosed. Additionally, a backup of the HSM should be taken, and the proper teams should be notified about the potential for CA or HSM non-connectivity for a short period of time.

After these tasks are taken care of, certain HSM and Public Key Infrastructure tasks must be completed. A Certificate Revocation List, or CRL, should be generated or updated before the upgrade occurs. This will protect the Public Key Infrastructure, or PKI, from any issues that may occur during the upgrade process while the issue is diagnosed and fixed. The steps below are an example of how to issue a CRL from a Microsoft PKI.

  • First, we must make sure the Certificate Authority is running by checking PKIView.msc.
  • Next, we open the Certificate Authority from PKIView.msc.
  • Now, navigate to the revoked certificates folder.
  • Right-click the revoked certificates folder and then select All Tasks and Publish.
  • Then, select CRL and Publish.
  • Finally, to check if the CRL has been renewed correctly, open a command prompt and run PKIView.msc, expand the Issuing CA tab and check the CDP point’s expiry date.

Additionally, there must be a system with the ability to transfer the software package to the HSM for the upgrade. This includes any firewall rules that must be in place to allow the transfer of the software package to the HSM. If that step is impossible, a team member must have direct physical access to the HSM, along with a crossover cable, to allow the transfer of the software package to the HSM for the upgrade.

Upgrade Planning

When planning to upgrade your HSM, having a correct path in place is important. Ensuring all pre-requisites are met and are a part of your plan should be your first step. After this, the proper upgrade path should be determined. What this means is that if you are on a very old version of the HSM software, say 6.0, there is a specific path that must be followed to get to the latest version of the software.

You cannot go directly from version 6.0 to version 7.7; you must first upgrade to version 6.5, then version 7.0, and then you can go to version 7.7. This is just an example of how the upgrade path could look.

Finally, a rollback plan should be in place so that if the software upgrade fails, you can roll back to a proper build of the HSM. Additionally, a Disaster Recovery plan should already be designed before upgrading, because if there is a major issue when upgrading, that HSM will need to be recovered.

Upgrading from a Network Connection

Now that the pre-requisite steps have been taken care of, we can focus on the actual upgrade itself. This section focuses on the upgrade process if the network has been set up for the HSM properly and you have a client or system that can reach the HSM to transfer the files for the upgrade. If you need to use the crossover cable method, skip to the next section. Below are the series of steps required to upgrade your HSM’s software and firmware.

  1. Transfer the .spkg update file to the HSM using the following command: C:\Program Files\SafeNet\LunaClient>: pscp lunasa_update-7.7.0-317.spkg admin@<HSM IP>:
  2. Log into the HSM via SSH: C:\Program Files\SafeNet\LunaClient>: ssh admin@<HSM IP>
  3. Log in as the HSM Security Officer (SO): lunash>: hsm login
  4. Follow the prompts on the PED to log in as SO.
  5. Check that the package was successfully transferred to the HSM: lunash>: package listfile
  6. Verify the package using the authorization code in the file lunasa_update-7.7.0-317.auth: lunash>: package verify lunasa_update-7.7.0-317.spkg -a <authentication code string>
  7. Update the software: lunash>: package update lunasa_update-7.7.0-317.spkg -a <authentication code string>
  8. If the software update does not automatically reboot the HSM, run the following command: lunash>: sysconf appliance reboot
  9. SSH back into the HSM: C:\Program Files\SafeNet\LunaClient>: ssh admin@<HSM IP>
  10. Upgrade the firmware: lunash>: hsm firmware upgrade
  11. Verify the firmware has been upgraded: lunash>: hsm show

    Upgrading from a Direct Connection

    This section covers the upgrade process when the network has not been set up for the HSM. In that case, a crossover cable is needed to transfer the files, which requires a direct connection to the HSM. Below are the steps required to upgrade your HSM’s software and firmware.

    1. Connect the crossover cable to any of the eth ports.

    2. Set up the IP address on your computer: Control Panel > Network and Internet > Network and Sharing Center > Left Click the Ethernet Connection > Properties > Internet Protocol Version 4 (TCP/IPv4). Select the Properties button and update the static IP address of your computer.
    3. Serially connect to the HSM as admin:

    4. Set up the IP address of the HSM using the same gateway and netmask: lunash>: network interface static -device eth0 -ip 192.168.1.3 -netmask 255.255.255.0 -gateway 192.168.1.1
    5. Reboot the HSM: lunash>: sysconf appliance reboot
    6. Download the lunaclient software version from Thales.
    7. Using 7zip, untar the file and you should see four files within:

    8. Open an Administrator Command Prompt and go to the LunaClient directory: C:\>: cd C:\Program Files\SafeNet\LunaClient
    9. Transfer the .spkg update file to the HSM: C:\Program Files\SafeNet\LunaClient>: pscp lunasa_update-7.7.0-317.spkg admin@<HSM IP>:
    10. Log back into the HSM serially as admin:

    11. Login as the HSM Security Officer (SO): lunash:> hsm login
    12. Follow the prompts on the PED to login as SO.
    13. Check that the package was successfully transferred to the HSM: lunash:> package listfile
    14. Verify the package using the authorization code in the file lunasa_update-7.7.0-317.auth: lunash:> package verify lunasa_update-7.7.0-317.spkg -a <authentication code string>
    15. Update the software: lunash:> package update lunasa_update-7.7.0-317.spkg -a <authentication code string>
    16. If the software update does not automatically reboot the HSM, run the following command: lunash:> sysconf appliance reboot
    17. Log back into the HSM as admin and login as the SO (Blue key) after: lunash>: hsm login
    18. Follow the prompts on the PED.
    19. Upgrade the firmware: lunash:> hsm firmware upgrade
    20. Verify the firmware has been upgraded: lunash:> hsm show

    Post Upgrade Tasks

    Now that both the firmware and the software of the HSM have been upgraded, a few post upgrade tasks are required. First, we must log back into the HSM via SSH and check that the upgrade completed successfully with the following command: lunash>: hsm show

    Another vital step after upgrading the HSMs is to issue a CRL, to ensure that the CRL can be properly deployed after the upgrade process.

    • First, we must make sure the Certificate Authority is running by checking PKIView.msc.
    • Next, we open the Certificate Authority from PKIView.msc.
    • Now, navigate to the revoked certificates folder.
    • Right-click the revoked certificates folder and then select All Tasks and Publish.

    • Then, select CRL and Publish.

    • Finally, to check if the CRL has been renewed correctly, open a command prompt and run PKIView.msc, expand the Issuing CA tab and check the CDP point’s expiry date.


    Along with these specific post upgrade tasks, there are a number of different tasks that should continuously be done across the lifetime of the HSM being in use. Monitoring the HSMs is a vital task that must be done at all times.

    The team in charge of the HSM should be ensuring every day that there is no outage with it that would impact production services. Additionally, the HSM monitoring team should also stay up to date on the latest versions of software and firmware for the HSM that Thales releases. This will ensure that the HSMs in use will always be upgraded with the latest security patches and bug fixes that Thales may provide.

    Conclusion

    As you can see, the process of upgrading a Thales Network HSM is not as difficult as it may seem. These steps can be followed any time you need to upgrade software or firmware, with minor changes in the pre-requisite and post upgrade steps, depending on what types of applications or other infrastructure pieces may be integrated with your HSM.

    If you are in need of HSM configuration, DR planning, or application on-boarding to HSMs, visit our website at www.encryptionconsulting.com. At Encryption Consulting, we have a focus on encryption advisory services, PKI Design and Implementation, and HSM Design and Implementation. Encryption Consulting provides roadmaps and recommendations for future upgrades to HSMs, allowing your company to stay informed and ensure you align with all standard IT strategies.


    About the Author

    Riley Dickens is a graduate of the University of Central Florida, where he majored in Computer Science with a specialization in Cyber Security. He has worked in Cyber Security for 4 years, focusing on Public Key Infrastructure, Hardware Security Module integration and deployment, and designing Encryption Consulting’s Code Signing Platform, Code Sign Secure. His drive to solve security problems and find creative solutions is what makes him so passionate about the Cyber Security space. His work with clients has ensured that they have the best possible outcome with encryption regulations, implementations, and design of infrastructure. Riley enjoys following his passion for penetration testing in his spare time, along with playing tennis.

    The validity period of Transport Layer Security (TLS) certificates has long been a topic of interest among cybersecurity professionals. Google’s recent proposal to limit the validity of TLS certificates to 90 days has generated discussion regarding the benefits and drawbacks of such a change.

    The current industry standard is generally a one- to two-year validity span, or 398 days. However, this extended validity period can leave organizations vulnerable to outdated encryption techniques and undiscovered breaches. In this article, we look at how to handle shorter validity certificates and what managing them demands from organizations.

    By reducing the validity period of TLS certificates, Google aims to promote enhanced security and encourage more frequent certificate renewals.

    The proposed change would require organizations to renew their certificates more frequently, thereby ensuring that they stay up to date with the latest security measures. This would also reduce the window of vulnerability, making it more difficult for attackers to exploit undiscovered vulnerabilities.

    While Google’s proposal has been met with some resistance, many experts agree that increasing the frequency of certificate renewals is a positive step towards better cybersecurity practices. By implementing this change, organizations can reduce their risk of exposure to cyberattacks and ensure that they are always using the latest security measures.

    How Could Google’s Proposed Change Impact Your Organization?

    Google’s proposal to reduce the validity of TLS certificates to 90 days carries significant implications for organizations reliant on manual certificate management processes. Manual certificate management already poses various challenges, and this proposed change further amplifies the difficulties organizations face.

    With the shortened validity period, organizations will need to renew their certificates more frequently, potentially exacerbating the complexities and risks linked with manual management. The shorter validity window burdens IT teams, who must diligently track expiration dates, initiate renewal processes, and ensure the timely deployment of updated certificates across various domains, subdomains, and servers.

    Manual certificate management typically includes tedious tasks like tracking expiration dates through spreadsheets, manually installing and configuring certificates, and ensuring compliance requirements are met. These manual processes are prone to errors, consume significant time, and may result in problems such as expired certificates, misconfigurations, and compliance breaches.

    Furthermore, the proposed change requires increased attention to security updates and patches. Organizations must remain vigilant in staying abreast of the latest security vulnerabilities and encryption algorithms to ensure their certificates adhere to evolving best practices.

    Neglecting to keep pace with these updates may expose organizations to potential compromises and exploitation of outdated encryption standards.

    Given Google’s proposal, organizations dependent on manual certificate management processes will encounter heightened pressure to modify their workflows and embrace automated certificate lifecycle management solutions.

    What will be the advantages of shorter validity TLS/SSL Certificates?

    • Enhanced Security

      In the event of a compromise, a shorter validity certificate period shrinks the window of vulnerability. Because a compromised certificate expires sooner and requires regular renewals and cryptographic key refreshes, the impact is minimized even in cases when the certificate is compromised.

    • Enhanced Conformance

      Short validity certificates motivate companies to adhere to industry norms and laws. Frequent certificate updates guarantee that security protocols are current and efficiently satisfy regulatory requirements.

    • Adaptability and Agility

      Short validity certificates facilitate adaptability in the face of changing cryptographic standards and security risks. Without being locked into long-term certificate commitments, organizations can quickly implement new security measures and encryption techniques.

    • Decreased Risk of usage

      Unauthorized certificate usage is less likely with short validity certificates. Because certificates expire more quickly, there is a reduced chance that they will be used maliciously, improving overall security posture.

    • Effective Key Management

      Short validity certificates make key management procedures more effective. Organizations can rotate cryptographic keys more frequently with more frequent renewals, lessening the impact of possible key compromises and improving overall cryptographic security.

    • Simplified Certificate Lifecycle Management

      Short-validity certificates make the process of managing certificates easier. To minimize administrative costs and guarantee more seamless certificate operations, organizations can optimize the procedures for certificate issuance, renewal, and revocation.

    • Enhanced Assurance and Trust

      Users’ Assurance and Trust can be bolstered with short validity certificates. Frequent certificate updates show proactive steps to safeguard sensitive data and indicate a commitment to security.

    How to deal with short validity Certificates?

    The answer is simple. Certificate Automation is the key! Although a shorter certificate validity period presents notable benefits, it also carries drawbacks that, if not managed effectively, can lead to adverse consequences. Waiting until the last moment to renew a certificate and failing to meet the deadline can result in severe repercussions.

    An expired certificate can cause numerous issues that harm the organization:

    • Data Breaches

      The expiration of SSL Certificates renders a site vulnerable to external attacks, as the secure connection is terminated upon certificate expiry. Once breached, attackers can access sensitive information like credit card details transmitted over the connection.

    • Service Interruption

      Expired certificates result in site downtime, preventing user access and potentially causing financial and reputational losses. Error messages indicating an unsafe site deter users from engaging with the site, leading to revenue loss.

    • Search Engine Penalties

      Expired SSL certificates may lead to search engine penalties, adversely affecting website rankings and traffic. Search engines like Google prioritize secure websites and penalize those with expired certificates, impacting visibility and credibility.

    • Reputation Damage

      Expired certificates diminish the organization’s reputation, eroding user trust. Rebuilding trust after such an incident can be challenging and may take significant effort.

    Pros of Certificate Renewal Automation

    Automation in certificate renewal offers great advantages over manual certificate renewals. Automation not only affects your productivity and resources but also greatly streamlines your certificate management.

    The list of pros offered by automation is endless, but if I have to point out a few of the major advantages of automation, they would be:

    1. Time and Cost Savings

      Automation streamlines the certificate management workflow, eliminating the need for manual intervention and switching between systems to enforce the certificate. This significantly reduces the time and resources required to manage certificates, allowing IT teams to focus on more strategic initiatives.

    2. Minimizing Human Errors

      Manual certificate renewal is highly prone to human error, which can prove very costly to organizations. A single misconfiguration or typo may lead to an incorrect certificate renewal and downtime, on top of the already tedious job of renewing certificates manually.

    3. No last-minute renewals

      Automated certificate renewal removes the risk of impending certificate expirations. Keeping manual track of every certificate in your environment is a very tough job, and it is easy to forget the renewal of a few certificates among many. Waiting until the last moment to renew a certificate is also always a bad idea. Automation takes care of last-minute renewals.

    4. Enhanced Security

      The risk of expired certificates and potential security flaws is decreased by automatically renewing certificates on schedule. Organizations can enhance the security of their confidential information and fend off intrusions by keeping their certificates current.

    Tackling the 90-day renewal challenge

    90-day renewal may seem like a big challenge for a company where proper certificate management is missing and the certificate inventory is too large to handle manually.

    Risks associated with expired certificates, whether we talk about financial losses, reputational damage, service downtime, or data breaches, are too grave to ignore; therefore, a prominent action plan is needed to avoid such accidents.

    Here are a few steps that can help you tackle the risks and challenges associated with 90-day renewal.

    Implement a Certificate Lifecycle Management (CLM) solution

    Implementing a CLM solution is the one-stop way to manage your internal and external facing certificates as well as to take care of any other factors like cryptographic compliance, certificate inventory, reports, and other essential must-haves when certificate management is concerned.

    Deploying a full-fledged CLM solution, like CertSecure Manager, gives you the minute details that, under manually supervised certificate management, take a lot of effort and are very cumbersome to get.

    CLM enables users to get the following features that mitigate the risk of certificate outages and ease their management:

    • Inventory

      The CLM solution provides a complete inventory of certificates deployed on your organization’s environment. Having a complete inventory is more than crucial to identifying and flagging certificates that need to be worked upon along with identifying the owners of the certificates. Inventory is of grave importance for organizations where the certificate count is too large for manual handling and monitoring.

    • Monitoring and Reports

      To manage 90-day certificate lifespans, you must manage an ongoing stream of temporary certificates. Therefore, you must spot anomalies, or instances when certificate usage deviates from expected behavior, right away. Continuous monitoring of certificates allows us to detect such anomalies at the right time and take appropriate action.

      Reporting also enables organizations to do in-depth analysis of certificates via audit reports and other crucial reports like the expiration, key length reports, etc.

    • Automation

      Automating renewals not only saves time but also ensures that your certificates remain current and prevents downtime from expired ones. You may create a sequence of notifications for expiring certificates after determining the locations and owners of your TLS/SSL certificates.

      But as certificate lifetimes get shorter, it becomes riskier and impracticable to rely solely on manual renewal, which means manually following up with certificate owners for days or weeks at a time.

    • Certificate Discovery

      Certificate Discovery is one of the most valuable things you can add to your environment. It reveals hidden certificates that may be deployed in your environment without your knowledge. Many times these are self-signed certificates, which are potential points of compromise.

      Certificate discovery is what makes the certificate inventory complete, and therefore what makes the certificate information in it worth relying on.

    • Workflows and Policies

      To ensure certificates adhere to the most stringent attributes, global policies should be implemented. Centralized workflows should be created to enforce compliance for shorter certificate lifespans. The renewal process should be aligned with shorter lifespans by setting correct validity periods for new certificates.

    • Integrations with DevOps tools

      DevOps teams consume the largest number of certificates, especially in CI/CD environments. Considering the risk of improper certificate renewals and the tedious way in which certificate requests need to be performed, DevOps teams may find themselves in a pinch regarding management and issuance of certificates.

      Integrating your certificate lifecycle management solution with your developers’ current tools will make their lives easier.

      API-driven interfaces allow certificates to be automatically provisioned in continuous deployment settings, guaranteeing that the validity periods of certificates used in both new and old applications are strictly adhered to.
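
    The inventory, monitoring and policy features listed above reduce to one recurring check over the certificate inventory. The following is an added example, not CertSecure Manager code or code from the original article: the inventory records, the reference date and the rule of renewing when one third of the lifetime remains are all assumptions made for illustration.

```python
"""Triage a certificate inventory against a 90-day validity policy (added example)."""
import socket
import ssl
from datetime import datetime, timezone

MAX_VALIDITY_DAYS = 90   # policy ceiling, from the 90-day proposal discussed in the text
RENEW_DIVISOR = 3        # assumption: renew once only 1/3 of the lifetime remains
ORDER = {"EXPIRED": 0, "RENEW_NOW": 1, "OK": 2}

# Constructed "as of" date so the demonstration is reproducible.
REFERENCE_NOW = datetime(2025, 3, 15, tzinfo=timezone.utc)

# Constructed inventory records. The date strings use the format that
# ssl.SSLSocket.getpeercert() returns for notBefore / notAfter.
INVENTORY = [
    {"host": "api.example.com", "owner": "platform",
     "notBefore": "Mar  1 00:00:00 2025 GMT", "notAfter": "May 30 00:00:00 2025 GMT"},
    {"host": "shop.example.com", "owner": "web-team",
     "notBefore": "Jan  1 00:00:00 2025 GMT", "notAfter": "Apr  1 00:00:00 2025 GMT"},
    {"host": "legacy.example.com", "owner": "",
     "notBefore": "Jun  1 00:00:00 2024 GMT", "notAfter": "Jul  4 00:00:00 2025 GMT"},
    {"host": "intranet.example.com", "owner": "it-ops",
     "notBefore": "Dec  1 00:00:00 2024 GMT", "notAfter": "Mar  1 00:00:00 2025 GMT"},
]


def parse_cert_time(value):
    """Convert a getpeercert()-style timestamp to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def triage(record, now):
    """Classify one inventory record and list its policy findings."""
    not_before = parse_cert_time(record["notBefore"])
    not_after = parse_cert_time(record["notAfter"])
    lifetime = not_after - not_before
    # The renewal point scales with the lifetime, so a 90-day certificate is
    # renewed 30 days before expiry instead of at a fixed calendar reminder.
    renew_at = not_after - lifetime / RENEW_DIVISOR
    if now >= not_after:
        status = "EXPIRED"
    elif now >= renew_at:
        status = "RENEW_NOW"
    else:
        status = "OK"
    findings = []
    if lifetime.days > MAX_VALIDITY_DAYS:
        findings.append(
            f"validity of {lifetime.days} days exceeds the {MAX_VALIDITY_DAYS}-day policy")
    if not record.get("owner"):
        findings.append("no owner recorded")
    return {"host": record["host"], "status": status,
            "days_left": (not_after - now).days,
            "renew_at": renew_at.date().isoformat(), "findings": findings}


def build_report(inventory, now):
    """Return triaged records, most urgent first."""
    rows = [triage(record, now) for record in inventory]
    return sorted(rows, key=lambda row: (ORDER[row["status"]], row["days_left"]))


def fetch_record(host, port=443, owner="", timeout=5.0):
    """Build an inventory record from a live endpoint (needs network access).

    The default context validates the chain, so an endpoint whose certificate
    has already expired raises ssl.SSLCertVerificationError instead.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return {"host": host, "owner": owner,
            "notBefore": cert["notBefore"], "notAfter": cert["notAfter"]}


if __name__ == "__main__":
    for row in build_report(INVENTORY, REFERENCE_NOW):
        notes = "; ".join(row["findings"]) or "-"
        print(f'{row["status"]:<10} {row["host"]:<22} '
              f'{row["days_left"]:>4}d  renew_at={row["renew_at"]}  {notes}')
```

    Run on a schedule, the first rows of the report are the renewals to trigger or escalate; the findings column shows certificates that would break a 90-day policy or have nobody to notify.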

    CertSecure Manager

    Encryption Consulting’s CertSecure Manager is an advanced solution designed to address the challenges of manual certificate management and assist organizations in meeting these upcoming requirements.

    With its comprehensive features, including lifecycle management, certificate discovery, inventory management, issuance, deployment, renewal, revocation, and reporting capabilities, CertSecure Manager streamlines the entire certificate management process through end-to-end automation.

    Additionally, CertSecure Manager’s built-in alerts provide timely notifications for critical events such as upcoming certificate expirations, allowing organizations to take proactive measures and prevent service disruptions. With a focus on security and compliance, CertSecure Manager helps organizations meet the highest industry standards, such as NIST, HIPAA, GDPR, and CA/B, ensuring a secure and compliant certificate infrastructure.

    By leveraging CertSecure Manager, organizations can effectively manage their certificates, enhance security, save time and resources, and maintain a strong online presence while aligning with Google’s proposed TLS certificate validity reduction.

    Conclusion

    Google has proposed reducing the validity of TLS certificates to 90 days. This change will significantly impact organizations, particularly those that rely on manual certificate management processes. To ensure a secure and streamlined online environment, organizations must adapt their certificate management practices. This involves careful planning, investing in automated certificate management tools like CertSecure Manager, and making changes to processes and procedures.

    Adapting to shorter SSL certificate lifecycles can be challenging, and mishandling this transition could have serious consequences. However, the benefits of improved security, compliance, and agility make it worth the effort to adapt.


    About the Author

    Akashdeep Kashyap is a cybersecurity enthusiast who views the field not just as a profession, but as a pathway to unlocking the true essence of technology. His journey in cybersecurity is driven by a profound belief that understanding and securing digital systems illuminates our understanding of the broader tech landscape. Akashdeep approaches cybersecurity as a means of enlightenment, constantly seeking to unravel the complexities of digital security while embracing the ever-evolving world of technology.

    Secure communication is essential in today’s world, and trust stores play an important role in ensuring this. A trust store is a digital repository that stores certificates from verified sources.

    When we visit a website and see a secure lock icon, it’s a sign that we are connected to a secure network. It’s because a complex system works behind the scenes. A trust store makes this system possible. But what exactly is a trust store, and how does it function?

    Think of our friends on social media as a trust store. We only accept a friend request from someone we know or someone recommended by a trusted connection. Likewise, a trust store is a repository that holds digital certificates issued by the Certification Authorities (CAs) that our operating system or browser trusts. These certificates are like digital identification for the websites we visit and tell us whether a website is trustworthy or not.

    Now, to get a better understanding, let us understand how the process of verification works:

    1. Websites send digital certificates

      When we visit a website, it sends a digital certificate to the browser.

    2. Trust Store Checks the Certificate

      The Trust store comes into play here; it verifies the digital certificate.

    3. Is the certificate trustworthy?

      If the digital certificate is signed by any CA on the trust store list, then the certificate is deemed trustworthy and hence the connection is secure.

    4. Connection is Not Secure

      However, if the certificate doesn’t match a known CA, the trust store throws up a red flag. This is when we see the “connection not secure” message.

    Operating systems and web browsers maintain lists of these certificates, called trust stores. Strict criteria determine which CA certificates are deemed trustworthy enough to be included. Trust stores enable secure communication by referencing these certificates during any online interaction and help you avoid connecting with potentially malicious entities.

    To see trusted root certificates on your Windows machines, follow these steps:

    1. Open Control Panel. 
    2. Click on “Network and Internet”. 
    3. Select “Internet Options”.
    4. In the Internet Properties window, go to the “Content” tab. 
    5. Click on the “Certificates” button.
    6. In the Certificates window, move to the “Trusted Root Certification Authorities” tab.

    So now the question arises where this trust store comes from. There are four major organizations that maintain such trust stores.

    1. The Microsoft root certificate program is used by Windows.
    2. The Apple root certificate program is used by all Mac devices.
    3. The Mozilla root certificate program is used by Mozilla itself and most Linux distributions.
    4. The Google root certificate program is used by Google Chrome and other applications.

    Each of these entities has its standards and requirements for including a Root certificate in its trust store, but they all require a CA to undergo one or more audits before their Root certificate can be included.

    There are hundreds of CAs trusted under the CA/Browser Forum Baseline Requirements, which set the rules that trusted certificate authorities (CAs) are supposed to follow before issuing certificates.

    Moreover, CAs are audited for compliance with these rules and protocols as part of the WebTrust audit program, which is required by some root certificate programs, like Mozilla's, for inclusion in their trust stores.

    The following table provides a breakdown of key aspects of the trust store. 

    Aspect: Number of Trusted Root CAs
    Description: The number of Certificate Authorities (CAs) whose certificates are pre-installed and trusted by a specific trust store.
    Example:
    • Windows 10 typically trusts around 100-150 Root CAs.
    • Mozilla Firefox uses a more selective approach, trusting around 50-60 Root CAs.

    Aspect: Frequency of Updates
    Description: How often the trust store is updated with new or revoked certificates.
    Example: Trust stores are updated on a weekly or monthly basis.

    Aspect: Types of Certificates Stored
    Description: The different types of certificates a trust store might contain, beyond just website certificates.
    Example:
    • Website certificates (SSL/TLS)
    • Code signing certificates (used to verify the authenticity of software)
    • Email signing certificates (used to digitally sign emails)

    Aspect: Common Verification Errors
    Description: Examples of errors a user might encounter if a website’s certificate doesn’t validate against the trust store.
    Example:
    • “Certificate Not Valid” – This is a warning about an expired certificate or one issued by an unknown CA.
    • “Connection Not Secure” – This is a general warning that the website’s certificate couldn’t be validated.

    In this scenario, certificate authorities are considered trustworthy third parties when issuing digital security certificates like SSL, code signing, etc. They handle public keys and other encryption-related credentials. They also authenticate and associate websites, email addresses, businesses, and others with cryptographic keys.

    The CA is responsible for verifying and issuing the organization’s data with distinctive certificates. These CAs are trusted to verify a website’s / organization’s legitimacy, and some researchers have pointed out that their role in this overall system could be a single point of failure. Moreover, if a CA is compromised, this essentially means that, theoretically, any attacker could issue fake certificates and exploit the trust store verification process. 

    Now, managing the intricate web of keys and certificates can be complex. Security researchers highlight this complexity as a potential vulnerability. Any errors or vulnerabilities in this process could create opportunities for attackers to exploit. 

    In order to resolve these issues, intricate solutions are generally in place, such as a certificate lifecycle management solution (CLM). A CLM could potentially help an organization manage its certificates.

    Implementing a centralized CLM allows for better and centralized oversight and control over the entire certificate lifecycle. It helps the organization have better visibility of certificates, enforces standardized processes, tracks certificate usage, and promptly identifies and addresses any issues.  

    Conclusion

    In conclusion, trust stores play a crucial role in establishing a secure connection for any online interaction. They are like a secure vault that stores certificates from verified sources (Certification Authorities). This vault is used to verify a website’s identity. The process is like a digital handshake with confirmed credentials to ensure a secure and encrypted connection.

    However, we must acknowledge that this process has inherent complexities. The high dependency on CAs creates the potential for a single point of failure. Additionally, managing the web of keys and certificates can create complexity and lead to vulnerabilities.

    Moreover, to overcome these challenges, our CLM CertSecure could help manage these certificates and potentially solve the issues with oversight and complexities.

    How can Encryption Consulting help? 

    Encryption Consulting provides specialized services tailored to identify vulnerabilities and mitigate risks by providing PKI Services. Our strategic guidance aligns PKI solutions with organizational objectives, enhancing efficiency and minimizing costs. By partnering with Encryption Consulting, organizations can unlock the full potential of PKI solutions, realizing tangible financial benefits while maintaining robust security measures. 

    CertSecure Manager has a comprehensive suite of lifecycle management features. From discovery and inventory to issuance, deployment, renewal, revocation, and reporting, CertSecure provides an all-encompassing solution. Intelligent report generation, alerting, automation, automatic deployment onto servers, and certificate enrollment add layers of sophistication, making it a versatile and intelligent asset.


    About the Author

    Divyansh is a Consultant at Encryption Consulting, specializing in Public Key Infrastructures (PKIs) and cloud applications. With extensive experience developing software applications, he is adept at working with clients to develop specialized solutions. His expertise in PKIs and certificate lifecycle management enables him to develop Encryption Consulting's CLM solution, adding a valuable dimension to his skill set. His work with clients has ensured they achieve the best possible outcomes with encryption regulations and PKI infrastructure design.

    Did you know that, according to Verizon’s 2022 Data Breach Investigation Report, supply chain attacks were responsible for 62% of system intrusion incidents?

    The data shows that supply chain attacks can be considered one of the most effective ways to compromise organizations, as they target the weakest links in the security chain. Supply chain attacks usually begin by compromising a supply chain partner, such as a distributor, developer, or supplier.

    Once inside the organization, attackers may steal sensitive data, damage systems, or even shut down whole organizations. In this blog, we will examine one of the most recent events of a supply chain attack that took down multiple Python developers.

    The Supply Chain Attack: Explained

    Cloning a Popular Tool

    Multiple Python developers, which included the maintainer of Top.gg, were infected by information-stealing malware after downloading a malicious clone of a highly popular tool.

    The tool is called Colorama, a utility that makes ANSI escape character sequences (a standard for in-band signaling to control cursor location, font styling, color, and other options on video text terminals and terminal emulators) work on Windows and has been downloaded more than 150 million times.

    The attackers embed software with malware, which is distributed among users. This way, the malware infects the user’s system. This step is akin to creating a counterfeit product that looks identical to the real thing but contains harmful components.

    Setting Up a Fake Mirror Domain Through Typo Squatting

    To execute their supply chain attack, the hackers cloned Colorama, inserted malicious code into it, and placed the malicious version on a fake mirror domain, which relied upon typosquatting (registering a domain that closely resembles a legitimate domain) to trick Python developers into mistaking it for the legitimate “files.pythonhosted.org” mirror.

    For example, if the legitimate domain is “example.com”, the attackers might register “example1e.com” or simply “example.co”, preying on users who mistype the URL.
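
    A defensive check for the look-alike mirror described above, as an added example that is not part of the original article or of any project it mentions. It audits a requirements-style file against an allowlist of download hosts and marks near-misses of a trusted host as look-alikes. The allowlist contents, the similarity threshold, the host names in the sample, and the idea that the download instruction appears as a URL in such a file are all assumptions.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Allowlist of download hosts. files.pythonhosted.org is the legitimate host
# named in the article; pypi.org is the PyPI index. Add internal mirrors here.
TRUSTED_HOSTS = frozenset({"files.pythonhosted.org", "pypi.org"})

# Assumed triage threshold (not a standard value): a host at least this similar
# to a trusted host is reported as a look-alike instead of merely unknown.
LOOKALIKE_RATIO = 0.8

COMMENT_RE = re.compile(r"(^|\s)#.*$")  # requirements-file comments
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)


def classify_host(host):
    """Return 'trusted', 'lookalike' or 'untrusted' for a download host."""
    host = host.lower().rstrip(".")
    if host in TRUSTED_HOSTS:
        return "trusted"
    # Punycode labels can render as characters that imitate a trusted name.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"
    for good in TRUSTED_HOSTS:
        if SequenceMatcher(None, host, good).ratio() >= LOOKALIKE_RATIO:
            return "lookalike"
    return "untrusted"


def audit_requirements(text):
    """Return (line_no, host, verdict) for every URL whose host is not allowlisted.

    The allowlist is the control: any host outside it is a finding. The
    similarity score only raises the priority of hosts built to be misread.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = COMMENT_RE.sub("", raw)  # keeps '#sha256=...' URL fragments
        for url in URL_RE.findall(line):
            host = urlsplit(url).hostname or ""
            verdict = classify_host(host)
            if verdict != "trusted":
                findings.append((line_no, host, verdict))
    return findings


# Constructed sample input; every host other than the two trusted ones is made up.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not taken from the affected repository
requests==2.31.0
--index-url https://pypi.org/simple
colorama @ https://files.pythonhosled.org/packages/colorama-0.0.0.tar.gz  # constructed look-alike
example-pkg @ https://downloads.vendor.example/example-pkg-1.0.tar.gz
idna @ https://files.pythonhosted.org/packages/idna-3.6.tar.gz#sha256=0000
"""

if __name__ == "__main__":
    for line_no, host, verdict in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {line_no}: {host} -> {verdict}")
```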

    Hijacking High-Profile Accounts

    The intruders created malicious repositories under their accounts to spread the malware package while hijacking high-profile accounts. These included the GitHub account “editor-syntax,” which maintains the Top.gg search and discovery platform for Discord, a community with over 1,700,000 members.

    Using the “editor-syntax” account, the intruders made a malicious commit to the top-gg/python-sdk repository, adding instructions to download the malicious clone of Colorama and starting malicious GitHub repositories to increase their visibility.

    The account was hacked via stolen cookies, which the intruders used to bypass authentication and perform malicious activities without knowing the password. As a result, multiple Top.gg community members were compromised. For instance, they could alter the repository of a popular software project to include a dependency that downloads the malicious code instead of the legitimate package.

    Hiding Malicious Code

    To hide malicious code in Colorama, the cyber-attackers added numerous white spaces, pushing the snippet off-screen so it wouldn’t be visible during quick reviews of the source files. In addition to that, they set the code to be executed every time Colorama was imported. This technique can be considered similar to hiding fine print in a contract by pushing it off the visible page, hoping no one scrolls down to read it.
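
    A review aid for the whitespace trick described above, as an added example that is not part of the original article. It tokenizes a Python source file and reports any code token separated from the previous token on the same line by a long run of blank columns, so padding inside string literals and padded comments are not reported. The threshold and the sample source are assumptions; a harmless print stands in for the hidden statement.

```python
import io
import re
import tokenize

MIN_GAP = 40  # assumed threshold: blank columns between two code tokens

_IGNORED = {tokenize.COMMENT, tokenize.INDENT, tokenize.DEDENT, tokenize.ENDMARKER}
_LINE_END = {tokenize.NEWLINE, tokenize.NL}


def _scan_raw_lines(source, min_gap):
    """Fallback for files that do not tokenize: plain per-line pattern match.

    Less precise than the token scan, because padding inside string literals
    is reported as well.
    """
    pad = re.compile(r"\S(\s{%d,})(\S.*)" % min_gap)
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        match = pad.search(line)
        if match:
            hits.append((line_no, match.start(2), len(match.group(1)),
                         match.group(2).strip()[:60]))
    return hits


def find_padded_code(source, min_gap=MIN_GAP):
    """Return (line, column, gap, text) for code pushed right by whitespace."""
    hits = []
    prev = None
    try:
        for tok in tokenize.generate_tokens(io.StringIO(source).readline):
            if tok.type in _LINE_END:
                prev = None  # gaps are only measured within one line
                continue
            if tok.type in _IGNORED:
                continue
            if prev is not None and prev.end[0] == tok.start[0]:
                gap = tok.start[1] - prev.end[1]
                if gap >= min_gap:
                    text = tok.line[tok.start[1]:].strip()[:60]
                    hits.append((tok.start[0], tok.start[1], gap, text))
            prev = tok
    except (tokenize.TokenError, SyntaxError):
        return _scan_raw_lines(source, min_gap)
    return hits


# Constructed sample of a package __init__ file. Line 3 hides a statement 300
# columns to the right of a normal-looking import; line 4 only pads a string.
SAMPLE_INIT = (
    "# constructed sample; a harmless print stands in for the hidden statement\n"
    "import sys\n"
    "from .ansi import Fore, Back, Style;" + " " * 300 + "print('hidden statement')\n"
    "BANNER = 'padding inside a string literal" + " " * 60 + "is data, not code'\n"
    "def init():\n"
    "    return sys.platform\n"
)

if __name__ == "__main__":
    for line, column, gap, text in find_padded_code(SAMPLE_INIT):
        print(f"line {line}, column {column}: {gap} blank columns before {text!r}")
```

    Run over every file of a dependency before it is vendored or pinned, this turns an off-screen statement into a one-line finding that a quick visual review would miss.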

    Infection Procedure

    Once the malicious code was executed, the infection procedure continued with several additional steps, such as executing and downloading additional Python code and fetching necessary libraries while establishing persistence.

    In the end, the developers’ systems were infected with malware capable of logging keystrokes while stealing data from multiple browsers (including Chrome, Edge, Brave, Opera, Vivaldi, and Yandex), Discord, cryptocurrency wallets, Telegram sessions, computer files, and Instagram. This is akin to a thief breaking into a house, searching through rooms (applications) and stealing valuable items (data credentials).

    Code Signing Vulnerabilities and Mitigation Measures

    1. Certificate Theft

    Cyber attackers target code-signing certificates through different means, including phishing, social engineering, or compromising CAs (Certificate Authorities). Once the attacker possesses a stolen certificate, they can sign malicious software, making it appear legitimate to unsuspecting users.

    Developers must adopt strong certificate management practices to mitigate this risk efficiently, which includes safe storage, certificate audits, and two-factor authentication.

    Suppose there is an organization called Fintech Innovations Inc.; safe storage of certificates prevents unauthorized access to its code-signing certificates. The organization also conducts regular certificate audits to ensure that each certificate is used as intended. In addition, it uses two-factor authentication for certificate access, which significantly reduces the risks of unauthorized access through compromised credentials.

    2. Compromised Build Environment

    Supply chain attacks often target software development enterprises’ build environments. By compromising these systems, attackers can inject malicious code into the final product. Hence, developers must adopt robust security measures for build environments, including continuous monitoring, secure access controls, and vulnerability assessments.

    The organization mentioned above implements a continuous monitoring solution that tracks real-time activities within its development and build environments. It also enforces strict access controls on its build environments. Fintech Innovations Inc. also conducts regular vulnerability assessments on the build environment to identify and remediate potential weaknesses.

    Secure Code Signing Best Practices

    To mitigate the risks of code signing and to protect against supply chain attacks, enterprises must implement the following best practices:

    • Secure Key Management

      Organizations must safeguard the private keys used for code signing, ensuring they are stored securely and accessible only to authorized users. They must employ strong encryption, HSMs (Hardware Security Modules), and regular key rotation to minimize the impact of a compromised key. For instance, Google is a well-known organization that uses secure key management for code signing, which helps it keep cyber attackers at bay.

    • CLM, or Certificate Lifecycle Management

      Organizations must establish a robust structure for certificate issuance, revocation, and renewal procedures. They must implement stringent verification processes when renewing or requesting certificates. In addition, they must monitor and audit certificates in use and promptly revoke any expired or compromised certificates.

    • Build System Security

      Organizations must also strengthen security measures around the build environment, including intrusion detection systems, secure access control, and continuous monitoring. They need to regularly update and patch build tools and dependencies to mitigate known vulnerabilities.

    • Supply Chain Integrity

      Organizations must implement strict controls throughout the software development lifecycle, including continuous integration and deployment (CI/CD) pipelines, secure code repositories, and regular security audits. They must also validate the integrity of third-party libraries and components before incorporating them into software projects.

    • User Awareness and Education

      Organizations need to educate users about the importance of code signing and how to verify the software’s authenticity. They also need to promote awareness about potential risks and common attack vectors, such as phishing attempts or social engineering.

    Conclusion

    The recent surge in supply chain attacks, such as the sophisticated attack on Python developers, underscores a crucial vulnerability in our digital ecosystem. Organizations can implement comprehensive strategies to mitigate these risks, from secure certificate storage and regular audits to continuous monitoring and strict access controls in build environments.

    Moreover, adopting best practices in secure code signing is essential in fortifying defenses against these insidious threats. CodeSign Secure ensures that there is no tampering from unapproved parties and that the published software is from the original publisher. It also keeps you safe from supply chain attacks.

    About the Author

    Arpan Roy is a seasoned technical writer with five years of experience specializing in data security. With a keen focus on Public Key Infrastructure (PKI), Certificate Lifecycle Management, and various other aspects of data protection, Arpan has contributed extensively to disseminating knowledge through detailed blogs and informative articles. His work reflects a deep understanding of complex security protocols and demonstrates a commitment to educating others about the importance of digital security measures. Arpan's expertise and ability to distill technical concepts into accessible content make him a valuable asset to the cybersecurity community.

    Public Key Infrastructure (PKI) is a solution where, instead of using Email ID and Password for authentication, certificates are used. PKI also encrypts communication, using asymmetric encryption, which uses Public and Private Keys. PKI deals with managing the certificates and keys and creates a highly secure environment that can also be used by users, applications, and other devices. PKI uses X.509 certificates and Public Keys, where the key is used for end-to-end encrypted communication, so that both parties can trust each other and test their authenticity.

    PKI is mostly used in TLS/SSL to secure connections between the user and the server, while the user tests the server’s authenticity to make sure it’s not spoofed. SSL certificates can also be used to authenticate IoT devices.

    Why do we use PKI?

    PKI offers a way to identify people, devices, and apps, while providing robust encryption so that communication between both parties can remain private. Besides authentication and identification, PKI provides digital signatures and certificates to create unique credentials for the certificate holder and to validate the certificate holder.

    PKI is used all over the Internet in the form of TLS/SSL. When a client (in this case, a web browser) communicates with a server, the client gets ahold of the certificate and validates it to ensure its authenticity. Next, it employs asymmetric encryption to encrypt the traffic to and from the server. The digital certificate contains information such as the validity period of the certificate, issuer of the certificate, certificate holder, public key, signature algorithm, etc.

    It also contains a certification path. A certification path is an ordered list consisting of the issuer’s public key certificate and more, if applicable.

    A certification path must be validated before it can be relied upon to establish trust in a subject’s public key. Validation can consist of various checks on the certification path’s certificates, such as verifying the signatures and checking that each certificate has not been revoked. The PKIX standards define an algorithm for validating certification paths consisting of X.509 certificates.

    Apart from being used as SSL over the internet, PKI is also used in digital signatures and to sign software. PKI is also being used in smart devices, phones, tablets, game consoles, passports, mobile banking, etc. To overcome compliance challenges, follow all regulations, and maintain security at its best, organizations are using PKI in more than a few ways to keep all things secure.

    PKI In Detail

    What are the encryptions used in PKI?

    PKI makes use of both symmetric and asymmetric encryption to keep all its assets secure.

    Asymmetric Encryption

    Asymmetric encryption or Public Key Cryptography uses two separate keys for encryption and decryption. One of them is known as a public key, and the other is a private key. The public key can be generated from the private key, but the private key cannot be generated from the public key. Data encrypted with the public key can only be decrypted with the private key, and vice versa. Together, these keys are called a “Public and Private Key Pair”.

    Asymmetric encryption offers a way to encrypt data in public channels by distributing the public key. Because it doesn’t require an exchange of secret keys, we don’t face the key distribution issue that we generally do in symmetric encryption.

    These keys use a high level of randomness to ensure enhanced security. Algorithms like RSA, ECDSA, DSA, and Diffie-Hellman, with a key size of 1024 to 2048 or more, are typically used. Generally, the longer the key size, the more secure the encryption method. For context, if 2048-bit encryption is used to generate the key, then there are about 2^2048 combinations possible. It would take hundreds of years to go through this many combinations.

    Now, because the keys are longer and there is always a need to generate two different keys for encryption and decryption, this process becomes time-consuming. Moreover, here we also use more complex algorithms. These are some of the many reasons why asymmetric encryption is slower than symmetric encryption.

    In SSL certificates used for encrypted communication between a client and a server, a public key is attached to the certificate, which will initiate secure communication between two parties.

    Asymmetric encryption is used to exchange a secret key, which is done during the initial handshake between the two parties.

    The secret key exchanged is used to establish symmetric encryption for further communication. Symmetric encryption is faster than asymmetric one, so the combination of them both provides robust end-to-end security.

    Symmetric Encryption

    Symmetric encryption, unlike Asymmetric encryption, uses only one key for both encryption and decryption. This shared key is crucial for secure communication, but securely exchanging it between the communicating parties presents a notable challenge in symmetric encryption, commonly known as the “key distribution problem.” To address this, various techniques have been developed, such as key derivation functions and trusted third-party key distribution centers.

    Now, both the entities that are communicating via symmetric encryption (sender and receiver) should exchange the key so that it is used at the time of decryption. Here, the data is encrypted in a seemingly random and unintelligible form (ciphertext) and can only be recovered to the original form by the secret key. 

    Symmetric encryption is the most widely used type of encryption, and it is commonly used in applications such as email, file sharing, and virtual private networks (VPNs). Some examples of symmetric encryption include AES (Advanced Encryption Standard), DES (Data Encryption Standard), and RC4 (Rivest Cipher 4). Though this is faster than asymmetric encryption, if the key is compromised, anyone can decrypt the encrypted contents. Therefore, asymmetric encryption is used to ensure the secret key is not compromised, and the connection remains secure.

    The use case for each of these encryption types depends on the advantages it brings to the table. In cases where speed is the priority over increased security, we use symmetric encryption. Some of the most common cases include:

    • Banking

      In Payment applications, sensitive user data like account number or partial credit card info needs to be encrypted so that it is protected from malicious actors. This helps to reduce the risk of daily transactions without compromising the speed of transactions.

    • Data Storage

      Encrypting data that is at rest, i.e., when storing large amounts of sensitive data, companies prefer to encrypt the entire storage medium.

    In cases where advanced security is the priority over speed, or there is a need for identity verification, we use asymmetric keys:

    • Digital Signatures

      They maintain the authenticity and integrity of the data being transferred. Moreover, they are of use in email, data interchange, etc.

    • Public key infrastructure (PKI)

      Using asymmetric keys for issuance and management of digital certificates.

    There are also several cases where symmetric and asymmetric encryption are used together. Messaging apps and SSL certificates use a combination of both.

    Messaging apps like WhatsApp use this to achieve end-to-end encryption. Asymmetric encryption establishes a secure channel initially, with users’ public keys stored on the server and private keys remaining on their personal devices. This allows the secure exchange of a session key, which is then used for efficient symmetric encryption of the actual message.

    SSL certificates use asymmetric encryption to authenticate the server and establish a secure channel for exchanging a session key. This session key then uses symmetric encryption for the website data you access. In both scenarios, both encryption methods are utilized efficiently: asymmetric for secure key exchange and initial setup, and symmetric for efficient data encryption during actual communication.

    What are Digital Certificates? What is its role?

    Digital certificates are widely used in PKI. A digital certificate is a unique form of identification for a person, device, server, website, or other application. Digital certificates are used for authentication as well as validating the authenticity of an entity. They also make it possible for two machines to establish encrypted communication and trust each other without the fear of being spoofed. They also help with verification in the payment industry, which allows e-commerce to grow and be trusted.

    The certificate can be of two types.

    1. Self-signed certificate: Users can create their own certificates, which can be used for internal communication between two trusted parties.
    2. Signed by a Certification Authority: A Certification Authority issues a certificate which can be used for TLS/SSL on the website. Customers can validate the certificate with the third-party issuer, which validates the server’s authenticity.

    Before a Certification Authority issues a certificate, the issuer makes sure that it is given to the right entity. Several checks are made, such as whether the requester is the domain name holder. The certificate is issued only after the checks are complete.

    What is X.509 Standard?

    Most public certificates use a standard, machine-readable certificate format for certificate documents. It was initially called X.509v3. The format is used in many ways, such as:

    • Internet Protocols (TLS/SSL, which makes secure HTTP connections)
    • Digital Signatures
    • Digital Certificates
    • Certificate Revocation Lists (CRLs)

    What does PKI consist of? Where are the certificates created and stored?

    PKI, or Public Key Infrastructure, uses multiple elements in its infrastructure to ensure the security it promises. PKI uses digital certificates to maintain and validate people, devices, and software accessing the infrastructure. A Certification Authority, or CA, issues these certificates. A Certification Authority issues and validates certificates issued to a user, device, software, a server, or another CA. The CA ensures the certificates are valid, revokes certificates, and maintains their lifecycle.

    All certificates requested, received, and revoked by CA are stored and maintained in an encrypted certificate database. A certificate store is also used, which stores certificate history and information.

    What is a Certification Authority?

    Certification Authority certifies the identity of the requestor. The requestor can be a user, application, etc. Depending upon the type of CA, security policies, and requirements for handling requests, the identification mode is determined.

    During setup, a certificate template is chosen, and the certificate is issued based on the given information upon request. The CA also releases revocation lists called CRLs, which ensure invalid or unauthorized certificates cannot be used anymore.

    The Root CA is a trusted certificate authority, has the highest hierarchy level, and serves as a trust anchor. While validating a certificate path, the root certificate is the last certificate that is checked. For the most part, the Root CA remains offline and should stay air-gapped to make sure it is never compromised. The Root CA signs certificates for the issuing CAs and other subordinate CAs, which are used around the network. If an issuing CA fails, another can be created, but if a Root CA fails or gets compromised, the whole network needs to be recreated.

    Subordinate CA is under Root CA but is above endpoints. They help in issuing certificates, managing policies, etc. Their main objective is to define and authorize types of certificates that can be requested from root CA. Example: Subordinate CA may differ by location, or one CA may handle RSA keys, and the other may handle ECC keys.

    Who decides if CA can be trusted? 

    Trust in CAs is established through membership programs where each CA must meet strict criteria and protocols to be accepted as a member. Browsers and Operating Systems have a limited set of approved CAs. They must follow strict guidelines and security practices to ensure the integrity and trustworthiness of the certificates they issue.

    For example, a Domain Validated (DV) SSL Certificate confirms domain ownership, while an Extended Validation (EV) SSL certificate goes further. EV certificates involve thorough company checks by the CA, resulting in additional information displayed in the browser bar, like the company name. This extra verification adds to the trustworthiness of the website and the issuing CA. 

    Process of certificate creation

    Step 1: Key Generation

    This is done by the user. The public key is sent to the registration authority, and the private key is held by the user.

    Step 2: Create a CSR

    Using the private key, we generate a CSR, which includes the public key and the details required for the certificate, such as domain and organization information.

    Step 3: Submit to CA

    The CSR is then submitted to a trusted CA for certificate issuance.

    Step 4: CA verification

    Upon receiving the certificate request, the CA starts the verification process before granting the certificate, i.e., based on the type of certificate requested (Domain Validated, Organization Validated, etc.).

    Step 5: Certificate Issuance

    After the verification process, the corresponding certificate is issued.

    What are CRLs?

    A Certificate Revocation List (CRL) is a list of all digital certificates that have been revoked. A certification authority populates CRLs, as the CA is the only entity that can revoke the certificates it issues.

    Without a revocation list, it is harder to find out whether a certificate has been revoked before its expiration period. The revocation list is similar to a list of unauthorized entities.

    A certificate can expire due to the end of the lifecycle of the certificate. When the certificate is created, how long it remains valid is also set.

    If, however, within that time frame, the key is compromised, the user resigns, or something similar happens, the certificate is revoked so it can’t be used to get access. The certificate is flagged as unauthorized and then cannot be used by someone else.

    Moreover, these CRLs act as a checkpoint within the PKI infrastructure. When our browser establishes a connection with a website that we visit, it validates the digital certificate issued by the website. These certificates contain one or more links which the browser can access to retrieve CRL. Depending on the response, the browser will either consider the certificate as trustworthy or alert us about the revoked certificate. 

    Thus, in this whole process CRL functions as a blacklist, containing information on certificates that have been revoked before their expiry date due to security compromises or other issues. 

    What is a Delta CRL?

    In a large organization, CRLs can grow to be quite massive. Since a certificate must remain in the CRL until it expires, entries can stay on for several years. Transferring the whole CRL from one server to another can take a while. To make this process quicker, the CA issues a delta CRL, which only includes the changes made since the last CRL update. This makes the transfer much shorter and the updating of CRLs much quicker.
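
    How a relying party could combine a complete CRL with a delta CRL, as an added example that is not part of the original article. It is a simplified model in which CRLs are plain Python objects rather than parsed DER structures, and the combination checks follow the delta CRL rules in RFC 5280, section 5.2.4. The issuer name, serial numbers, CRL numbers, and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

REMOVE_FROM_CRL = "removeFromCRL"  # reason code that takes an entry off the list


@dataclass(frozen=True)
class Crl:
    issuer: str
    crl_number: int
    this_update: datetime
    next_update: datetime
    entries: Dict[int, str]                # certificate serial -> reason code
    base_crl_number: Optional[int] = None  # present only on a delta CRL


def _require_fresh(crl, now):
    """Reject a CRL used before thisUpdate or at/after nextUpdate."""
    if not (crl.this_update <= now < crl.next_update):
        raise ValueError(f"CRL #{crl.crl_number} is outside its validity window")


def effective_revocations(base, delta=None, now=None):
    """Return {serial: reason} after applying an optional delta CRL to a base."""
    now = now or datetime.now(timezone.utc)
    if base.base_crl_number is not None:
        raise ValueError("first argument must be a complete CRL, not a delta")
    _require_fresh(base, now)
    revoked = dict(base.entries)
    if delta is None:
        return revoked
    if delta.base_crl_number is None:
        raise ValueError("second argument is not a delta CRL")
    if delta.issuer != base.issuer:
        raise ValueError("base and delta CRL come from different issuers")
    # The delta lists changes since CRL number base_crl_number, so the complete
    # CRL in hand must be at least that recent or changes would be missed.
    if base.crl_number < delta.base_crl_number:
        raise ValueError("complete CRL is older than the delta's base; refetch it")
    if delta.crl_number <= base.crl_number:
        return revoked  # the delta is not newer than the complete CRL
    _require_fresh(delta, now)
    for serial, reason in delta.entries.items():
        if reason == REMOVE_FROM_CRL:
            revoked.pop(serial, None)   # e.g. a certificate released from hold
        else:
            revoked[serial] = reason
    return revoked


def revocation_reason(serial, base, delta=None, now=None):
    """Return the revocation reason for a serial, or None if it is not revoked."""
    return effective_revocations(base, delta, now).get(serial)


# Constructed sample data.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
BASE = Crl(
    issuer="CN=Example Issuing CA",
    crl_number=40,
    this_update=NOW - timedelta(days=3),
    next_update=NOW + timedelta(days=4),
    entries={0x1001: "keyCompromise", 0x1002: "certificateHold"},
)
DELTA = Crl(
    issuer="CN=Example Issuing CA",
    crl_number=42,
    this_update=NOW - timedelta(hours=1),
    next_update=NOW + timedelta(hours=23),
    entries={0x1003: "cessationOfOperation", 0x1002: REMOVE_FROM_CRL},
    base_crl_number=40,
)

if __name__ == "__main__":
    for serial, reason in sorted(effective_revocations(BASE, DELTA, NOW).items()):
        print(f"{serial:#06x}: {reason}")
```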

    What is an ARL?

    Authority Revocation List is a derivation of CRL. It contains revoked certificates issued to Certificate Authorities rather than users, software, or other clients. ARL is only used to manage a chain of trust.

    What is OCSP?

    The Online Certificate Status Protocol (OCSP), described in RFC 6960, is used to confirm a digital certificate’s revocation status. OCSP is a simpler and faster way to check revocation than CRLs since CA’s checks are performed instead of PKI. The data transferred is less, which helps the CA to parse the data.

    However, OCSP is less secure than CRLs. Reasons include:

    • OCSP is less informative. The only information CA sends back is either “good”, “bad” or “unknown”.
    • OCSP does not have requirements for encryption.
    • Replay is possible: a “good” response can be captured and replayed in answer to another OCSP request.

    Trusted Root Certificates 

    Trusted certificates establish a chain of trust that verifies other certificates signed by the trusted roots. They are primarily the top-level certificates in the hierarchy of certificates. When we visit a secure website (using HTTPS), our browser checks the website’s SSL/TLS certificate against a list of trusted root certificates stored locally. If the certificate presented by the website is signed by one of these trusted root certificates, the connection is deemed secure and encrypted.

    One such example is Microsoft root certification Authority. This certificate is issued by Microsoft Corporation, and it is included in the trusted root certificate store of Windows operating systems and Microsoft products. It is used to establish trust for various Microsoft services, applications, and websites. 

    What is a two-tier Architecture in PKI?

    A two-tier architecture is a layout that would meet the requirements for most organizations. The root CA lies on the first tier, which should remain offline and air-gapped. Subordinate Issuing CA should be online under it. Since we separate the role of Root CA and Issuing CA, the security does increase. The Root CA being offline protects its private keys better and reduces the chances of being compromised.

    Two-tier architecture also increases scalability and flexibility, and thus also increases fault tolerance. Since we separate the roles, multiple issuing CAs can be created and placed under a load balancer. This also enables us to place CAs in different regions and to use different security levels depending upon the region. Manageability also increases, as the CAs are separate and the Root CA needs to be brought online only to sign CRLs.

    Two Tier Architecture is the highly recommended design for most PKI solutions.

    What is a three-tier Architecture in PKI?

    Like two-tier architecture, three-tier architecture also has an offline root CA at the top and online issuing CAs at the bottom, but an intermediate tier is now placed between them, holding a CA that should remain offline. The intermediate CA may act as a policy CA, which dictates what policies are to be followed while issuing a certificate. Any authenticated user can get a certificate, or the user may need to appear in person for certificate approval.

    However, if an issuing CA faces compromise or something similar, the second level can revoke the certificates while keeping the rest of the branches alive.

    Three-tier PKI does increase security, scalability, and flexibility but comes with increased cost and management overhead. If an organization does not implement administrative or policy boundaries, then the middle tier may remain unused, so three tiers are not usually recommended or used.

    Implementation of PKI

    What are the Challenges solved by PKI?

    1. Trust

      PKI helps users confirm the validity of devices and websites. This ensures that users are connecting to the right website. Also, the communication between the user and the server remains encrypted. This removes the chances of being spoofed or a man-in-the-middle attack. PKI also helps customers trust e-commerce websites and make online payments securely. PKI ensures the authenticity of all parties involved and also encrypts communication between them, which allows them to grow a sense of trust.

    2. Authentication

      Passwords have been weak since people tend to share them, write them on a post-it, etc. PKI creates digital certificates that validate their identity, and since identity is validated, it works to authenticate users, devices, and applications.

    3. Security

      PKI does improve security: when trust is increased and authentication is implemented, the only attack vector that remains is PKI itself. People tend to be the weakest links in security, and when PKI is implemented, users are not left with much control. PKI ensures all policies are maintained, security is in place, and digital certificates (in the form of smart cards) help ensure that users are not using passwords or PINs, which can be easily compromised. The only variable remaining would be PKI, which can be secured, thus protecting the network.

    PKI for Internet

    Browsing the internet is often done using HTTPS, a secure version of HTTP that is the primary way to visit websites. While we use HTTPS, our connection to the server is encrypted. To ensure we connect to the correct server, our browser initially accepts a certificate from the server. Then it validates the certificate and uses the public key in the certificate to establish a secure connection.

    That certificate proves the server’s authenticity, increases security, encrypts the connection, and lets the user trust the website.

    If the certificate is invalid or expired, the browser will notify the user not to trust the website and often may not even allow the user to visit that particular website. The browser may also stop the user from visiting sites that are not using HTTPS connections.

    PKI for Authentication

    PKI provides digital certificates that prove the authenticity of the user. Since the user is authentic, if the user is authorized, it acts to authenticate users onto an area using smart cards or onto the network. PKI extends far beyond just user authentication. It allows users and systems to verify their identity and communicate over the air, as in the case of certificate-based Wi-Fi authentication. PKI also.

    Those digital certificates can also authenticate other devices and servers so that they have access and privileges on the network. This can also include Intrusion Detection Devices or other network devices such as routers. PKI also plays a big role in VPN authentication. Moreover, as highly sensitive data is accessed through a VPN, certificates are considered the preferred method for authentication. Generally, the CA is stored on the firewall of the device, and once the user is authenticated, a secure tunnel is created between both communicating entities.

    PKI for Communication

    PKI can be used for communication, where both parties can check each other’s authenticity, which leads them to trust each other’s identity and then encrypt their conversation. This greatly increases the security and trust among the parties participating in the communication. A prime example of PKI in communication is secure email. S/MIME (Secure/Multipurpose Internet Mail Extensions) uses digital certificates to encrypt emails. Both sender and recipient need a trusted CA-signed certificate. S/MIME uses these certificates to ensure the authenticity of the sender and to encrypt the email content with the public key, so that only the intended recipient can access it.

    PKI in IoT

    Earth has more devices than people. In the US, there are 11 connected devices on average in each household. Managing all these devices and having enough IP addresses for them has been a challenge. In November 2019, Europe ran out of IPv4 addresses. For this reason, IPv6 came out in 2012 and has been in play ever since.

    The number of devices is only bound to increase due to the boom in IoT. With increasing smart devices, it becomes a challenge to confirm these devices’ digital identity and provide proper network security.

    PKI provides a way to assign digital certificates to smart devices and secure a connection to the server. This helps OEMs to track the smart devices, push updates, and monitor and even fix them if necessary. It also keeps IoT devices secure from any attack, which can be catastrophic as it can affect our homes and our personal space.

    Encryption Consulting – PKI Advisory Services

    Encryption Consulting, with its top-of-the-line consultants, provides a vast array of PKI services for all customers. Our services include:

    • PKI Assessment: The assessment will identify gaps and provide recommendations as part of a comparative study of the current and future state of the customer’s PKI. This study will provide customers with a valuable risk report, a roadmap to improvement, and a way to prioritize data security investments.
    • PKI Design/Implementation: Designing and implementing a successful PKI needs expertise. This is where we can help customers. To assist you in this, we design the PKI and supporting processes. Post design, we help you with implementing or migrating PKI technology and infrastructure, including the root and issuing CAs. We develop PKI policies, rules and operational processes in alignment with your business needs.
    • PKI CP/CPS Development: The CP and CPS documents describe the architecture of your specific PKI, and include sections on certificate uses, naming, identification, authentication, key generation, procedures, operational controls, technical controls, revocation lists, audits, assessments, and legal matters. Encryption Consulting will work collaboratively with customer stakeholders to develop a Certificate Policy (CP) / Certificate Practice Statement (CPS) document following the template provided in Request for Comment (RFC) #3647.
    • PKI As A Service: Encryption Consulting’s PKI As A Service offers you a customizable, high-assurance Microsoft PKI designed and built to the highest standards. It’s a low-risk managed solution that gives you full control of your PKI without having to worry about the complexity.
    • PKI Training: Encryption Consulting offers PKI training for anyone using or managing certificates, designing or deploying a PKI enterprise solution, or evaluating and selecting a commercial PKI technology solution.

    About the Author

    Anish Bhattacharya is a Consultant at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.

    Asymmetric cryptography, or public key cryptography, uses two keys to establish a secure connection between two entities in a network. Public key cryptography utilizes asymmetric encryption. The private key is kept only with the owner of the website, the server, or whoever you want to communicate with. The public key is distributed among the clients and the user base. Only the private key can decrypt data encrypted using the public key. Asymmetric cryptography thus protects against man-in-the-middle attacks and attacks where the data in transit might be compromised or modified.

    Functions of Public-key cryptography

    The major functions of public-key cryptography are encryption, decryption, digital signatures, and key exchange.

    Encryption

    Public-key cryptography facilitates the encryption of messages or data to ensure secure communication over untrusted networks. The recipient’s public key is used for encryption, and only the corresponding private key can decrypt the message. This process ensures that only the intended recipient can decipher the information.

    Decryption

    Decryption is the process of reverting encrypted data back to its original form, and public-key cryptography allows this process securely. The recipient uses their private key to decrypt messages that were encrypted with their corresponding public key. This ensures that only the authorized recipient can access the original information.

    Digital Signatures

    Public-key cryptography enables the creation and verification of digital signatures to authenticate the origin and integrity of messages or documents. The sender signs the message with their private key, and the recipient can verify the signature using the sender’s public key. This process ensures that the message has not been tampered with and was indeed sent by the claimed sender.

    Key Exchange

    Public-key cryptography facilitates secure key exchange between parties to establish shared secret keys for symmetric encryption. Parties can exchange public keys and derive a shared secret key without exposing their private keys. This shared key is then used for symmetric encryption, enhancing the security of subsequent communication.

    A high-level real-world example of public-key cryptography is the secure transmission of information over the internet, particularly during online transactions, like shopping or banking.

    Example of public-key cryptography

    Imagine you are making an online purchase:

    Encryption (Sender – User’s Browser):

    The user’s browser (sender) has the public key of the website. Before transmitting sensitive information (e.g., credit card details), the browser uses the website’s public key to encrypt the data.

    Transmission:

    The encrypted data (cipher text) is sent over the internet to the website.

    Decryption (Recipient – Website):

    The website (recipient), which possesses the corresponding private key, decrypts the received information. Only the website, with the private key, can successfully decrypt and access the transmitted data.
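The functions listed above and the purchase example, worked through with Go's standard library: RSA-OAEP for encryption and decryption, RSA-PSS for signatures, and X25519 for key exchange. This is an added example, not code from the original article; the key pairs, the test card number, the sample order text, and the function names `must`, `Purchase`, `SignedIntact` and `AgreeKey` are constructed for illustration.

```go
package main

import (
	"crypto"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T { // abort this constructed demo on any setup error
	if err != nil {
		panic(err)
	}
	return v
}

// Purchase encrypts with the website's public key; only its private key decrypts.
func Purchase(card []byte) (ciphertext, recovered []byte) {
	site := must(rsa.GenerateKey(rand.Reader, 2048)) // constructed key pair for the website
	ciphertext = must(rsa.EncryptOAEP(sha256.New(), rand.Reader, &site.PublicKey, card, nil))
	return ciphertext, must(rsa.DecryptOAEP(sha256.New(), rand.Reader, site, ciphertext, nil))
}

// SignedIntact signs msg with the sender's private key and checks received with the public key.
func SignedIntact(msg, received []byte) bool {
	sender := must(rsa.GenerateKey(rand.Reader, 2048))
	digest := sha256.Sum256(msg)
	sig := must(rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil))
	got := sha256.Sum256(received)
	return rsa.VerifyPSS(&sender.PublicKey, crypto.SHA256, got[:], sig, nil) == nil
}

// AgreeKey exchanges only public keys; a real protocol would derive the key with a KDF such as HKDF.
func AgreeKey() (aliceKey, bobKey [32]byte) {
	alice := must(ecdh.X25519().GenerateKey(rand.Reader))
	bob := must(ecdh.X25519().GenerateKey(rand.Reader))
	a := must(alice.ECDH(bob.PublicKey()))
	b := must(bob.ECDH(alice.PublicKey()))
	return sha256.Sum256(a), sha256.Sum256(b)
}

func main() {
	ct, pt := Purchase([]byte("4111 1111 1111 1111")) // constructed test card number
	a, b := AgreeKey()
	fmt.Printf("ciphertext %d bytes, recovered %q, derived keys match: %v\n", len(ct), pt, a == b)
	fmt.Println("intact order verifies:", SignedIntact([]byte("pay 10"), []byte("pay 10")))
	fmt.Println("tampered order verifies:", SignedIntact([]byte("pay 10"), []byte("pay 1000")))
}
```

With a 2048-bit key and SHA-256, RSA-OAEP accepts at most 190 bytes of plaintext per operation, which is why bulk data is normally encrypted with a symmetric key agreed as in `AgreeKey`.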

    [Figure: Decryption Of Private Key]

    Advantages

    • Authentication Assurance

      Public key cryptography strengthens authentication by enabling the verification of message authenticity through digital signatures. This ensures that recipients can confidently validate the origin of messages, enhancing the overall security of communication channels.

    • Simplified Key Distribution

      Public key cryptography addresses the complexities of key distribution by encouraging users to openly share their public keys. This eliminates the need for secure pre-shared key channels, offering a more convenient and scalable approach to managing encryption keys.

    • Non-Repudiation via Digital Signatures

      Public key cryptography introduces non-repudiation features comparable to physical signatures. Messages digitally signed serve as unequivocal acknowledgments, preventing senders from disowning their communications. This strengthens the accountability and trustworthiness of digital interactions.

    Disadvantages

    • Security Risks of Private Key Exposure

      If an attacker gains access to your private key, there is a significant security risk as they can decrypt and read all your messages. The confidentiality of your communication becomes compromised, emphasizing the importance of safeguarding private keys.

    • Impact of Private Key Loss

      The loss of a private key poses a critical challenge, as it renders you unable to decrypt received messages. This loss of access can result in the permanent inability to retrieve or understand sensitive information, underscoring the need for secure key management practices.

    • Performance Considerations

      Public key cryptography tends to operate at a slower pace compared to symmetric cryptography. This method may not be suitable for decrypting bulk messages efficiently, highlighting a potential drawback in terms of speed and performance, particularly in scenarios where large volumes of data need decryption.

    Conclusion

    In conclusion, public key cryptography is a fundamental technology that underpins the security of digital communication in our interconnected world. Its ability to provide secure encryption, digital signatures, and key exchange mechanisms has made it indispensable for securing online transactions, authenticating users, and ensuring data integrity. As cyber threats continue to evolve, public key cryptography remains a powerful tool in safeguarding sensitive information and fostering trust in the digital realm.

    About the Author

    Anish Bhattacharya is a Consultant at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.
