PKI – Uses and Risks

A false sense of security can be much more dangerous than the absence of security. A researcher in a large-scale enterprise while sharing files using Azure’s SAS tokens, but due to some misconfigurations, accidentally granted access to the entire storage unit rather than specific files.

When it comes to security, implementation is more important than awareness. The goal of Public Key Infrastructure (PKI) is to attain trust by issuing and managing Digital Certificates where secure trust is created within an environment.
Certificates act as a driver’s license displaying all the information needed to ensure identification of the user, server, or issuing authority and ownership of the public key.

Secrets of PKI: Risks you must be aware of while Implementing PKI

1. How can we trust Certificate Authorities (CA)?
   

   Even though a CA may follow the Certificate Practice Statement (CPS) it is a document that often includes disclaimers that shift the responsibility away from the CA, stating that they hold no responsibility of how certificates are used. This means that just because a certificate is issued correctly it does not guarantee it can be trusted for all applications.

2. What goes wrong with trusting Identity (ID) certificates?
   

   The flawed logic in trusting an Identity certificate goes like this- if you have an identity certificate, it gives you the name of the keyholder, knowing the keyholder’s name means you know who they are, and this is all you need. However, this reasoning is incorrect, as knowing someone’s identity doesn’t guarantee their authorization or trustworthiness for specific actions.

3. How securely is your private key stored?
   

   This concern ties closely to the concept of “non-repudiation” PKI vendors addresses this term in legal context, pushing for laws that states if someone is using your private signing key. You cannot deny responsibility for the resulting signature. In some jurisdictions such as Utah and Washington, if your private signing key has been certified by an approved CA you are legally responsible for any actions taken with that key, regardless of whether a virus or someone else accessed your device.

 Top 4 Use Cases of PKI from our Experience:

1. PKI for Web Applications
   

   We often come across HTTPS when browsing the internet, but how is it different than HTTP? HTTPS is a secure version of HTTP that is the primary way to visit websites. The difference of “Secure” indicates that the connection to the server is encrypted.Let’s understand how Hypertext Transfer Protocol Secure works. To ensure we connect to the authenticated server, our browser initially accepts a certificate from the server. Then it validates the certificate and uses the public key in the certificate to establish a secure connection. That certificate proves the server’s authenticity, increases security, encrypts the connection, and lets the user trust the website. If the certificate is invalid or expired, the browser will notify the user not to trust the website and often may not even allow the user to visit that particular website. The browser may also stop the user from visiting sites that are not using HTTPS connections.

2. Zero-Touch
   

   Zero-Touch Email Encryption automates S/MIME (Secure/Multipurpose Internet Mail Extensions) email PKI deployment across the enterprise. Using S/MIME for email allows both the sender and recipient to use their existing S/MIME-capable email applications, as opposed to other approaches that require users to open a second email application or web portal and disrupt the users’ experience.When it comes to deployment, users typically go through a cumbersome and error-prone process of downloading and installing S/MIME certificates onto their email client. In contrast, Zero-Touch Email Encryption enables users to deploy PKI with a single click. It automatically publishes certificates to the corporate global address list, eliminating the need for users to back up their keys and removing certificate renewal headaches.

3. Code Signing
   

   Code Signing certificates enable developers to digitally sign applications and software programs to verify the source of the file and ensure that it has not been altered in any way. Unlike some other code-signing products, the entire software lifecycle is supported, from managing approval to signing operations to subsequent maintenance. Code Signing supports 32-bit or 64-bit code and all file types, including drivers, firmware, scripts, and applications. With enterprise-scale issuance, management, and renewal/revocation/replacement features, development teams gain greater cryptographic flexibility and improved time to market.

4. IoT (Internet of Things)
   

   The IoT Platform combines comprehensive hardening technology for embedded devices with third-party certificate issuance and management purpose-built for the Internet of Things. The IoT Platform includes embedded security solutions for device hardening, such as secure boot, embedded firewalls, TPM integration, and secure firmware updates with alerts. It also includes certificate issuance and management from cloud-native or on-premise CAs, specifically designed for IoT.

How can Encryption Consulting help?

Encryption Consulting’s PKI Services and PKI-as-a-service can help you manage your PKI and secure the digital network of your organization. We can design, implement, manage, and migrate your PKI systems according to your specific needs. Managing PKI can seem daunting with the increase in the number of cyber threats. But you can rest assured because our experienced staff will help you build and monitor your PKI. We can assess your PKI based on our custom framework, providing you with best practices for PKI and HSM deployments.

Conclusion

Understanding both the potential risks and wide-ranging use cases is crucial for maximizing the benefits of Public Key Infrastructure (PKI) while safeguarding against its inherent vulnerabilities. By issuing and managing digital certificates, PKI facilitates secure authentication, encryption, and communication, enhancing overall cybersecurity posture. However, effective implementation of PKI necessitates meticulous key management, vigilant certificate issuance practices, and robust security measures to mitigate risks such as key compromise and rogue certificate issuance.