Getting to Grips with Public Key

Infrastructure (PKI)

What is a PKI?

A Public Key Infrastructure (PKI) is a combination of policies, procedures and technology that forms a trust infrastructure to issue and manage digital certificates. These certificates enable strong cryptographic processes that can provide:

GETTING TO GRIPS WITH PKI2

• Electronic identification of users and devices

• Encryption of data at rest and in transit

• Data integrity

• Electronic signatures and non-repudiation

How the PKI is implemented and controlled, with respect to its policies and procedures, will determine the level of trust you and others will associate with each digital certificate.

What is a PKI used for?

• Secure network log-on• TLS/SSL for secure web transactions• IPSec• Secure site-to-site communication• Digital signing• Email encryption• Hard disk encryption

GETTING TO GRIPS WITH PKI3

Understanding asymmetric encryption• It involves the generation and use of a pair of mathematically linked keys• What one encrypts, only the other can decrypt• One key (private) is kept secret and secure (on a token/HSM) - the other key (public) can be

freely distributed via a digital certificate• Knowing the public key does not reveal the private key

GETTING TO GRIPS WITH PKI4

• Sender uses recipient’s public key to encrypt, recipient uses their private key to decrypt

• Sender signs messages with their private key, recipient verifies the signature using the sender’s public key

• Both encryption and signing can be applied to the same message, providing privacy and authentication to both parties

Understanding asymmetric encryptionKey sizes vary, depending on what they are being used for

GETTING TO GRIPS WITH PKI5

Using the RSA algorithm, 2048 bits is recommended for keys used in certificates for secure messages, webserver authentication or document signing

For a Subordinate CA – also called an Issuing CA - RSA keys from 2048 to 4096 bits are recommended

For a Root CA, a much stronger key is recommended: typically 4096 bits if RSA keys are used

More about asymmetric encryption

While increased computing power drives the requirement for longer keys to maintain security, this slows down processing time. Elliptic Curve Cryptography (ECC) offers shorter keys for equivalent levels of security and, generally, faster processing. For example, signing algorithms such as ECDSA typically use keys of 256 bits, with Root CAs requiring keys of 384 bits and can be nearly an order of magnitude faster than RSA for some operations.

A big advantage of asymmetric encryption is that it eases the historical problem of secret key (or symmetric key) distribution: it is possible to set up a secure exchange of information over an insecure link.

GETTING TO GRIPS WITH PKI6

The core components of a PKI

GETTING TO GRIPS WITH PKI7

Defined certificate policy• Registration process: Who can have a certificate? What checks must be undertaken to verify the

certificate holder’s identity?

• Certification Practice Statement (CPS) How are certificates issued, stored, revoked and

renewed?

• Size and nature of key

• How will the certificate policy be enforced? Subscriber Agreement Relying Party Agreement PKI Disclosure Statement

GETTING TO GRIPS WITH PKI8

A PKI is only as good as your security policy…

Anyone can build a PKI…BUT it has to be managed properly to be effective. The primary cause of many security breaches can be attributed to errors in implementation of a PKI.

GETTING TO GRIPS WITH PKI9

It has to be operated and maintained under secure circumstances

Requires a separation of duties away from Admin/System team to a dedicated security team

It must comply with tScheme (independent assurance that Trust Services meet rigorous quality standards) as well as ISO 27001 standards for information security

Keys need to be stored securely in accordance with internationally-recognised security standards e.g. FIPS 140-2 Level 3 or 4 (robust security that’s tamper-resistant, both physically and electronically)

Checks & balances

A Root CA has an average lifetime of 20 years…

A Sub-CA typically operates for 5-10 years…

An End Entity digital certificate has a lifespan of 1-3 years…

Who takes responsibility and keeps track of all this?

GETTING TO GRIPS WITH PKI10

20 YEARS

5 – 10 YEARS

1 – 3 YEARS

Skills, resources & costs

GETTING TO GRIPS WITH PKI11

PKI is not simply about technology.

Design, structure and management are all equally important.

The expertise required to do this properly demands a highly-specialised skills set which makes it prohibitive to do properly in-house.

The high cost of physically securing the environment: not everyone can afford to build their own Trust Service Centre.

This is why so many organisations choose to outsource itto companies like us.

Trustis: PKI specialists

Trustis has successfully implemented over 100 high-assurance PKIs for organisations such as the NHS, HMRC, utility suppliers, telecommunications companies and financial institutions.At the heart of our organisation is a group of experts who can provide help and advice on PKI and digital certificate solutions, covering everything from design through to full implementation, including compliance with recognised PKI standards.• We can build and deploy a fully-compliant PKI at a fraction

of the cost of doing it in-house. • We can integrate it with your environment and keep you in

absolute control.• You can host the Sub-CA in your own environment or at

our ultra-secure Trust Service Centre.• Trustis is ISO 27001:2013, tScheme and ETSI Certified.

GETTING TO GRIPS WITH PKI12

More about PKI

Further reading:

• New Directions in Cryptography – Whitfield Diffie and Martin E. Hellman

• NIST

• The RSA Patent US 4405829 A: Cryptographic communications system and

methods

• Schneier on Security – Bruce Schneier blog

• Security Engineering – Ross Anderson

GETTING TO GRIPS WITH PKI13

About Trustis

For over 15 years, Trustis has specialised in cryptographic solutions that include large-scale PKIs, managed HSMs, Identity Federation as well as security policy and compliance.We serve both the public and private sectors in the UK and around the world and have been a G-Cloud supplier since its inception. Trustis’ services comply with ISO 27001:2013 as well as tScheme and are ETSI Certified. A product-independent approach ensures that customers get the best solution to meet their requirements. Recent projects include public sector networks, 4G security in telecoms, smart grid and metering rollouts, payment systems in banking and ePassport PKIs.

GETTING TO GRIPS WITH PKI14

Contact details

Trustis Commercial Contact:Robert Hann robert.hann@trustis.com +44 (0) 7818 552411

Trustis LimitedBuilding 273, Greenham Business Park, Thatcham, RG19 6HN

+44 (0) 1635 231361 info@trustis.com www.trustis.com

GETTING TO GRIPS WITH PKI15