Building a Private PKI

What is a Private PKI?

In the digital world, digital certificates and the public key infrastructure (PKI) that generates and maintains them are the backbone of the trust relationships we use every day. PKI and digital certificates are fundamental to the digital security pillars that follow.

A private PKI is a PKI that is not publicly trusted. Its trust is limited to the organization, or to a group of organizations sharing a common purpose or goal.

Authentication

To ensure the authenticity of an individual, application or device

Confidentiality

Ensuring that information can be kept private

Integrity

Ensuring that information cannot be manipulated without this being obvious to the recipient

Non-Repudiation

The creator or sender cannot disown the information or claim they did not create or send the information

Why limit TRUST?

It’s all about maintaining CONTROL

Physical Controls

There are many physical controls placed on a PKI’s operations. Often the service is physically segregated from other services and systems, and it is operated from separate physical zones. Cogito, for instance, uses Remote Management Centers (RMCs) as the only locations outside of the Cogito Datacenters from which our core PKI components can be administered.

Personnel Controls

Many high security PKIs will have two-person control on PKI components and restrict the administration of the service to what are known as no-lone-zones. No-lone-zones are dedicated areas where more than one person must be present to operate a capability. Operating with a primary operator and a secondary operator acting as a witness is a core tenet of a secure PKI, as it ensures no one person can modify the system or service without at least one other person knowing about this modification.

Logical Controls

Many high security PKIs adopt a Zero Trust architecture. In a zero-trust architecture nothing gets automatic trust: every service, application, device and user must prove itself to everything it connects to. Cogito has embraced a zero-trust architecture even at the software subcomponent level.

Offline CA

A key control for highly secure PKIs is to limit access to critical components such as the CAs. One way this is done is by keeping the root-of-trust CAs (Root CAs) offline (i.e., they are not network accessible in any way). When combined with personnel controls, offline CAs become very difficult to compromise. Issuing CAs, on the other hand, are usually online to increase their usefulness, for example by allowing certificate requests and delivery to be automated.

Non-exportable private keys

Many PKIs store CA private keys in Hardware Security Modules (HSMs). These devices provide not just strong key protection but can also accelerate the use of these keys when performing key generation, encryption and signature functions. While some HSM manufacturers allow export of keys, best practice for asymmetric CA keys is to mark the private keys as non-exportable. Another best practice is to select a manufacturer that has certifications such as FIPS 140-2 or the newer FIPS 140-

Algorithm type and size

The algorithm used is one key factor in determining how hard it is to compromise the PKI; another is key size. The larger the key, the harder it is to compromise. However, simply selecting the largest key can have both performance and compatibility impacts on the systems to be supported by the PKI. Common key sizes for RSA keys, for instance, are now 4096-bit keys for a CA and 2048-bit keys for an end entity. For ECC, which is newer and has smaller bit lengths for relatively the same level of protection, a 384-bit key pair is often used.
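As an added illustration of the offline-root / online-issuing-CA split and the 384-bit ECC choice described above (example code written for this page, not Cogito's software), the Go program below builds a two-tier private PKI in memory with the standard library and then shows that the resulting chain verifies only for a relying party that holds the private root. The CA names and app.example.internal are constructed placeholders, and the keys live in process memory here, where a real deployment would keep the CA keys in an HSM.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on error to keep the example short; production code would return the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-384 key pair for cn and certifies it under parent (self-signed when parent is nil).
// pathLen >= 0 makes a CA (0 = may certify end entities only, never another CA); pathLen < 0 an end entity.
func issue(cn string, serial int64, pathLen int, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P384(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour)}
	if pathLen >= 0 {
		t.IsCA, t.BasicConstraintsValid, t.MaxPathLen, t.MaxPathLenZero = true, true, pathLen, pathLen == 0
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil { // the root certifies itself with its own key
		parent, parentKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}
// BuildChain issues root -> issuing CA -> end entity; only the issuing key is used online, the root key once, offline.
func BuildChain() (root, issuing, leaf *x509.Certificate) {
	root, rootKey := issue("Example Private Root CA", 1, 1, nil, nil)
	issuing, issKey := issue("Example Issuing CA", 2, 0, root, rootKey)
	leaf, _ = issue("app.example.internal", 3, -1, issuing, issKey)
	return root, issuing, leaf
}
// CheckTrust verifies the end entity with an empty trust store ("not publicly trusted": must fail), then with the private root.
func CheckTrust(root, issuing, leaf *x509.Certificate) (withoutRoot, withRoot error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	inters.AddCert(issuing)
	_, withoutRoot = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	roots.AddCert(root)
	_, withRoot = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return withoutRoot, withRoot
}
```

The issuing CA carries a path length of zero, so even if its online key were misused it could not certify a further CA that the root would accept.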

It is all about managing certificates and protecting the private keys, the basis of trust

Good policies, procedures, documentation and the people that create and follow them, are crucial to maintaining and operating a secure and trusted PKI.

This involves physical and specialised security measures to generate and store the private keys:

    • Scripted and paper documented key ceremonies
    • Two-person controls
    • Secure handling of keys
    • Hardware security modules (HSMs)

This is not hard to do in theory; however, most organisations struggle to implement and maintain the fundamentals of a trustworthy PKI.

This is why Cogito Group provides PKIaaS

Download our Building a Private PKI White Paper below