In 2016, the need for trusted digital identities will become paramount to the overall security within the global Internet. As businesses continue to brace against cyber-adversaries and look to secure the Internet of Things (IoT), Public Key Infrastructure (PKI) is making a resurgence as an economical, reliable, and proven technology that delivers a secure and high-performance solution.
Prediction 1: PKI is growing exponentially and emerging as the de facto standard for digital identification, authentication, and encryption.
Why do we believe this? While SSL/TLS continues to be widely used for secure web browsing, CSS has seen widespread use of “home-grown” PKI for commercial applications to authenticate data, devices, applications, and users. With companies offering access to cloud-based products, services, and tools, the need for SSL/TLS continues to be strong. The Thales Ponemon 2015 PKI Global Trends Study indicates that the biggest trends driving the use of PKI in 2015 were cloud-based services, mobile device management, and mobile applications. Despite vulnerabilities identified in the last two years, including Heartbleed, FREAK, POODLE, and Apple man-in-the-middle, PKI still continues to be the trusted backbone for issuing strong cryptographic keys for SSL/TLS certificates.
What does this mean for businesses? Every organization needs to be proactive in the usage, issuance, monitoring, and reporting of SSL/TLS/PKI environments. CSS Research identified that nearly 12% of all certificates published to the Internet belong to devices and not websites. A properly implemented and managed PKI contains a highly secure, cost-effective framework to issue trusted certificates for a variety of use cases. Because of these reasons, organizations are routinely establishing their own internal PKI and many are managing millions or more certificates to offer digital identity authentication, encryption, and signing for cloud services, mobile devices, and mobile applications.
Prediction 2: PKI will emerge as the best practice for identification, authentication, and secure communications for IoT devices.
Why do we believe this? Companies continue to launch IoT innovations to customize client products and services in an attempt to make things faster, better, and more accessible. These innovations help companies increase revenue, improve operational efficiency, meet regulatory requirements, improve safety, and protect assets. Verizon’s State of the Market The Internet of Things 2015 predicts that the IoT market is expected to grow from 1.2 billion connections in 2014 to 5.4 billion connections in 2020. If not properly identified, authenticated, and secured, IoT devices can open and magnify multiple threats to businesses. Cyber threats, outages and data breaches are on pace to have a significant impact on the revenue and reputations of growing businesses worldwide.
What does this mean for businesses? Secure authentication for IoT devices must be scalable and cost-effective. Traditional methods of digital authentication may not be as secure, cost-effective, or efficient for the type and volume of devices, data, people, and applications that need to be authenticated, encrypted, or signed. And, purchasing third-party certificates contribute immensely to product/service expense. “At the end of the day, there is an increasing need to bind identity and keys together, and digital certificates still provide a highly scalable way to do that,” states CSS CTO Ted Shorter. While it may seem relatively easy to set up a CA, the resources and expertise necessary to plan, implement, and manage a high trust PKI environment are rare and expensive. Additionally, companies issuing a large number of certificates are recognizing the need for solutions to monitor and manage certificates to mitigate risk of expirations and malicious usage.
Prediction 3: Certificate Authority (CA) breaches, implementation flaws, and man-in-the-middle (MiTM) attacks will get worse before they get better.
Why do we believe this? As digital certificate usage increases, so do the opportunities for malicious attempts to access and apply them to breach data and systems. Several high profile examples exist in which hackers breached a CA to issue fraudulent certificates. Malware can be used to compromise certificates, as happened with Superfish where its adware installed a self-generated root certificate into the Windows certificate store and resigned SSL certificates presented by HTTPS sites with its own certificate, potentially giving hackers access to sensitive data and activities. Additionally, new and creative examples of MiTM attacks applied to browsers, the cloud, apps, mobile devices, WiFi, and IoT continue to be launched. With the advent of readily-available, inexpensive tools, even unsophisticated cyber criminals have been able to conduct these kinds of attacks.
What does this mean for businesses? This is a sophisticated environment that needs a proactive approach. As a rise in the potential for breaches puts consumers and organizations at risk, increased regulatory and compliance requirements are emerging as well, driving companies to reconsider the importance of security in product design. Organizations are becoming hyper-vigilant in the implementation, management, and monitoring of PKI policies, processes, and technologies to protect critical assets, customers, and revenue. Establishing and maintaining strong policies around the PKI environment are critical, especially related to securing PKI keys. Organizations with direct control over their certificates will be better able to identify and respond to certificate-related vulnerabilities. Companies that maintain their own centralized inventory, monitoring, and management of all certificates will have significantly less exposure and risk to their operations. Finally, established and adhered to PKI protocols, Hardware Security Modules (HSM) key management appliances, certificate management software, and managed PKI services can help avoid implementation issues, as well as reduce breaches, outages, and fraud.
Prediction 4: Google’s Certificate Transparency and Certificate Pinning will help identify certificate misuse.
Why do we believe this? The industry needs new tools and technologies to help identify certificate misuse. Google's Certificate Transparency project is an open, public framework that makes it possible to build on or access its basic components to monitor and audit SSL certificates. Monitoring in nearly real time helps detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority. It also makes it possible to identify certificate authorities that have gone rogue and are maliciously issuing certificates.
When establishing an SSL connection, the SSL session checks that a server’s certificate for a valid chain of trust back to the root certificate and that the hostname matches what’s requested, the SSL session does not verify that the certificate is indeed the one that was originally installed on the server by the legitimate owner. Certificate pinning offers a solution to improve verification of a certificate’s legitimacy by pinning the server’s certificate (eliminates the need to validate the CA chain or trust) or pinning the CA certificate used to sign the server’s certificate (limits the trust to certificates signed by a limited set of CAs) to help minimize the chance of trusting a certificate from a compromised CA. Essentially establishing the option to either trust “this certificate only” or trust “only certificates signed by this certificate.”
What does this mean for businesses? CISOs must ensure that their organizations are staying current with initiatives from leading vendors. The main benefits of Google’s Certificate Transparency project offer improved industry conformance and oversight for both publically- and privately-rooted CAs. The tool has already proved its worth by discovering unauthorized certificates issued by Symantec that allow for the possibility of certificate holders to fraudulently pose as secure Google web pages. Organizations can use these kinds of tools to conduct research and create monitoring tools to help with industry adherence and oversight, as well as to protect critical assets – data, devices, applications, and people. As for certificate pinning, mobile application developers have started to embrace the method to help reduce the risk of third-party traffic intercepting connections.
Prediction 5: SHA-1 will be exploited to make a “fully-valid” fake certificate from a real one.
Why do we believe this? Research continues to offer proof of why the SHA-1 signing algorithm is weak and when it is likely to be cracked by a hash collision. Projections of the computational and financial costs and time needed to crack SHA-1 have significantly lowered over the years. While hashing different messages should result in unique hashes, actual collisions can lead to the same hash value being produced for different messages, which can be exploited to create fake certificates. Back in 2012, the estimate was that a SHA-1 collision could occur by 2015 at a cost of $700,000. Now, the same experts are estimating it could occur by 2018 at a cost of only $173,000. Another estimate believes that a freestart collision could be accomplished in a few months using computer power similar to Amazon’s EC2 cloud at a cost between $75,000 and $120,000, though this particular attack places restrictions on formatting that would be difficult to meet within an X.509 certificate.
What does this mean for businesses? Both large and small organizations are vulnerable today, and reacting after a breach can prove costly and quickly reach into the millions of dollars. Remediation can reach into the millions of dollars. $173,000 and/or a few months of computing power is well within the reach of cyber-criminals. With a lower cost and increasing advancements in computing power and cryptanalysis, it’s a matter “when,” not “if,” a SHA-1 collision will occur. But, it’s not enough to just match a hash, the real magic will be in creating an “exact replica” of a certificate. Once it’s been proven that a “fully-valid” fake certificate has been created from a real one and is living in the wild, the industry will accelerate the migration to SHA-2. CSS Research indicates the percentage of certificates signed with SHA-1 at over 51% of the total certificates published to the Internet. Shorter notes, “While we have yet to see a SHA-1 certificate collision attack in the wild, it’s clear that the SHA-1 algorithm is extremely vulnerable, and getting weaker all the time. Organizations should be done with, or in the midst of their migration to SHA-2. This risk to continued use of SHA-1 certificates is too great for any business to ignore.”
Prediction 6: PKI Managed Services will increase and be adopted as the best practice.
Why do we believe this? According to the Thales Ponemon 2015 PKI Global Trends Study, a majority of companies are saying they don’t know how – or don’t want – to manage all the complexities of PKI. Shorter states, “We’re seeing an increase in the number of PKI use cases that are being driven by compliance and security, although companies don’t know where to turn for PKI expertise."
What does this mean to businesses? PKI will move to be a core asset that requires both professional management and specialized services. PKI experts with the specific knowledge of technology, policies, and processes needed to establish and maintain high levels of trust are rare and many organizations don’t want to (or aren’t able to) staff such specific talent. Lack of experienced staff puts the PKI and its dependent applications, data, devices, and people at risk. Cloud-based Security as a Service options are becoming more popular as companies seek to balance their needs, internal expertise, and budgets – often choosing to offload the management of complex or non-core technologies to experts.
Have digital identity questions?
As you weigh the options for implementing and managing PKI, consider talking with CSS. Our CSS Research, professional services, and development teams feature experts in the field of digital identity. For over a decade, we’ve been trusted security advisors to more than half of the Fortune 500.