As PKI practitioners, we’ve been asked the question for years: “What’s the best way to get a digital certificate on _____?” What gets filled into the blank has expanded dramatically over time, however. Ten years ago, certificates landed primarily on what I’d describe as “traditional” IT infrastructure – servers, desktops, laptops, smart cards, RADIUS servers, or VPN concentrators. But since then, things have gotten much more interesting. Handheld scanners. Surgical robots. VoIP phones. Set-top boxes. Cable modems. Even heart monitors and IV pumps.
And more recently, the Bring Your Own Device (BYOD) trend has brought the need for certificate issuance to an increasingly diverse collection of mobile phones, tablets, and the mobile applications residing in isolated containers on those devices.
What’s driving all of this new use?
In short, it’s the devices themselves. For a variety of reasons, all sorts of new devices that we had never considered as “networkable” are being given network connectivity and TCP stacks. And the trend doesn’t just include corporate IT; it also includes networkable consumer devices, such as home security systems, garage door openers, sump pumps, and thermostats. A relative of mine is now able to send Tweets from their refrigerator. And these network-connected systems are getting smaller and more ubiquitous, as the so-called “Internet of Things” becomes a reality.
With all of this new connectivity comes a need for authentication: manufacturers want to assure themselves that when their devices “phone home” the device is legitimate, and not some sort of spoof. An assured, electronically-verifiable means of representing a device, model, or serial number is needed.
X.509 digital certificates have already gained a lot of traction for this purpose. And it makes sense: by design, certs represent identity in a cross-platform, cross-organizational way. And there are a multitude of implementations of cert-processing software libraries for developers to use – some are built into the OS platform, and others are available for free, such as OpenSSL or BouncyCastle.
What also makes digital certificates attractive is that these certificates don’t need to be publicly trusted, or purchased from “big box” cert vendors such as Symantec, GeoTrust, or DigiCert – they can be issued by an organization’s in-house PKI. And this is a very good thing, since the issued volume of these certificates could easily become enormous; numbering in the millions or even billions, depending on the situation. PKI software such as Microsoft’s Active Directory Certificate Services (AD CS) is a good building block for situations such as this, because most organizations already own plenty of Windows Server licenses, and because there’s no per-certificate cost, regardless of how many certificates are issued.
But PKI deployments of this type and magnitude do come with their share of challenges… including the following:
Achieving a Sufficient PKI Assurance Level: With PKI it’s all about assurance – which ultimately comes down to private key protection, and ensuring that only the entities that the certificates represent have access to the private keys. This includes not only the actual devices but, more importantly, the private keys of the CAs in the hierarchy as well. PKI texts are full of descriptions of mechanisms for controlling and documenting the policies and procedures needed to reach a desired assurance level, but suffice it to say, just “clicking next” on a default installation of the Microsoft CA isn’t going to cut it.
High-volume Issuance: If we’re talking about adding a certificate issuance step to a manufacturing process, great care must be taken to ensure that this effort does not adversely affect that process. Having to halt a production line because a CA went down, for example, would be a very bad thing.
Securing the Issuance Process: As mentioned above, private key protection is vitally important; to that end, on-device key generation – where the key is created on the device itself and can never be exported – is a common PKI best practice. But this can be difficult, given the potential limitations of the devices, as well as the requirements mentioned above around speed and volume. Couple this with an outsourced / offshore manufacturing facility, and the challenge becomes even greater.
Certificate Management: All PKIs require certificate management, but an “Internet of Things” (IoT) PKI poses unique challenges. For example, many situations dictate that the certificates can never be updated or replaced, either due to lack of accessibility, or because the certificate and key are stored in a permanent manner. This means that IoT certificates often have substantially longer lifespans than what would be recommended for conventional PKI. As such, revocation at a very high scale can become extremely important as well. It also puts even more emphasis on private key protection.
CSS is committed to solving these sorts of challenges for our customers, and has been for years. Our goal is to combine existing hardware and software with our own collection of software, services, and managed services, to provide high-value solutions without adding risk or undue operational burden.