Modernize Your PKI → Optimize Productivity → Reduce Risks    |Here’s how to replace Microsoft PKI with EJBCA

Encryption as Protection

Data breaches have become part of our daily news. We only have to mention Anthem, Sony, Staples, UPS, Kmart, Target, Neiman Marcus, eBay, Home Depot, Apple iCloud, J.P. Morgan Chase and most of us know that those company names are also associated with widely published cyber-attacks.

encryption_1_1

Recently, news broke about the Superfish an SSL man in the middle adware that can produce self-signed certificates.

Most of us know about how to check if a dollar bill is real or fake but do we know how to check when a website with its certificate is fake?

The ability to recognize a secure web connection is extremely important as online fraud cases have increased substantially from year to year.

One of the basic things any user can do is to check the padlock icon in the status bar of the browser and understand the certificate presented. When you look at certificates of the websites we tend to trust and use the most such as Google, Yahoo, PayPal etc., you can see the chain of trust of with a minimum of two or three authorities. It is important to check whom the certificate was issued by.

Certificates are issued from an authority and the question becomes would you trust the authority that issued the certificate?

One of the main functions of the root, the top authority, is to issue chain certificates to subordinate certificate authorities which establishes the first link in the chain of trust. Then there is a link of trust between the end entity certificate and the subordinate CA. In the case of an SSL certificate, the end entity certificate represents the linkage between a website owner and the website domain name. The SSL certificate is installed on the Web server along with the chain certificate. When a user browses to the website protected by the SSL certificate, the browser initiates the verification of the certificate and follows the chain of trust back to the embedded root.

It isn’t technically difficult to create an SSL certificate but the hard part is that you need it to be signed by something authorized which is one of the trusted set of root certificates.

Those belong to the various certificate authorities, and are protected by strong cryptographic authentication. So, the trick isn’t making the certificate, it is getting someone to trust it. This is why Root CA is the most important and vulnerable part of a Public Key Infrastructure (PKI) deployment. Not surprisingly CAs have become the focus of targeted attacks.

Since a fake certificate is not signed by trusted certificate authorities, none will be regarded as valid by mainstream web browser software; however, an increasing amount of online banking traffic now originates from apps and other non-browser software which may fail to adequately check the validity of SSL certificates. Therefore there is a need to protect any device accessing the network traffic and professional PKI deployment is the answer for that.

Cybercrime is essentially a way for hackers to show off their abilities, cracking the code even as the technology progresses and seemingly strengthens. Therefore, encryption of data is the primarily chosen protection method as adpoted by the US financial sector this year. Digital security has become such an issue that the United States is adopting chip cards and POS terminals that conform to the Europay, MasterCard, Visa standard.

As of October, 2015 a card issuer or merchant that does not support EMV assumes liability for fraud that results from compromised magnetic-stripe card transactions. Apparently, a major shift in thinking has already been established that the future will be in encryption. Why is a chip more secure then magnetic stripe?

First, the obvious way the chip is protecting you is eliminating cloning by for example, if you are paying for your meal at a restaurant and using your magnetic stripe card, you typically hand your card to the waiter after he brings the check. He then usually processes your transaction at the cash register, which means your card leaves your sight for several minutes, ample time to clone your card if anyone in the restaurant staff is a crook. With a chip card, a portable POS device is needed, or the customer goes to the cash register, the card being in his or her sight the whole time.

Secondly, chip cards are the standard in most parts of the world because they’re not only harder to clone as the data on chip cards is constantly changing, making it extremely hard to isolate and extract and counterfeit than their magnetic-stripe predecessors, but also because chip cards are different mainly in that they have sophisticated encryption built right into the chip. When you dip a chip card instead of swiping it talks back and forth with the payment terminal in a secret language to make sure it’s actually you who’s paying.

Apparently, encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on especially in payment transactions and also in protecting the rest of your stored and sent data.

So what kind of encryption do we want to choose? For any cipher, the most basic method of attack is brute force; trying each key until the right one is found. The length of the key determines the number of possible keys, and hence the feasibility of this type of attack. Encryption strength is directly tied to key size. Any realistic algorithm is considered “strong enough” if it will take longer to decrypt the material than the information is worth with the available resources at the time. For example, if the information includes my dinner plans for tomorrow, it’s likely that my encryption algorithm may only need to delay an attacker 24 hours, by which time, the event will be over.

Since we need to account for the affordability of computer capacity advances with time that may reduce the effort to successfully attack the algorithm method, the safe rule of thumb for most businesses is that you want any encryption that you use to remain strong 20 years from now.

Regardless, whether we need to comply with various federal and state laws in the US for example data privacy or whether we want to avoid great financial loss, recognizing the great need for appropriate encryption protection is paramount. Microsoft offers users built-in disk encryption on certain Windows editions and there are many other great products out there to solve your encryption needs.

If a company cares about the integrity of its data and systems, it must either deploy a PKI with an appropriate set of checks and balances or use a third party service it can trust. Failure to do so leaves an organization exposed and increasingly vulnerable.

The Root CA is the top of the certificate hierarchy. Since it contains the keys that will be used for the whole certificate infrastructure these keys need to be protected. If an attacker gained access to these keys the whole certificate infrastructure would be compromised.

Therefore it is paramount the Root CA is installed on a stand-alone server with no network card or the network card disabled. Certificates from the root CA must be transported using removal media. Since the Root CA is not connected to the network, this helps protect the root CA certificates from attack.

Additionally for the highest security, Root CA Keys can be protected by a Hardware Security Module (HSM) and stored in a safe after the Root Key Ceremony was completed and signed by all parties involved.

During PKI engagements with CSS, we choose the right encryption for your type of business. For example SHA is a popular hashing algorithm used by the majority of SSL certificates. As computing power has increased the feasibility of breaking the SHA1 hash, CSS uses and recommends to use only SHA 256 from now on. We choose hardware security modules that comply with Federal Information Processing Standard such as FIPS 140 Level 2 and Level 3.

Our PKI deployment solution is offered to businesses as a service that will allow them to be worry-free when it comes to encrypting and securing their data. In this service we include our unique product called Certificate Management System (CMS) which is the leading product for issuing and managing certificates across devices and services. CMS uses a feature Validated SCEP™ (VSCEP) service that received a patent for highly secure PKI certificate issuance and is using a column-level encryption within MS SQL database that plays an essential role in securing your data.