Crypto is a mess inside enterprises

Public Key Infrastructure, the system used to create, manage and store the mathematical keys and digital certificates used for encryption, is under stress in many companies and agencies, according to a new Ponemon survey.

Nearly three-quarters of enterprises don’t have clear ownership of the PKI function, meaning no one is in charge. And more than a third don’t have any procedures for revoking certificates — meaning they have no way of recovering from an attack that compromises their certificate authority.

Add to the mix that PKI systems built to provide encryption for one or two applications — perhaps the “padlock in the browser” on a public facing website and a virtual private network — are now supporting an average of eight different apps.

The picture is one of PKI systems bursting at the seams.

More than 1500 IT and IT security professionals from 11 countries were surveyed by the Ponemon Institute for their 2016 PKI Global Trends Study. 

“These PKI systems just were not designed to bear the loads they are now bearing,” explained John Grimm, senior director of security strategy at Thales e-Security, which sponsored the research.

“That’s the inflection point we’re hitting right now.”

He urged companies to plan ahead and try to “forecast the level of need a year or two ahead.”

“There are a broad range of levels of security and … assurance” available, based on “different amounts of rigor” in the system.

Businesses need to make sure “that the level of assurance they have matches the business risk” they’re exposed to, said Grimm.

Keys, certificates and the “chain of trust”

Encryption is a mathematical process that transforms data into strings of unidentifiable text. They can only be decoded with a special numeric key. In asymmetric or dual-key encryption, there are two keys — a public encoding key and a private decoding one. Data is encoded with the public key, and then can be decoded only with the matching private key.

If Alice wants to send Bob a message, she can encode it with Bob’s public key, but then it can only be decoded with his private key.

Anyone can have Bob’s public key — he wants everyone to have it, so they can send him encrypted messages. But if Bob’s private key is stolen, his privacy will be compromised.

The private keys are thus the crown jewels of any PKI encryption system.

For federal employees, their private keys are stored on smartcards. While the card is plugged into a device, the key can be used to decrypt their email and any other data coded with their public key. But the key itself never leaves the smartcard. Pull it out of the computer, or the special reader attached to the computer, and Bob’s email will become unintelligible gibberish again.

“The storage and management of private keys is important in any PKI system,” said Grimm, explaining that many companies kept their most important keys offline in special hardware security modules that can only be deployed when several executives plug their own smartcards in.

But in addition to ensuring the privacy of messages or data, encryption can also provide assurance about identity. Alice knows it’s really Bob’s public key she is using because the key is contained in a special digital certificate that binds Bob’s public key to his identity. In this example, Bob can be a server or a software program just as easily as he can be a person.

The digital certificate that proves Bob is Bob, and provides his public key so encrypted messages can be sent to him, is produced by a certificate authority.

Almost half of the companies in the Ponemon survey used an internal certificate authority, or CA — which issues its own digital certificates signed with its own cryptographic key.

Alice trusts Charlie, the CA, and therefore she can trust that Bob is Bob, because his certificate is signed with Charlie’s key. This is known as the chain of trust.

It means that the CA’s keys are really important. If Bob’s key is stolen, Alice can’t be sure it’s Bob anymore. But if Charlie’s key is stolen, Alice can’t be sure about the identity of anyone in the organization.

The CA has its own certificate, of course, and this is issued and signed by the so-called root key. Root keys are the kind of keys that might be stored in a special hardware module, said Grimm, because if they are stolen the whole chain of trust is compromised.

Cloud and IoT pressure building

The cloud revolution and the explosion of digital devices connected via the Internet of Things is adding to the load PKI systems must bear, pointed out Larry Ponemon, founder of the Ponemon Institute.

“This rapidly escalating burden of data sharing and device authentication is set to pile an unprecedented level of pressure onto existing PKIs,” he said.

“PKI has failed in the enterprise,” PKware CEO Miller Newton told CyberScoop.

When his company, which provides enterprise encryption services, starts working with a new client, he said, they will often find multiple keystores — online storage facilities for cryptographic keys — sometimes as many as 10.

“They’re not interconnected,” he said, adding, “It’s frequently the case that the IT staff [themselves] don’t know about every keystore the company is using.”

But “how you generate and manage the keys determines how successful you’ll be,” at protecting your data, Newton said.