Reconsidering PKI and its Place in Your Enterprise Encryption Strategy
150821_oml_v1p | Public | © Omlis Limited 2015
Contents
Introduction
Smartphone, IoT and Fragmented Platforms Bring Challenges and Inconsistencies to PKI
Inherent Security Flaws Associated with Interoperability
Cost and Complexity
Transitioning into the Future
References
Contributors
Introduction

Three years ago, Gartner made the claim that certificates can no longer be blindly trusted; a statement which seems more and more prophetic as the digital world relentlessly develops its capabilities at a pace which digital certificates are struggling to maintain.

In an era of SDNs (Software-defined Networks), cloud implementation and lightweight agile solutions, many modern deployments of the certificate-based security methodology known as PKI (Public Key Infrastructure) are beginning to look increasingly outmoded, representing a very manual and increasingly unmanageable approach.

PKI has undoubtedly formed an integral part of internet security, but the SSL (Secure Sockets Layer) / TLS (Transport Layer Security) based system is proving increasingly vulnerable under the weight of the latest digital ecosystem. Whilst PKI was at best acceptable for desktops and laptops operating over closed networks inside corporate firewalls, the mobile revolution has exposed existing cracks, making the commonly accepted methodology look cumbersome and, ultimately, insecure.

PKI still has a role to play in the less ‘mission critical’ aspects of internet security, and to start describing it as a legacy architecture is premature, but within an increasingly connected world, it clearly needs to narrow the scope of its usage. According to research from Ponemon’s paper entitled “2015 Cost of Failed Trust Report”, the average number of keys and certificates in use has grown at a rate of over 34% to 24,000 per enterprise [1]. For PKI to remain effective it must rein in these levels of expansion and learn to co-exist with powerful, secure and more versatile forms of encryption.

To provide context, it’s often stated that we’re at the third of the internet’s biggest evolutionary stages: we began with the era of mainframes and terminals, before moving to the second evolutionary platform which constituted the client / server model, thereby introducing us to internet / LAN (Local Area Network), or “Web 2.0” as it was often labeled in the media. This was the climate in which PKI began to thrive, lasting until around 2005 when the net began to take on new dimensions. We’re now fully submerged in “Platform 3.0”, which is defined as an era of mobile, cloud, big data, IoT (Internet of Things), M2M (Machine-to-Machine), and BYOD (Bring Your Own Device), which brings with it a unique set of security demands.
Smartphone, IoT and Fragmented Platforms Bring Challenges and Inconsistencies to PKI

If PKI reached its practical zenith under the narrow platform of laptops and desktops, the IoT and the smartphone could represent the beginning of its demise due to an abundance of devices and operating systems all having different security requirements and equally different capabilities. Connected cars and other pervasive devices, smart cities and especially the smartphone have meant PKI has struggled to maintain any consistent level of security.

Security applications and protocols such as SSL / TLS and the hashing functions associated with the SHA (Secure Hash Algorithm) family have become particularly complicated in the delivery of safe and secure mobile commerce. On the Android platform, TLS 1.1 is available from version 4.1 (Jelly Bean) and SHA-256 is only available from version 5.0 (Lollipop) onwards, which is currently deployed on less than 10% of Android devices.

At the same time, banks, service providers and software vendors are expected to deliver secure mobile applications to the broadest possible audience across as many Android operating system versions as possible. In the most extreme cases some mobile banking apps are still intended to run on Android version 2.3, which only supports SSL 3.0 and SHA-1.

Aging protocols represent a critical problem in both a commercial and a security sense, with Google announcing that they will start penalizing secure HTTP (Hypertext Transfer Protocol) sites where certificate chains are using SHA-1 with validity past January 2017 [2].
Inherent Security Flaws Associated with Interoperability

As a byproduct of PKI’s need to incorporate a range of algorithms and protocols via the server / client handshake, the system becomes susceptible to a number of exploits and attacks whereby security protocols are renegotiated depending on the client device. This is exemplified by the likes of POODLE and FREAK, where server and client “roll back” to less secure protocols. Then there are threats such as CA (Certificate Authority) compromise, impersonation, side-channel attacks and MitM (Man in the Middle).

As a security methodology, PKI’s hybrid cryptographic nature means that side-channel attacks are worthy of special mention. PKI combines asymmetric and symmetric cryptography, exchanging symmetric session keys over public networks following asymmetric authentication. Millions of these session keys are exchanged over public networks each year and this presents a huge attack vector for cybercriminals.

Earlier this year the Royal Bank of Scotland claimed that their busiest branch is the 7.01am commuter train between Paddington and Reading, emphasizing how the risk profile of the average customer has changed and also how many more opportunities may have arisen for hackers targeting the PKI methodology.

Even if the crypto algorithms themselves aren’t under attack, it’s logical that hackers will take the easiest path, which means they’ll seek to exploit a system through buffer overflows, SQL (Structured Query Language) injections, XSS (Cross-site Scripting), or by using packet sniffers which will seek to detect and use session keys which have been pilfered over open networks.
Cost and Complexity

Even if PKI users can iron out its most obvious algorithmic weaknesses, for example by migrating their applications to TLS 1.2 and SHA-2, the limiting factor all PKI schemes inevitably share is that they naturally incur a high degree of cost and complexity. This cost is represented not just in the initial capital expenditure, but also in the ongoing total cost of ownership.

PKI relies on a variety of moving parts, thus vastly reducing the service provider’s autonomy over their own security network. Certificate authorities become trusted third parties, providing the actual certificates and offering additional services such as hosted solutions; expensive third party administration is often needed due to the complexity and ongoing needs of the admin process.

At the heart of the system, mission critical PKI implementations rely on costly HSMs (Hardware Security Modules) to store and generate keys, which are derived through equally costly and elaborate key generation ceremonies, requiring intensively manual implementation and maintenance programs.

This is a particular pain point for companies, as evidenced in Thales’ “2015 Global Encryption and Key Management Trends Study”. 51% of respondents perceived key management to be the most important feature of an encryption technology solution, with 33% finding the ongoing management of these keys to be one of the biggest challenges in planning and executing an encryption strategy [3].

On top of this, PKI bears the burdensome cost of secure facilities, installation and configuration, complicated audits and a consistent level of staffing for continued maintenance, operation and monitoring. The blind use of PKI as a fix-all solution makes these costs an ongoing expense, leaving an obvious gap in the market for a rapidly deployable, low complexity, high security solution.

A company with a PKI infrastructure can attempt to reduce complexity by using self-signed certificates, but this in turn reduces levels of security and has a negative effect on the company’s security profile itself. If a web server detects a self-signed certificate, it’ll often display a security alert, which is obviously bad public relations.

Self-signed certificates once again demonstrate the mismatch of open networks and PKI. Hackers can attempt techniques such as ARP (Address Resolution Protocol) spoofing and DNS (Domain Name System) tampering to intercept traffic and redirect banking users to illegitimate sites or as the basis for DoS (Denial of Service) attacks. Alarmingly, a recent study by IOActive discovered that 40% of the global banking apps which they tested didn’t validate the authenticity of SSL certificates [4].
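Two client-side failures described in this paper, rollback to weaker protocols during negotiation and apps that do not validate SSL certificates, are both visible in how a TLS client is configured. The following audit of Python `ssl.SSLContext` settings is an added example, not part of the Omlis paper; the function names and the `TLS_FLOOR` constant (set to the TLS 1.2 migration target the paper mentions) are assumptions of this example.

```python
from __future__ import annotations

import ssl
from dataclasses import dataclass

# Assumption of this example: TLS 1.2 is the lowest version a client may accept.
TLS_FLOOR = ssl.TLSVersion.TLSv1_2


@dataclass(frozen=True)
class Finding:
    setting: str
    detail: str


def _floor_too_low(version: ssl.TLSVersion) -> bool:
    """True if the configured minimum version allows anything below TLS_FLOOR."""
    # MAXIMUM_SUPPORTED as a *minimum* pins the newest version, so it is fine.
    if version == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        return False
    # MINIMUM_SUPPORTED has the value -2, so it compares below every real version.
    return version < TLS_FLOOR


def audit_client_context(ctx: ssl.SSLContext) -> list[Finding]:
    """Report settings that disable certificate validation or permit rollback."""
    findings: list[Finding] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(Finding(
            "verify_mode",
            "server certificate chain is not verified; any certificate, "
            "including a self-signed one from an interceptor, is accepted"))
    if not ctx.check_hostname:
        findings.append(Finding(
            "check_hostname",
            "certificate is not matched against the host name, so a valid "
            "certificate for another site is accepted"))
    if _floor_too_low(ctx.minimum_version):
        findings.append(Finding(
            "minimum_version",
            f"handshake may be negotiated below {TLS_FLOOR.name}, "
            "which leaves room for protocol rollback"))
    return findings


def permissive_context() -> ssl.SSLContext:
    """Constructed weak configuration: no validation, no protocol floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Corrected configuration: chain and host name verified, TLS 1.2 floor."""
    ctx = ssl.create_default_context()    # CERT_REQUIRED and check_hostname on
    ctx.minimum_version = TLS_FLOOR
    return ctx


if __name__ == "__main__":
    for name, ctx in (("permissive", permissive_context()),
                      ("hardened", hardened_context())):
        results = audit_client_context(ctx)
        print(f"{name}: {len(results)} finding(s)")
        for f in results:
            print(f"  {f.setting}: {f.detail}")
```

Running the same audit in a build or release check lets a team catch a context that was loosened for testing before it ships in a mobile or server client.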
According to Ponemon, the total impact of an exploited enterprise mobility certificate is valued at $126m [5]. The prevalence of these attacks and the stratospheric costs associated with them have led NIST (National Institute of Standards and Technology) to publish actual industry guidelines entitled “Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance.”
Transitioning into the Future

PKI resembles heavyweight and complex machinery in a world where security solutions are becoming far more fluid.

Evolving threats and the perils of open networks mean that the next generation of internet usage demands modular and agile solutions which can be deployed from the cloud, are adaptable in nature and have a number of delivery methods such as EaaS (Encryption as a Service). As much as delivery models need to be adaptable to cross-platform usage, security needs to be consistent, using the most secure protocols and the most suitable key exchange methods.

As we move towards network developments such as 5G and concepts such as Li-Fi, the digital world demands a perfectly fluid, adaptable and low cost solution to everyday encryption, working instead of, or in tandem with, a PKI architecture.

As much as this forward thinking approach is essential, tying together an expanding network of both legacy and cutting-edge devices is also key to interoperability and inclusion. The ability to unite a disparate set of legacy components with consistent, cross-platform security protocols is imperative in building the most inclusive network.

The message is clear. Over the last few years PKI has been charged with the increasingly impossible task of absorbing a fragmented range of devices with a common set of encryption protocols. Rather than settling for patchwork variations of PKI and commissioning improper deployments across the IoT, we need to rethink how we implement security across a range of devices.
References
1. https://www.venafi.com/assets/pdf/wp/Ponemon_2015_Cost_of_Failed_Trust_Report.pdf
2. http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html
3. https://www.thales-esecurity.com/company/press/news/2015/april/2015-global-encryption-and-key-management-trends-study-release
4. http://blog.ioactive.com/2014/01/personal-banking-apps-leak-info-through.html
5. https://www.venafi.com/assets/pdf/wp/Ponemon_2015_Cost_of_Failed_Trust_Report.pdf
Contributors
The following individuals contributed to this report:
Stéphane Roule, Senior Technical Manager
Nirmal Misra, Senior Technical Manager
Paul Holland, Analyst
Jack Stuart, Assistant Analyst
Omlis
Third Floor
Tyne House
Newcastle upon Tyne
United Kingdom
NE1 3JD
+44 (0) 845 838 1308
info@omlis.com
www.omlis.com
© Omlis Limited 2015

More Related Content

What's hot

SURVEY OF TRUST BASED BLUETOOTH AUTHENTICATION FOR MOBILE DEVICE
SURVEY OF TRUST BASED BLUETOOTH AUTHENTICATION FOR MOBILE DEVICESURVEY OF TRUST BASED BLUETOOTH AUTHENTICATION FOR MOBILE DEVICE
SURVEY OF TRUST BASED BLUETOOTH AUTHENTICATION FOR MOBILE DEVICE
Editor IJMTER
 
Efficient Data Security for Mobile Instant Messenger
Efficient Data Security for Mobile Instant MessengerEfficient Data Security for Mobile Instant Messenger
Efficient Data Security for Mobile Instant Messenger
TELKOMNIKA JOURNAL
 
DEVELOPMENT OF SECURE CLOUD TRANSMISSION PROTOCOL (SCTP) ENGINEERING PHASES :...
DEVELOPMENT OF SECURE CLOUD TRANSMISSION PROTOCOL (SCTP) ENGINEERING PHASES :...DEVELOPMENT OF SECURE CLOUD TRANSMISSION PROTOCOL (SCTP) ENGINEERING PHASES :...
DEVELOPMENT OF SECURE CLOUD TRANSMISSION PROTOCOL (SCTP) ENGINEERING PHASES :...
ijcisjournal
 
PKI_in_Depth__TATT__Niza_Ben_Neji__TMGC
PKI_in_Depth__TATT__Niza_Ben_Neji__TMGCPKI_in_Depth__TATT__Niza_Ben_Neji__TMGC
PKI_in_Depth__TATT__Niza_Ben_Neji__TMGC
Nizar Ben Neji
 
CTO-CybersecurityForum-2010-RonWilliams
CTO-CybersecurityForum-2010-RonWilliamsCTO-CybersecurityForum-2010-RonWilliams
CTO-CybersecurityForum-2010-RonWilliams
segughana
 
Enabling privacy and_traceability_in_supply_chains_using_blockchain_and_zero_...
Enabling privacy and_traceability_in_supply_chains_using_blockchain_and_zero_...Enabling privacy and_traceability_in_supply_chains_using_blockchain_and_zero_...
Enabling privacy and_traceability_in_supply_chains_using_blockchain_and_zero_...
Cláudia Alves
 
Construction Project Collaboration 030210
Construction Project Collaboration 030210Construction Project Collaboration 030210
Construction Project Collaboration 030210
Alasdair Kilgour
 
Keyloggers A Malicious Attack
Keyloggers A Malicious AttackKeyloggers A Malicious Attack
Keyloggers A Malicious Attack
ijtsrd
 
Layer8 exploitation: Lock'n Load Target
Layer8 exploitation: Lock'n Load TargetLayer8 exploitation: Lock'n Load Target
Layer8 exploitation: Lock'n Load Target
Prathan Phongthiproek
 

What's hot (20)

SURVEY OF TRUST BASED BLUETOOTH AUTHENTICATION FOR MOBILE DEVICE
SURVEY OF TRUST BASED BLUETOOTH AUTHENTICATION FOR MOBILE DEVICESURVEY OF TRUST BASED BLUETOOTH AUTHENTICATION FOR MOBILE DEVICE
SURVEY OF TRUST BASED BLUETOOTH AUTHENTICATION FOR MOBILE DEVICE
 
Inside TorrentLocker (Cryptolocker) Malware C&C Server
Inside TorrentLocker (Cryptolocker) Malware C&C Server Inside TorrentLocker (Cryptolocker) Malware C&C Server
Inside TorrentLocker (Cryptolocker) Malware C&C Server
 
Efficient Data Security for Mobile Instant Messenger
Efficient Data Security for Mobile Instant MessengerEfficient Data Security for Mobile Instant Messenger
Efficient Data Security for Mobile Instant Messenger
 
DEVELOPMENT OF SECURE CLOUD TRANSMISSION PROTOCOL (SCTP) ENGINEERING PHASES :...
DEVELOPMENT OF SECURE CLOUD TRANSMISSION PROTOCOL (SCTP) ENGINEERING PHASES :...DEVELOPMENT OF SECURE CLOUD TRANSMISSION PROTOCOL (SCTP) ENGINEERING PHASES :...
DEVELOPMENT OF SECURE CLOUD TRANSMISSION PROTOCOL (SCTP) ENGINEERING PHASES :...
 
Efficient Data Security for Mobile Instant Messenger
Efficient Data Security for Mobile Instant MessengerEfficient Data Security for Mobile Instant Messenger
Efficient Data Security for Mobile Instant Messenger
 
Emerging Threats to Digital Payments - Is Your Business Ready
Emerging Threats to Digital Payments - Is Your Business ReadyEmerging Threats to Digital Payments - Is Your Business Ready
Emerging Threats to Digital Payments - Is Your Business Ready
 
Blockchain in telecom industry
Blockchain in telecom industryBlockchain in telecom industry
Blockchain in telecom industry
 
PKI_in_Depth__TATT__Niza_Ben_Neji__TMGC
PKI_in_Depth__TATT__Niza_Ben_Neji__TMGCPKI_in_Depth__TATT__Niza_Ben_Neji__TMGC
PKI_in_Depth__TATT__Niza_Ben_Neji__TMGC
 
CTO-CybersecurityForum-2010-RonWilliams
CTO-CybersecurityForum-2010-RonWilliamsCTO-CybersecurityForum-2010-RonWilliams
CTO-CybersecurityForum-2010-RonWilliams
 
Enabling privacy and_traceability_in_supply_chains_using_blockchain_and_zero_...
Enabling privacy and_traceability_in_supply_chains_using_blockchain_and_zero_...Enabling privacy and_traceability_in_supply_chains_using_blockchain_and_zero_...
Enabling privacy and_traceability_in_supply_chains_using_blockchain_and_zero_...
 
TGC12 e book
TGC12 e bookTGC12 e book
TGC12 e book
 
Data Protection & Privacy During the Coronavirus Pandemic
Data Protection & Privacy During the Coronavirus PandemicData Protection & Privacy During the Coronavirus Pandemic
Data Protection & Privacy During the Coronavirus Pandemic
 
INSECURE Magazine - 35
INSECURE Magazine - 35INSECURE Magazine - 35
INSECURE Magazine - 35
 
Construction Project Collaboration 030210
Construction Project Collaboration 030210Construction Project Collaboration 030210
Construction Project Collaboration 030210
 
Keyloggers A Malicious Attack
Keyloggers A Malicious AttackKeyloggers A Malicious Attack
Keyloggers A Malicious Attack
 
IRJET- Graphical Secret Code in Internet Banking for Improved Security Transa...
IRJET- Graphical Secret Code in Internet Banking for Improved Security Transa...IRJET- Graphical Secret Code in Internet Banking for Improved Security Transa...
IRJET- Graphical Secret Code in Internet Banking for Improved Security Transa...
 
IRJET- Blockchain Technology in Cloud Computing : A Systematic Review
IRJET-  	  Blockchain Technology in Cloud Computing : A Systematic ReviewIRJET-  	  Blockchain Technology in Cloud Computing : A Systematic Review
IRJET- Blockchain Technology in Cloud Computing : A Systematic Review
 
IRJET- An Approach to Authenticating Devise in IoT using Blockchain
IRJET-  	  An Approach to Authenticating Devise in IoT using BlockchainIRJET-  	  An Approach to Authenticating Devise in IoT using Blockchain
IRJET- An Approach to Authenticating Devise in IoT using Blockchain
 
2015 - 2016 IEEE Project Titles and abstracts in Java
2015 - 2016 IEEE Project Titles and abstracts in Java2015 - 2016 IEEE Project Titles and abstracts in Java
2015 - 2016 IEEE Project Titles and abstracts in Java
 
Layer8 exploitation: Lock'n Load Target
Layer8 exploitation: Lock'n Load TargetLayer8 exploitation: Lock'n Load Target
Layer8 exploitation: Lock'n Load Target
 

Viewers also liked

Функционал и ежедневная отчетность отдела продаж. влияние и роль собственника...
Функционал и ежедневная отчетность отдела продаж. влияние и роль собственника...Функционал и ежедневная отчетность отдела продаж. влияние и роль собственника...
Функционал и ежедневная отчетность отдела продаж. влияние и роль собственника...
Тетервак Дмитрий
 
Fire Prevention Planning Training by EHSS Virginia Tech
Fire Prevention Planning Training by EHSS Virginia TechFire Prevention Planning Training by EHSS Virginia Tech
Fire Prevention Planning Training by EHSS Virginia Tech
Atlantic Training, LLC.
 

Viewers also liked (20)

Формирование лояльных клиентов, Павел Соболев, руководитель отдела продаж UIS
Формирование лояльных клиентов, Павел Соболев, руководитель отдела продаж UISФормирование лояльных клиентов, Павел Соболев, руководитель отдела продаж UIS
Формирование лояльных клиентов, Павел Соболев, руководитель отдела продаж UIS
 
11 iz s
11 iz s11 iz s
11 iz s
 
Vanderbilt University Medical Center: My Southern Health: A "content-first" a...
Vanderbilt University Medical Center: My Southern Health: A "content-first" a...Vanderbilt University Medical Center: My Southern Health: A "content-first" a...
Vanderbilt University Medical Center: My Southern Health: A "content-first" a...
 
Mihailov 11klass1
Mihailov 11klass1Mihailov 11klass1
Mihailov 11klass1
 
Methodist Le Bonheur Healthcare: Storytelling: Using strong storytelling to i...
Methodist Le Bonheur Healthcare: Storytelling: Using strong storytelling to i...Methodist Le Bonheur Healthcare: Storytelling: Using strong storytelling to i...
Methodist Le Bonheur Healthcare: Storytelling: Using strong storytelling to i...
 
Андрей Бадин. Проектные сервисы. Ускоренный метод внедрения проектного управл...
Андрей Бадин. Проектные сервисы. Ускоренный метод внедрения проектного управл...Андрей Бадин. Проектные сервисы. Ускоренный метод внедрения проектного управл...
Андрей Бадин. Проектные сервисы. Ускоренный метод внедрения проектного управл...
 
Функционал и ежедневная отчетность отдела продаж. влияние и роль собственника...
Функционал и ежедневная отчетность отдела продаж. влияние и роль собственника...Функционал и ежедневная отчетность отдела продаж. влияние и роль собственника...
Функционал и ежедневная отчетность отдела продаж. влияние и роль собственника...
 
11 ayst b
11 ayst b11 ayst b
11 ayst b
 
Etihad Airway’s Product Offerings, Key Success Factors, Critical Issues, Miss...
Etihad Airway’s Product Offerings, Key Success Factors, Critical Issues, Miss...Etihad Airway’s Product Offerings, Key Success Factors, Critical Issues, Miss...
Etihad Airway’s Product Offerings, Key Success Factors, Critical Issues, Miss...
 
Artsofte for b2 b
Artsofte for b2 b Artsofte for b2 b
Artsofte for b2 b
 
8 mkh s
8 mkh s8 mkh s
8 mkh s
 
10 l kur
10 l kur10 l kur
10 l kur
 
10 l2 k
10 l2 k10 l2 k
10 l2 k
 
6 mtt b
6 mtt b6 mtt b
6 mtt b
 
Red Lobster: Mapping the journey to Crabfest, presented by Carl Allen
Red Lobster: Mapping the journey to Crabfest, presented by Carl AllenRed Lobster: Mapping the journey to Crabfest, presented by Carl Allen
Red Lobster: Mapping the journey to Crabfest, presented by Carl Allen
 
9 lh2 k
9 lh2 k9 lh2 k
9 lh2 k
 
Fire Safety Training by
Fire Safety Training byFire Safety Training by
Fire Safety Training by
 
Emergency Action Plans Training by NMED
Emergency Action Plans Training by NMEDEmergency Action Plans Training by NMED
Emergency Action Plans Training by NMED
 
Fire Prevention Planning Training by EHSS Virginia Tech
Fire Prevention Planning Training by EHSS Virginia TechFire Prevention Planning Training by EHSS Virginia Tech
Fire Prevention Planning Training by EHSS Virginia Tech
 
Creative, Digital and Design Business Briefing - June 2016
Creative, Digital and Design Business Briefing - June 2016Creative, Digital and Design Business Briefing - June 2016
Creative, Digital and Design Business Briefing - June 2016
 

Similar to Reconsidering Public Key Infrastructure and its Place in Your Enterprise Strategy

Reinventing Cybersecurity in the Internet of Things
Reinventing Cybersecurity in the Internet of ThingsReinventing Cybersecurity in the Internet of Things
Reinventing Cybersecurity in the Internet of Things
Nirmal Misra
 
151022_oml_reinventing_cybersecurity_IoT_v1p
151022_oml_reinventing_cybersecurity_IoT_v1p151022_oml_reinventing_cybersecurity_IoT_v1p
151022_oml_reinventing_cybersecurity_IoT_v1p
Stéphane Roule
 
Securing Digital_Adams
Securing Digital_AdamsSecuring Digital_Adams
Securing Digital_Adams
Julius Adams
 
Security issues in cloud
Security issues in cloudSecurity issues in cloud
Security issues in cloud
Wipro
 

Similar to Reconsidering Public Key Infrastructure and its Place in Your Enterprise Strategy (20)

150819_oml_pki_v1p
150819_oml_pki_v1p150819_oml_pki_v1p
150819_oml_pki_v1p
 
Reinventing Cybersecurity in the Internet of Things
Reinventing Cybersecurity in the Internet of ThingsReinventing Cybersecurity in the Internet of Things
Reinventing Cybersecurity in the Internet of Things
 
151022_oml_reinventing_cybersecurity_IoT_v1p
151022_oml_reinventing_cybersecurity_IoT_v1p151022_oml_reinventing_cybersecurity_IoT_v1p
151022_oml_reinventing_cybersecurity_IoT_v1p
 
"Is your browser secure? Breaking cryptography in PKI based systems, opening ...
"Is your browser secure? Breaking cryptography in PKI based systems, opening ..."Is your browser secure? Breaking cryptography in PKI based systems, opening ...
"Is your browser secure? Breaking cryptography in PKI based systems, opening ...
 
Securing Tomorrow Unveiling the Future of Digital Trust with PKI - DrySign
Securing Tomorrow Unveiling the Future of Digital Trust with PKI -  DrySignSecuring Tomorrow Unveiling the Future of Digital Trust with PKI -  DrySign
Securing Tomorrow Unveiling the Future of Digital Trust with PKI - DrySign
 
Communications Technologies
Communications TechnologiesCommunications Technologies
Communications Technologies
 
BIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTING
BIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTINGBIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTING
BIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTING
 
BIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTING
BIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTINGBIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTING
BIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTING
 
Digital certificate management v1 (Draft)
Digital certificate management v1 (Draft)Digital certificate management v1 (Draft)
Digital certificate management v1 (Draft)
 
Improve network safety through better visibility – Netmagic
Improve network safety through better visibility – NetmagicImprove network safety through better visibility – Netmagic
Improve network safety through better visibility – Netmagic
 
Secure ip payment networks what's available other than ssl - final
Secure ip payment networks   what's available other than ssl - finalSecure ip payment networks   what's available other than ssl - final
Secure ip payment networks what's available other than ssl - final
 
Blockchain Defined Perimeter (BDP) - Maximum cybersecurity for critical syste...
Blockchain Defined Perimeter (BDP) - Maximum cybersecurity for critical syste...Blockchain Defined Perimeter (BDP) - Maximum cybersecurity for critical syste...
Blockchain Defined Perimeter (BDP) - Maximum cybersecurity for critical syste...
 
Securing Digital_Adams
Securing Digital_AdamsSecuring Digital_Adams
Securing Digital_Adams
 
Debunking the Myths of SSL VPN Security
Debunking the Myths of SSL VPN SecurityDebunking the Myths of SSL VPN Security
Debunking the Myths of SSL VPN Security
 
An Identity-Based Mutual Authentication with Key Agreement
An Identity-Based Mutual Authentication with Key AgreementAn Identity-Based Mutual Authentication with Key Agreement
An Identity-Based Mutual Authentication with Key Agreement
 
TURNING THE DISRUPTIVE POWER OF BLOCKCHAIN IN THE INSURANCE MARKET INTO INNOV...
TURNING THE DISRUPTIVE POWER OF BLOCKCHAIN IN THE INSURANCE MARKET INTO INNOV...TURNING THE DISRUPTIVE POWER OF BLOCKCHAIN IN THE INSURANCE MARKET INTO INNOV...
TURNING THE DISRUPTIVE POWER OF BLOCKCHAIN IN THE INSURANCE MARKET INTO INNOV...
 
Evolving regulations are changing the way we think about tools and technology
Evolving regulations are changing the way we think about tools and technologyEvolving regulations are changing the way we think about tools and technology
Evolving regulations are changing the way we think about tools and technology
 
VET4SBO Level 2 module 6 - unit 4 - v0.9 en
VET4SBO Level 2   module 6 - unit 4  - v0.9 enVET4SBO Level 2   module 6 - unit 4  - v0.9 en
VET4SBO Level 2 module 6 - unit 4 - v0.9 en
 
Security issues in cloud
Security issues in cloudSecurity issues in cloud
Security issues in cloud
 
Cybersecurity Slides
Cybersecurity  SlidesCybersecurity  Slides
Cybersecurity Slides
 

Recently uploaded

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Peter Udo Diehl
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 

Recently uploaded (20)

Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG Evaluation
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through Observability
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade

Reconsidering Public Key Infrastructure and its Place in Your Enterprise Strategy

  • 1. Reconsidering PKI and its Place in Your Enterprise Encryption Strategy 150821_oml_v1p | Public | © Omlis Limited 2015
  • 2. Contents: Introduction; Smartphone, IoT and Fragmented Platforms Bring Challenges and Inconsistencies to PKI; Inherent Security Flaws Associated with Interoperability; Cost and Complexity; Transitioning into the Future; References; Contributors
  • 3. Introduction

Three years ago, Gartner made the claim that certificates can no longer be blindly trusted; a statement which seems more and more prophetic as the digital world relentlessly develops its capabilities at a pace which digital certificates are struggling to maintain.

In an era of SDNs (Software-defined Networks), cloud implementation and lightweight agile solutions, many modern deployments of the certificate-based security methodology known as PKI (Public Key Infrastructure) are beginning to look increasingly outmoded, representing a very manual and increasingly unmanageable approach.

PKI has undoubtedly formed an integral part of internet security, but the SSL (Secure Sockets Layer) / TLS (Transport Layer Security) based system is proving increasingly vulnerable under the weight of the latest digital ecosystem. Whilst PKI was at best acceptable for desktops and laptops operating over closed networks inside corporate firewalls, the mobile revolution has exposed existing cracks, making the commonly accepted methodology look cumbersome and, ultimately, unsecure.

PKI still has a role to play in the less ‘mission critical’ aspects of internet security, and to start describing it as a legacy architecture is premature, but within an increasingly connected world, it clearly needs to narrow the scope of its usage. According to research from Ponemon’s paper entitled “2015 Cost of Failed Trust Report”, the average number of keys and certificates in use has grown at a rate of over 34% to 24,000 per enterprise [1]. For PKI to remain effective it must rein in these levels of expansion and learn to co-exist with powerful, secure and more versatile forms of encryption.

To provide context, it’s often stated that we’re at the third of the internet’s biggest evolutionary stages: we began with the era of mainframes and terminals, before moving to the second evolutionary platform which constituted the client / server model thereby introducing us to internet / LAN (Local Area Network), or “Web 2.0” as it was often labeled in the media. This was the climate in which PKI began to thrive, lasting until around 2005 when the net began to take on new dimensions. We’re now fully submerged in “Platform 3.0”, which is defined as an era of mobile, cloud, big data, IoT (Internet of Things), M2M (Machine-to-Machine), and BYOD (Bring Your Own Device) which brings with it a unique set of security demands.
  • 4. Smartphone, IoT and Fragmented Platforms Bring Challenges and Inconsistencies to PKI

If PKI reached its practical zenith under the narrow platform of laptops and desktops, the IoT and the smartphone could represent the beginning of its demise due to an abundance of devices and operating systems all having different security requirements and equally different capabilities. Connected cars and other pervasive devices, smart cities and especially the smartphone have meant PKI has struggled to maintain any consistent level of security.

Security applications and protocols such as SSL / TLS and the hashing functions associated with the SHA (Secure Hash Algorithm) family have become particularly complicated in the delivery of safe and secure mobile commerce. On the Android platform, TLS 1.1 is available from version 4.1 (Jelly Bean) and SHA-256 is only available from version 5.0 (Lollipop) onwards, which is currently deployed on less than 10% of Android devices. At the same time, banks, service providers and software vendors are expected to deliver secure mobile applications to the broadest possible audience on as many Android operating system versions as possible. In the most extreme cases some mobile banking apps are still intended to run on Android version 2.3, which only supports SSL 3.0 and SHA-1.

Aging protocols represent a critical problem in both a commercial and a security sense, with Google announcing that they will start penalizing secure HTTP (Hypertext Transfer Protocol) sites where certificate chains are using SHA-1 with validity past January 2017 [2].

Inherent Security Flaws Associated with Interoperability

As a byproduct of PKI’s need to incorporate a range of algorithms and protocols via the server / client handshake, the system becomes susceptible to a number of exploits and attacks whereby security protocols are renegotiated depending on the client device.
This is exemplified by the likes of POODLE and FREAK, where server and client “roll back” to less secure protocols. Then there are threats such as CA (Certificate Authority) compromise, impersonation, side-channel attacks and MitM (Man in the Middle).

As a security methodology, PKI’s hybrid cryptographic nature means that side-channel attacks are worthy of special mention. PKI combines asymmetric and symmetric cryptography, exchanging symmetric session keys over public networks following asymmetric authentication. Millions of these session keys are exchanged over public networks each year and this poses a huge attack vector for cybercriminals.

Earlier this year the Royal Bank of Scotland claimed that their busiest branch is the 7.01am commuter train between Paddington and Reading, emphasizing how the risk profile of the average customer has changed and also how many more opportunities may have arisen for hackers targeting the PKI methodology. Even if the crypto algorithms themselves aren’t under attack, it’s logical that hackers will take the easiest path, which means they’ll seek to exploit a system through buffer overflows, SQL (Structured Query Language) injections, XSS (Cross-site Scripting), or by using packet sniffers which will seek to detect and use session keys which have been pilfered over open networks.
  • 5. Cost and Complexity

Even if PKI users can iron out its most obvious algorithmic weaknesses, such as by migrating their applications to TLS 1.2 and SHA-2, the limiting factor all PKI schemes inevitably share is that they naturally incur a high degree of cost and complexity. This cost is represented not just in the initial capital expenditure, but also in the ongoing total cost of ownership.

PKI relies on a variety of moving parts, thus vastly reducing the service provider’s autonomy over their own security network. Certificate authorities become trusted third parties, providing the actual certificates and offering additional services such as hosted solutions; expensive third party administration is often needed due to the complexity and ongoing needs of the admin process.

At the heart of the system, mission critical PKI implementations rely on costly HSMs (Hardware Security Modules) to store and generate keys, which are derived through equally costly and elaborate key generation ceremonies, requiring intensively manual implementation and maintenance programs. This is a particular pain point for companies, as evidenced in Thales’ “2015 Global Encryption and Key Management Trends Study”. 51% of respondents perceived key management to be the most important feature of an encryption technology solution, with 33% finding the ongoing management of these keys to be one of the biggest challenges in planning and executing an encryption strategy [3].

On top of this, PKI bears the burdensome cost of secure facilities, installation and configuration, complicated audits and a consistent level of staffing for continued maintenance, operation and monitoring. The blind use of PKI as a fix-all solution makes these costs an ongoing expense, leaving an obvious gap in the market for a rapidly deployable, low complexity, high security solution.

A company with a PKI infrastructure can attempt to reduce complexity by using self-signed certificates but this in turn reduces levels of security and has a negative effect on the company’s security profile itself. If a web server detects a self-signed certificate, it’ll often display a security alert which is obviously bad public relations.

Self-signed certificates once again demonstrate the mismatch of open networks and PKI. Hackers can attempt techniques such as ARP (Address Resolution Protocol) spoofing and DNS (Domain Name System) tampering to intercept traffic and redirect banking users to illegitimate sites or as the basis for DoS (Denial of Service) attacks. Alarmingly, a recent study by IOActive discovered that 40% of the global banking apps which they tested didn’t validate the authenticity of SSL certificates [4].

According to Ponemon, the total impact of an exploited enterprise mobility certificate is valued at $126m [5]. The prevalence of these attacks and the stratospheric costs associated with them have led NIST (National Institute of Standards and Technology) to publish actual industry guidelines entitled “Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance.”
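
As an added illustration (not part of the Omlis paper), the two client-side weaknesses described above, accepting a rolled-back protocol version and skipping certificate validation, can be checked with Python's standard ssl module. The function names are hypothetical and the "legacy" context is constructed for the example.

```python
import ssl


def legacy_client_context():
    """Constructed 'before' case: the client settings the paper warns about."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be cleared first; ssl refuses CERT_NONE otherwise.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # server certificate is never validated
    # Accept any protocol version the local TLS library still offers.
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context():
    """Corrected case: validated chain, matched hostname, TLS 1.2 floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx):
    """Return the weaknesses found in a client-side SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("handshake may be negotiated below TLS 1.2")
    return findings


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_client_context(ctx) or "no findings")
```

A context that fails the first two checks will complete a handshake with any certificate presented to it, including a self-signed one offered by an intercepting host.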
  • 6. Transitioning into the Future

PKI resembles heavyweight, complex machinery in a world where security solutions are becoming far more fluid. Evolving threats and the perils of open networks mean that the next generation of internet usage demands modular and agile solutions which can be deployed from the cloud, are adaptable in nature and have a number of delivery methods such as EaaS (Encryption as a Service). As much as delivery models need to be adaptable to cross-platform usage, security needs to be consistent, using the most secure protocols and the most suitable key exchange methods.

As we move towards network developments such as 5G and concepts such as Li-Fi, the digital world demands a perfectly fluid, adaptable and low cost solution to everyday encryption, working instead of, or in tandem with, a PKI architecture. As much as this forward thinking approach is essential, tying together an expanding network of both legacy and cutting-edge devices is also key to interoperability and inclusion. The ability to unite a disparate set of legacy components with consistent, cross-platform security protocols is imperative in building the most inclusive network.

The message is clear. Over the last few years PKI has been charged with the increasingly impossible task of absorbing a fragmented range of devices with a common set of encryption protocols. Rather than settling for patchwork variations of PKI and commissioning improper deployments across the IoT, we need to rethink how we implement security across a range of devices.
  • 7. References

1. https://www.venafi.com/assets/pdf/wp/Ponemon_2015_Cost_of_Failed_Trust_Report.pdf
2. http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html
3. https://www.thales-esecurity.com/company/press/news/2015/april/2015-global-encryption-and-key-management-trends-study-release
4. http://blog.ioactive.com/2014/01/personal-banking-apps-leak-info-through.html
5. https://www.venafi.com/assets/pdf/wp/Ponemon_2015_Cost_of_Failed_Trust_Report.pdf

Contributors

The following individuals contributed to this report:
Stéphane Roule, Senior Technical Manager
Nirmal Misra, Senior Technical Manager
Paul Holland, Analyst
Jack Stuart, Assistant Analyst
  • 8. Omlis Third Floor Tyne House Newcastle upon Tyne United Kingdom NE1 3JD +44 (0) 845 838 1308 info@omlis.com www.omlis.com © Omlis Limited 2015