
EBOOK

Crypto-Agile PKI for the Future


  eBook | Crypto-Agile PKI for the Future 2

Table of Contents

THE NEED FOR CRYPTO-AGILITY: How to Know When Your Cyber Security Is Past Its Expiration Date ..... 3
STAYING AHEAD OF THE CURVE ..... 3
ENSURING BUSINESS CONTINUITY ..... 5
EXECUTING WITH CRYPTO-AGILITY ..... 6
KNOWING WHAT YOU HAVE BEFORE IT’S GONE ..... 6
EVERY CERTIFICATE MATTERS ..... 7
ANY AGENT BENEFITS ..... 8
CODE SIGNING CERTIFICATES ..... 8
SECURE CERTIFICATE MANAGEMENT AT SCALE ..... 9
PREPARING CRYPTOGRAPHY FOR A POST-QUANTUM ERA ..... 10
ABOUT KEYFACTOR™ ..... 11

©2018 Keyfactor  |  All Rights Reserved  |  keyfactor.com



The Need for Crypto-Agility: How to Know When Your Cyber Security Is Past Its Expiration Date

In an evolving cyber security landscape, defenses must continually evolve. Static systems are not only inherently insecure, they actually become less secure with every passing day. This principle applies to cryptography as much as to other types of cyber-defenses. And with the advent of quantum computing, most analysts agree that common cryptographic algorithms will eventually become ineffective.

For nearly all hardware and software used in traditional IT environments and burgeoning Internet of Things ecosystems, the scale of potential threat is immense. It’s very likely that many IoT devices’ lifespans will extend well beyond the effectiveness of their cryptographic keys.

One strategy to counter these threats is to make it difficult for cyber criminals to crack cryptography through whatever computing resources are accessible. However, the predictable evolution of computing power will ultimately erode the defenses of cryptography.

To be even more proactive, organizations must become agile in their readiness to respond to high-level crypto risk. The ability to act before threats become serious becomes an innate part of the lifecycle, resulting in a condition where crypto-agility is fundamental.

Staying Ahead of the Curve


If you’re contemplating swapping out encryption keys, upgrading crypto libraries, or re-issuing digital identities, it’s likely you are responding to a critical security threat. You’d be right to respond swiftly, for the ramifications of not responding can be grave. The consequences of not reacting to the evolving threat landscape through crypto-agility are equally severe.

COMPROMISE OR BREACH OF ROOT

When a Root of Trust (RoT) is breached, all trust is lost. In the case of a certificate authority issuing certificates, a breach renders the chain of trust and all public and private keypairs moot, or even dangerous, as they can be issued and used maliciously. The immediate replacement of that RoT is required, along with the updating of all certificates and keys used by devices.

ALGORITHM DEPRECATION

Similar to a compromised RoT, a complete replacement is required. Any keys using the affected algorithm are insecure. Rogue actors can break their encryption easily, rendering communication insecure while making data readily accessible.


CRYPTO LIBRARY BUG

Discovery of a bug in crypto libraries may result in the need to generate new keys and reissue certificates according to the technology used in patching or replacing it.

QUANTUM COMPUTING

According to Gartner analysts Mark Horvath and David Anthony Mahdi, most public-key algorithms in use today will be susceptible to attack by quantum computing processors within the next five to eight years.

This looming expiration date for trusted cryptography algorithms will require the immediate removal of certificates, keys and trust stores, along with the swift installation of replacements from a quantum-resistant cryptography root. In their 2016 Post-Quantum Cryptography report, The National Institute of Standards and Technology (NIST) described in no uncertain terms the projected effects of inaction:

“This would severely compromise the confidentiality and integrity of digital communications on the Internet and elsewhere.”
NISTIR 8105 – REPORT ON POST-QUANTUM CRYPTOGRAPHY, PUBLISHED: APRIL 2016

CERTIFICATE EXPIRATION

When certificates are used past their shelf life, they can fail at authentication or establishing secure communication tunnels. Certificate expiry on its own is not necessarily a security response incident like the scenarios mentioned above. However, the method used to avoid such interruption of service is such a case. It is common to see organizations extend the validity period of a certificate to 25, 50, or even 99 years to avoid any chance of it expiring while in service and requiring replacement. Certificate expiration is an important mechanism to ensure certificates are regularly re-issued. It offers a check and balance system, in the form of workflow and approvals, to verify current legitimacy and authorization. Experts recommend applying validity periods of two to three years for this reason.


Ensuring Business Continuity


Maintaining crypto-agility is also vital for operations to ensure that the business is not adversely affected or interrupted completely, as a result of cryptography-based disruptions. Here are three scenarios requiring special consideration:

CHANGE OF DEVICE OWNERSHIP

Devices that you own today may be sold or transferred to another party in the future. This is especially common with devices that have long lifespans and high price tags in industrial environments. Sending such devices back to the manufacturer for reprogramming is not an option, nor is expanding the private chain of trust to include new owners. Regardless, for devices to communicate with the proper systems, there is a need to reconfigure the device’s identity. This is achieved by generating new keys and issuing new certificates, along with updating the trust stores that define who the device trusts and who trusts it.

INTRODUCTION OF NEW OPERATORS

In addition to transferring a device’s ownership, there are cases when a new entity is introduced to support a fleet of devices and handle their maintenance or servicing. There are also situations where a new business partner requires interaction with the device alongside its existing processes and communication. It’s not advisable to share a private RoT, extending its chain from one organization to another as relationships are formed, as it presents a future threat if/when relationships disband. A better practice is to adjoin additional identities to the device issued from a different RoT, allowing all parties to trust and communicate with it independently.

MERGERS AND ACQUISITIONS

Any change in business ownership or structure may result in the need to modify access policies within the IoT ecosystem. Such scenarios require modifying device identities, similar to the cases mentioned above, as well as modifying crypto keys and certificates located on servers and appliances within on-premise or cloud-hosted infrastructures.

Frequently in enterprise IT environments, responding to changes in business structure can take months if not years to complete. The same principle applies to IoT, where the quantity, diversity, and geographic distribution of connected devices poses additional potential hurdles. In both cases, it is vital that crypto-agility be a priority, even when business changes occur at a slow pace.


Executing with Crypto-Agility


The above scenarios all have one thing in common: they require that all devices holding certificates and keys be reachable, and those elements be replaceable. It is not enough to simply swap out certificates and keys. Instead, it is imperative to have the ability to do so in a manner that is:

01 NON-DISRUPTIVE TO CUSTOMERS AND BUSINESSES
02 ATTAINABLE WITHIN MISSION COMMENSURATE TIMEFRAMES
03 ACHIEVABLE WITHIN ECOSYSTEMS CONSISTING OF HUNDREDS OF MILLIONS (OR MORE) DISTRIBUTED DEVICES

Knowing What You Have Before It’s Gone


The basic principle of having a crypto-agile digital certificate/PKI management solution is knowing what you have and how to deliver secure updates at scale. The following questions can help drive priorities:

01 How many digital certificates do you have?
02 Where are they?
03 What are they used for?
04 What hash algorithm are they using and what is their overall health?
05 When will they expire?
06 Who owns them?
07 How are you protecting valuable code-signing certificates?
08 Do you have a centralized method to securely update each one?


Every Certificate Matters


Don’t create blind spots in your IT networks. You must ensure that you are monitoring every certificate, wherever it may reside, and from wherever it may have been issued.

What you can see doesn’t always amount to what you have. Network discovery is a basic means to assemble a collection of certificates after they’ve been issued and deployed, but is often too little and too late. With the ability for individual application and networking teams to issue, purchase, and deploy their own certificates, control over certificate policies is easily lost. The result is certificates deployed on the internal network — and often on the public Internet — that do not conform to security policy, and whose configuration and expiration can lead to costly downtime or security breaches.

Additionally, without any centralized database of these troublesome certificates, tracking them down, replacing them, and mitigating the risk they pose becomes a significant time-consuming challenge. Only direct synchronization with your Certificate Authorities (CAs) results in a complete view of your certificate inventory, comprehensive certificate lifecycle management capabilities, and infrastructure-wide enforcement of security policy. When you are in control of certificate issuance processes, and are aware of all new certificates as they are issued and deployed, you can successfully build a digital identity foundation that is manageable, scalable, and secure.

KEYFACTOR COMMAND CA GATEWAYS

Gateways allow for direct integration with your certificate authority, or multiple CAs in parallel. This capability enables you to ascertain every issued certificate, and coordinate every lifecycle management action taken. Certificates issued by these CAs are automatically synchronized, allowing you to inventory, renew, reissue, and re-enroll with one-step automation from within your single Keyfactor Command console.

KEYFACTOR COMMAND ANY AGENT

Built to satisfy wider spread adoption of public key infrastructure (PKI), Any Agent allows for customized connections into any agent to serve as the centralized manager for certificates located in disparate keystores.


Any Agent Benefits


After a complete inventory is in place and issuance workflow is synchronized with the certificate authorities, network discovery can be used to monitor the deployment and presence of certificates, setting the stage for proper evaluation of policy compliance and alerting of all anomalies.

• FLEXIBLE
• INTEROPERABLE
• EXTENDABLE
• CUSTOMIZABLE

Code Signing Certificates


The demand for trust in today’s uber-connected digital society is unprecedented. Consumers of software require proof that the application they are using is legitimate. Secure code signing validates the author of the software and proves that the code has not been altered or tampered with after it was signed. Trusted code signing certificates are used to verify authenticity, but what is preserving the integrity of those certificates?

Code signing certificates can be sold or used to create signed malware. Developers must take extreme care in protecting private keys mapped to code signing certificates to avoid complications. A streamlined, secure code signing process safeguards your business and provides inherent trust to your software consumers.

KEYFACTOR COMMAND SECURE CODE SIGNING MODULE

The Keyfactor Command secure code signing module locates and transfers all code signing certificates from enterprise network locations (including all networked PC, storage, and thumb drives) to a secure vault. Once inside, the certificates never leave the vault. A user with appropriate access presents the code to be signed to the module, where it’s signed and returned to the user. Access controls are in place to ensure that only those with the right privileges can sign software and firmware.


Secure Certificate Management at Scale

Removing the manual and error-prone elements of common certificate management actions such as enrollment, re-issuance, renewal, revocation and inventory, Keyfactor Command provides a central console responsible for all certificate management tasks. Manual processes, spreadsheets and advanced monitoring tools may work well for small certificate counts and environments with limited issuance capabilities, but most large organizations have come to recognize that there are more certificates deployed than they can track or even know about. The result is an increase in efforts and costs to stay on top of them, with the risk of security degradation from error and omission.

KEYFACTOR COMMAND ONE-STEP AUTOMATION

Alleviates the costs and burdens of manual, partial, and decentralized certificate tracking, elevating security to required levels. Leveraging agents for device, server and network appliance endpoints and CA gateways for direct synchronization with a range of certificate authorities, one-step automation provides a platform for comprehensive monitoring and full lifecycle management of all enterprise certificates.

Keyfactor Command removes the manual and error-prone elements of common certificate management actions such as enrollment, re-issuance, renewal, revocation, and inventory, providing a central console responsible for all certificate management tasks, along with direct connectivity to network endpoints including devices, computers, servers, and network appliances. The platform allows execution of routine tasks remotely on either individual certificates or custom-defined collections of certificates to establish crypto-agility.

Custom metadata and extended attributes, bound to certificates but without requiring certificate modification, allow for custom collections. Such collections can be defined by variables such as certificate types, expiration date ranges, encryption strength, device types, location, owner, or any other variable that leads to action being taken on a group of certificates jointly.

Keyfactor Command reporting, bolstered by configurable certificate metadata, provides comprehensive reporting from a single pane of glass. Reports include granular insight into certificate status, deployment and usage. This data can be leveraged for customizable alerts, including workflows that integrate via open APIs to business applications such as Splunk, ServiceNow, and Remedy.

Whether it is finding and replacing all SHA-1 SSL certificates in one action, or updating the trusted root stores of all network firewalls and load balancers in one shot, Keyfactor Command one-step automation reduces the time and effort required while ensuring uniform, successful and secure results across the infrastructure with the confidence of a futureproof, crypto-agile PKI and digital certificate management solution.
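The eight inventory questions in "Knowing What You Have Before It’s Gone" (hash algorithm, expiry, overall health), the validity-period guidance in the Certificate Expiration section, and the attribute-based collections and SHA-1 replacement described just above all come down to the same checks over certificate metadata. The following Python is an added example, not Keyfactor Command code or any Keyfactor API: it walks just enough of a DER-encoded X.509 certificate to recover the signature algorithm OID and the validity window, then flags SHA-1 signatures, expired or soon-to-expire certificates, and validity periods beyond three years. The 30-day renewal lead time, the OID table, the host names and the sample certificates (constructed placeholders with empty names and no real key) are assumptions made for this example.

```python
"""Certificate-inventory checks over DER X.509 structures (added example, not Keyfactor code).
Reads just enough DER to get the signature algorithm OID and the validity window, then applies
the text's policy points: SHA-1 signatures, expired or soon-expiring certificates, validity
beyond three years. Stdlib only; the sample "certificates" are constructed placeholders."""
import datetime as dt

UTC = dt.timezone.utc
SHA1_WITH_RSA, SHA256_WITH_RSA = "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"
ECDSA_WITH_SHA1 = "1.2.840.10045.4.1"
WEAK_SIGNATURE_OIDS = {SHA1_WITH_RSA: "sha1WithRSA", ECDSA_WITH_SHA1: "ecdsa-with-SHA1"}
MAX_VALIDITY = dt.timedelta(days=3 * 365)  # upper end of the "two to three years" guidance
EXPIRY_WARNING = dt.timedelta(days=30)     # assumed renewal lead time (not from the text)

def tlv(tag, body):  # DER encoder used only to build the sample input (short-form length)
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                     # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def der_elements(data):  # yield (tag, body) per TLV; handles short and long-form lengths
    i = 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if first < 0x80:
            length, i = first, i + 2
        else:
            n = first & 0x7F
            length, i = int.from_bytes(data[i + 2:i + 2 + n], "big"), i + 2 + n
        yield tag, data[i:i + length]
        i += length

def encode_time(t):  # RFC 5280: UTCTime through 2049, GeneralizedTime from 2050 (99-year certs)
    fmt, tag = ("%y%m%d%H%M%SZ", 0x17) if t.year < 2050 else ("%Y%m%d%H%M%SZ", 0x18)
    return tlv(tag, t.strftime(fmt).encode())

def decode_time(tag, body):
    s = body.decode()
    if tag == 0x17:                          # UTCTime: two-digit year, YY >= 50 means 19YY
        yy = int(s[:2])
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def make_sample_cert(sig_oid, not_before, not_after):  # constructed X.509-shaped placeholder
    alg = tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")                  # AlgorithmIdentifier
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg      # [0] v3, serial, sig
           + tlv(0x30, b"") + tlv(0x30, encode_time(not_before) + encode_time(not_after))
           + tlv(0x30, b"") + tlv(0x30, b""))        # empty issuer/subject, dummy SPKI
    return tlv(0x30, tlv(0x30, tbs) + alg + tlv(0x03, b"\x00\x00"))   # dummy signature

def parse_cert(der):  # signature OID and validity window of one DER certificate
    _, cert = next(der_elements(der))
    tbs, sig_alg, _sig = (body for tag, body in der_elements(cert))
    fields = list(der_elements(tbs))
    base = 1 if fields[0][0] == 0xA0 else 0  # the explicit [0] version is optional
    not_before, not_after = (decode_time(t, b) for t, b in der_elements(fields[base + 3][1]))
    return {"signature_oid": decode_oid(next(der_elements(sig_alg))[1]),
            "not_before": not_before, "not_after": not_after}

def assess(cert, now):  # policy findings for one parsed certificate; empty list = compliant
    findings = []
    if cert["signature_oid"] in WEAK_SIGNATURE_OIDS:
        findings.append("weak-signature:" + WEAK_SIGNATURE_OIDS[cert["signature_oid"]])
    if cert["not_after"] < now:
        findings.append("expired")
    elif cert["not_after"] - now <= EXPIRY_WARNING:
        findings.append("expires-within-30d")
    if cert["not_after"] - cert["not_before"] > MAX_VALIDITY:
        findings.append("validity-exceeds-3y")
    return findings

def inventory(certs, now):  # the attribute-based collections in the text are filters over this
    return {name: assess(parse_cert(der), now) for name, der in certs}

def _d(y, m, d): return dt.datetime(y, m, d, tzinfo=UTC)

NOW = _d(2018, 11, 1)                        # constructed reference time
SAMPLE_CERTS = [                             # constructed sample inventory (hypothetical hosts)
    ("web-frontend", make_sample_cert(SHA256_WITH_RSA, _d(2018, 1, 1), _d(2019, 12, 31))),
    ("legacy-appliance", make_sample_cert(SHA1_WITH_RSA, _d(2015, 1, 1), _d(2020, 1, 1))),
    ("plc-controller", make_sample_cert(ECDSA_WITH_SHA1, _d(2017, 6, 1), _d(2116, 6, 1))),
    ("vpn-gateway", make_sample_cert(SHA256_WITH_RSA, _d(2017, 11, 15), _d(2018, 11, 15))),
    ("old-build-server", make_sample_cert(SHA256_WITH_RSA, _d(2016, 1, 1), _d(2018, 1, 1))),
]
```

Calling `inventory(SAMPLE_CERTS, NOW)` returns a finding list per name: the SHA-1 appliance and the 99-year PLC certificate carry both a weak-signature and a validity finding, the VPN gateway is flagged for expiring within 30 days, and the build server as already expired. Real DER certificates (a `.cer` file read in binary mode) go through the same path, since `der_elements` handles long-form lengths and `decode_time` covers both UTCTime and GeneralizedTime; grouping the results by finding is the equivalent of the expiration-range and encryption-strength collections the text describes.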


Preparing Cryptography for a Post-Quantum Era


Post-Quantum Cryptography. In another example of crypto-agility, Keyfactor and our partner ISARA announced the release of the world’s first quantum-safe, full-stack public key infrastructure solution. With the new PKI technology, devices deployed today and updated in the future are secure against conventional attacks and potential attacks leveraging quantum computers.

Many experts believe that quantum computing will pose a legitimate threat somewhere between 2025 and 2035. When it does, today’s cryptographic algorithms such as RSA and ECC will become easily breakable. While 2025 may seem like a long way off, many systems being designed and deployed today will still be around then — especially “long-life” cryptographic systems such as industrial-focused IoT devices, cryptocurrencies, and PKIs. Savvy product engineers have already begun to plan for this event by designing crypto-agility directly into their products, with the help of the Keyfactor platform.

ISARA is preparing for a “post-quantum” world by creating crypto algorithms designed to withstand the coming onslaught of quantum computers. ISARA has been refining these quantum-resistant algorithms and working with standards bodies such as the International Telecommunication Union and Cisco to ensure that tomorrow’s protocols and data formats can accommodate the new algorithms.

PARTNERSHIP

Keyfactor and ISARA have joined forces to make this technology usable today. By combining the power and flexibility of our Keyfactor platform with ISARA’s cryptographic know-how, we’ve created an easy way to generate and manage certificates at massive scale, which are dual-signed — once with a conventional signature, and once with a quantum-resistant algorithm. This combination provides crypto-agility — the ability to thwart current threats while preparing for the post-quantum cryptography attacks of the future. These certificates follow a newly-proposed standard that can serve as a transition from today’s algorithms to the post-quantum future on the horizon.

Sun Tzu wrote in Art of War that “To … not prepare is the greatest of crimes; to be prepared beforehand for any contingency is the greatest of virtues.” In our quickly changing computing environment, the risk of not being ready for this post-quantum era is potentially calamitous.


ABOUT

Keyfactor™, formerly Certified Security Solutions (CSS), is a leading provider of secure digital identity management solutions that enables organizations to confirm authenticity, and ensure the right things are interacting in the right ways in our connected world.

From an enterprise managing millions of devices and applications that affect people’s lives every day, to a manufacturer aiming to ensure its product will function safely throughout its lifecycle, Keyfactor empowers global enterprises with the freedom to master every digital identity. Its clients are the most innovative brands in the industries where trust and reliability matter most.

CONTACT US

keyfactor.com
216.785.2990
