Expanding Use of PKI in Variety of Devices Holds Challenges

LAS VEGAS–One of the longest-running jokes in the security industry is that each coming year will finally be The Year of PKI. While that one huge year never materialized, the use of PKI and digital certificates has become an integral part of how the Internet works today. But there are some challenges on the horizon that will need innovative solutions.

PKI was developed at a time when having digital certificates in TVs and cars would have seemed absurd. But it’s no longer just Web servers, mail servers and the core network infrastructure that’s in play. Now, the range of devices that use digital certificates includes WiFi routers, mobile devices and many others.

As the use of certificates expands, so do the challenges of managing the keys associated with them and possibly revoking or replacing them after a compromise or an event such as Heartbleed. Jeremy Rowley, vice president of business development and legal at DigiCert, a major certificate authority, said the new reality of embedded, mobile and other devices needing certificates is making life interesting.

“You have PKI expanding into WiFi routers and all these other places that we never thought it would be,” he said at the company’s security summit here Friday.

One of the problems that has faced CAs and their customers in recent years is the rash of mis-issued or stolen certificates that have been used in attacks and malware campaigns. Attackers have been able to compromise a number of CAs, including Comodo and DigiNotar, and have issued themselves valid certificates for high-value domains such as Gmail and Yahoo. Rowley said that the issue is one that CAs think about constantly.

“I think the idea of key protection is going to become even more important,” he said. “I think you’ll see more keys moving into hardware modules so they can’t be extracted.”

Another looming challenge is the move by browser manufacturers such as Mozilla and Microsoft to force organizations to upgrade to certificates with longer key sizes. Both companies are in the process of deprecating certificates with key lengths of 1024 bits or shorter, and in September Mozilla removed several root certificates from the Firefox trusted store because they used 1024-bit keys. Rowley said this process would likely be difficult for some organizations, but the payoff is better security for users and site owners.

“Updating all of these can be painful, but it’s better for all of us,” he said.
