What is the role of the key management infrastructure in the objects Internet security?
For their day-to-day operations, companies rely on secure digital communications with PKI (Public Key Infrastructure) based digital certificates. These certificates are typically used for device and user authentication, secure communications via TLS/SSL (Transport Layer Security/Secure Sockets Layer), inter-program and inter-machine communication (including Object Internet), digital signature and code signing.
Due to its versatility and evolving capability, PKI should play a crucial role in providing a secure foundation for device authentication and identity, along with hardware security. Yet, the PKI as we know it today is focused primarily on business use cases. To be able to work well with the Objects Internet, PKI will require adaptations, here are 5.
Dimensioning: The PKI must be able to support the issuance of certificates in large volumes, with varying life cycles. In some cases, this may also require high speed (eg in the case of manufacturing lines) and/or short-term certificates. If an on-site PKI can successfully adapt to the needs of the Internet of objects (especially for low-latency applications), managed PKIs and hosted PKIs in the cloud will likely offer businesses an easier implementation and economies of scale.
Long-term Certificates: Digital certificates have defined lives and, as such, have expiry dates. Traditionally, the latter are measured in years. In the Internet of objects, some uses may require short-term certificates, while many others will require certificates of a much longer duration. This is the case, for example, with a consumer device configured with a long-term certificate at the time of manufacture, to enable long-term certificate authentication. Customers should be aware that, even if they require little change over time, they may be problematic in the case of compromises by the PKI or the certification authority. Those responsible for object Internet projects will need to determine the life expectancy of these digital certificates, weighing the pros and cons. This may vary, but so far studies have seen a greater interest in long-term certificates.
PKI hardware interoperability: The PKI must be able to communicate directly with a hardware security environment (for example, secure element, TPM "Trusted Platform Module", or trusted runtime) to properly generate cryptographic keys and store certificates. One of the major problems paralyzing mobile device environments is that these secure environments are inaccessible to the software stack. This leads a number of developers to store cryptographic key items in software, which are considered less secure than hardware security. As a result, Object Internet project managers must ensure that their hardware security environments are accessible via secure mechanisms. These can be automated using the Object Internet Platform or the PKI.
Secure deployment of certificates: Traditional methods, such as the Simple Certificate Registration Protocol (SCRP), are efficient in the enterprise, especially when extending the PKI to provide device authentication and identity for Mobile devices. The SCRP protocol may work for some devices on the Objects Internet, but will generally be insufficient for organizations with limited devices and/or open network environments. This gap in the SCRP protocol is due to the fact that it was designed for traditional enterprise networks, where every device behind the firewall was supposed to be trustworthy. In contrast, the more recent secure protocol of registration via layer transport exploits the benefits of the SCRP protocol. However, it addresses many weaknesses, in this case confidence in the devices. This protocol uses secure mechanisms, such as TLS, to establish a good level of trust and thus creates a secure certificate issuance environment. It is still very recent, that is why the provision of commercial PKI providers is currently not very widespread.
Certificate life cycle management: Certificates have lifecycles that need to be managed. Manual processes for tracking and identifying certificates will therefore not evolve and will not suffice in the Objects Internet. If solutions exist on the corporate side, an increasing number of certificate management solutions providers are proposing the development of scalable management platforms to manage cases to use Internet of Objects. Object Internet project managers who are considering authentication and identity methods based on X.509 certificates for the Objects Internet should seek solutions with integrated or interoperable certificate management systems.
While there are some early examples of how PKI improves device authentication and identity for inter-machine communication and Objects Internet deployments of early-stage (such as smart meters and enclosures set-top boxes), they merely touch the surface. As Objects Internet project managers recognize the need for hardware security for these devices, it is likely that their security architecture will require a PKI to promote device identity, authentication and global security.
However, project managers should note that this is a new area for PKI and PKI technology providers. Solutions and standards must still merge and reach critical mass. Therefore, customers should question their potential PKI providers and Objects Internet security solutions to find out their roadmap and whether they currently have customers of reference.
No comments:
Post a Comment