• Richard Blech

The Disconnection of PKI



Public key infrastructure, or PKI, is widely used because it can both encrypt data and confirm that the party with whom a user, device or application is exchanging encrypted messages is who they say they are. Many organizations are relying on PKI to serve as the mechanism to verify and securely exchange data between servers and users and create a trusted and secure business environment. It is used a matter of routine for a wide range of use cases, from securing emails and digitally signing applications to authenticating smart cards.

However, as expensive information breaches, ransomware attacks and cyber-security failures increase in scale and frequency, it is apparent that there are vulnerabilities PKI cannot overcome to be an effective cyber security measure in the current cyber landscape, or in the future. The urgency of having the most effective cybersecurity solutions and practices in place has also been underscored by the Executive Order on Improving the Nation’s Cybersecurity and guidance by the NIST regarding the adoption stronger encryption. Organizations of all industries have to adopt the encryption and cryptography solutions, like those from XSOC CORP, that can help them counter the current and future cyber threats head on.

PKI IS NOT SUITED FOR THE HYPERCONNECTED AGE

PKI collectively refers to the components necessary handling digital certificates and managing asymmetric, public-key encryption. Its framework, which includes certificate authorities, registration authorities, certificate database and certificate policies facilitate the use of digital certificates to secure end-to-end communications, safeguard data and deliver unique digital identities.

But today’s networks are highly connected and centralized. Hyper connectivity, including the Internet, IoT, IIoT, mobile devices, tec., has changed the landscape of IT and OT systems. It is a now critical component of the digital transformation of industries and how organizations of all sectors operate. 5G networks, IoT and IIoT are multiplying the endpoints that extend beyond the effectiveness of an organization’s firewall but that still have to be securely managed. Network architecture has become increasingly more sophisticated and complex.

At the same time, cybercriminals are able to use their access to substantial computing power and to execute wide-scale attacks. And in many organizations, this is being countered by encryption that was developed in the 1980s.

PKI IS LEGACY ENCRYPTION TECHNOLOGY

PKI was specifically created to encrypt communications between computers over analog modems in the very early days of the internet. It was not intended for a hyper-connected environment in which it is necessary to protect vast numbers of hyper-connected devices. There have been efforts to bolster PKI systems, but they have resulted in piecemeal software with security gaps that hackers can leverage to launch attacks.

For example, consider the SSL/TLS protocol, one of the most prevalent use cases of PKI. The most recent version, TLS 1.3 boasts better speed and security that the previous version. However, it is still susceptible to MITM attacks and is unable to protect against attacks that target the processes on the application layer.

CERTIFICATE AUTHORITIES AND DIGITAL CERTIFICATES ARE NOT INFALLIABLE

The root CA is intended to be the trusted third party for all of the certificates issued across and organization’s IT or OT environment. However, too many organizations assume that their root CA and digital certificates are secure and can be trusted. The truth is that the security of CAs are far from fail-safe. For example, in 2017, Apple had to revoke a valid certificate that was being used by hackers to eavesdrop on HTTPS traffic. In 2018, certificates issued through the CA owned at the time by Symantec were distrusted by multiple browser vendors.

Another issue with digital certificates used in PKI systems is that they can be compromised and used in malware and phishing attacks if they have excessive lifetimes. To mitigate this risk, browser vendors, including Mozilla, Apple and Google, capped certificate lifetimes to 398, down from 825 days. However, encryption solutions like, XSOC’s UL Certified SOCKET, which optimizes cryptographic keys and can rotate keys on very short cycles, can completely eliminate the issue of certificates with excessive validity dates while reducing the attack area of network environments.

QUANTUM TECHNOLOGY WILL BREAK PKI ENCRYPTION

The public key cryptography that is the foundation of PKI systems only works because of the math being used. There are already quantum computers in existence with some computing power. Organizations should be preparing now for when quantum technology has evolved enough to perform the math factorization necessary to crack the private keys used in PKI systems. This is a very real threat as certain foreign-state actors, including China, are suspected of engaging in wide scale data harvesting in anticipation for when the power of quantum computers is advanced enough to decrypt the data they have harvested. Organizations can curtail such threats by adopting post quantum-safe encryption and cryptography solutions now. For example, the XSOC Cryptosystem generates by default a base key length of 512-bit with the capabilities to randomly increase key lengths without impacting performance, while providing post-quantum safe security.

ACHIEVE BETTER CYBER PROTECTION WITH XSOC CORP SOLUTIONS

The current wave of cyberattacks is not happenstance. It is a logical development in which bad actors take advantage of the overreliance on legacy cyber security solutions that have failed to remain in step with the growth of computing power and tech. XSOC CORP provides alternatives to PKI that are easily scalable, enables multi-factor authentication, provides post quantum-safe cryptography and more. Contact us today to learn how our encryption and cryptographic solutions can improve your organization’s cybersecurity infrastructure.