nCipher Security Blog

The Conundrum of Offline Certificate Authorities

A common application for hardware security modules (HSMs) is to protect the keys that are associated with a Public Key Infrastructure (PKI). At the core of any PKI is the Certificate Authority (CA) that actually issues the credentials managed by the PKI.

Companies utilizing smart cards for strong authentication of employees or online customers often rely on an in-house PKI to issue and manage the credentials (digital certificates) that are stored on the cards before handing out to the employee or customer in question.

The level of trust that can be placed in these credentials is to a great degree determined by the trustworthiness of the PKI itself and therefore the CA that constitutes its ‘anchor of trust’. If for some reason that trust is lost, it is likely that all or at least a proportion of the credentials issued by the PKI will need to be re-issued and replaced. If many thousands of employees are impacted, the cost of this re-issuance could run into the millions, not to mention the potential system down-time and sheer operational headache.

To mitigate this risk, CAs are often regionalized or separated into layers of hierarchical CAs to limit the impact of an individual CA issuance (signing) key being compromised. But still, if you follow that path right back to the trusted anchor you will almost always find a single “root CA” that underpins everything---maintaining the trust of the entire infrastructure.

Organizations are rightly paranoid about the security of the root CA and typically mandate that it is off-line and physically isolated from the rest of the PKI and subject to stringent administrative policies. Root CAs often require dual controls or several administrators to perform operations. These are some of the most valuable keys in any enterprise and best practices dictate that they are protected in HSMs.

Traditional HSMs are a perfect fit for online CAs that perform the bulk of the issuance task and therefore require the high performance signing capabilities of an HSM. However, the same is not always true for the offline root CA. Companies very often build the root CA on a dedicated server or desktop machine and store that machine containing the offline CA---along with the HSM---in a physical safe for protection.

Storing this machine and the HSM in a safe, given the physical space constraints, presents logistical challenges. A solution to these challenges is to use an embedded HSM, a PCI card that fits within the host machine in a PCI slot.

However, even reducing the footprint by embedding the HSM can still be impractical. To reduce size even further many companies prefer to build the offline CA on a laptop platform. However laptops do not have PCI slots, meaning they cannot easily play host to an HSM. What they really need is a small, portable, USB connected HSM to plug into the laptop, just like an external hard drive or DVD drive.

More recently, companies are going a step further to reduce the size of the safe they need and are building their offline CA as a virtual machine, storing just the VM image on a CD in the safe. In this way, they don’t even need to worry that the physical machine still works when it’s brought into the day light. However, most PCI cards cannot easily be accessed by virtualized applications, meaning that PCI-card based HSMs are not a good fit even if a slot is available.

The security industry needs to respond to this conundrum with new forms of HSMs that provide more flexibility and choice when dealing with these tricky deployment challenges; seems that we already have!