Public Key Infrastructure (PKI) assurance engagements

The Challenge

As e-commerce continues to grow and more online transactions are conducted, consumers need comfort with the online technology used to ensure their interactions over the internet are secure.    A Public Key Infrastructure (PKI) is the technology that can help secure online transactions.  A PKI is a set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates (an electronic file that is tied to a cryptographic key pair and authenticates the identity of a website, individual, organization, user, device or server) and manage public key encryption.  PKI allows for the secure electronic transfer of information fore-commerce, internet banking, and confidential email.  PKI enables parties (such as individuals, companies/businesses) to identify one another by providing authentication (the process or action of verifying the identity of a user) with digital certificates and allows reliable business communications by providing confidentiality through encryption, authentication data integrity, and a reasonable basis for nonrepudiation through digital signatures.  Being able to rely on digital certificates from legitimate companies/businesses allows for consumers to have greater confidence that their online transactions are secure.  However, how can an online consumer or relying party trust that digital certificates are issued to legitimate companies/businesses or individuals for secure transmission of confidential or sensitive information when performing transactions?

The Consequences

Below are some risks associated with online transactions that consumers and relying parties need to be aware of.  Without a proper PKI in place, the following may occur:

Identity theft:  Involves cybercriminals hacking into online shopping or e-commerce sites and stealing users’ credentials like their usernames and passwords.  This allows the hackers to impersonate users and fraudulently make purchases online using stolen credentials.

Fake e-commerce sites: Cybercriminals can create fake e-commerce websites that look like legitimate online shopping sites that trick users into thinking they are purchasing goods or services from an authentic online store.  Instead, cyber thieves have received payment for goods or services that these unsuspecting users may or may not receive.

Online data breaches: If cybercriminals gain unauthorized access to e-commerce sites, there is a risk that banking information, such as credit card information, may be exposed during a data breach.

Unsecure Wi-fi:  If online consumers make purchases online using public wi-fi that is insecure, hackers can potentially access these insecure wi-fi points and steal your confidential/sensitive information such as the personal information that you submit such as home address, phone number, user credentials, and banking and/or credit card information.

Unsecure transmission of confidential/sensitive information:  Some websites don’t securely transmit data from a user’s browser to the e-commerce server they are communicating or transacting.  To ensure secure transmission of confidential/sensitive data,  well-designed e-commerce sites use what’s known as SSL Certificates.  SSL stands for ‘Secure Socket Layer’, an online security protocol that secures the channel between the user’s browser and the e-commerce server by encrypting (i.e., making the data secret) the data between the two.  The SSL Certificate is a digital certificate that authenticates a website’s identity and allows for encryption.

Why Secure Socket Layer (SSL) certificates are required for e-commerce websites

E-commerce websites need SSL certificates to secure any data transferred between users and websites and between two systems using encryption so that the data remains impossible to read.  SSL certificates allow online consumers to verify ownership of the e-commerce website, prevent cybercriminals from creating fake e-commerce sites and overall allow trust for online transactions.

What is a Certificate Authority?

One crucial question must be answered for these technologies to enable parties to communicate securely.  How will we know in the digital world that an individual or company/business or the entity’s public key belongs to that individual or company/business of an e-commerce website?  A digital certificate, an electronic document containing information about an individual or owner of an e-commerce website and their public key, is the answer.  This document is digitally signed by a trusted organization referred to as a Certification Authority (CA).  The CA is vouching for the link between an individual’s identity and their public key.  The Certification Authority guarantees that the public key contained in the certificate belongs to the person/individual/company/business (i.e., owner of an e-commerce website) named in the certificate.  The CA’s digital signature on the public key certificate provides the cryptographic binding between the person/individual/company/business ‘s public key, the entity’s name, and other information in the certificate, such as a validity period.  To determine whether a legitimate CA issued the certificate, the user or relying party must verify the issuing CA’s signature on the certificate.  The public keys of many common Root CAs are pre-loaded into standard desktop and mobile operating systems and Web browsers (for example, Apple macOS, iOS, and Safari, Google Android and Chrome, Microsoft Windows and Internet Explorer, and Edge, Mozilla Firefox, etc.).  A Root CA is the top level of a given PKI and represents the ‘trust anchor’ for the chain of trust.  Root CA certificates are generally self-signed (i.e., the Root CA signs a certificate that names itself as the certificate subject).

PKI Importance

PKI provides a means for online consumers or relying parties (meaning, recipients of certificates who rely on those certificates and/or digital signatures verified using those certificates) to know that another individual’s or entity’s public key (i.e., owner of an e-commerce website) belongs to that individual/entity.  CA organizations and/or CA functions have been established to address this need.  Cryptography is critical to establishing secure communications and transactions.  However, it must be coupled with other security protocols to provide a comprehensive security solution.  Several cryptographic protocols require digital certificates (electronic credentials) issued by an independent, trusted third party (the CA) to authenticate the transaction.  CAs have assumed an increasingly important role in providing this security.  Although there is a large body of existing national, international, and proprietary standards and guidelines for the use of cryptography, the management of digital certificates, and the policies and practices of CAs, these standards have not been applied or implemented uniformly.  The WebTrust Principles and Criteria for Certification Authorities (CA) address user (meaning online consumers, subscribers, and relying parties) needs and concerns.  They are designed to benefit users and providers of CA services by providing a standard body of knowledge that is communicated to such parties.

How WebTrust Principles and Criteria can be used

The WebTrust Principles and Criteria for CAs can be used as a control framework to assess the adequacy of the CA systems, policies, and procedures.  It provides a basis for self-assessment for developing or maintaining robust PKI systems.

Richter is an enrolled WebTrust practitioner who can support preparing WebTrust engagement assurance reports under Canadian, U.S., and international assurance standards.  We have performed these types of engagements for clients in the aerospace, aviation, and software (i.e., email encryption) industries.

How Richter can help

Richter can use the framework as a benchmark for performing an internal or independent assessment as an internal auditor or an external, independent practitioner as supported by the CA/Browser Forum.  Source: https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria.

Our team is qualified.  Richter understands the importance of having the right team of professionals who can deliver quickly and with the right experience to provide efficient and effective execution of activities.  Our services will be provided by a team of seasoned PKI specialists with more than 16 years of PKI audit expertise and a strong background in IT controls audit to provide the highest quality standards.

Root Key Generation Witnessing

At the heart of any PKI is the Root CA.  The Root CA is the most critical component of a PKI infrastructure.  Ensuring the integrity of the Root CA is of utmost importance.  The Root CA issues certificates and establishes the Root of trust between identities to which it issues a digital certificate.  The Root CA also issues certificates to Issuing CAs, giving them the power to issue certificates for the Root CA, as it is typically kept offline.  As a best practice, any PKI established should have its Root CA key pair generation witnessed by an independent auditor such as Richter.  The Root Key Generation ceremony that Richter witnesses establishes evidence of the integrity of the creation of the Certificate Authority (typically Root CA) keys.  The Root Key Generation ceremony:

• Produces the private/public key pair upon which a Root CA service can be based
• Provides formal, detailed evidence of signing key creation
• Allows the PKI to be auditable from birth to death
• Allows external end-entities to trust the service
• Provides backup to possible litigation
• Demonstrates adherence to industry standard practices
• Is witnessed by an independent third-party/external audit firm, i.e., Richter, to provide independent assurance regarding the integrity of the processes and the resulting keys
• Can be video recorded for integrity purposes

Root Key Generation Witnessing Use cases

Richter can formally witness and document the creation of the Root CA’s private signing key and issue a formal, independent assurance report to the CA organization.   This helps to assure the non-refutability of the integrity of the Root CAs’ key pairs, particularly the private signing keys.  Clients use Richter because we conform to industry best practices and deliver reports with the highest quality.   We have witnessed Root Key Generation ceremonies for clients in the aerospace, aviation, and software (i.e., email encryption) industries.  Root Key Generation witnessing requires a very niche skillset, and Richter’s team of experienced PKI practitioners has over 16 years of experience witnessing many Root Key Generation ceremonies worldwide.

Other ways Richter can help with PKI

CertiPath Annual Assurance engagements

Richter appreciates various Certification Authority models and the need for trust amongst Root CAs from one or more PKIs that enter into cross-certifications with other CA companies.  The need for trust is critical.  In a cross-certified model, the Root CAs from one or more PKIs issue certificates naming each other as the subject.  This allows trust to be established across separate PKIs when relying parties may only have one of the Root CAs in their trust store.  A cross-certified model’s advantage is that it allows one or more PKIs to establish mutual trust.  However, the model is not easily scalable as it requires each PKI operator to have a direct relationship with another.

Richter has performed assurance attestations for Certificate Authorities who wish to cross-certify with other Certificate Authorities through a ‘Bridge CA’ model.  The Bridge CA model builds off of the cross-certified model.  The main difference is that rather than each Root CA cross-certifying each other, an independent Bridge CA issues one-way cross-certificates to each Root CA.  Relying parties need only trust the Bridge CA and will then automatically trust any certificate from any PKI that has a cross-certificate from the Bridge CA.  This allows for a more flexible hierarchy, as the Bridge CA can add new PKIs without requiring any actions from existing PKIs. As the actions of the Bridge CA impact all relying parties, Bridge CAs often impose various compliance requirements (i.e., annual assurance engagements) and a standard Certificate Policy.

Richter can satisfy the compliance requirements imposed by CA companies such as CertiPath and can perform these annual assurance engagements who wish to cross-certify with them.  One typical cross-certification relationship that many of our PKI clients seek is a cross-certification with CertiPath.  CertiPath is a company whose technology aims to identify whether a digital identity validly represents a person or ‘thing’ requesting access to a network.  Certipath creates innovative, scalable products and services that ensure the highest level of validation for digital identities that attempt to access customers’ networks.

Many different CAs choose to cross-certify with the CertiPath PKI Bridge, which enables cross-organizational trust for its members, who operate high assurance identity credentialing systems known as Enterprise PKIs and several of whom are providers of Personal Identity Verification – Interoperable (PIV-I) credentials to other organizations. This Bridged trust is characterized by a hub-spoke peer-to-peer environment where all members retain control over their trust domain policies and technical solutions but agree to a common set of overarching requirements embodied in Federated Trust.

As part of CertiPath’s cross-certification requirements, they request that each CA that cross-certifies with them or wishes to cross-certify with them undergo an annual attestation engagement by an independent auditor, such as Richter, to issue the following:

• Third-Party Auditor Certificate Practice Statement Compliance Analysis letter asserting that the Principal CA’s *Certification Practices Statement (CPS) implements the **Certificate Policy (CP)
• Third-Party Auditor Operational Compliance Analysis letter asserts that the Principal CA’s operations meet the requirements in the associated Certificate Policy/Certificate Practice Statement.

* A Certification Practice Statement (CPS) defines the measures taken to secure CA operations and the management of CA-issued certificates.  You can consider a CPS to be an agreement between the organization managing the CA and the people relying on the certificates issued by the CA.  While the CP tells a user or maintainer what to do, the CPS tells them how to do it.  The CA’s CPS is a public document that should be readily available to all the participants so that a relying party can determine whether the certificates issued by that CA meet its security requirements.

** A Certificate Policy describes the measures taken to validate a certificate’s subject before certificate issuance and the intended purposes of the certificate.  For many organizations, the certificate-issuance policy determines whether the presented certificate will be trusted.  The CP also lets users, and PKI maintainers know how to apply for a certificate, the naming standards for certificates, and more.

Richter helps its PKI clients assess the controls associated with its CA operations.  This is done by 1) ensuring the Certificate Practice Statement implements the CA organization’s Certificate Policy and 2) the CA is operated in conformance with the requirements of the CAs CPS over a period of time.  Richter prides itself in delivering quality audit services and leveraging its vast technical experience to provide value add recommendations based on PKI best practices.  Our professionals receive ongoing training on best practices in the market.  We often attend various forums explicitly organized for our profession as participants or guest speakers.  We enhance our professional development process using multiple strategies, in particular by obtaining a multitude of recognized professional designations (e.g., CISA, CRISC, CGEIT, CISSP, CPA, CCSK, PMP) and taking courses offered by leading institutions or universities (e.g., Harvard Business School, McGill University, and others).

CertiPath Annual Assurance engagements Use cases

Richter has performed several annual CertiPath assurance engagements for many clients in the aerospace and aviation industries who wish to enter into a cross-certification relationship with CertiPath or need to demonstrate compliance annually to retain their cross-certification.

Adobe Approved Trust List (AATL) assurance engagements

The Adobe Approved Trust List is a program that allows millions of users worldwide to create trusted digital signatures whenever the signed document is opened in Adobe® Acrobat® or Reader® software.  Acrobat and Reader have been programmed to reach out to a web page to periodically download a list of trusted “root” digital certificates.  Any digital signature created with a credential that can trace a relationship (“chain”) back to the high-assurance, trustworthy certificates on this list is trusted by Acrobat and Reader.

How Richter Can Help

As part of AATL’s technical requirements, an audit must be performed regularly on the Issuing CA (ICA), or upper level or Root CA, and all the (I)CAs that inherit trust from that upper or Root CA under the AATL.  They must have successfully passed within the past 24 months, and continue to pass at least on a 2-years basis, an audit.  The audit aims to prove that the potential member wishing to join the AATL program implements what is stated in its documentation, in particular, the CPS (Certificate Practice Statements) and CP (Certificate Policies), and that it achieves the level of security specified by the audit scheme which can be any of the following:

(a) ETSI EN 319 411-1 NCP (ETSI TS 102 042 is accepted until 31 December 2017);

(b) ETSI EN 319 411-2 QCP-n or QCP-l (ETSI TS 101 456 accepted until 31 December 2017);

(c) WebTrust for CA v.2.0 or later;

(d) ISO 21188:2006

Richter has leveraged the WebTrust for CA audit scheme for an aviation industry client to perform an audit as a prerequisite for them to join the AATL program.

ATA Spec 42 specification engagements

There is an increasing need to ensure that only legitimate communication between aircraft, ground stations, and the overall operating environment is secure as the aviation industry moves towards ‘connected aircraft.’  How does one ensure that a legitimate aircraft engineer has performed

authentic maintenance to an aircraft and hasn’t installed malicious software? To answer this, identifying individual components to a high level of assurance is becoming increasingly crucial to the security of the aircraft and its operating environment.  This also holds true for the identities of the people that interact within the aircraft environment, such as pilots, mechanics, engineers, and food service employees. It is essential to verify the integrity and the origin of data (including software) loaded onto the aircraft.  The ATA Spec 42 specification aims to guide the deployment of identity management solutions based on regulatory guidance such as FAA Advisory Circular 120-78A.  These solutions may use digital signatures based on Public Key Infrastructure (PKI) technology with a “chain of trust” to a Certification Authority (CA) or other non-PKI electronic signature means to satisfy the identity assurance and data integrity requirements of the civil aviation industry.

Spec 42 includes policies for aviation-specific digital credentials called PIV-AV, based on the Personal Identity Verification – Interoperable (PIV-I) credential standard. PIV-AV will be recognized in the global aviation industry as a secure and reliable standard for enabling electronic user verification. Using PIV-AV, a single identity badge using standard certificate profiles can be used across companies to perform a variety of functions independent of the application provider or system owner, such as employees of other airlines or a third-party performing maintenance for another airline. Verification is performed based on the chain of trust.

How Richter Can Help

As part of the ATA Spec 42 requirements, PKI operators (including airlines) or vendors who operate a CA must have an annual compliance audit performed by an independent, competent compliance auditor.  This audit ensures that the requirements of their CP/CPS and the provisions of the contracts with any cross-certified CAs are being implemented and enforced. All CAs, Certificate Management Systems (CMS), and Registration Authorities (RAs) are included as part of the annual compliance audit.  The compliance audit aims to verify that a component operates in accordance with the Entity’s CP, the applicable CPSs, and any other applicable agreement that governs the Entity PKI.  The compliance audit includes an assessment of the applicable CPS against the CP, to determine that the CPS adequately addresses and implements the requirements of the CP.

Richter can perform these audits based on our experience with other PKI industry audits performed.