Trust. Integrity. Scalability.

Technology Security

PKI Security Services

Kyrio Security Services is the foundation of network security for some of the largest networks in the world. We provide managed PKI and Custom PKI Services for standards groups and OEM device manufacturers globally including:
  • Energy
  • Healthcare
  • Industrial and commercial IoT sectors
As a managed service provider we design, govern and administer large PKI ecosystems to:
  • Establish device identity
  • Protect brand and manufacturer integrity
  • Enforce access control for networks supporting millions of connected devices

Ecosystems We Serve

OpenRoaming™ Service Security

We have partnered with the Wireless Broadband Alliance (WBA) to give the new WBA OpenRoaming™ service enterprise-level security. OpenRoaming removes the barriers to connectivity typically associated with public Wi-Fi, such as the need to constantly re-register or re-enter login credentials, while raising the level of security at the same time.

Kyrio joins Google and Cisco as an Issuing Intermediate Certificate Authority (ICA), providing agent and registration authority services to the broader WBA family, including networks, operators, hubs and identity providers. We will also manage and attribute the WBA Unique Organization Identifiers that are critical for partner identification on the OpenRoaming system. This information is centralized in a WBA global database to keep the system consistent and secure.

To obtain end-entity certificates, you must have a WBA ID. To obtain a WBA ID, contact the WBA at contactus@wballiance.com

Interested in becoming an RA Agent for WBA end-entity certificate issuance? Enter into an agreement with the WBA.

Strategic Alliance

Kyrio has formed a strategic alliance with Sectigo, a global industry leader in network and device security, to provide best-of-breed PKI device security: a robust, certificate-based identification method that gives enterprises and ecosystems IoT network and device security.

Through this strategic alliance, Kyrio and Sectigo help manufacturers, enterprises and standards bodies navigate the complexities of controlling which devices are permitted to connect, what level of privacy and security is required, and how to deploy and manage PKIs cost-effectively without disrupting production.


Frequently Asked Questions about Public Key Infrastructure (PKI)

What is Public Key Infrastructure (PKI)?

PKI is used to identify devices that join a network and to provide a secure means of communication between them. Each device is given a cryptographic credential (a digital certificate) that identifies the device and its manufacturer and binds that identity to a private key held by the device.

Isn't a password enough to secure my Internet of Things (IoT) devices?

Usernames and passwords were designed for human users and have numerous security issues, particularly in security management at medium or large scale. Entering a username and password for 10 devices is manageable; doing so for 10,000 devices is not. In addition, a password is a shared secret that must be stored on both sides and can be guessed, phished or replayed, whereas the private key behind a digital certificate never leaves the device, so certificates are far harder to compromise than passwords.

What is the difference between a PKI test certificate and a PKI production certificate?

A test certificate can be used only within a test environment: it chains to a separate test root that production systems do not trust. Test certificates are generated using the same format and algorithms as the production PKI, but without the documentation and security rigor required of a production PKI. The purpose of test certificates is to test functionality before devices go to production, and testing before production is a best practice for any company using PKI.

What does a Policy Authority (PA) do?

The PA is generally the owner of the PKI implementation and defines the policies and requirements for entities and their devices that will be members of the ecosystem. The PA can be a standards group or a large manufacturer.

What does a Registration Authority (RA) do?

The RA acts on behalf of the PA to implement and enforce the policies and requirements of the PKI for that ecosystem. The RA will verify the company information and identity of users enrolling in the ecosystem and will also verify the certification status (if required) of companies and products that will connect to the ecosystem. The RA is the administrative management of the ecosystem PKI.

What does a Certificate Authority (CA) do?

A CA acts in concert with the RA to implement the PKI and security infrastructure to create the digital certificates that ecosystem members will use to gain access to the ecosystem. The CA is the operations and engineering function of the ecosystem PKI.

Can I use SSL/TLS certificates for IoT devices?

You could, but SSL/TLS certificates are designed for the specific use case of browser-to-server authentication on the web, not for the security of IoT devices. They carry a DNS name and the serverAuth extended key usage, have short lifetimes (publicly trusted TLS certificates are currently limited to 398 days) and generally use RSA keys of 2,048 or 4,096 bits. Constrained IoT devices often lack the storage, bandwidth or compute budget for RSA keys and signatures and typically use Elliptic Curve Cryptography (ECC), whose keys and signatures are far smaller at the same security level: ECC with a 256-bit key provides roughly the same security as RSA with a 3,072-bit key (NIST SP 800-57). A device certificate is still an X.509 certificate, but it is issued under a different profile: the device identity and manufacturer in the subject, a lifetime matched to the product, and only the key usages the ecosystem actually needs.
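The size difference behind that comparison can be measured directly. The following is an added example written for this page in Go, using only the standard library; it is not code from Kyrio, Sectigo or the page. It generates one P-256 key and one RSA-3072 key, signs a constructed challenge nonce with each (the kind of proof-of-possession a network asks a device for), verifies the signature, and reports the DER-encoded public key and signature sizes a device would have to store and transmit. The challenge bytes and the report format are assumptions of the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// SizeReport holds what a device must store or transmit for one key type:
// the DER-encoded public key, as carried in a certificate's
// SubjectPublicKeyInfo, and one signature over a challenge.
type SizeReport struct {
	Algorithm     string
	PublicKeyDER  int
	SignatureSize int
	Verified      bool
}

// challenge is a constructed stand-in for the nonce a network sends a device
// so it can prove possession of the private key behind its certificate.
var challenge = []byte("constructed-challenge-nonce-0001")

// MeasureECDSAP256 generates a P-256 key, signs the challenge with
// ECDSA over SHA-256, verifies the signature and reports the sizes.
func MeasureECDSAP256() (SizeReport, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return SizeReport{}, err
	}
	spki, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return SizeReport{}, err
	}
	digest := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return SizeReport{}, err
	}
	return SizeReport{
		Algorithm:     "ECDSA P-256",
		PublicKeyDER:  len(spki),
		SignatureSize: len(sig),
		Verified:      ecdsa.VerifyASN1(&priv.PublicKey, digest[:], sig),
	}, nil
}

// MeasureRSA3072 does the same with RSA-3072 and PKCS#1 v1.5 over SHA-256,
// the RSA size NIST SP 800-57 rates as comparable to P-256 (128-bit security).
func MeasureRSA3072() (SizeReport, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 3072)
	if err != nil {
		return SizeReport{}, err
	}
	spki, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return SizeReport{}, err
	}
	digest := sha256.Sum256(challenge)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return SizeReport{}, err
	}
	return SizeReport{
		Algorithm:     "RSA-3072",
		PublicKeyDER:  len(spki),
		SignatureSize: len(sig),
		Verified:      rsa.VerifyPKCS1v15(&priv.PublicKey, crypto.SHA256, digest[:], sig) == nil,
	}, nil
}

func main() {
	for _, measure := range []func() (SizeReport, error){MeasureECDSAP256, MeasureRSA3072} {
		r, err := measure()
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-12s public key %3d bytes, signature %3d bytes, verified=%v\n",
			r.Algorithm, r.PublicKeyDER, r.SignatureSize, r.Verified)
	}
}
```

Run with `go run .`: the P-256 public key encodes to 91 bytes and its signature to about 70, against 422 and 384 bytes for RSA-3072, and the RSA key generation alone takes noticeably longer, which is the cost a constrained device would pay on every boot if it had to generate keys in the field.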

I need to secure thousands (or millions) of devices. Can I use PKI for that?

PKI was designed with scalability in mind. For example, the cable television industry has used PKI for almost 20 years in hundreds of millions of devices. These PKI certificates are used to cryptographically verify everything from DOCSIS standards compliance to user eligibility for services. Unlike the per-device symmetric keys used in the mobile industry, which every party that authenticates a device must hold and protect, PKI needs only the CA's public root certificate to be distributed to verifiers, so key management stays fairly simple even for large multi-vendor ecosystems containing millions of devices.

What are public and private root certificates?

Public roots are used for SSL/TLS certificates in a public, open ecosystem such as the World Wide Web, where browsers ship with a list of trusted roots. Private roots are created by standards groups or private companies for ecosystems where access is closed or restricted to parties that meet specified requirements; only systems that have been configured to trust the private root will accept certificates issued under it. Depending on the ecosystem, compliance certification testing may be required before receiving certificates that allow access to private PKI ecosystems.

Should I host my own PKI?

The answer to this question depends upon your internal resources and the PA’s security policy requirements. In most cases, it is much more economical and more secure to outsource your PKI operation to a company that specializes in this function. Properly deploying and operating a PKI requires a substantial amount of documentation and process management to ensure that access to signing keys and certificate generation systems is tightly controlled. In some ecosystems, submission to third-party audits is required to substantiate compliance with the security policy. For most companies, this function would require substantial overhead to maintain over a long period of time, and that is why so many companies outsource PKI.

What does end-to-end encryption mean?

Network connections between two entities are rarely direct. Most of the time a connection passes through several “hops” (servers, gateways and switches) between the two parties. Often each link between hops is encrypted, for example with TLS, but at every hop the data is decrypted, re-encrypted and sent on to the next hop, so each hop can read it. End-to-end encryption adds a layer above the transport (network/TLS) layer: the two end points authenticate each other and establish a key that no intermediate hop holds, and the payload is encrypted under that key before it enters the first link. While in transit the data is therefore double-encrypted, and when the outer layer is removed at each hop the inner layer is still intact.
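The two layers can be shown in a few dozen lines. The following is an added example written for this page in Go with only the standard library; it is not code from Kyrio, Sectigo or the page. It sends one constructed message device → relay → service, with a separate AES-256-GCM key on each link (the “hop” encryption) and, when requested, an extra inner layer under a key only the device and the service hold. The keys are generated at random here, standing in for the keys that the certificate-authenticated handshakes on each link and between the end points would produce; the relay is modelled as holding only its two link keys.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newKey returns a fresh 256-bit AES key; in practice each key comes out of the
// certificate-authenticated handshake for that link or end-to-end session.
func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err) // a failing CSPRNG is not something to continue past
	}
	return k
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates msg with AES-256-GCM, prepending the nonce.
func seal(key, msg []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, msg, nil), nil
}

// open reverses seal; with the wrong key GCM fails authentication instead of returning garbage.
func open(key, ct []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, ct[:aead.NonceSize()], ct[aead.NonceSize():], nil)
}

// Result records what each party ended up with for one message.
type Result struct {
	RelaySaw  []byte // payload exposed at the hop once its link layer is removed
	Delivered []byte // what the receiving service recovered
}

// Scenario sends one message device -> relay -> service. Each link has its own
// key (hop-by-hop encryption); with endToEnd set, the device first seals the
// payload under a key that only it and the service hold.
func Scenario(plaintext []byte, endToEnd bool) (Result, error) {
	e2eKey, linkDeviceRelay, linkRelayService := newKey(), newKey(), newKey()
	// Device: optional inner layer, then the link layer for the first hop.
	payload := plaintext
	var err error
	if endToEnd {
		payload, err = seal(e2eKey, plaintext)
	}
	if err != nil {
		return Result{}, err
	}
	wire, err := seal(linkDeviceRelay, payload)
	if err != nil {
		return Result{}, err
	}
	// Relay: strips its incoming link layer, can read whatever is inside, and
	// re-wraps that for the next hop.
	atRelay, err := open(linkDeviceRelay, wire)
	if err != nil {
		return Result{}, err
	}
	if wire, err = seal(linkRelayService, atRelay); err != nil {
		return Result{}, err
	}
	// Service: strips the last link layer, then the inner layer if present.
	atService, err := open(linkRelayService, wire)
	if err == nil && endToEnd {
		atService, err = open(e2eKey, atService)
	}
	if err != nil {
		return Result{}, err
	}
	return Result{RelaySaw: atRelay, Delivered: atService}, nil
}

func main() {
	msg := []byte("meter reading 1234 kWh") // constructed sample payload
	for _, e2e := range []bool{false, true} {
		r, err := Scenario(msg, e2e)
		if err != nil {
			panic(err)
		}
		fmt.Printf("end-to-end=%v relay saw plaintext=%v delivered intact=%v\n",
			e2e, bytes.Equal(r.RelaySaw, msg), bytes.Equal(r.Delivered, msg))
	}
}
```

With hop-by-hop encryption only, `RelaySaw` is the plaintext: every hop is a place the data can be read or altered. With the inner layer, the relay still strips and re-applies its link encryption exactly as before, but what it handles is ciphertext under a key it never received, and the service recovers the message only after removing both layers.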

What is the difference between authentication and encryption, and what does each do?

The terms “encryption” and “security” are often used interchangeably, but they are quite different. Encryption has one specific cryptographic function: to prevent eavesdropping on transmissions between parties. What encryption alone does not do is tell you whom you are communicating with; an encrypted channel to an impostor is still a channel to an impostor. Authentication is a separate cryptographic function that verifies identity. Through the PKI described above, a trusted chain of digital signatures can be established so that when a device presents its certificate and proves possession of the matching private key, you can be cryptographically certain whom your device is communicating with.

Is per-device revocation possible with PKI?

One of the key benefits of a managed PKI is that every certificate is uniquely identifiable by its serial number, so access control can be managed down to the individual device: a single compromised or decommissioned device can be revoked, by listing its serial number in a certificate revocation list (CRL) or answering for it via OCSP, without touching any other device. Revocation and individual device management are among the primary benefits of a managed PKI.

What is a Certificate Policy (CP)?

A CP is a document that describes the security and process requirements around the management of an ecosystem’s PKI, usually following the structure of RFC 3647. The CP specifies everything from the format of the certificates (the Certificate Profile: subject naming, key algorithms, key usages, extensions) to the physical security involved in protecting the root and sub-CA private keys. In addition, the CP defines the process and requirements for revoking certificates, as well as certificate lifetimes and lifecycle. Its purpose is to ensure that a consistent set of policies and procedures is applied across all members of an ecosystem and that compliance with those procedures can be independently audited and verified.
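The following added example ties together the answers above on what a PKI is, on private versus public roots, on per-device revocation and on the certificate profile a CP specifies. It is written for this page in Go with only the standard library and is not code from Kyrio, Sectigo or the page. It builds a constructed three-tier private PKI (offline root, issuing sub-CA, one device certificate) whose templates encode a small profile, verifies the device chain against that private root alone, then has the sub-CA revoke the single device by serial number through a CRL and checks the CRL's signature before trusting it. Every name, serial number and lifetime is illustrative.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Ecosystem is a constructed private PKI (offline root, issuing sub-CA, one device); all names are illustrative.
type Ecosystem struct {
	Root, SubCA, Device *x509.Certificate
	subKey              *ecdsa.PrivateKey // sub-CA key: signs device certificates and CRLs
}

// must panics on error: these are fixtures, and a CA that cannot generate keys or sign has no useful fallback.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue makes a P-256 key and a certificate for tmpl signed by parent (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// BuildEcosystem encodes a small certificate profile: CA certificates carry keyCertSign|cRLSign and the
// sub-CA a path length of 0; the device certificate carries a unique serial, the manufacturer as Subject O,
// a long lifetime and only the clientAuth usage a device needs to join the network.
func BuildEcosystem() *Ecosystem {
	start := time.Now().Add(-time.Hour) // backdated an hour to tolerate clock skew
	ca := func(serial int64, cn string, years int) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: start, NotAfter: start.AddDate(years, 0, 0), IsCA: true, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	}
	root, rootKey := issue(ca(1, "Example Ecosystem Root CA", 20), nil, nil)
	subTmpl := ca(2, "Example Issuing Sub-CA", 10)
	subTmpl.MaxPathLenZero = true // may issue end-entity certificates only, never another CA
	sub, subKey := issue(subTmpl, root, rootKey)
	dev, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(0x1000042), // unique per device; this is what a CRL names
		Subject:      pkix.Name{Organization: []string{"Example Device Manufacturer"}, CommonName: "device-00-11-22-33-44-55"},
		NotBefore:    start, NotAfter: start.AddDate(10, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, sub, subKey)
	return &Ecosystem{Root: root, SubCA: sub, Device: dev, subKey: subKey}
}

// VerifyDevice builds the chain device -> sub-CA -> root against the given private trust anchor only.
func VerifyDevice(dev, subCA, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(subCA)
	_, err := dev.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// RevokeDevice has the sub-CA publish a CRL naming a single device serial.
func (e *Ecosystem) RevokeDevice(serial *big.Int) ([]byte, error) {
	now := time.Now()
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: now}},
	}, e.SubCA, e.subKey)
}

// IsRevoked checks the CRL signature against the issuing CA first: an unverifiable CRL is an error, never "not revoked".
func IsRevoked(crlDER []byte, issuer *x509.Certificate, serial *big.Int) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(issuer)
	}
	if err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	e := BuildEcosystem()
	crl := must(e.RevokeDevice(e.Device.SerialNumber))
	revoked, err := IsRevoked(crl, e.SubCA, e.Device.SerialNumber)
	fmt.Println("chain valid:", VerifyDevice(e.Device, e.SubCA, e.Root) == nil, "revoked:", revoked, err)
}
```

Two details are the ones that matter in practice. `VerifyDevice` is handed the private root explicitly and never consults the operating system's public trust store, so a certificate from any other ecosystem, however well formed, fails to chain; and `IsRevoked` refuses to act on a CRL whose signature does not verify against the issuing CA, because treating an unverifiable CRL as "nothing revoked" would let an attacker who can block or substitute the CRL keep a revoked device on the network.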

What is crypto-agility?

Crypto-agility is the ability to change the cryptographic algorithms, key sizes and certificate profiles a system relies on (for example, moving from RSA to ECC, or from today's algorithms to post-quantum ones) without redesigning the system or re-manufacturing the devices already in the field. It matters because each use case and industry vertical has its own manufacturing requirements, supply chain and market needs, so a PKI has to accommodate different profiles and algorithm migrations over the lifetime of the ecosystem.

What is the benefit of PKI lifecycle management?

As with a passport or driver’s license, a digital certificate provides proof of identity and a means of access control. Similarly, these credentials all have a finite life, so they will age out after a period of time and require the bearer to reconfirm their identity and conformance to spec before they are issued a new credential, much like how the DMV requires you to get a new driver’s license. The management of the issuance and renewal of digital certificates is critical to the maintenance of the integrity of the ecosystem.

How does PKI relate to compliance requirements?

PKI is a means to enforce compliance with ecosystem requirements. In many ecosystems, you cannot access the production PKI and receive certificates until your company and product have passed certification. As a result, the digital certificate not only serves as proof of identity for a device; it can simultaneously serve as proof of conformance with specification. In addition, it is very possible for a single device to carry multiple certificates that are used to verify identity or eligibility for different services.

What is the Kyrio and Sectigo strategic alliance (with respect to PKI)?

Kyrio and Sectigo are in a strategic alliance to combine the strengths of Kyrio’s experience in ecosystem management and hardware manufacturing, with the scale of Sectigo’s certificate and security infrastructure.

How does the Kyrio and Sectigo strategic alliance benefit me?

The Kyrio and Sectigo alliance enables device manufacturers to implement strong security into their network ecosystem in a way that aligns with their existing manufacturing flows. Using Kyrio’s existing PKI allows manufacturers to deploy certificates in their devices for strong authentication-based security, but not have to bear the cost of creating and hosting their own PKI to do it.

Can I maintain my business relationship with Kyrio and Sectigo through a single point of contact?

Yes, Kyrio is the primary point of contact.

Can I handle the evaluation and sales process for this alliance through a single point of contact?

Yes, Kyrio is the primary point of contact.

Whom do I contact if I need customer support?

Kyrio is the primary point of contact, at pkiops@kyrio.com. For production portal technical support, Sectigo is also available during off-hours to ensure continuity of certificate generation for production.

You need to know exactly what is in your ecosystem. Kyrio Security Services shows you how.