Security Services

PKI is used to identify devices to go on to a network and provide a secure means of communication between those devices. Devices are given a cryptographic credential (a digital certificate) that identifies the device and its manufacturer.

Usernames and passwords were intended for human users and have numerous security issues, particularly when they are involved with security management at a large or medium scale. Entering a username and password for 10 devices is manageable; doing so for 10,000 devices is not. In addition, passwords can be more easily compromised than digital certificates.

A test certificate can be used only within the domain of a test environment. Test certificates are generated using the same format and algorithms as the production PKI, but they do not have the documentation and security rigor necessary for a production PKI. The purpose of test certificates is to test functionality before devices go to production. It is a best practice for any company using PKI to test before production.

The PA is generally the owner of the PKI implementation and defines the policies and requirements for entities and their devices that will be members of the ecosystem. The PA can be a standards group or a large manufacturer.

The RA acts on behalf of the PA to implement and enforce the policies and requirements of the PKI for that ecosystem. The RA will verify the company information and identity of users enrolling in the ecosystem and will also verify the certification status (if required) of companies and products that will connect to the ecosystem. The RA is the administrative management of the ecosystem PKI.

A CA acts in concert with the RA to implement the PKI and security infrastructure to create the digital certificates that ecosystem members will use to gain access to the ecosystem. The CA is the operations and engineering function of the ecosystem PKI.

You could, but SSL/TLS certificates are designed for the specific use case of browser-to-server authentication for web commerce, not for the security of IoT devices. These certificates have short lifetimes (1–2 years) and generally use RSA encryption, which uses key lengths of 2,048 or 4,096 bits. IoT devices generally do not have the storage or compute power for these types of certificates and typically use Elliptic Curve Cryptography (ECC), which produces much shorter key lengths. ECC with a 256-bit key length is roughly the same as RSA with 3,072-bit keys.

PKI was designed with scalability in mind. For example, the cable television industry has used PKI for almost 20 years in hundreds of millions of devices. These PKI certificates are used to cryptographically verify everything from DOCSIS standards compliance to user eligibility for services. Unlike symmetric keys as used in the mobile industry, PKI requires a fairly simple key management structure, even for large multi-vendor ecosystems containing millions of devices.

Public roots are used for SSL/TLS certificates where you have a public/open ecosystem like the World Wide Web for web browsers and web hosts. Private roots are created by standards groups or private companies where access to the ecosystem is closed or restricted based upon meeting specified requirements. Depending on the ecosystem, compliance certification testing may be required before receiving certificates that allow access to private PKI ecosystems.

The answer to this question depends upon your internal resources and the PA’s security policy requirements. In most cases, it is much more economical and more secure to outsource your PKI operation to a company that specializes in this function. Properly deploying and operating a PKI requires a substantial amount of documentation and process management to ensure that access to signing keys and certificate generation systems is tightly controlled. In some ecosystems, submission to third-party audits is required to provide substantiation of compliance with security policy. For most companies, this function would require substantial overhead to maintain over a long period time, and that is why so many companies outsource PKI.

Network connections between two entities are rarely direct. Most of the time, connections are made over several “hops” among servers and switches between the two parties. Many times, the connection between “hops” is encrypted and secured, but at each “hop” the data is decrypted, re-encrypted and sent to the next “hop.” End-to-end encryption and security involves a layer above the network/TLS layer where additional authentication occurs, so the encryption layer is established between the two end points. While in transit, the data is double-encrypted so that even when it is decrypted at each “hop,” there is still another layer of encryption.

The terms “encryption” and “security” are often used interchangeably, but they are in fact quite different. Encryption has a very specific cryptographic function, which is to prevent eavesdropping on transmissions between parties. What encryption does not do well is identify whom you are communicating with. Authentication performs a separate cryptographic function, which is to verify identity. Through the use of PKI (above), a trusted chain of digital signatures can be established so that when a device presents its certificate, you can cryptographically be certain of whom your device is communicating with.

One of the key benefits of a managed PKI is that every certificate is uniquely identifiable, and access control can be managed down to the individual device. Revocation and individual device management represent one of the primary benefits of using a managed PKI.

A CP is a document that describes the security and process requirements around the management of an ecosystem’s PKI. The CP specifies everything from the format of the certificates (Certificate Profile) to the physical security involved with the protection of the root and sub-CA private keys. In addition, the CP defines the process and requirements around revocation of certificates, as well as the certificate lifetimes and lifecycle. The purpose of a CP is to ensure that a consistent set of policies and procedures can be applied across all members of an ecosystem and that compliance with those processes can be independently audited and verified.

Cryptoagility is the ability to apply good security practices across a wide range of applications and industries. Each use case and industry vertical has its own manufacturing requirements, supply chain and market needs.

As with a passport or driver’s license, a digital certificate provides proof of identity and a means of access control. Similarly, these credentials all have a finite life, so they will age out after a period of time and require the bearer to reconfirm their identity and conformance to spec before they are issued a new credential, much like how the DMV requires you to get a new driver’s license. The management of the issuance and renewal of digital certificates is critical to the maintenance of the integrity of the ecosystem.

PKI is a means to enforce compliance with ecosystem requirements. In many ecosystems, you cannot access the production PKI and receive certificates until your company and product have passed certification. As a result, the digital certificate not only serves as proof of identity for a device; it can simultaneously serve as proof of conformance with specification. In addition, it is very possible for a single device to carry multiple certificates that are used to verify identity or eligibility for different services.

Kyrio and Sectigo are in a strategic alliance to combine the strengths of Kyrio’s experience in ecosystem management and hardware manufacturing, with the scale of Sectigo’s certificate and security infrastructure.

The Kyrio and Sectigo alliance enables device manufacturers to implement strong security into their network ecosystem in a way that aligns with their existing manufacturing flows. Using Kyrio’s existing PKI allows manufacturers to deploy certificates in their devices for strong authentication-based security, but not have to bear the cost of creating and hosting their own PKI to do it.

Yes, Kyrio is the primary point of contact.

Yes, Kyrio is the primary point of contact.

Kyrio is the primary point of contact at pkiops@kyrio.com. However, for production portal technical support, Sectigo is available during off-hours to ensure continuity of certificate generation for production.