Public Key Infrastructure (PKI) authenticates the identity of users and devices. It includes a Certificate Authority (CA), which verifies an identity and issues a trusted certificate.. It also includes the management of key pairs—the public and private keys that allow secure digital transactions.
Hardware Security Modules (HSMs) securely generate, manage and store the critical keys. These devices are physically protected and tamper-resistant, and may be operationally isolated from other systems. HSMs don’t share space with servers storing emails, documents, or system back-ups. Whether physical or cloud-based, HSMs have just one job: to manage and secure keys.
Certificates are often likened to your passport or driver’s license. They’re issued by a trusted party—or a “CA”. They verify your identity. And they’re hard to fake. Other people can rely on them to identify you.
But that analogy doesn’t explain keys particularly well. For a simplified example, consider a Post Office.
The Post Office checks your identification and issues you a PO Box. In this way, the Post Office is like a CA. It verified your identity and tied your name to a PO Box, which acts somewhat like a certificate. Your box number then serves as your public key. You can share it with others, or they can find it. Once they know it, they can communicate with you. And you can send information to people whose public keys—mailboxes—you know.
But you also have a private key to access your mail. Without this private key, no one can get to the contents of your mailbox. To keep your information safe, you must protect that key. To keep it really secure, you might store it in a wall safe—which acts as the HSM in this example—rather than in your kitchen catch-all drawer, where this key gets jumbled with junk and others might come across it inadvertently or purposefully.
While this example is extremely oversimplified, it offers a basic sense of how PKI and HSMs secure data and transactions.
In reality, PKI and HSMs provide more than mere authentication of identity and secure access via your private key.
PKI also provides encryption…imagine a magical envelope that renders the contents unreadable until you retrieve the correspondence from your mailbox. And it ensures the integrity of sent information, preventing alteration in transit by any other party. HSMs generate these private keys using advanced cryptography and protect user information, data confidentiality, and authentication of networks.
To be secure, blockchain and DLT solutions must still meet standard cybersecurity practices and requirements. Key management—making sure that keys are kept confidential, their integrity is protected, and they are always readily available—is critical.
Without this key management, you may as well make copies of your PO Box key and hand them out to anyone who wants one, with the knowledge that they’ll make their own copies to pass around.
Understandably, key management is a constant challenge for companies. They don’t have just one set of keys to secure or a few documents to protect. Enterprises can generate many hundreds of key pairs an hour—and each key contains from 2048 to 3072 bits.
With remote employees and partners, multiple devices accessing networks, and secure email and document exchange, enterprises authenticate identities, encrypt data, and verify the integrity of documents and communications countless times a day.
That’s a lot of information to manage and secure. It requires a robust platform for certificate, key, and identity management; and it requires a way to generate, manage and store the private keys.
Yet blockchain by itself does not provide all of these requirements.
And this is where DigiCert and Thales come together.
DigiCert, a leading provider of PKI, and Thales, a leader in data protection, have a decade’s long partnership helping their clients authenticate and encrypt communications, systems, emails, documents, websites and servers.
They’ve also been co-members of Hyperledger for several years. A number of their industry partners, including IBM, Oracle, financial service providers, and others, use Hyperledger Fabric. The companies wanted to support the demands of their industries on Hyperledger Fabric, so a collaboration was only a matter of time.
DigiCert and Thales believe in security by design—a principal in which a solution is designed to include established security principles from the beginning, rather than relying on reactive add-ons. Consider the difference between building a bank from the ground up versus converting an old primary school into a bank. The former would have a vault integrated into the foundation, hardened walls, and limited access points. The latter’s retrofits would never reach the same quality standards.
Both DigiCert and Thales have seen companies take the latter approach with blockchain solutions or services and then given up because “it didn’t work.” They would like to address that for users of Hyperledger Fabric.
“The fundamentals of security have not changed, just because we’re going to a cloud-based or highly distributed blockchain environment,” says Cates. “The same principles of protecting those keys apply. We don’t need to pivot into a new architecture. We can use the same principles financial institutions have been using for decades.”
Over those decades, performance improvements and efficiencies developed. These refined principles now allow infrastructure to scale while maintaining performance. And whether on-premises or cloud-based, the approaches to key authentication and management are the same.
Public trust requires trust within internet browsers. This means browsers trust that “you are who you say you are”, so when users access your site, those users can also trust this to be true. This is where certificates and CAs come in.
Private trust, on the other hand, could be IoT devices in a closed environment not accessed by the public. For private trust, there are emerging security compliance requirements, though security best practices are making a significant impact.
For public trust, however, a CA must meet several compliance requirements. These are mandated by the Certification Authority Browser (CA/B) Forum. All publicly trusted CAs and browsers belong to it.
One of the CA/B compliance requirements is an HSM to manage private keys.
And while HSMs are not strictly required for all situations, it’s a best practice to use one “I get asked all the time: ‘Can’t we do this without HSMs?’ And yes, technically you can,” explains Cates. “But why would you? Why would you take the risk of leaving those keys unsecured when you could have the comfort of knowing the keys are protected at all costs in a hardware root of trust?”
“Anytime you have a public or private key,” adds Hojjati, “you want an HSM to increase your security.”
DigiCert, which focuses only on PKI, operates at the highest level of compliance for publicly trusted certificates. Using its easy-to-set-up and scalable solutions, organizations can manage digital certificates, user enrollments and implement strong authentication, encryption, and data integrity across all use cases.
Storing certificates and private keys in a Thales Luna HSM adds critical levels of security. Luna HSMs are FIPS 140-2 Level 3 validated, which is one of the highest levels of government certified assurance available on the market. Additionally, Luna HSMs are also Common Criteria EAL4+ certified.
When both are incorporated into the blockchain, the integrity of the blockchain is heavily assured and protected.