Certificates are used to prove the authenticity and identity of users or devices on the Internet, in emails, for machine-to-machine communication, and elsewhere. A commonly used certificate is an X.509 which is an International Telecommunications Unition standard defining the format of public key certificates. An X.509 certificate is based on asymmetric cryptography. Each certificate uses a pair of encryption keys. One key is public and confirmed by a neutral authority, the Certificate Authority, to belong to the person, device, or digital object, and the other is private and secure.
Typical uses of X.509 certificates include:
Establishing encrypted https connections and sharing data between web server and web browser
Encrypting and signing emails with the S/MIME standard
Digitally signing digital documents
Digitally signing software
Authenticating a participant in communication
Establishing a Virtual Private Network (VPN) and encrypted file sharing
Proving identity (digital ID cards)
In theory, with a certificate signed with the private key and the private key stored safely away from prying eyes, there should be no way to tamper with or steal the identity it confirms.
However, cyber attackers are always looking for vulnerabilities and ways to disrupt the digital eco-system. According to Venafi, a machine identity management company, digital certificates are attractive to attackers for a variety of reasons, but mainly because they are trusted; they require payment and proof of identity to tie the code, document, or application to the legitimate organization or person. In essence, they verify that the person or organization is real, and that the certificate belongs to them. As such, this usually makes end-users believe that the session protected by the digital certificate is a trusted environment where they can part with personal details, including financial information.
One of the most critical aspects of X.509 certificates is the ability to effectively administer them at scale, but as such, they are commonly thought to be complex to manage and implement. In particular, the set-up and configuration of digital certificates requires specific subject matter expertise as it is important to keep them up-to-date and ensure that they are properly configured to provide effective transactional security.
What it all boils down to is that the public and private keys must remain secure. In essence, certificates are just pieces of digital data, contained in a file in the file system or in the computer’s working memory. All certificates are issued for a specific key pair in an asymmetric cryptographic process, with the public key of that pair stored in the certificate. Its counterpart, the private key, is kept apart from it, usually in a separate file on the certificate holder’s device. And this is where the security of the system can break down: The private key must never be accessed by anyone but the certificate’s holder. Even if the place of storage is secure, the private key must regularly leave that safe environment for cryptographic operations in the CPU, making it again vulnerable to would-be attackers.
In our ongoing focus on perfecting the art of software licensing and software protection, Wibu-Systems has a solution designed to maintain the integrity and security of private keys, called CodeMeter Certificate Vault. With CodeMeter Certificate Vault, the certificates and keys are stored on secure hardware elements (CmDongles) via a specially protected route, going through CodeMeter License Central, Wibu-Systems automated license lifecycle management tool. There is no need for the end user to be concerned about the technical details in managing requests, updates, or signed certificates. All of this complex administration happens in the background for the user, including the CA (Certificate Authority) if need be. Once the keys are stored there, no sensitive information ever leaves the secure area.
CodeMeter Certificate Vault supports mainstream interfaces such as PKCS#11, openSSL, and KSP which makes it easy to integrate into existing software environments and significantly reduces implementation effort. Seamless customization and the many routes available for securely moving certificates and keys into CodeMeter Certificate Vault make it a universal and versatile tool for a range of circumstances and client requirements.
Let’s look at how it works in a few real-world use cases:
Use Case 1: Certifying a Person
In this case, a service engineer needs to be able to authenticate themselves and get access to the devices they are responsible for by showing the right certificate and proving their identity. That certificate and related key can be stored on a CmDongle or similar container. This solution is used e.g. by the technicians servicing ATMs, a highly secure task where every step needs to be recorded and only trained and approved technicians are qualified for the job.
Use Case 2: Identifying a Machine for Secure Communication
This use case needs a certificate that is bound to a specific device. Ideally this is done with a CodeMeter ASIC, with its security chip permanently fixed into the device’s inner workings. For this use case, a specific hardware entity should be uniquely identifiable in a network and be able to communicate securely. Examples of this include PLCs or smart sensors that are part of larger industrial networks via a standard protocol like OPC UA. That protocol uses the OpenSSL framework to handle X.509 certificates and protect communication in the network. In that setup, CodeMeter Certificate Vault provides secure certificate storage and a secure engine for cryptographic operations with the private key.
Use Case 3: Creating a Public Key Infrastructure (PKI)
In this case, CodeMeter Certificate Vault protects the signer’s private key when creating and signing certificates for use with VPN connections, mail signatures, or as proof of authenticity in process documentation.
Since 2013, Marco Blume has been with WIBU-SYSTEMS AG as Product Manager/R&D Manager Embedded. His work covers the range of protection concerns for embedded systems and includes the development of custom concepts for manufacturers and contributions to active research ventures. He has spent his entire career with different embedded systems, including 11 years as product manager for the security of ATMs and checkout systems and previous responsibilities as embedded specialist for video systems and industrial automation.