As told by Jack Byrnes ("Meet the Parents"), who should you trust and why?
When I hear people reference “connected” devices, trust management is always part of that discussion. The questions I ask: How do I know which device is part of that system? What device am I talking to? Can I trust that “Device A” is who they claim to be? Is there a way for me to verify “Device A”? One very good way to answer these questions is to have an authoritative intermediary that knows, and is trusted by, both parties (and systems). I had been struggling to figure out how to explain these answers until one night I was watching “Meet the Parents” and a light bulb popped up above my head. I said, “Of course, who knows better about trusting people or things than Robert De Niro!” Unknowingly, Jack Byrnes was explaining a few of the tenets of Public Key Infrastructure (PKI) and what we consider a Root of Trust (RoT). After that, the movie took on a life of its own. I felt like I was attending a presentation by Whitfield Diffie at the RSA conference on public key cryptography.
To explain this further, let me inject my interpretation of some very meaningful lines from the movie “Meet the Parents.” Ready to have a little fun?
Certificate Authority that Issues Identity and Trust:
- What is it: In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital certificates. The CA acts as a trusted third party: it is trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. Basically, browsers and devices trust a CA by accepting its root certificate into their root store (the common root of trust).
- From the movie: Jack said, “With the knowledge you have been given Greg, you are now within the Byrnes family circle of trust”
- Anthony’s interpretation: This is an obvious example of Jack (the certificate authority) allowing Greg (the device) to be trusted: the certificate authority issues the device a client authentication digital certificate. Since everyone within the Byrnes family (the other devices that share the common root of trust) trusts Jack, they now trust Greg (now a trusted device).
Certificate Authority Managing the Trust Chain
- What is it: The certificate authority (CA) is responsible for a number of things, such as certificate inventory management, issuance of certificates and, most importantly, revocation of those certificates. There are plenty of reasons why a certificate would need to be revoked. Managing revocation well is essential to keeping a high assurance of trust, and it only has an effect if the relying devices actually check revocation status (for example, against a CRL or an OCSP responder) before accepting a certificate.
- From the movie: Jack said, “If I can’t trust you Focker, then I will have to put you back right outside the circle of trust!”
- Anthony’s interpretation: Another great example of trust management. In this case Jack (the certificate authority) was going to distrust Greg (the device in question). In order for the device to no longer be trusted, Jack must revoke Greg’s client certificate. Because Greg’s client certificate is no longer valid (revoked), the other devices (the Byrnes family) within the “circle” cease to trust Greg. If Greg wants back into the “circle,” then Jack is the authority that determines whether or not to let him back in (an example of digital certificate re-enrollment).
How Big Should Your “Circle” Be?
As it relates to certificate authorities, there are two distinct ways that you can implement your root of trust.
- Public Certificate Authority – These are public organizations responsible for vetting and validating the organizations that request certificates. They manage all aspects of the certificate lifecycle (issuance, approval, revocation, and validation). The public root of trust is distributed according to policies and guidelines mandated by the CA/Browser Forum (CA/B Forum). This makes public endpoint certificates easy to implement, as the most common devices and systems have the public CA trust roots installed. The drawback is that practically everyone trusts these certificates, which creates a large trust circle. Of course, there is a cost factor involved as well.
- Private Certificate Authority – These CAs manage certificates in the same fashion as public CAs, except that the organization itself operates the CA. This gives the organization total control over the governance and policies of those certificates, as well as over distribution of the root of trust. Controlling the CA makes implementation more flexible. It also allows the organization to determine the scope of the “circle.” The drawback of total control is the responsibility of managing the certificate authority. To keep a high assurance of trust, an organization must be diligent in managing the CA along with the certificates it issues.
Which option you take will depend on how you plan to use your certificates. There is no easy answer to this, although you should be able to answer the following questions:
- Who or what needs to be trusted?
- What controls do I have over those devices or systems?
- What resources do I have to manage this?
Once you decide on the type of CA to issue the certificates, you need to choose the type of certificate implementation that best suits your security needs.
PKI and a root of trust are certainly options you must consider for your IoT ecosystem. As mentioned earlier, there are no easy answers, only questions to be asked. If you need some additional advice, do yourself a favor and rent “Meet the Parents” tonight!
For more information on security for connected devices, register for LiveWorx 2018, June 17-20 in Boston!