Prioritizing Trust: Certificate Authority Best Practices


White Paper: Prioritizing Trust: Certificate Authority Best Practices
A Policy for Commercial Certificate Authorities

Contents

Abstract / Executive Summary ... 3
Introduction ... 3
Certificate Authorities Are the Guardians of Trust Online ... 4
CA Security Breaches Have Undermined the Public Trust ... 5
CAs Should Not be Granted Equal Trust Without Providing Equal Assurance ... 6
Security Is the Bottom Line ... 6
Setting a New Baseline for the CA Industry ... 7
Maintaining a Secure IT Infrastructure ... 7
Enforcing Rigorous Identity Validation Practices ... 8
Demonstrating Compliance with Policies and Regulations ... 9
Going Beyond the Baseline Requirements ... 9
Governance
Design
Implementation
Conclusion

Abstract / Executive Summary

SSL certificates form the basis of trust on the public Internet, and for more than a decade CAs have acted as brokers of trust. But in 2011, a string of highly publicized CA security breaches sparked a debate as to whether SSL certificate technology (and the entire CA industry) is fundamentally broken. Fortunately, the answer is unequivocally no. However, these security breaches are proof-positive that while commercial CAs are generally trusted equally by browsers, CAs do not all follow the same strict security practices, and do not provide equal levels of assurance. This fundamental problem of equal trust without equal assurance must be addressed.

Symantec and other members of the CA/Browser Forum took the first step towards a more robust, sustainable PKI ecosystem in December 2011 with the release of the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, the first international baseline standard for the operation of Certification Authorities (CAs) issuing organization- and domain-validated SSL/TLS digital certificates natively trusted in browser software. Further work is being discussed in the CA/Browser Forum, specifically on Certificate Authority security practices.

This white paper discusses the urgent need for all commercial CAs to implement better security standards, starting with these CA/Browser Forum Baseline Requirements, and the steps that Web browser developers, SSL certificate subscribers, and relying parties can take to hold CAs accountable for complying with these requirements. This document also gives insight into Symantec's rigorous security and authentication practices, which lead the industry in the reputation qualification measures used to establish online business credibility.

Introduction

For more than a decade, commercial Certificate Authorities (CAs) have acted as trusted third parties, protecting the exchange of private information over the public Internet. But in recent months, a cloud of controversy has hung over commercial certificate authorities. The string of highly publicized CA security breaches of 2011 sparked a debate as to whether SSL certificate technology and the entire CA industry that distributes it are fundamentally broken. Fortunately, the answer is categorically and unequivocally no. Digital certificates and PKI still provide excellent protection against evolving cybersecurity threats. With the right tools and processes, CAs are fully capable of providing the greatest assurance possible that their certificates and the websites that use them are genuine and safe for online business.

The most significant challenge facing the PKI ecosystem is not a technological flaw or limitation, but rather the way it is being implemented and the practices around it, specifically Certificate Authority practices. To address this problem, Symantec and other members of the CA/Browser Forum took the first step towards a more robust, sustainable PKI ecosystem in December 2011 with the release of the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, the first international baseline standard for the operation of Certification Authorities (CAs) issuing organization- and domain-validated SSL/TLS digital certificates natively trusted in browser software. These baseline requirements are just the beginning, however. Symantec is working with the CA/Browser Forum on a set of guidelines defining better CA security practices, and advocates for CAs to embrace higher standards for their security practices.

Certificate Authorities Are the Guardians of Trust Online

A Certificate Authority (CA) is an organization that issues digital certificates to individuals and organizations. CAs are responsible for securing each certificate with strong encryption using the SSL/TLS protocol. But perhaps the most important responsibility that commercial CAs have is to authenticate the identity of each certificate holder, which forms the basis for trust on the Internet. For more than a decade, CAs have acted as trust brokers between entities on the Internet, and it is estimated that more than 4.5 million sites are using SSL certificates issued by certificate authorities such as Symantec, more than double the number in
As the #1 provider of trust online, Symantec operates a certificate-based PKI (public key infrastructure) to enable the worldwide deployment and use of these certificates. By operating a world-class certificate infrastructure and protecting it with robust security measures and top-down policy governance, Symantec is able to provide the greatest assurance possible that its certificates and the organizations that use them are genuine and secure.

The core, or kernel, of trust in the PKI system rests on the assumption that commercial CAs maintain a commitment to security that is beyond reproach. Digital certificates are verified using a chain of trust, and root CAs act as trust anchors for each certificate. Consequently, Web browser developers must be able to trust that CAs will do the following:

- Verify the identity of the requester.
- Ensure that there is no way to issue a certificate without a permanent record.
- Keep unalterable logs of all certificates they have signed.
- Audit those logs frequently for evidence of unauthorized issuance.
- Proactively communicate security events and certificate revocations.
- Protect their infrastructure to prevent intrusion or fraudulent certificate issuance.

4. Netcraft February 2012 SSL Survey
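Three of the responsibilities above (no issuance without a permanent record, unalterable logs, and regular audits for unauthorized issuance), together with the System and event logging requirement discussed later in this paper, can be made concrete with a hash-chained issuance log. This is an added example, not code from the paper or from Symantec; the record layout, request ids, subjects and operator names are constructed sample values.

```python
import hashlib
import json
from typing import Optional

# Hash-chained issuance log: each entry commits to the previous entry's hash, so
# altering or deleting any earlier record breaks every link that follows it.
GENESIS_HASH = "0" * 64


def _entry_hash(seq: int, prev_hash: str, record: dict) -> str:
    body = {"seq": seq, "prev_hash": prev_hash, "record": record}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def append_entry(log: list, record: dict) -> dict:
    """Append one record (what, when, who, for which request) to the chained log."""
    prev_hash = log[-1]["entry_hash"] if log else GENESIS_HASH
    seq = len(log)
    entry = {"seq": seq, "prev_hash": prev_hash, "record": record,
             "entry_hash": _entry_hash(seq, prev_hash, record)}
    log.append(entry)
    return entry


def verify_chain(log: list) -> Optional[int]:
    """Return the index of the first entry whose chain link is broken, else None."""
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(log):
        if (entry["seq"] != i or entry["prev_hash"] != prev_hash
                or entry["entry_hash"] != _entry_hash(i, prev_hash, entry["record"])):
            return i
        prev_hash = entry["entry_hash"]
    return None


def audit_issuance(log: list, approved_requests: dict) -> list:
    """Flag 'issue' events with no approved request, or whose subject differs from it."""
    findings = []
    for entry in log:
        rec = entry["record"]
        if rec["event"] != "issue":
            continue
        approved = approved_requests.get(rec["request_id"])
        if approved is None:
            findings.append((entry["seq"], "issued without an approved request"))
        elif approved["subject"] != rec["subject"]:
            findings.append((entry["seq"], "subject differs from the approved request"))
    return findings


def build_sample_log():
    """Constructed sample data: one approved request, one legitimate issuance and one
    issuance that no validated request explains (the pattern an audit must catch)."""
    approved_requests = {
        "REQ-1001": {"subject": "www.example.com", "validated_by": "ra.operator1"},
    }
    log = []
    append_entry(log, {"event": "validate", "request_id": "REQ-1001",
                       "subject": "www.example.com", "time": "2012-03-01T09:12:00Z",
                       "operator": "ra.operator1"})
    append_entry(log, {"event": "issue", "request_id": "REQ-1001",
                       "subject": "www.example.com", "serial": "0x1a2b",
                       "time": "2012-03-01T09:15:00Z", "operator": "ca.operator2"})
    append_entry(log, {"event": "issue", "request_id": "REQ-9999",
                       "subject": "*.example.org", "serial": "0x1a2c",
                       "time": "2012-03-01T02:47:00Z", "operator": "ca.operator2"})
    return log, approved_requests


def run_demo() -> dict:
    log, approved = build_sample_log()
    intact = verify_chain(log)          # None: the log has not been altered
    findings = audit_issuance(log, approved)
    # Simulate an intruder rewriting the rogue entry's subject to look legitimate.
    log[2]["record"]["subject"] = "www.example.com"
    tampered_at = verify_chain(log)     # 2: the rewritten entry no longer matches its hash
    return {"intact": intact, "findings": findings, "tampered_at": tampered_at}


if __name__ == "__main__":
    print(run_demo())
```

In production the chain head would be published or countersigned (for example by the auditor) so that a wholesale rewrite of the log is also detectable, which a bare hash chain alone does not prevent.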

When browser developers feel confident that a CA is living up to these responsibilities, they include that CA's root certificate in the browser's Root CA store. All certificates in a browser's root store are trusted equally.

CA Security Breaches Have Undermined the Public Trust

There is a common misperception that CAs and other businesses in the security space are more secure, but in reality they face the same security challenges as other organizations. The number of commercial CAs has grown quickly in the past decade, from a handful then to hundreds now. Netcraft data indicates that there are nearly 300 CAs in operation today, and according to a report from the Electronic Frontier Foundation's SSL Observatory project, there were at least 650 organizations that function as CAs with roots trusted directly or indirectly by Mozilla or Microsoft Web browsers. Browsers use third-party audits such as WebTrust as one qualification point for admission to the browser root store, but these audits do not get into the details of how CAs operate. In the past, there was no overarching system or authority to govern how CAs operate, or to verify that they can truly provide equal levels of assurance about their security and authentication practices. A number of CA practices had been identified as potentially problematic, but the full extent of these problems only came to light in 2011 after several highly publicized attacks on CAs:

- In March 2011, an attack compromised the access credentials of a Comodo partner in Italy and used the partner's privileges to generate fraudulent SSL certificates.
- In May, it was reported that another Comodo partner was hacked: ComodoBR in Brazil.
- In June, StartCom, the CA operating StartSSL, was attacked unsuccessfully.
- In July, an internal audit discovered an intrusion within DigiNotar's infrastructure indicating compromise of their cryptographic keys. The breach of these keys resulted in the fraudulent issuance of public key certificates for several dozen domains, including the domain Google.com.
- On August 28, 2011, a false DigiNotar wildcard SSL certificate issued for Google was discovered still in the wild.
- In September 2011, the Dutch government and other DigiNotar customers suddenly had to replace all DigiNotar certificates as the major Web browser vendors removed DigiNotar from their trusted root stores. DigiNotar filed for bankruptcy.

6. Netcraft report, May

Figure 1. Timeline of Attacks on CAs in 2011: March, Italian Comodo partner breached; May, Brazilian Comodo partner breached; June, unsuccessful attack on StartSSL; July, discovery of DigiNotar breach; August, fraudulent DigiNotar certificate for Google found in the wild; September, DigiNotar roots removed and the company files for bankruptcy.

CAs Should Not be Granted Equal Trust Without Providing Equal Assurance

Frameworks for assessing the adequacy and effectiveness of the controls employed by Certification Authorities (CAs) have existed since at least the year
However, there have historically been no binding requirements or standards to govern the implementation of rigorous security and identity verification practices by CAs that provide SSL certificates and associated trust services. The events of 2011 are proof-positive that CAs do not all follow the same strict security practices, and do not provide equal levels of assurance. At the same time, all CAs are trusted equally once they have been added to a browser's root list. This fundamental problem of equal trust without equal assurance must be addressed in order to ensure the future of the PKI ecosystem.

Security Is the Bottom Line

Not surprisingly, the 2011 CA breaches sparked a debate as to whether SSL technology and the entire CA industry that distributes it are fundamentally broken. Fortunately, the answer is categorically and unequivocally no. SSL certificates still provide excellent protection against evolving cyber security threats. With the right tools and processes, CAs are fully capable of providing the greatest assurance possible that their certificates and the websites that use them are genuine and safe for online business. But last year we witnessed a variety of bad actors targeting CAs, ranging from recreational hackers to serious cyber terrorists, and we see no indication that these threats will slow down or go away.

Over the next several years, it is critical that CAs develop business strategies and top-down security policies that address the following key needs:

1. Diligent investment in and upkeep of a secure application and network infrastructure
2. Rigorous and consistent authentication and identity validation processes
3. Comprehensive auditing and responsible breach notification practices

Focusing their operational planning efforts around these and other strategic objectives will help CAs make security-conscious decisions and ensure the long-term sustainability of their business models. Browser developers also have an important part to play by being more selective about trusting CA roots, implementing stricter online revocation controls, and insisting that CAs maintain compliance with the CA/Browser Forum Baseline Requirements and other standards that may come out in the future.

Setting a New Baseline for the CA Industry

The CA/Browser Forum is a voluntary organization of Certification Authorities (CAs) and Web browser vendors. The CA/B Forum's mission is to enable secure connections, establish online business identity, and help prevent online fraud. In response to the problem of uneven CA security practices, the CA/Browser Forum has developed a set of Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates that went into effect on July 1. The initiative to develop baseline requirements for all publicly trusted certificates has been ongoing for the better part of two years, and this standard is a first for governing the operation of Certification Authorities (CAs) issuing SSL/TLS digital certificates that are natively trusted in browser software.

Maintaining a Secure IT Infrastructure

Certificate authorities need to invest in infrastructure, which includes deploying up-to-date malware-protection systems, conducting regular third-party audits, running vulnerability assessments to ensure no exploitable holes exist, implementing multiple layers of security, and continuously monitoring the environment so that breaches can be detected as quickly as possible and stopped. Here are some of the many design considerations that CAs must account for:

Segregation of security zones. CA certificate infrastructures should be completely isolated from normal business operations, and certificate systems should be segmented into networks based on the functions those systems perform. Root CA systems should be maintained in a High Security Zone, either in an offline state or air-gapped from all other networks.

Network defense in depth. Emphasize multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection method. This should include the deployment of regularly updated firewalls, as well as gateway antivirus, intrusion detection, intrusion prevention systems, and Web security gateway solutions throughout the network.

Verification practices. CAs should confirm that applicants either have the right to use, or have control of, the Fully-Qualified Domain Name(s) and IP address(es) listed in the Certificate, or have been authorized by a person having such right or control (e.g. under a Principal-Agent or Licensor-Licensee relationship) to obtain a Certificate containing those Fully-Qualified Domain Name(s) and IP address(es).

Personnel security. Prior to the engagement of any person in the Certificate Management Process, whether as an employee, agent, or independent contractor of the CA, the CA should verify the identity and trustworthiness of that person.

Password policies. Weak passwords are a huge risk, and a good CA will apply a strong password policy across its entire data center production infrastructure. Passwords should be changed regularly, at least once every 90 days, and users should not be permitted to reuse their previous 4-5 passwords.

Physical security. Physical security is often overlooked, but it is critically important to protecting network, server and storage equipment, as well as the keys themselves. All network and server equipment should reside in a data center that meets or exceeds the criteria for a Tier 3 (ANSI/TIA-942) facility. Ideally, the most sensitive areas of the certificate infrastructure, such as root private key storage, should be air-gapped as an additional layer of defense to complement logical boundaries. Access to the building should be controlled and limited on an as-needed basis. All key-related activity should take place in an access-controlled area that requires no fewer than three individuals and multiple authentication factors for access, with audio/video monitoring equipment recording all activities.

Secure application development. All systems and applications should be developed in a secure, change-controlled environment and follow a secure development process from system architecture design all the way through QA and security testing. Symantec develops and implements applications in accordance with our systems development and change management policies. All such software, when first loaded, provides a method to verify that the software on the system originated from Symantec, has not been modified prior to installation, and is the version intended for use.

Enforcing Rigorous Identity Validation Practices

In addition to securing their critical information assets, CAs must consistently follow rigorous identity validation practices to ensure that the organizations and individuals they issue certificates to are genuine and safe to do business with.
In accordance with the CA/Browser Forum requirements, CAs should confirm that all applicants currently have the right to use the fully-qualified domain name(s) and IP address(es) listed in their Certificate. CAs should also take care to identify high-risk certificate requests, conduct additional verification activity, and take any additional precautions that are reasonably necessary to ensure that such requests are properly verified under the CA/Browser Forum requirements. When a certificate is issued by the Root CA, an individual authorized by the CA (i.e. the CA system operator, system officer, or PKI administrator) should have to deliberately issue a direct command in order for the Root CA to perform a certificate signing operation.

Verifying the revocation status of existing certificates is another critical activity. CAs should maintain a continuous 24x7 ability to accept and respond to revocation requests and related inquiries. This is not easy to accomplish without a significant investment in a robust and reliable infrastructure that can scale to handle millions of requests each day, with complete, geographically distributed redundancy for backup, high availability, and rapid disaster recovery. In accordance with the Baseline Requirements, CAs must operate and maintain their CRL and OCSP capabilities with resources sufficient to provide a response time of 10 seconds or less under normal operating conditions. If the subscriber certificate is for a high-traffic domain, the CA may rely on OCSP stapling to distribute its OCSP responses. In this case, the CA should ensure that the subscriber staples the OCSP response for the certificate in its TLS handshake.

Demonstrating Compliance with Policies and Regulations

Without properly demonstrating compliance with internal policies and the CA/Browser Forum Requirements, there is no way to determine whether a CA has actually implemented the policies set forth in its Certification Practice Statement (CPS). For this and many other reasons, it is critical that CAs undergo an audit in conformance with WebTrust guidelines or other comparable audit schemes at least once each year. Here are some of the many items that CAs must allow to be audited in order to ensure proper implementation of security policies and controls:

Key ceremony. It is essential that the key ceremony produce an unbroken evidentiary path demonstrating that every aspect of the certificate-generation process occurred in accordance with methods and procedures that comply with SAS-70 standards. The CA must ensure that sufficient evidentiary material is generated to demonstrate in any legal proceeding that proper practices were followed during the ceremony. For this reason, every key ceremony is conducted from a written script. To achieve a high degree of confidence, each ceremony step must be witnessed, documented, and certified.

Monitoring and alerts. It is vital that CAs monitor their networks for intrusions, propagation attempts and other suspicious traffic patterns, and identify attempted connections to known malicious or suspicious hosts.

System and event logging. CAs should record details of the actions taken to process a certificate request and to issue a certificate, including all information generated and documentation received in connection with the certificate request; the time and date; and the personnel involved.
The CA should make these records available to its auditor as proof of compliance with these Requirements.

Vulnerability management. Most software vendors work diligently to patch exploited software vulnerabilities; however, such patches can only be effective if adopted in the field. Be wary of deploying standard corporate images containing older versions of browsers, applications, and browser plug-ins that are outdated and insecure. Wherever possible, automate patch deployment to maintain protection against vulnerabilities across the organization, and work to keep systems as close to the most recently released patch level as possible.

Going Beyond the Baseline Requirements

The importance of establishing a common baseline standard for CA practices cannot be overstated. However, baseline requirements do not address all of the issues relevant to the issuance and management of publicly-trusted certificates, and are intended as the starting point of an ongoing effort to improve security practices. Symantec's core business is information security, and we take the security of our own infrastructure very seriously. Running the world's largest certificate authority, Symantec constantly monitors our networks, both online and offline, in search of threats and vulnerabilities. Symantec has invested in and built what is likely the most robust and scalable certificate authentication, issuance, management and hierarchy infrastructure in the industry. We believe that the security strength of our operations is an important part of the value our customers get when they buy their certificates from us. We are diligent about monitoring our networks and continuously work to ensure that our infrastructure remains the gold standard. Our ability to maintain a strong security posture is based on the definition and enforcement of strong, effective security policies through an ongoing process that revolves around three activities:

1. Policy governance. Security policies should be planned, managed and supported at the highest level of the organization. They should cover every aspect of the digital certificate life cycle and all associated trust services, not just for the CA but also for all partners, affiliates, and subscribers.
2. Policy design. The application and network infrastructure, along with all business processes, should be designed to meet the security audit requirements in support of the CA's policies.
3. Policy implementation. CAs must be able to demonstrate the implementation of rigorous policies and disciplined operation of the CA through monitoring, logging, and third-party audits.

By following this approach, Symantec is able to ensure that its entire organization is aligned around security from the top down, and that the policies it defines are rigorous, detailed, and consistently implemented.

Figure: CA Security Policy Management, the Symantec Approach. Governance: Security First. Design: Physical, Logical, Network. Implementation: Relentless Discipline.

CAs should also hold their partners and affiliates accountable for adhering to the same standards and audit requirements, as demonstrated by the March 2011 attack that compromised the access credentials of a Comodo partner in Italy.

Governance

The CA/Browser Forum Baseline Requirements state that all CAs must develop, implement, enforce, and annually update a Certificate Policy and/or Certification Practice Statement that describes in detail how the CA implements the latest version of these Requirements, and that CAs must publish the document and commit to comply with it. At Symantec, we take our responsibility as a CA very seriously, and decisions about security or authentication cannot be made by individuals, or for business convenience. Symantec's Certificate Policy and Certification Practices Statement (CPS), which delineates the practices underlying the Symantec Trust Network public CA services, is an extremely detailed and comprehensive document and is used internationally as a foundation for PKI practices.

The problem with many CP or CPS documents published by other CAs is that they are vague and lack detail, making them very open to interpretation and not a strong model for defining and maintaining strict security policies. Granularity and detail are critically important in the context of policy creation. It is one thing to define a policy that states "the CA must have a disaster recovery system in place" and another thing altogether to define specific operational goals for that system, such as time-to-recovery targets.

Separation of duties is another important principle to follow. At Symantec, a cross-functional policy working group, with a voting member structure comprised of individuals from separate departments who do not report up to the same chain of management, must approve all changes to the Symantec CP, CPS, design, and implementation.
Symantec has implemented technical and procedural mechanisms that require the participation of multiple trusted individuals to perform sensitive CA cryptographic operations. Symantec uses Secret Sharing to split the activation data needed to make use of a CA private key into separate parts called Secret Shares, which are held by trained and trusted individuals called Shareholders. A threshold number of Secret Shares (m) out of the total number of Secret Shares created and distributed for a particular hardware cryptographic module (n) is required to activate a CA private key stored on the module.

Design

The physical construction of our Operations Center is comparable to Government-grade protection of military and intelligence services communications. Our operations use a tiered approach to our physical environment, comprised of 5 tiers with increasing levels of security. Individuals are granted selective access to tiers on a need-to-know basis only. The highest tiers require two or more authorized people to enter or remain. Video monitoring is employed throughout our Operations Center. In addition, we use a layered approach to our security architecture that isolates sensitive signing servers and certificate databases from business operations. This architecture provides defense in depth, as an intruder must pass through or compromise multiple firewalls and air gaps just to reach the back-end infrastructure.

Implementation

Implementing a secure design based on robust policies requires a high degree of skill, experience, and discipline. CAs must regularly have their systems tested and audited to ensure ongoing compliance with internal policies and external requirements. Symantec's rigorous security and authentication practices, audited annually by KPMG, set a very high standard in the reputation qualification measures used to establish online business credibility. We actively monitor our systems for any signs of intrusion on a non-stop basis. Every component of our infrastructure is monitored for security compromises or attempted security compromises. In the event of a detected compromise, our monitoring system notifies the appropriate personnel for action. Notification is by multiple methods, such as alerts, pager alerts, and console monitoring.

Logs are generated for routers, firewalls and network machines; database activities and events; transactions; operating systems; access control systems; and mail servers. These logs are archived and retained in a secure location for a minimum of 12 months. We also log all key life cycle management events, certificate life cycle management events, and security-related events such as firewall activity and facility visitor entries.

To ensure constant vigilance over security in the environment, we constantly perform assessments. Daily vulnerability scans and audits are performed to ensure that adequate security measures are in place. The vulnerability scans are performed by trained individuals who understand the impact of findings as well as how to assess the results. These scans are performed both internal and external to the network. Any finding of sufficient severity is remediated within 24 hours. We also regularly perform penetration tests: a series of exercises performed from outside the system to determine if there are any exploitable openings or vulnerabilities in the network. In particular, these tests use the known techniques and attacks of hackers to verify that the network is safe from unauthorized penetration. We employ an independent third party to conduct penetration tests on our network.
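The m-of-n Secret Sharing described under Governance, where any m of the n Shareholders can reconstruct the activation data for a CA private key but fewer cannot, can be illustrated with Shamir's scheme over a prime field. This is an added example, not Symantec's implementation or any HSM vendor's; the activation passphrase and the 3-of-5 threshold are constructed sample values.

```python
import secrets
from typing import List, Tuple

# Arithmetic is done in GF(P); P = 2**521 - 1 is a Mersenne prime, so any activation
# secret of up to 64 bytes encodes as an integer below it.
P = 2 ** 521 - 1


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate a polynomial (constant term first) at x using Horner's rule, mod P."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % P
    return result


def split_secret(secret: bytes, m: int, n: int) -> List[Tuple[int, int]]:
    """Split activation data into n Secret Shares; any m of them reconstruct it."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    if len(secret) > 64:
        raise ValueError("secret too large for the field")
    s = int.from_bytes(secret, "big")
    # The secret is the constant term; the other m-1 coefficients are random,
    # so the polynomial has degree m-1 and m points are needed to pin it down.
    coeffs = [s] + [secrets.randbelow(P) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares: List[Tuple[int, int]], m: int, secret_len: int) -> bytes:
    """Reconstruct the secret from at least m distinct shares (Lagrange interpolation at x=0)."""
    points = {}
    for x, y in shares:
        points.setdefault(x, y)          # ignore a share presented twice
    if len(points) < m:
        raise ValueError(f"threshold not met: {m} distinct shares required")
    pts = list(points.items())[:m]
    s = 0
    for i, (xi, yi) in enumerate(pts):
        num, den = 1, 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        s = (s + yi * num * pow(den, -1, P)) % P
    return s.to_bytes(secret_len, "big")


def demo() -> bool:
    """Constructed activation secret, split 3-of-5 among five Shareholders."""
    activation = b"hsm-activation-passphrase-example"   # constructed sample value
    shares = split_secret(activation, m=3, n=5)
    # Any three Shareholders present can activate the key ...
    ok = recover_secret([shares[0], shares[2], shares[4]], 3, len(activation)) == activation
    # ... but two cannot: the function refuses, and mathematically two points of a
    # degree-2 polynomial are consistent with every possible constant term.
    try:
        recover_secret(shares[:2], 3, len(activation))
        return False
    except ValueError:
        return ok


if __name__ == "__main__":
    print("3-of-5 activation works, 2-of-5 refused:", demo())
```

Real HSMs do the reconstruction inside the module so the activation data never exists in host memory; the arithmetic above is the same, the trust boundary is not.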

Conclusion

The security breaches of 2011 demonstrated that not all CAs are created equal, and that we have to raise the bar and do the right thing to ensure the long-term sustainability of the CA industry and to protect the trust model that the Internet relies on every single day. No security infrastructure is immune to breaches, but CAs must be willing to invest in infrastructure and commit to making security their first priority.

At Symantec, protecting against online threats isn't just a business. It is our mission. Symantec secures more than one million Web servers worldwide, more than any other Certificate Authority. 75 percent of the 500 largest e-commerce sites in North America, and 93 of the 100 largest financial institutions worldwide, use SSL Certificates sold by Symantec (including all subsidiaries, affiliates, and resellers). These organizations trust Symantec because of our unwavering commitment to security. At Symantec, we strongly believe that security by convenience is no security at all. Developing and maintaining a strong security posture is not easy, and it's not convenient for our employees. It also takes time and experience; you can't build a global trust model overnight. But in times like these, it's good to know that this policy remains good practice.

The threat landscape is rapidly evolving as CAs come under increasing pressure from external attacks. Now, more than ever, it is critical to partner with a CA vendor that has network infrastructure security measures in place to defend itself, and your data, from emerging cyber-threats. Symantec is the world's largest data security company and the CA best suited to ensure the highest level of root protection and encryption of data in transit.

More Information

Visit our website. To speak with a Product Specialist in the U.S., call 1 (866) or 1 (650). To speak with a Product Specialist outside the U.S., please visit our website for specific country offices and contact numbers.

About Symantec

Symantec is a global leader in providing security, storage, and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored.

Symantec World Headquarters, 350 Ellis Street, Mountain View, CA, USA. 1 (800)

Copyright 2012 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, BindView, Enterprise Security Manager, Sygate, Veritas, Enterprise Vault, NetBackup and LiveState are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. UID:125/7/2012


More information

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

More information

North American Electric Reliability Corporation (NERC) Cyber Security Standard

North American Electric Reliability Corporation (NERC) Cyber Security Standard North American Electric Reliability Corporation (NERC) Cyber Security Standard Symantec Managed Security Services Support for CIP Compliance Overviewview The North American Electric Reliability Corporation

More information

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information

Cybersecurity Report on Small Business: Study Shows Gap between Needs and Actions

Cybersecurity Report on Small Business: Study Shows Gap between Needs and Actions SURVEY REPORT: cyber security Cybersecurity Report on Small Business: Study Shows Gap between Needs and Actions Confidence in a connected world. Executive summary An online survey revealed that while U.S.

More information

Cisco Advanced Services for Network Security

Cisco Advanced Services for Network Security Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs

More information

Licensing Symantec Certificates

Licensing Symantec Certificates WHITE PAPER: LICENSING SYMANTEC CERTIFICATES White Paper Licensing Symantec Certificates Securing Multiple Web Server and Domain Configurations Licensing Symantec Certificates Securing Multiple Web Server

More information

Five keys to a more secure data environment

Five keys to a more secure data environment Five keys to a more secure data environment A holistic approach to data infrastructure security Compliance professionals know better than anyone how compromised data can lead to financial and reputational

More information

How Extended Validation SSL Brings Confidence to Online Sales and Transactions

How Extended Validation SSL Brings Confidence to Online Sales and Transactions WHITE PAPER: HOW EXTENDED VALIDATION SSL BRINGS CONFIDENCE TO ONLINE SALES AND TRANSACTIONS White Paper How Extended Validation SSL Brings Confidence to Online Sales and Transactions How Extended Validation

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

Simplify SSL Certificate Management Across the Enterprise

Simplify SSL Certificate Management Across the Enterprise WHITE PAPER White Paper Simplify SSL Certificate Management Across the Enterprise Simplify SSL Certificate Management Across the Enterprise Contents introduction 1 A Platform for Single-Point Control and

More information

Reducing the Cost and Complexity of Web Vulnerability Management

Reducing the Cost and Complexity of Web Vulnerability Management WHITE PAPER: REDUCING THE COST AND COMPLEXITY OF WEB..... VULNERABILITY.............. MANAGEMENT..................... Reducing the Cost and Complexity of Web Vulnerability Management Who should read this

More information

White paper. How to choose a Certificate Authority for safer web security

White paper. How to choose a Certificate Authority for safer web security White paper How to choose a Certificate Authority for safer web security Executive summary Trust is the cornerstone of the web. Without it, no website or online service can succeed in the competitive online

More information

ALTERNATIVES TO CERTIFICATION AUTHORITIES FOR A SECURE WEB

ALTERNATIVES TO CERTIFICATION AUTHORITIES FOR A SECURE WEB ALTERNATIVES TO CERTIFICATION AUTHORITIES FOR A SECURE WEB Scott Rea DigiCert, Inc. Session ID: SEC-T02 Session Classification: Intermediate BACKGROUND: WHAT IS A CERTIFICATION AUTHORITY? What is a certification

More information

Based on: CA/Browser Forum. Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates Version 1.1.

Based on: CA/Browser Forum. Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates Version 1.1. WebTrust SM/TM for Certification Authorities WebTrust Principles and Criteria for Certification Authorities SSL Baseline with Network Security Version 2.0 Based on: CA/Browser Forum Baseline Requirements

More information

Security Issues in Cloud Computing

Security Issues in Cloud Computing Security Issues in Computing CSCI 454/554 Computing w Definition based on NIST: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources

More information

Wildcard and SAN: Understanding multi-use SSL Certificates

Wildcard and SAN: Understanding multi-use SSL Certificates WHITE PAPER: WILDCARD AND SAN: UNDERSTANDING MULTI-USE SSL CERTIFICATES White paper Wildcard and SAN: Understanding multi-use SSL Certificates Leveraging multi-use digital certificates to simplify certificate

More information

Independent Accountants Report

Independent Accountants Report KPMG LLP 1601 Market Street Philadelphia, PA 19103-2499 Independent Accountants Report To the Management of Unisys Corporation: We have examined the assertion by the management of Unisys Corporation (

More information

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control

More information

2012 Endpoint Security Best Practices Survey

2012 Endpoint Security Best Practices Survey WHITE PAPER: 2012 ENDPOINT SECURITY BEST PRACTICES SURVEY........................................ 2012 Endpoint Security Best Practices Survey Who should read this paper Small and medium business owners

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

Securing Microsoft Exchange 2010 with Symantec SSL Certificates

Securing Microsoft Exchange 2010 with Symantec SSL Certificates BUSINESS GUIDE: SECURING MICROSOFT EXCHANGE 2010 WITH SYMANTEC SSL CERTIFICATES Symantec Business Guide Securing Microsoft Exchange 2010 with Symantec SSL Certificates Best Practices for Securing Your

More information

WEBTRUST FOR CERTIFICATION AUTHORITIES SSL BASELINE REQUIREMENTS AUDIT CRITERIA V.1.1 [Amended 1 ] CA/BROWSER FORUM

WEBTRUST FOR CERTIFICATION AUTHORITIES SSL BASELINE REQUIREMENTS AUDIT CRITERIA V.1.1 [Amended 1 ] CA/BROWSER FORUM WEBTRUST FOR CERTIFICATION AUTHORITIES SSL BASELINE REQUIREMENTS AUDIT CRITERIA V.1.1 [Amended 1 ] BASED ON: CA/BROWSER FORUM BASELINE REQUIREMENTS FOR THE ISSUANCE AND MANAGEMENT OF PUBLICLY-TRUSTED CERTIFICATES,

More information

Business Continuity and Breach Protection: Why SSL Certificate Management Is Critical to Today s Enterprise

Business Continuity and Breach Protection: Why SSL Certificate Management Is Critical to Today s Enterprise Business Continuity and Breach Protection: Why SSL Certificate Management Is Critical to Today s Enterprise White Paper Business Continuity and Breach Protection: Why SSL Certificate Management Is Critical

More information

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global

More information

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs IBM Global Technology Services Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs Achieving a secure government

More information

White Paper. Business Continuity and Breach Protection: Why SSL Certificate Management is Critical to Today s Enterprise

White Paper. Business Continuity and Breach Protection: Why SSL Certificate Management is Critical to Today s Enterprise WHITE PAPER: BUSINESS CONTINUITY AND BREACH PROTECTION White Paper Business Continuity and Breach Protection: Why SSL Certificate Management is Critical to Today s Enterprise Business Continuity and Breach

More information

Securing Microsoft Exchange 2010 With VeriSign Authentication Services

Securing Microsoft Exchange 2010 With VeriSign Authentication Services BUSINESS GUIDE: SECURING MICROSOFT EXCHANGE 2010 WITH VERISIGN AUTHENTICATION SERVICES Symantec Business Guide Securing Microsoft Exchange 2010 With VeriSign Authentication Services Best Practices for

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

Seven Things To Consider When Evaluating Privileged Account Security Solutions

Seven Things To Consider When Evaluating Privileged Account Security Solutions Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents Introduction 1 Seven questions to ask every privileged account security provider 4 1. Is the solution really secure?

More information

NIST ITL July 2012 CA Compromise

NIST ITL July 2012 CA Compromise NIST ITL July 2012 CA Compromise Prepared for: Intelligent People paul.turner@venafi.com 1 NIST ITL Bulletin on CA Compromise http://csrc.nist.gov/publications/nistbul/july-2012_itl-bulletin.pdf These

More information

Cybersecurity and internal audit. August 15, 2014

Cybersecurity and internal audit. August 15, 2014 Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices

More information

Xerox Litigation Services. In the Cybersecurity Hot Seat: How Law Firms are Optimizing Security While Reducing Cost and Risk

Xerox Litigation Services. In the Cybersecurity Hot Seat: How Law Firms are Optimizing Security While Reducing Cost and Risk Xerox Litigation Services In the Cybersecurity Hot Seat: How Law Firms are Optimizing Security While Reducing Cost and Risk Your Highest Priority is also Your Greatest Challenge Data breaches are not just

More information

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2. ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework

More information

March 2012 www.tufin.com

March 2012 www.tufin.com SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...

More information

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808 cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

More information

Choosing a Cloud Hosting Provider with Confidence

Choosing a Cloud Hosting Provider with Confidence WHITE PAPER: CHOOSING A CLOUD HOSTING PROVIDER WITH CONFIDENCE White Paper Choosing a Cloud Hosting Provider with Confidence Symantec SSL Certificates Provide a Secure Bridge to Trusted Cloud Hosting Providers

More information

Solution Brief: Enterprise Security

Solution Brief: Enterprise Security Symantec Brightmail Gateway and VMware Solution Brief: Enterprise Security Symantec Brightmail Gateway and VMware Contents Corporate overview......................................................................................

More information

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 sm Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 Legal Notice This Open Data Center Alliance SM Usage:Provider Assurance is proprietary to the Open Data Center Alliance, Inc. NOTICE TO USERS

More information

Technology Blueprint. Protect Your Email Servers. Guard the data and availability that enable business-critical communications

Technology Blueprint. Protect Your Email Servers. Guard the data and availability that enable business-critical communications Technology Blueprint Protect Your Email Servers Guard the data and availability that enable business-critical communications LEVEL 1 2 3 4 5 SECURITY CONNECTED REFERENCE ARCHITECTURE LEVEL 1 2 4 5 3 Security

More information

White Paper: Consensus Audit Guidelines and Symantec RAS

White Paper: Consensus Audit Guidelines and Symantec RAS Addressing the Consensus Audit Guidelines (CAG) with the Symantec Risk Automation Suite (RAS) White Paper: Consensus Audit Guidelines and Symantec RAS Addressing the Consensus Audit Guidelines (CAG) with

More information

S E C U R I T Y A S S E S S M E N T : B o m g a r B o x T M. Bomgar. Product Penetration Test. September 2010

S E C U R I T Y A S S E S S M E N T : B o m g a r B o x T M. Bomgar. Product Penetration Test. September 2010 S E C U R I T Y A S S E S S M E N T : B o m g a r B o x T M Bomgar Product Penetration Test September 2010 Table of Contents Introduction... 1 Executive Summary... 1 Bomgar Application Environment Overview...

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013 CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control

More information

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND Introduction > New security threats are emerging all the time, from new forms of malware and web application exploits that target

More information

Gain a New Level of Trust with Extended Validation SSL Certificates

Gain a New Level of Trust with Extended Validation SSL Certificates Gain a New Level of Trust with Extended Validation SSL Certificates Higher Standard for SSL Certificates Malicious Internet activities such as phishing and pharming have victimized millions of people.

More information

White paper. Implications of digital certificates on trusted e-business.

White paper. Implications of digital certificates on trusted e-business. White paper Implications of digital certificates on trusted e-business. Abstract: To remain ahead of e-business competition, companies must first transform traditional business processes using security

More information

Securing Your Software for the Mobile Application Market

Securing Your Software for the Mobile Application Market WHITE PAPER: SECURING YOUR SOFTWARE FOR THE MOBILE APPLICATION MARKET White Paper Securing Your Software for the Mobile Application Market The Latest Code Signing Technology Securing Your Software for

More information

Autodesk PLM 360 Security Whitepaper

Autodesk PLM 360 Security Whitepaper Autodesk PLM 360 Autodesk PLM 360 Security Whitepaper May 1, 2015 trust.autodesk.com Contents Introduction... 1 Document Purpose... 1 Cloud Operations... 1 High Availability... 1 Physical Infrastructure

More information

KEY STEPS FOLLOWING A DATA BREACH

KEY STEPS FOLLOWING A DATA BREACH KEY STEPS FOLLOWING A DATA BREACH Introduction This document provides key recommended steps to be taken following the discovery of a data breach. The document does not constitute an exhaustive guideline,

More information

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015 NETWORK ACCESS CONTROL AND CLOUD SECURITY Tran Song Dat Phuc SeoulTech 2015 Table of Contents Network Access Control (NAC) Network Access Enforcement Methods Extensible Authentication Protocol IEEE 802.1X

More information

Privilege Gone Wild: The State of Privileged Account Management in 2015

Privilege Gone Wild: The State of Privileged Account Management in 2015 Privilege Gone Wild: The State of Privileged Account Management in 2015 March 2015 1 Table of Contents... 4 Survey Results... 5 1. Risk is Recognized, and Control is Viewed as a Cross-Functional Need...

More information

White Paper. Simplify SSL Certificate Management Across the Enterprise

White Paper. Simplify SSL Certificate Management Across the Enterprise WHITE PAPER: SIMPLIFY SSL CERTIFICATE MANAGEMENT ACROSS THE ENTERPRISE White Paper Simplify SSL Certificate Management Across the Enterprise Simplify SSL Certificate Management Across the Enterprise Contents

More information

Media Shuttle s Defense-in- Depth Security Strategy

Media Shuttle s Defense-in- Depth Security Strategy Media Shuttle s Defense-in- Depth Security Strategy Introduction When you are in the midst of the creative flow and tedious editorial process of a big project, the security of your files as they pass among

More information

Protecting Your Name on the Internet The Business Benefits of Extended Validation SSL Certificates

Protecting Your Name on the Internet The Business Benefits of Extended Validation SSL Certificates Protecting Your Name on the Internet The Business Benefits of Extended Validation SSL Certificates 2008 Copyright Godaddy. All rights Reserved Page 1 Contents 1. Where We Are Now...3 2. How SSL Certificates

More information

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) Addressing the PCI DSS with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com

More information

Privilege Gone Wild: The State of Privileged Account Management in 2015

Privilege Gone Wild: The State of Privileged Account Management in 2015 Privilege Gone Wild: The State of Privileged Account Management in 2015 March 2015 1 Table of Contents... 4 Survey Results... 5 1. Risk is Recognized, and Control is Viewed as a Cross-Functional Need...

More information

White Paper. Enhancing Website Security with Algorithm Agility

White Paper. Enhancing Website Security with Algorithm Agility ENHANCING WEBSITE SECURITY WITH ALGORITHM AGILITY White Paper Enhancing Website Security with Algorithm Agility Enhancing Website Security with Algorithm Agility Contents Introduction 3 Encryption Today

More information

Integrated Threat & Security Management.

Integrated Threat & Security Management. Integrated Threat & Security Management. SOLUTION OVERVIEW Vulnerability Assessment for Web Applications Fully Automated Web Crawling and Reporting Minimal Website Training or Learning Required Most Accurate

More information

How To Monitor Your Entire It Environment

How To Monitor Your Entire It Environment Preparing for FISMA 2.0 and Continuous Monitoring Requirements Symantec's Continuous Monitoring Solution White Paper: Preparing for FISMA 2.0 and Continuous Monitoring Requirements Contents Introduction............................................................................................

More information

Seven Key Issues to Consider Before Selecting a Cloud Hosting Provider

Seven Key Issues to Consider Before Selecting a Cloud Hosting Provider WHITE PAPER: CHOOSING A CLOUD HOSTING PROVIDER WITH CONFIDENCE WHITE PAPER CHOOSING A CLOUD HOSTING PROVIDER WITH CONFIDENCE VERISIGN SSL CERTIFICATES PROVIDE A SECURE BRIDGE TO TRUSTED CLOUD HOSTING PROVIDERS

More information

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team Symantec Cyber Threat Analysis Program Symantec Cyber Threat Analysis Program Team White Paper: Symantec Security Intelligence Services Symantec Cyber Threat Analysis Program Contents Overview...............................................................................................

More information

ETSI TR 103 123 V1.1.1 (2012-11)

ETSI TR 103 123 V1.1.1 (2012-11) TR 103 123 V1.1.1 (2012-11) Technical Report Electronic Signatures and Infrastructures (ESI); Guidance for Auditors and CSPs on TS 102 042 for Issuing Publicly-Trusted TLS/SSL Certificates 2 TR 103 123

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

Complete Website Security

Complete Website Security Symantec TM Complete Website Security Symantec is the world s leading provider of Internet trust, authentication and security solutions. Symantec TM Complete Website Security offers you SSL management

More information

Advanced Service Desk Security

Advanced Service Desk Security Advanced Service Desk Security Robust end-to-end security measures have been built into the GoToAssist Service Desk architecture to ensure the privacy and integrity of all data. gotoassist.com Many service

More information

Does your Citrix or Terminal Server environment have an Achilles heel?

Does your Citrix or Terminal Server environment have an Achilles heel? CRYPTZONE WHITE PAPER Does your Citrix or Terminal Server environment have an Achilles heel? Moving away from IP-centric to role-based access controls to secure Citrix and Terminal Server user access cryptzone.com

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

1 Introduction... 2 2 Product Description... 3 3 Strengths and Challenges... 5 4 Copyright... 5

1 Introduction... 2 2 Product Description... 3 3 Strengths and Challenges... 5 4 Copyright... 5 KuppingerCole Report EXECUTIVE VIEW by Alexei Balaganski May 2015 is a business-critical application security solution for SAP environments. It provides a context-aware, secure and cloud-ready platform

More information

Achieving PCI Compliance Using F5 Products

Achieving PCI Compliance Using F5 Products Achieving PCI Compliance Using F5 Products Overview In April 2000, Visa launched its Cardholder Information Security Program (CISP) -- a set of mandates designed to protect its cardholders from identity

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must

More information

Passing PCI Compliance How to Address the Application Security Mandates

Passing PCI Compliance How to Address the Application Security Mandates Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These

More information

Attachment A. Identification of Risks/Cybersecurity Governance

Attachment A. Identification of Risks/Cybersecurity Governance Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

WEBTRUST FOR CERTIFICATION AUTHORITIES EXTENDED VALIDATION AUDIT CRITERIA Version 1.4 [Amended 1 ] CA/BROWSER FORUM

WEBTRUST FOR CERTIFICATION AUTHORITIES EXTENDED VALIDATION AUDIT CRITERIA Version 1.4 [Amended 1 ] CA/BROWSER FORUM WEBTRUST FOR CERTIFICATION AUTHORITIES EXTENDED VALIDATION AUDIT CRITERIA Version 1.4 [Amended 1 ] BASED ON: CA/BROWSER FORUM GUIDELINES FOR THE ISSUANCE AND MANAGEMENT OF EXTENDED VALIDATION CERTIFICATES

More information

SECURITY OVERVIEW FOR MY.ENDNOTE.COM. In line with commercial industry standards, Thomson Reuters employs a dedicated security team to protect our
