Keeping Private Keys Secure & Non-Exportable, But Easily Accessible
Public key cryptography can be found everywhere in enterprises today. It secures data in transit (TLS), authenticates users to remote servers (SSH & VPN), protects data at rest (TDE), ensures the authenticity of software (code signing), safeguards email (S/MIME and PGP), and more.
While there is no doubt that asymmetric cryptography plays a vital role in the enterprise workplace, it also presents several major challenges. In particular, InfoSec leaders must manage and secure private keys, without sacrificing performance or usability. With hundreds or even thousands of clients requiring signing access to private keys, this is no easy task.
Challenges With Private Key Protection
Arguably, the most critical aspect of any PKI system is the security placed on its private keys. The consequences of failing to protect the keys range from bad to downright catastrophic. While one could simply lock the private keys away in a secure offline box, this would make it difficult to use those keys in any meaningful way.
Indeed, this is a problem facing most organizations today. How can you balance the security and efficient use of the enterprise private keys? How do you make the private keys available to all of the clients that need signing access, while ensuring that the keys are never exposed? The primary challenge of InfoSec leaders across various industries is to achieve an optimal balance of security, performance, and usability.
Private Key Protection: Software vs. HSM
Private key protection mechanisms generally come in two flavors: hardware and software-only.
Software-Based Private Key Protection
Software-only protection mechanisms store the keys in a file or system registry, often protected by password and stored in a particular format (e.g. PKCS12). Software keys are exportable and the raw key bytes are usually directly consumed by other tools or the operating system those tools run on. This offers some benefits, such as faster signing and simplicity of use for both administrators and signing clients, but these advantages come with the major drawbacks of weakened security and a lack of centralized management.
Hardware Security Modules (HSM)
Hardware protection is typically achieved via Hardware Security Modules (HSM), with the sensitive keys usually never leaving the protected hardware (in plaintext format). From a security perspective, hardware protection is the preferred approach. However, due to a limited number of HSM integrations and other challenges, companies have had performance and usability challenges when trying to deploy HSMs for enterprise-wide applications. It is not uncommon to see an HSM used for some applications like code signing, while a software-based solution is used for other use cases like SSH and S/MIME.
The ideal scenario is to keep all private keys securely stored within your HSM, while giving all signing clients proxy access to the private keys without hampering the speed of signing or ease of use. This is made possible with a remote digital signature platform like GaraSign.
Solution: A Remote Digital Signature Platform
At Garantir, we envision a different world— one where all private keys remain non-exportable in the corporate HSMs and users only get proxied access to those keys.
Our solution, GaraSign, was carefully designed to balance security, performance, and ease of use.
By restricting clients to proxied access to private keys, GaraSign ensures your keys remain secure in your HSMs. GaraSign is compatible with multiple HSM and key-manager vendors, whether on-premise or in the cloud, and can even work with several HSMs from different vendors simultaneously. This provides flexibility for large enterprises while maintaining maximum security.
With client-side hashing, GaraSign limits the amount of data sent over the network for signing, ensuring optimal performance. Local hashing accelerates the digital signature process across all use cases, including code signing, SSH, S/MIME, TLS, and more.
Lastly, GaraSign is easy to use for both administrators and clients. With dozens of client-side integrations, including Microsoft, MacOS, Java, and GPG, GaraSign is easily placed directly into any enterprise environment. In addition, GaraSign is built at the primitive-level, so it can provide proxied key access for all digital signature applications.
While some HSMs have complex client software that would be painful to put on everyone's computer in the enterprise, GaraSign’s architecture avoids this requirement altogether. Since the GaraSign proxy sits between the client and the HSM, the client software only needs to be installed on the proxy, as opposed to thousands of end users machines.
If you’re ready to learn more about how GaraSign can fit into your environment, contact us today.