September 17, 2021
PrimeKey Tech Days: From the Foundations of PKI to Post-Quantum Encryption
Our field, applied cryptography, is beneficial to society, government, and private enterprises alike. The technologies that we deliver as an industry are omnipresent – from organizations large and small, across the internet and into our homes. It was with the intention of showing many aspects of where and how some leading practitioners and industry leaders make new advances that we brought an all-star lineup to PrimeKey Tech Days 2021. If you happened to miss it live, registration will be open until EOB today and the content will be available until the end of September 2021. On the day of the live broadcast event, we had more than 600 people – thank you all for your time and participation in discussions. We hope to see you next year live in Stockholm!
Hardcore crypto and ways to master it
We kicked off our PrimeKey Tech Days with a presentation by David Hook, a founder of the Bouncy Castle Project. For those of you that don’t know, the Bouncy Castle Project is an open-source cryptographic API that has been in development for more than 20 years. This API, “the BC” as we call it, serves as the security foundation in many modern applications, including our own EJBCA. David gave us an update on where we are with quantum safe cryptographic algorithms, in the context of Bouncy Castle, as well as some recent developments of this rich API.
If you are a science fiction fan like I am, you might understand how I consider David Hook to be a Jedi master of cryptography. For those in attendance, David also led a two-hour workshop focused on PKI at the edge. It was sort of like Obi-Wan Kenobi and young Luke Skywalker (played by our Bastian Fredriksson) showing us how to harness the power of The Force, if you will indulge my allegory. In this well-documented self-study workshop, David and Bastian demonstrated how to use the Bouncy Castle PKI APIs to generate certification requests and certificates, and how even system administrators or integrators without much programming experience can make use of the Kotlin scripting language for key generation, certification, and storage. They also discussed quite a few standards, algorithms, and protocols that are important when implementing your own PKI-at-the-edge product.
There is also a second workshop available – “EJBCA DevSecOps with Ansible”, where our colleagues Sven Rajala and Alfredo Neira shared their experiences from deploying EJBCA in an automated fashion. Why is this important? Well, following best practices, you want to deploy and integrate EJBCA with other technologies and be able to test in, say, a pre-prod or test & development environment prior to going to prod. Furthermore, you would want to make this a repeatable and automated process. Not only can we save tons and tons of time this way, but it also helps us avoid unintentional human omissions. The approach taken here uses Ansible. Sven and Alfredo walk through playbooks that you can reuse in your own environments.
Industrial IoT Security is Critical
We see an uptake in demand for robust implementations of IoT edge products, for instance for industrial IoT and operational technology (OT) environments. These have become hot-button issues for critical infrastructure protection. For example, industrial IoT and OT environments are often air-gapped – so how can you enforce security controls when they are offline? There are many questions and few good answers when it comes to making everything work all the time while keeping it safe and secure. In that context of critical infrastructure protection, I would like to bring your attention to presentations from speakers at Siemens Energy and achelos, who are both experts in this field.
First, Prashanth AC, a product and solutions security expert at Siemens, discussed how digital transformation trends have reached critical infrastructure. IoT devices can serve as a pivot point into OT environments. This IT-OT convergence is a challenge. One industry standard, ISA/IEC 62443, provides a path for organizations and security professionals to address availability, integrity, confidentiality, safety, and reliability across the dimensions of people, process, and technology. In fact, IEC 62443 specifically mentions PKI. For what it is worth, I think that Prashanth’s presentation is a compendium of the multitude of standards and technologies we need to be at least familiar with in order to tackle IIoT.
Dr. Michael Jahnich, a director of business development at achelos, continued this discussion of PKI and the importance of certified cybersecurity. Industrial PKIs have become an essential building block to connect industrial devices and machines. Michael and his colleagues are experts who can help organizations realize their Industry 4.0 strategy. They have a proven track record and they know what will work today and what will need careful consideration and planning – since many (read – all!) times, we do not have the luxury of “upgrading” on a test system – a manufacturer seldom has a “test factory” spare for us to test and debug. 😉
The Post-Quantum Promise Requires a Longview
It is important that organizations focus on PKI for industrial IoT and OT environments now, because many manufacturing devices have a lifespan of 10 or even 20 years, yet their owners want to bring their businesses into “Industry 4.0” or transform their business processes. At the same time, there are estimates that within this decade quantum computers may advance far enough to break current crypto. If that happens, all those transformations may go badly south. Further, “quantum safe” algorithms, when compared to the classical crypto algorithms, will require more resources – be it more memory, more computing power, or more latency.
Speakers from D-Trust, a qualified trust service provider, and Thales both shared their perspective on this topic. Speaking for Thales, Marko Bobinac suggested that organizations may not need to rip-and-replace their existing approach, advocating on behalf of the crypto-agile devices that many organizations already have in place today. I really appreciate that Thales, being an HSM vendor, says “don’t panic” instead of scaring us into a buying spree. Marko advocates for a sensible approach, while helping us plan for the future.
Dr. Kim Nguyen, a managing director at D-Trust, and his colleague Dr. Klaus-Dieter Wirth gave a very interesting take on how to handle quantum algorithms in practice. As you may know, there are currently more than a half-dozen post-quantum algorithms in the NIST competition, each with its own trade-offs. D-Trust contends that we will see the co-existence of these algorithms with the classical ones. Their proposed concept, Intelligent Composed Algorithms (ICAs), could be used to combine multiple algorithms into something stronger and more agile. A key benefit of ICAs is that they do not require modifying well-known standards, such as X.509, RFC 5280, RFC 6960, RFC 2986, RFC 4210, and RFC 5652. An excellent idea, in my humble opinion, coming from a team who are experts in crypto and have broad experience in running trust infrastructure, so their insights cover both theory and practice.
Everything “else” – but just as important
Speaking of standards, another one of the most important presentations was delivered by Dimitris Zacharopoulos, PKI Manager of HARICA, the Hellenic Academic and Research Institutions Certification Authority. Dimitris is the former CA/Browser Forum Chair, but he is of course still very much involved in and informed about what the CAB Forum is doing. Dimitris touched on the latest news from the Code Signing working group, refreshed us on S/MIME certificate profiles, then gave an update on QWACs (Qualified Web-Authentication Certificates) and what might be coming with eIDAS 2.0. Dimitris brought up the important role auditors have – they are a “necessary pain” (my quote) for almost any certified deployment. For many years, you could find a good, knowledgeable auditor only by word of mouth. Now there is the ACAB-C (Accredited Conformity Assessment Bodies – Council). Not only are there set baselines for the work, there is now more structure and common ways to interpret standards… a bunch of needed stuff. Finally, we got a short update on the PKI Consortium, of which PrimeKey is also a member.
When things get deployed at cloud scale, certain “minor” things get magnified. Rashmi Jha, Principal Program Manager at Microsoft, has the expertise and unique experience to talk about things that, when magnified, can, frankly speaking, escalate into a spectacular failure to serve the customer. What struck me about Rashmi’s presentation is that in some sense she is also helping us think differently from traditional on-site architectures, primarily those designed with a set capacity and set performance objectives. That way of thinking is valid in many circumstances, of course, but I think it will be more and more delegated to IoT or other “edge” cases, while engineers will need to architect products to deliver an “en masse” user experience. Further, Rashmi’s reasoning extends also to standards – something might be a wonderful idea in a relatively constrained context, only to turn into a major headache when rolled out in the cloud. To illustrate this, Rashmi brought our attention to the challenges of inline acquisition of certificates, say when a service is “spawned” and we need to get 10,000 or 100,000 certificates to virtual machines. A single 20 millisecond latency is acceptable (unnoticeable) for us humans, but you can imagine what happens if we multiply this by one or two orders of magnitude – support hotlines hear from zillions of angry customers. Next, Rashmi discussed the safe rollout of PKI and the impact on all other systems that depend on PKI. Traditionally, we would have test, pre-prod and prod environments, but can we capture all that may go wrong? As a third consideration, Rashmi brought up certificate pinning and discussed some of its consequences. In conclusion, certificate pinning is here to stay, but we need to look for a solution that provides pinning against the “freshest” set of CAs, instead of denying them.
The Full Stack: PrimeKey and Keyfactor
While we select our guest speakers with the primary criterion of giving something new to our audience, allow me to touch on other presentations from PrimeKey and Keyfactor – we do many new things. The biggest news this year was the merger between Keyfactor and PrimeKey. I am convinced that we are an excellent fit and that it makes sense from an industrial perspective. Opening remarks from Magnus Svenningson, CEO of PrimeKey and now also Chief Strategy Officer at Keyfactor, reflected on this. Our CEO, Jordan Rackie, reinforced this, including our strong commitment to open source and community. I hope that next year, during an onsite event, you get a chance to meet and talk with Jordan – he is a great businessman who truly appreciates the “mission” we are on, but he is also very attentive to corporate culture. I point this out to you, our customers and partners, just to give you another reason why this merger makes us an even better vendor and an even better partner.
Ted Shorter, our CTO, gave a presentation about simplifying PKI in complex IT environments. For many of us – crypto nerds – it is part of the job to make it easier to “consume PKI” for whoever the users are in a specific use case. As the technology landscape grows more complex, we need to maintain governance, visibility and control in modern hybrid and multi-cloud environments. Today, a Zero-Trust architecture is often required, but what does this mean? Another hot topic is putting Sec into DevOps, making it DevSecOps – where there can be many workflows, yet organizations need both sound governance and control. Ted also reflected on what crypto agility is and is not, and how it is addressed from a PKI perspective.
Presentations by my colleagues Martin Oczko and Harry Haramis gave us a look at trends and what we think will be important in the coming years. Martin focused on everything but cloud, while Harry focused on cloud only. The reason for this is that we wanted to emphasize that we look at many trends and make sure our product matches well what the market demands. Cloud can be seen as a big divider, not least given the considerations brought up by Rashmi, as I mentioned earlier. In the chat during the presentations, we saw opinions that cloud will not be the right delivery model for certain types of solutions – and we hear you well! This is where Martin outlined what we are doing product-wise to ensure we serve all non-cloudies well, and even better. However, the cloud trend is enormous, and we see very healthy growth there. In fact, even some traditionally “conservative” or well-regulated verticals are moving to cloud. Harry and his team have focused for several years on bringing our offering to the cloud and making it work for customers in a cloud context. I am very proud of what this team is doing.
Last but most certainly not least – the presentation by our Tomas Gustavsson, the founder of EJBCA and now Chief PKI Officer at Keyfactor. For several years now, Tomas has given a presentation with the title “Hardcore PKI”, bringing up topics that deserve a closer look and consideration. Each year, Tomas tells us why some standards are incomplete in some senses, then zooms in on some very nitty-gritty details of specific implementations, and often humbly says where his thinking has evolved. He can do it, as I know first-hand, having been his partner in crime for more than 25 years now, but it is not only me – Tomas is a widely respected expert in the field. This year, he had us think about how some well-thought-out standards that have been proven in practice could be used to deliver services one did not initially consider – for instance (notwithstanding conspiracy theorists), nobody making standards for biometric passports would have thought that these could be reused in the context of the global pandemic. Jokes aside, the moral here is that sometimes we build something new that is not better. Only truly excellent and experienced engineers have that delicate “sense of taste” to know when something has served its purpose, or conversely, when we can safely build upon it and make new improvements. It was cool to hear from Tomas about the complex eco-systems of the years to come, since our field touches almost everything in IT, and we need folks to make sure we are attuned to the risks of overly complex systems while we bring the benefits of rich integrations. The only thing I missed was the moment after an on-stage presentation when people approach Tomas to chat more about the topics he discussed. But hey, we aim to be on-site next year!
Allow me to send a thank you, again, to all of you who attended – we truly appreciate that you chose to spend some of your time to participate in Tech Days. Many thanks to our invited speakers, who not only shared their expertise, but also gracefully came online to be available for the Q&A. Without you, this would be a one-company show, and I cannot express enough my respect to people that share their knowledge – to me this is true thought leadership.
Finally, I would also like to thank the production team, and especially my colleagues Malin Ridelius and Lindsey Oredsson who worked many hours to arrange for this successful event.
If you are registered for the event, you can access the event portal for the rest of the month and check out the recordings.