PrimeKey Wiki
Find your answers here

or

Acronyms

IIoT stands for Industrial Internet of Things.

Go to page

HTTPS stands for Hypertext Transfer Protocol Secure.

HTTPS is an extension of HTTP and is used for secure communication over a digital network, most often the Internet.

Https

Learn more about IT security and PKI (Public Key Infrastructure), the backbone of most IT security solutions today:

About PKI solutions

Go to page

SSL stands for Secure Sockets Layer.

Go to page

TLS stands for Transport Layer Security.

Go to page

MRTD stands for Machine Readable Travel Document.

Go to page

PKCS stands for Public Key Cryptography Standards.

Go to page

CSR stands for Certificate Signing Request.

Go to page

CRL stands for Certificate Revocation List.

Go to page

VA stands for Validation Authority.

Go to page

RA stands for Registration Authority.

Go to page

PKI stands for Public Key Infrastructure.

Learn more about PKI:

About PKI and our PKI Solutions

Go to page

Concepts

Android application signing is based on certificates and RSA or ECDSA keys.

Android application signing is an essential part of securely developing, distributing and installing android applications and it is a pre-requisite for any application that is to be installed on an Android device. The technology used for Android application signing has continuously evolved by the introduction of new signing schemes. The core idea here is that, while developing and distributing apps within the Android eco system, security and trust for the signing schemes should be maintained by a crypto agile code signing approach. In addition to the original v1 signing schema that is identical to JAR signing, Android applications may now be signed with v2, v3 and v4 signing schemes.

Android versions until Android 6 used Android v1 signing scheme. Android 7 introduced v2 signing scheme. Android 9 introduced v3 signing scheme and Android 11 introduced v4 signing scheme. For maximum compatibility and security, Android developers are recommended to sign their applications with all signing schemes. Features in the later signing schemes also improve user experience when installing Android applications.

Read our Tech Update to learn more:

Android signing schemes, compliance and crypto agility

Go to page

Crypto Agility is a principle for gradually improving security and attack resistance in a secure infrastructure based on cryptography. Any cryptographic algorithm has weaknesses. As cryptographic research and computing power evolves the ability of existing algorithms to protect data privacy and integrity is reduced.

In an eco system for distribution and deployment of code, the use of multiple code signatures in parallel enables the code signing system to be crypto agile. New cryptographic algorithms are introduced and new deployment environments are set up to require signatures with stronger cryptography. By increasing the lowest cryptographic strength supported in any target environment where the code is deployed, the use of legacy algorithms may be phased out and the security of the eco system is kept strong enough to resist attacks.

Learn more:
Code signing solution

Go to page

A digital certificate is a digitally signed document and can be compared with the physical identity card or a passport in the analog world. A digital certificate is used to provide and prove the identity of a user, server or thing when communicating over untrusted networks.

Go to page

X.509 is a PKI standard for digital certificates and public key certificates. It verifies that a public key belongs to a specific user, server or other digital entity.

Go to page

A PKI Validation Authority (VA) provides validation of PKI certificates.

Certificate validation services can include access to Certificate Revocation Lists (CRL), Online Certificate Status Protocol (OCSP) and CA chain certificate downloads.

The validation of certificates is one of the cornerstones of PKI

Since certificates can not only be issued, but also revoked, it is necessary that the certificate validity is confirmed before trusting a certificate. That is where the Validation Authority comes in.

How the Validation Authority works with the Certificate Authority

The issuing Certificate Authority is responsible for feeding the Validation Authority with certificate status updates based on the defined policy.

With CRLs, you are dependent on the issuance of a list of the revoked digital certificates by each related certificate authority (CA).

For true online certificate validation, an OCSP Responder service can be more convenient. Using a back-end-storage, a Validation Authority can request the certificate status and update it immediately upon certificate revocation.

Read more about Validation Authority:
EJBCA® Validation

Validation Authority hardware appliance

Go to page

A Certificate Authority manages the certificate lifecycles for people, servers or things. A Certificate Authority (CA) issues, renews, manages and revokes digital certificates.

A CA signs certificates with its private key and is the trust anchor for the issued certificates. The Certificate Authority private key is normally stored in a Hardware Security Model (HSM).

Go to page

A Certificate Authority usually operates in hierarchies where a Root CA certifies itself (self signed) and a subordinate CA is certified (signed) by a superior CA. Most Certificate Authority software solutions work with standard interfaces and protocols so that interoperability can be guaranteed.

A Certificate Authority works together with a Registration Authority where the RA issues a certificate request to the CA via a user-friendly GUI or via integration friendly APIs and standard protocols.

PrimeKey offers an industry-first solution, Identity Authority Manager, for implementing an RA directly into a smart manufacturing environment.

Go to page

The Network and Information Systems (NIS) directive is an initiative developed to protect the economy of the European Union from major cyberthreats.

The NIS Directive was adopted by the European Parliament on July 6th, 2016, and entered into force in August 2016. Member states had to transpose the directive into their national laws by May 9th, 2018 and identify operators of essential services by November 9th 2018.

For organizations to meet the obligations of NIS, the task can be separated into administrative and technical measures. Administrative measures are implemented through the accordance of security standards like ISO/IEC 27001 Information Security Management System (ISMS). These are supported by administrative actions and risk management measures including ongoing user training, security audits and ethical hacking to ensure security competency and to improve organization’s level of cyber readiness from both business and regulatory perspectives.

Technical solutions include the implementation and continuous development of cyber situational awareness solutions such as SIEM (Security Incident and Event Management), secure identity confirmation tools, and data communications security solutions. Only a combination of administrative and technical measures is enough to comply with the NIS authoritative requirements.

PKI & code signing help meet NIS compliance

To meet the fundamental requirement under NIS for “appropriately authenticated and authorized” access, organizations need a method of defining and enacting controls that is both secure and can be deployed across disparate infrastructure and processes.

Public Key Infrastructure (PKI) is the most widely adopted form of technology for establishing the identity of people, devices, and services – enabling controlled access to systems and resources, protection of data, and accountability in transactions. PKI includes a set of hardware, software, policies, processes, and procedures required to create, manage, distribute, use, store, and revoke digital certificates and public keys.

Certificates are issued to entities such as users, devices, web servers, passports, smartcards and IoT devices. The provisioning of certificates to either devices or tokens enables two benefits. Firstly, it gives a device or a token an identity, and secondly, it provides the means to setup a secure encrypted communication channel. PKI and certificates deliver a method as required by the NIS directive to identify, trust and securely communicate with any entity throughout an entire organization, partners, and customers.

PKI also underpins technologies, such as digital signatures and encryption for use cases as diverse as e-commerce and the growing Internet of Things (IoT). Digital signatures can secure additional activities, such as signing PDFs, code or other information assets, to ensure the origin of the document/code or to ensure that a transaction was in place at a certain time. Digital Signatures can allow an organization to track who exactly performed the signature and at what time.

To learn more, download our white paper:

PrimeKey’s take on the NIS Directive

 

 

Go to page

The directive on security of Network and Information Systems (NIS) ensures member states are prepared, and provides legal measures to boost the overall level of cybersecurity in the EU. NIS requires member states to be appropriately equipped in several ways, including Computer Security Incident Response Teams (CSIRT) and a competent national NIS authority.

Businesses that are identified as Operators of Essential Services (OES) have to take appropriate security measures and notify serious incidents to relevant national authority. Key digital service providers including search engines, cloud computing services and online marketplaces also have to comply with the security and notification requirements under the NIS directive.

Go to page

Code signing is a digital signature that ensures that software on devices and computers is trusted and unmodified. Code signing is used to sign scripts and executables – it confirms the software author and guarantees the code has not been altered since it was signed.

Code signing and code signing software are most commonly used to provide security when deploying software, such as installing and updating applications on your computer, smart phone, tablet or home appliances.

Go to page

When building new solutions for IoT, it is important that you can trust each component in the solution from the cradle all the way to when it is being revoked or discontinued. This process begins with establishing one or several secure identities within each IoT component.

A digital birth certificate starts the trust chain and can be leveraged during the lifecycle of the component to enable secure automatic on-boarding – when changing the owner of the component or when a factory reset is required.

Go to page

A Registration Authority (RA) is a function for certificate enrollment used in Public Key Infrastructures. It is responsible for receiving certificate signing requests – for the initial enrollment or renewals – from people, servers, things or other applications. The Registration Authority verifies and forwards these requests to a Certificate Authority (CA).

A Registration Authority is also responsible for receiving other certificate lifecycle management functions. For example, revocation. The RA implements business logic to accept requests, including methods for verifying the origin of the requester and the party that should have the certificate.

A Registration Authority is usually separated from the Certificate Authority for accessibility and security reasons. The RA is accessed via a user-friendly GUI or via integration friendly APIs and standard protocols.

Go to page

A PKI certificate is a digitally signed document that is comparable with a physical identity card or a passport used in the analog world.

A PKI certificate is a trusted digital identity. It is used to identify users, servers or things when communicating over untrusted networks, to sign code or documents and to encrypt data or communication. A PKI certificate is also called a digital certificate.

Public-key cryptography uses private and public keys, where the certificate is used to prove the ownership of the public key, by storing it together with information about the owner and some administrative data. The certificate is signed by the issuing CA and the signature is attached in the certificate. X.509 is the standard for the most commonly used digital certificate formats.
The purpose of PKI certificates is to create a secure digital world where each certificate works as gatekeeper for secure sharing of digital information.

How to get a PKI certificate

Certificate authorities, such as PrimeKey’s EJBCA, can issue and manage PKI certificates in various formats and for many different use cases. The type of certificate depends on how it will be used. Ideally, choose a flexible CA that supports any required formats and protocols and that is scalable to grow with your needs.
For signing code, documents or ePassports, there are other available tools, such as PrimeKey’s SignServer.

What to use a PKI certificate for

Here are some use cases for PKI certificates:

  • Secure network communication, using TLS certificates
  • Code and document signing
  • Email signing and encryption
  • IoT certificates
  • Personal authentication

Read more about PKI

 

Go to page

PKI stands for Public Key Infrastructure and is the set of roles, policies, hardware, software and procedures that build a framework to issue trusted digital identities to users, servers and/or things.

The PKI framework is governed by a set of policies and procedures that defines the level of security.

A PKI typically includes a combination of software and hardware components, and together they implement functions for Certificate Authorities, Registration Authorities and Validation Authorities. These, in turn, are then responsible for issuing and lifecycle manage trusted identities for users, servers and things.

In everyday life, you use PKI when doing things online such as:

  • Logging in to your bank account
  • Shopping on an e-commerce site
  • Using an e-passport.

PKI illustration

Go to page

How can we help?

    I accept that PrimeKey stores my information, and I accept cookies for analysis and business identification. Read more about cookies and privacy policy here.
Contact us