Q&A: How the ‘PKI ecosystem’ could be the answer to securing the Internet of Things

By Byron V. Acohido

Google is making a big push to compel website publishers to jettison HTTP and adopt HTTPS Transport Layer Security (TLS) as a de facto standard, and it’s expanding use of this important encryption technology.

Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are the underpinnings of secure online transactions. They come into play in the form of digital certificates issued by Certificate Authorities (CAs) — vendors that diligently verify the authenticity of websites, and then also help the website owners encrypt the information consumers type into web page forms.

This robust protection gets implemented by leveraging an encryption and authentication framework called the public key infrastructure (PKI). This all happens in the blink of an eye when you visit an HTTPS web page and fill out a form, and goes largely unnoticed by the average Internet user. There is a visual confirmation: a tiny lock icon, usually green, preceding the web page's HTTPS address in the browser’s URL bar.

Google is all about the green lock. The search giant is in the process of significantly broadening the criteria by which it will flag HTTP pages as “Not Secure” in Chrome’s URL bar. In doing so, Google is definitively affirming that the PKI ecosystem is scalable, reliable and trustworthy.

Securing IoT

Google’s vote of confidence also reinforces a concept gaining steam in tech circles — that PKI might also just happen to be the solution to one of the biggest security challenges on the immediate horizon: how to secure the Internet of Things.

Consider that the CAs and the browser vendors have done a lot of heavy lifting over the past 15 years or so to stitch together the PKI ecosystem as we know it today. While many of us might take website authentication and encryption for granted, PKI has, in fact, engendered a level of trust without which Internet commerce would not be what it is today.

So could PKI accomplish something similar in the realm of IoT? Might SSL/TLS and PKI be the right mechanisms, in the right place, at the right time? Could they be the catalyst that ignites the full blossoming of IoT devices and services? I recently had a fascinating discussion with Dan Timpson, CTO of DigiCert, a leading CA, on these notions. Here are excerpts from that interview:

LW: What lies in the immediate future for PKI?

Timpson: PKI ecosystems actually are in the process of changing. If you look ahead we’re on our way to something like 50 billion connected devices, more devices than people by several times. Each of these devices has the same fundamental problem to solve, ‘How do we know that we can trust this device?’

We’ve gotten to where website encryption and the security ecosystem are robust on the browser side, but we’re morphing pretty rapidly into a state where there are new devices and use cases that don’t use browsers anymore. Yet these devices need the same kind of implicit trust that public PKI brought in the browser context. So, going forward, PKI has the opportunity to truly be a building block in making IoT devices and services secure.

LW: So you’re talking about somehow extending the browser-based PKI ecosystem to IoT devices?
Timpson: Yes, you said it very well. The only difference is that the browsers won’t be the primary root store or trust store. The trust stores will be more owner-controlled. So you might be a maker of devices, and you want your users to know that your devices are authentic, and they’re built by you, and that the services they interact with are built by a trusted company.

Let’s say you’ve got iPhones, or any other type of device, going down the production line. How do you know that it was really made by Apple? With PKI, we can cryptographically sign elements of the device’s software to give the user the assurance that they’ve got a legit product and it wasn’t spoofed. The key point is that PKI solves device authentication problems much the same way that we’ve been solving the web authentication problem.

LW: What’s another example?

Timpson: So what’s happening is that the devices are catching up, in terms of being able to do hardware-based cryptographic functions. So for devices that are closer to a computer, as far as capability, we’re already seeing certificates and private keys that are being generated for these devices. One example is the Plex media server. We’ve generated tens of millions of certificates embedded in Plex servers and devices that play back digital media, like movies and music and pictures. So when you log in to your Plex device, it’s trusted by the browser and you don’t get any warnings that there’s something wrong.

LW: How do mobile devices fit into this?

Timpson: Great question. Let’s take Android. So inside the Android operating system there’s a root store that’s very similar to the browser. These are roots of trust that are granted complete trust by the Android operating system. DigiCert roots are already trusted by your Android smart phone since the early releases of Android.

We, as a publicly trusted Certificate Authority, worked with Google and Android to embed our roots in those early releases. That’s actually the challenge that any publicly-trusted CA has in front of them. Before devices and operating systems and software get made, you want to embed that root of trust up front. Not all the publicly-trusted CAs have good ubiquity.

LW: What can you point to that most affirms PKI will remain relevant as we move deeper into the Internet of Things?

Timpson: I’d say just how pervasive this technology is becoming. For instance, big companies like Google are saying we want everything to be encrypted by default. Where that’s coming from is that everyone is worried about keeping their information safe. And the way to keep your information safe is to encrypt.

There is a big push to say that all of our communications and transactions across the board should be encrypted. And there’s a desire to assure the authenticity of each of our conversations, so if you send me an email, I want to know it’s from the real Byron, and you want to know it’s from the real Dan. The good news is that we can do that with this technology, and we can apply it to IoT devices. We already are with many companies.

LW: How so? Beyond the web and IoT, how does PKI come into play?

Timpson: Let’s use email as an example. I can cryptographically sign my email with a certificate. And you, in turn, can say, ‘Oh, here is a message from Dan Timpson, CTO of DigiCert, and I know it’s from him because I can verify it cryptographically.’

Another quick example is in your Android phone. If you open an app that you bought off the Google Play Store, you can know that Google and Android have a system through Google Play that only allows you to download and use an app that is cryptographically signed, from a code signing certificate, so that your operating system implicitly trusts it. In the case of an application that isn’t signed, users receive a warning that advises them against downloading the app. In this way, Google and Android are using PKI in the background to provide assurances and protections to their users.

So that really comes back to PKI as the building block. The trust ecosystem is the tool and the software all working together to give you this seamless thread of security, whether it’s an email or an online transaction or, an interaction with your new shiny Internet of Things device. They’ll all have that in common.

LW: So some of this is actually already going on when I go to my Gmail inbox on my Samsung S8?

Timpson: Yes, that’s right. In fact, Google is now giving priority to sites that do HTTPS, or are secured by default. They’re actually indexing them and giving them more weight in search results. And on email, depending on what you’re using, your Gmail or something else, you can get indicators inside that say, ‘Oh look, this email is cryptographically signed or is actually encrypted.’ All of this is happening already.
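The owner-controlled trust store that Timpson describes, shown as an added example in Go's standard library (this is not code from the article or from DigiCert): a constructed device-maker root issues a certificate to one device, and a verifier accepts that device only when the maker's root sits in its own trust store, never falling back to the browser or OS root store. The function names, the maker CA name and the device serial are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a fresh P-256 key and a certificate for cn. With parent == nil it
// self-signs a maker root CA; otherwise it issues a device leaf cert under parent.
func issue(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{ // constructed identities, valid for one year
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed root: CA flag, cert-signing key usage, no EKU
		tmpl.IsCA, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyAgainstStore checks the device cert against an owner-controlled trust store holding
// only the given roots; an empty store rejects everything rather than using system roots.
func VerifyAgainstStore(device *x509.Certificate, trusted ...*x509.Certificate) bool {
	store := x509.NewCertPool()
	for _, c := range trusted {
		store.AddCert(c)
	}
	_, err := device.Verify(x509.VerifyOptions{Roots: store, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
```

Calling issue once with a nil parent and once with that root produces the maker root and a device certificate; VerifyAgainstStore then returns true only when the maker's own root is among the trusted certificates.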