The Public Key Infrastructure (PKI) has been the backbone of IT security for several years. It lies at the heart of SSL, Cloud encryption, digital signatures, and the vast majority of IT security tools and techniques around the world.
But now we know that it has been compromised. In fact, we now know that it has always been compromised.
But not by any run-of-the-mill hacker. Not by some nefarious foreign government or terrorist organization.
No, PKI has been compromised by our very own National Security Agency (NSA).
In a chilling article in the New York Times, we recently learned that the NSA has long been influencing the policies that have driven PKI standards. Perhaps from the very beginning – with the goal of introducing back doors that only they know about.
But the very nature of PKI suggests that this vulnerability is far more than a back door. PKI is nothing more than a house of cards.
At the center of PKI is the notion of a digital certificate. Every browser, every security tool, every server has at least one. Each certificates inherits its authority from the certificate of the tool that issued it, known as a Certificate Authority (CA). Each CA, in turn, inherits its authority from the CA above it in the Certificate Chain – all the way up to the self-signed root CA.
Root CAs, therefore, are the keys to the PKI kingdom. The Root CAs for public Certificate Chains belong to the most secure of security companies, like Verisign and Entrust, who must keep them secure.
Except now we know the NSA has their fingers all over PKI. Including, we presume, the root CAs. And if the root CAs are compromised, then all of PKI is compromised.
I wonder if the whole idea for root CAs was NSA’s to begin with? Perhaps, perhaps not. Either way, we can assume the US government can crack any PKI-secured technology without lifting a finger.
As a result, there’s no place to hide. There are no more secrets – assuming, of course, that there ever were.