EU key management in 2022
It was reported that the private key used to sign EU Digital Covid certificates (aka “vaccine passports”) was leaked and circulated on messaging apps and online data breach marketplaces. The key was misused to generate certificates for Adolf Hitler, Mickey Mouse, and Sponge Bob that were, for a short time, recognized as valid by official government apps.
Fortunately, it turned out that the cryptographic keys used to sign certificates had not been compromised – the European Commission stated that their investigation has shown that those forged certificates were generated “by persons with valid credentials to access the national IT systems, or a person misusing such valid credentials.”
But the incident underscores a growing issue for 2022 and beyond: the ever-increasing demand for digital identities (and therefore, public key infrastructure) from governments and issuing bodies. Unfortunately, time, resources, and skilled people to address these requirements are limited.
When a key compromise that can have an impact on thousands or even millions of users occurs, we – as identity providers – reiterate the vital need for proper key agility and key rotation, which forms the base of any healthy key management practice.
It’s no longer enough to just manage keys. You need to be ahead of the game and be prepared for any potential disaster. How? By being agile and responsive.
Cryptographic agility acts as a safety measure or an incident response mechanism when a cryptographic primitive of a system is discovered to be vulnerable.
Rotating keys, on the other hand, help meet industry standards and cryptographic best practices.
PKI is a set of roles, procedures, policies, and technologies which are needed to create, manage, distribute, use, store, and revoke digital certificates, which are used to secure communication, verify identities, and encrypt or sign data.
By putting all these pieces together, governments and enterprises can provide “trust services” to their citizens or employees. The result is that users – as well as servers, devices and software – can be authenticated in a seamless way.
This is a well-known method that has been around for many years and is viewed as a reliable, trusted method to verify identities and communicate securely.
However, this strong but brittle construction is only as strong as its weakest link, so even with the best intentions, the greatest precautions, and the most expensive technology, you may still fall victim to a hack. One misstep can make that house of cards fall apart.
And with the growing number of PKI certificates in use and ever-changing regulation, more and more companies and governments struggle to get this right, and might get caught in a scandal of key compromise sooner or later due to oversight, imprudence or lack of knowledge.
But let’s be pragmatic. The important thing is not the fall, because the fall is inevitable nowadays. The critical thing is to know how to get up and restore your ecosystem/structure quickly.
If you’re able to restore your entire infrastructure in a matter of days (instead of weeks or months), you will undoubtedly define how your case is being reported on by newspapers and magazines. It could literally turn you and your organization into a hero instead of a zero.
“They managed to get their systems back in no time,” makes a much better read than “Their systems are still not recovered after three weeks.”
It doesn’t take away the fact that a mistake has been made, but it shows your ability to address a critical issue and limit the impact on your business. And that’s the crucial element – how you react.
Besides this, it will also enable you to save a decent amount of money because of business interruption and brand damage. Which is, I’m sure you will agree, a non-negligible detail.
I think you got the message: Hope for the best but prepare for the worst.
If it happens, you know what to do and you’ve got a plan in place. And if you really don’t want to take any risk, outsource your PKI to those that build their expertise around it.