OCSP – Give your certificate’s status in real time!
Nowadays, the security of computerized data is a foremost concern for any organization. To protect your company against data theft and potential attacks, technology based on public key methodology is available in a solution known as a Public Key Infrastructure, or PKI. The PKI’s role is to deliver digital certificates in order to ensure the confidentiality of the data contained in the system. The validity of a PKI certificate is managed by a certificate authority (CA), which checks to make sure an individual is authorized to possess the certificate in question.
Once a certificate has been validated, the CA signs that certificate using its root certificate. Root certificates are identified on a list that is available in each system that uses the PKI. This allows you to easily check whether a certificate has been approved by a certificate authority. You must nevertheless be cautious when verifying the certificate! If you only check the certificate’s signature without paying attention to its revocation date, a certificate that has since been revoked will still appear valid, and this could pose a problem in certain cases.
That’s why certificate revocation lists – CRLs for short – were invented! In most situations the CRL is sufficient, but limitations do exist in some cases, which led to the emergence of the Online Certificate Status Protocol (OCSP). So, there are two ways to find out a certificate’s status – by querying the CRL or using an OCSP responder – but what’s the difference?
CRL vs. OCSP – What’s the difference?
A Certificate Revocation List (CRL) is a blacklist of the serial numbers of certificates that are no longer trustworthy because they have been revoked or are invalid. However, even when these lists are correctly managed by the relevant tools, a status check based on them has a flaw: CRLs are generally refreshed only about every 24 hours, so there is a period of “uncertainty” between the list’s publication time and the time of the certificate status query.
Here is an example:
- CRL publication time: 01:00:00
- Time at which the status of a certificate (still listed as valid in that CRL) is queried: 06:00:00
- Uncertainty regarding certificate status: 5 hours
With today’s increasingly large number of high-value transactions that use certificates, coupled with the need to legally recognize electronic signatures, experts had to develop a service that would provide real-time information about a certificate’s status. This new protocol, named OCSP for Online Certificate Status Protocol, was designed to be a more effective and precise alternative to CRLs.
OCSP’s goal is to check the serial number of the certificate presented by its issuer instantaneously, in order to determine its validity against a whitelist. This alternative solution employs a query-response mechanism that asks the CA for very specific information: the status of one particular certificate. OCSP thus reduces the period of uncertainty inherent in CRL publication intervals to a minimum.
In practice, an OCSP request contains:
- the protocol version;
- the service requested;
- the information identifying the certificate whose status is to be determined;
- the extensions used and, where the requester signs the request, the requester’s signature.
The signed response from the responder contains:
- the version of the protocol used to build the response;
- the status of the certificate requested (good, revoked or unknown);
- the signature block;
- the certificate of the OCSP responder queried;
- the time the response was produced;
- the time at which the reported status is known to be correct (whether this equals the production time depends on whether the responder answers in real time).
If the status is not produced in real time, the response also carries the time of the next update, indicating when a fresher certificate status can be obtained. Depending on the client’s needs, the OCSP service uses different mechanisms to guarantee the “freshness” of the information available to the responder being used.
Compared to traditional CRLs, OCSP offers several advantages: it reports a status change that a CRL would not show until its next publication, and its small, targeted responses are simpler to process and lighter on network traffic than downloading a full CRL.
OCSP in practice at IDnomic
The idea is clear: an OCSP service gives a certificate’s revocation status in real time. But this can be done in different ways, and IDnomic implements a range of options:
- Option 1: Directly from the database;
- Option 2: The server gives the certificate’s revocation status as indicated in the CRL, if the certificate number is included in the CRL;
- Option 3: High-capacity OCSP in the case of requests for several SSL certificates:
  - It is possible to put a cache on the application in order to respond to high demand from the platform without compromising response times (e.g. for OCSP requests concerning a frequently used certificate);
- Option 4: Authenticated OCSP:
  - OCSP can be implemented via authenticated access between the client and the platform;
- Option 5: OCSP for eIDAS-referenced certificates:
  - The “archive cutoff” extension is directly incorporated into the platform and can be used to meet the requirements of qualified certificates;
  - Referenced cryptographic material that is eIDAS-compatible.
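The two points made above, the uncertainty window left by a CRL and the freshness rules a relying party applies to an OCSP response (thisUpdate / nextUpdate, real-time vs. periodic answers), together with the response cache of Option 3 bounded by the responder's own nextUpdate, can be exercised in one small model. The following is an added example written for this page and is not IDnomic code; it uses only the Python standard library, the timeline is constructed from the article's 01:00 / 06:00 example, and the serial numbers, the `max_age` and clock-skew tolerances and the cache TTL are assumed values chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

UTC = timezone.utc


def at(hour: int, minute: int = 0) -> datetime:
    """Clock time on a constructed sample day (2019-01-01, UTC)."""
    return datetime(2019, 1, 1, hour, minute, 0, tzinfo=UTC)


# ---- CRL side: the uncertainty window from the article's example -------------

def crl_uncertainty(crl_published: datetime, query_time: datetime) -> timedelta:
    """How long the CRL has been stale at query time. A certificate revoked
    inside this window is still reported as valid by that CRL."""
    if query_time < crl_published:
        raise ValueError("query time precedes CRL publication")
    return query_time - crl_published


# ---- OCSP side: freshness rules applied by a relying party -------------------

@dataclass(frozen=True)
class OCSPSingleResponse:
    serial: int
    status: str                      # "good", "revoked" or "unknown"
    produced_at: datetime            # when the responder built the response
    this_update: datetime            # time the status is known to be correct
    next_update: Optional[datetime]  # None when the responder answers in real time


def check_ocsp_freshness(resp: OCSPSingleResponse, now: datetime,
                         max_age: timedelta = timedelta(minutes=10),
                         skew: timedelta = timedelta(minutes=5)) -> Tuple[bool, str]:
    """Accept a response only if its validity interval covers 'now'.
    max_age and skew are assumed local policy values, not protocol constants."""
    if resp.this_update - now > skew:
        return False, "thisUpdate is in the future"
    if resp.next_update is not None:
        if now - resp.next_update > skew:
            return False, "nextUpdate has passed: response expired"
        return True, "fresh until nextUpdate"
    # Real-time responder: no nextUpdate, so the client bounds the age itself.
    if now - resp.this_update > max_age:
        return False, "real-time response older than max_age"
    return True, "fresh (real-time)"


# ---- Option 3: a response cache that never outlives nextUpdate ---------------

class OCSPResponseCache:
    def __init__(self, ttl: timedelta = timedelta(minutes=30)):
        self.ttl = ttl
        self._entries: Dict[int, Tuple[OCSPSingleResponse, datetime]] = {}

    def put(self, resp: OCSPSingleResponse, now: datetime) -> None:
        expires = now + self.ttl
        if resp.next_update is not None and resp.next_update < expires:
            expires = resp.next_update   # never serve past the responder's own limit
        self._entries[resp.serial] = (resp, expires)

    def get(self, serial: int, now: datetime) -> Optional[OCSPSingleResponse]:
        entry = self._entries.get(serial)
        if entry is None:
            return None
        resp, expires = entry
        if now >= expires:
            del self._entries[serial]    # evict stale entries instead of serving them
            return None
        return resp


def example_run() -> dict:
    """Constructed scenario: CRL published at 01:00, status queried at 06:00."""
    crl_published, query_time = at(1), at(6)
    good = OCSPSingleResponse(0x2002, "good", at(5, 55), at(5, 55), at(6, 25))
    realtime_old = OCSPSingleResponse(0x2003, "good", at(5, 0), at(5, 0), None)
    future = OCSPSingleResponse(0x2004, "good", at(7, 0), at(7, 0), None)
    cache = OCSPResponseCache(ttl=timedelta(hours=1))
    cache.put(good, query_time)
    return {
        "crl_uncertainty_hours": crl_uncertainty(crl_published, query_time).total_seconds() / 3600,
        "good_fresh": check_ocsp_freshness(good, query_time)[0],
        "realtime_old_fresh": check_ocsp_freshness(realtime_old, query_time)[0],
        "future_fresh": check_ocsp_freshness(future, query_time)[0],
        "cache_hit_at_0620": cache.get(0x2002, at(6, 20)) is good,
        "cache_hit_at_0630": cache.get(0x2002, at(6, 30)) is not None,
    }


if __name__ == "__main__":
    for key, value in example_run().items():
        print(f"{key}: {value}")
```

The cache expiry is the minimum of the local TTL and the responder's nextUpdate, so a hot certificate is answered from memory (Option 3) without ever returning a status the responder itself considers expired; a real-time response, which carries no nextUpdate, is bounded only by the client's own `max_age` policy.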
For optimal service, IDnomic combines OCSP with the Time Stamping Protocol (TSP). Used with a digital signature system and a time source, TSP delivers proof of time to the end client. This protocol can be used, for example, to attest to a document’s existence at a specific moment in time. In practice, a client sends a time stamp request to the platform, which records the exact date and time, signs this information and transmits it back. The responses are signed using cryptographic material accessed through an interface that complies with the PKCS#11 standard.
The verification of certificate statuses is a crucial phase in any process employed for signature authentication control or validation. Armed with this knowledge, at IDnomic we offer our customers a platform featuring both OCSP and TSP services: “Time Stamping Protocol!”
3 key steps for migrating to a trusted cloud solution
No matter how simple a cloud migration project might be, figuring out how to accomplish it is not always easy. Companies are increasingly tempted by the SaaS approach, which in itself is not surprising because these solutions offer many advantages. Indeed, the cloud has become an integral part of the landscape, winning over countless Information System Divisions (DSI) which are increasingly willing to externalize their security system. So what are the exact reasons for this?
Financially, SaaS is often advantageous because it consists of a subscription that is relatively easy to cancel. Time savings is another benefit of SaaS, because maintenance is managed directly by your PKI provider from a datacenter outside your company, meaning you no longer have to worry about logistical aspects, system updates or storage issues. By delegating some of your responsibilities, you make room for the expertise of your trusted partner!
Should your needs change, you gain in agility because your subscription can be easily modified, as opposed to an investment in equipment on company premises. The applications and services you use in the cloud are accessible no matter where you are, as long as you have a terminal and an internet connection.
Before migrating to the cloud, certain variables must be considered to make sure you ask the right questions at the right time. Below we have shared with you the three main steps you’ll need to take for a successful migration to the cloud.
Step 1: Define the scope of your cloud migration project
Deciding to migrate to the cloud is a step in the right direction, but before going any further, we recommend that you carefully plan each step of the process and define all of your needs. Start by asking yourself questions such as:
- What goal do I hope to accomplish by transitioning to the cloud?
- What will the migration encompass: security aspects only, other transversal projects, links to other existing cloud-based tools…?
- What impact will this change have on my teams and structure?
- What is my budget?
- What are my priorities?
Equipping a single company or an entire country are obviously two different things. In the latter case, rollout quickly takes on huge proportions, but defining the project in both scenarios requires the same amount of effort, with the possible addition of a few variables to consider.
Project size depends first and foremost on whether you already have a trusted architecture. If you don’t, then let’s start there. Working with your trusted partner, you should identify:
- Project players: First, determine your project manager or IS security manager, depending on your infrastructure. This person, who may be an in-house employee or a subcontractor, is an essential information system player and one of the most important contributors in terms of your company’s security. Next, assign trusted roles based on the level of security to which the other identified contributors are assigned.
- Security-related risks and threats: Pay special attention to the security requirements of the information system and the other systems to which it is connected. List your procedures for accessing sensitive data, in order to identify potential intrusion and compromise vectors.
- Physical and virtual trust zones: Divide your information system to reduce exposure to attacks and the ensuing consequences.
The work accomplished upstream with your trusted provider will allow you to effectively determine identification and authentication procedures as well as administration rights. It also gives you an overview of the secure data exchange systems for IS administration that best suit your needs. This preliminary assessment also helps you to better pinpoint your needs, so you can acquire the most appropriate solutions for your business.
Sample legacy trusted architecture migration with IDnomic
You now have a complete picture of how to roll out your cloud migration project. The next step is crucial to the success of your transition…
Step 2: Choose your trusted provider
A migration requires certain steps, and the underlying processes are not always easy to manage. That’s why it is highly recommended that you get support from a specialized service provider who will give you the guidance you need.
Partnering with a cloud service provider is a long-term investment. The partner’s strategy, financial stability and ability to accompany customers that are expanding internationally are aspects that should be considered from the very beginning of the partnership.
To avoid mistakes and choose the best trusted partner for your company, here are a few suggestions to help you make your decision. First of all, examine the experience of the cloud migration service provider. There are several ways to do this, but be sure to check whether they describe their SaaS offering on their website. The provider’s past customers are also proof of the quality of its services, all the more so if the provider in question has partnered with companies in the same sector as yours. Also try to find out what certifications the service provider has obtained.
For example, the required qualifications for a cloud migration service provider are compliance with the “RGS” French general security guidelines and eIDAS, a regulation concerning electronic identification and trust services, renewed annually following an audit of the provider’s platforms by LSTI, an independent French certifying organization. SecNumCloud, a set of standards issued by ANSSI (the French national IS security agency) in 2017, also contributes to this compliance, as it applies only to cloud IT service providers. Ideally, the products offered by the provider should also have proven credentials. CC EAL4+ certification offers a high level of quality assurance for civil applications. It is also the highest evaluation level attainable, and is recognized by all the signatories to the Common Criteria Recognition Arrangement.
You can also consider feedback from customers. If you know any, don’t hesitate to contact them and investigate questions such as: Did they maintain a good relationship with their provider? – Did the level of customer service meet their expectations? – Were they responsive when problems arose? and so forth. Another tip is to find out who the service provider works with. In this field, it is very common to maintain a network and collaborate with third parties. It’s a good sign when the provider in question is surrounded by leading industry players. Your best option is to contact a pre-sales team member who can present the most relevant solution(s) to you and identify the resources you’ll need to successfully carry out your project.
Since you want to switch to SaaS, it would be useful to know where your data will be hosted and the associated guaranteed security level. Most of the time this information is easy to find, but if it isn’t, ask your candidate partner directly. To give you an idea, datacenters are ranked according to their level of security: Tier 1, 2, 3 or 4.
IDnomic’s datacenter has a Tier 4-equivalent ranking, based on criteria issued by the French Caisse des Dépôts et Consignations, and features 24/7 on-site security surveillance by our technical teams. This is the highest guaranteed level a datacenter can obtain if it has several circuits for electrical supply and cooling systems.
By choosing a provider that has obtained certification for this high level of security, you benefit from the full guaranteed protection of your stored data. Servers that are hosted in compliance with Tier 4 criteria benefit from a redundant power supply, two processors and hot-swap capability (a failed component such as a hard drive can be replaced while the server in question continues to operate).
Step 3: Prepare for the transition phase
Once the scope of your migration project has been defined and your PKI provider selected, but before you begin the migration, you should consider how this deployment will impact your company internally, especially the teams that will be affiliated with a new structure.
The secret to success lies partly in achieving perfect cohesion between the layers and business lines that are directly involved. It is crucial to accurately determine each participant’s role. Designate someone to be in charge of the cloud migration who will make functional choices and help spread the word to your users. Don’t hesitate to share important deadlines with all players involved, to ensure flawless coordination.
In addition, it is important to bear in mind that most of the time, we are afraid of the unknown, and so tend to stick to what we already know. This attitude can hinder your cloud transition project. That’s why involving all contributors from the outset of the project is essential! After drawing up an exhaustive list of needs, it is useful to involve these players when choosing your solution. Human and technical cohesion among teams is the cornerstone of a smooth transition phase. It would be a mistake not to take users into account.
This process not only provides an opportunity for your users to develop new skills, but is also the best way to alleviate their fears. You can hire new talents for this adventure while also giving everyone an opportunity to participate, which will help to speed up your transition to the cloud.
Good communication throughout the project is essential to ensure the buy-in and motivation of each user. You will have to take the time to assist and check up on the team regularly to ensure that systems are being properly used.
Lastly, training is another must for the everyday tracking of operations. IDnomic is a training organization certified by the Paris area DIRECCTE (regional department of companies, competition, consumption, work and employment), registered under number 11 92 19072 92. We offer a range of trainings designed to meet the needs of your users. This period of change management is what will contribute to the success of your project – don’t underestimate it!
Now you have an overview of how to roll out your migration project and the steps you should follow to make your digital transition a success. Good luck!
THE FIVE IOT TRENDS OF 2019
The Internet of Things (IoT) market continues to expand in terms of revenue and innovative capacity. As a result, spending on IoT solutions and services is expected to increase by more than 55 per cent by 2022(1). To harness the benefits of this thriving market, companies will have to rely on new technologies which are going to gain a stronger foothold this year in the ecosystem of connected things. IDnomic, a central player when it comes to securing these new smart devices, takes a closer look at the five trends to watch for in 2019.
(1) Source: IDC – Worldwide Semiannual Internet of Things Spending Guide
1- EDGE COMPUTING: A NEW APPROACH TO ARCHITECTURES
Edge computing consists of processing data at the periphery, or edge, of an IoT infrastructure, where it is collected by sensors. The goal is to process and analyze data as close to the device as possible without having to send it to the cloud. This method speeds up the flow and real-time processing of data, which can be valuable in many use cases where latency is an issue. Edge computing therefore reduces data congestion by processing large amounts of information close to the source. By extension, it also lowers storage costs since data no longer needs to travel to the cloud to be processed. Lastly, edge computing improves IoT infrastructure security by storing data locally or in micro data centers close to where the data is being used. This type of distributed architecture should see strong growth in 2019 and the years that follow, because it offers a solution to many issues linked to data usage, particularly for large infrastructures or those involving a high number of objects, such as smart cities or buildings. The distributed architecture should also be used in medicine and the Industrial IoT, where real-time data processing is crucial.
2- CYBERSECURITY: MORE ATTACKS, BUT AWARENESS THAT WILL PAY OFF
2018 was a prolific year for hackers, who developed countless variations of botnets to strike new targets. Commonly used for DDoS attacks, botnets are increasingly being employed to exploit connected objects, which have been lacking in security until now. 2019 could see the emergence of IoT cryptojacking attacks which allow the perpetrator to steal computing power from devices to mine for cryptocurrencies.
Fortunately, IoT manufacturers and users today are ready to face the rising number of attacks. Connected objects “secured by design” – meaning security is built in from the start – are being produced, and users themselves are increasingly integrating cybersecurity as an add-on to their IoT projects. Industry is also moving toward the convergence of IT and OT, with teams from IS Security Management and Business working together to improve the security of the Industrial IoT. These initiatives are just the start of a major undertaking that should intensify in 2019. Higher cybersecurity budgets, exponential growth in the number of devices deployed and the resulting increase in attack surface should make IoT security a major topic this year.
3- AUTOMOBILE: AUTONOMOUS DRIVING, ON-BOARD PAYMENT AND SMART VEHICLES
The car industry is harnessing the potential of new vehicle-to-vehicle and vehicle-to-infrastructure communications to lessen the environmental impact of transportation, make roads safer and reduce traffic congestion. As smart transportation systems undergo full scale implementation and driving becomes automated (driverless cars are expected in 2025), the IoT will play a more crucial role than ever in tomorrow’s cars. New Cooperative Intelligent Transport Systems use communication among vehicles and with the roadside to share essential information, thus optimizing traffic flow and increasing road safety. This technology can serve to warn users, for example, of an approaching priority vehicle, a collision or an emergency braking situation. Projects are currently being rolled out on roads in France and Europe.
On-board payment systems that have been under evaluation by manufacturers for several years should also reach maturity, enabling drivers to pay for fuel from inside their car. One electric car manufacturer offers Plug & Charge functionality on several of its models, in compliance with the ISO 15118 vehicle-to-grid communication interface, and large-scale implementation should begin this year.
4- ARTIFICIAL INTELLIGENCE AND IOT: A WINNING COMBINATION
The IoT generates phenomenal amounts of data that is given meaning through analytics, thereby placing data at the core of companies’ value chain. Artificial Intelligence (AI) is the technology that will augment this analytical capacity.
Because connected things will be learning from each other, they will be able to adapt to situations in real time and make the appropriate decisions, as necessary, within automated systems. For a patient receiving at-home treatment, for instance, AI will consist in understanding their habits in order to detect any abnormal behavior. In industry, predictive maintenance will use AI to anticipate a machine’s level of wear before it breaks down, by analyzing its configuration and detecting any dysfunction. In oil exploration, companies already use AI to detect the risk of leaks. Robots equipped with cameras film several hundred kilometers of pipeline. The resulting hours of video footage can be quickly analyzed thanks to AI to identify any damaged material. It is the combination of IoT and AI technologies, known as AIoT, which will transform current economic business models while ushering in a new era of AI applied to objects.
5- 5G: ADAPTING CELLULAR NETWORKS TO THE IOT
The fifth generation of cellular network communications is on its way! The first 5G smartphones and IoT equipment will be available in 2019. Telecom providers have announced early release in several major European cities, and consumer subscriptions should be available in 2020. IoT players are especially looking forward to 5G, as it will eventually resolve a number of communication issues. 5G – more reliable and available, with practically no latency and speeds ten times higher than 4G – should also preserve the batteries of connected devices, thus extending their lifespan. Today we can imagine new use cases such as 4K drone video, which requires high levels of bandwidth and availability, smart vehicles, which depend on real-time communication, or Industry 4.0 and critical industrial systems, which require flawless reliability and coverage. 5G technology will bring a revolution perfectly in sync with our changing needs and will facilitate the emancipation of the IoT by creating new use cases and providing solutions to industry players who are still wary today.
PKI AND IOT: ARE THEY COMPATIBLE?
IoT ecosystems are now an integral part of corporate information systems and business areas. Requirements relating to their environment, coupled with a lack of standardization, impact the introduction of controlled security for these ecosystems.
In the face of these challenges, deploying a PKI (Public Key Infrastructure) – a reliable and recognized technology – to establish a trust platform and guarantee the digital identity of people, devices and things is widely considered to be the best solution.
But how do we adapt PKIs to these new forms of communication? How do we manage the risks to ensure a successful transition to the world of IoT? Who will assist users as they implement their projects?
Answers below from Guillaume Richard, Manager of IDnomic’s newly created Consulting Department.
IDnomic secures V2X communications for Cooperative Intelligent Transport Systems
The car industry is leveraging the potential of new vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications to lessen the environmental impact of transportation, make roads safer and reduce traffic congestion.
As Cooperative Intelligent Transport Systems, or C-ITS, become increasingly widespread, IDnomic, a digital ID expert, is actively participating in their expansion. The company’s innovative Public Key Infrastructure (PKI) solution helps to secure V2X (vehicle-to-everything) communications.
Compliant with C-ITS standards, the IDnomic PKI has been deployed to 3,000 vehicles and covers several thousand kilometers of roads throughout France and Europe. The company is affirming its position as a key player in the car industry’s cybersecurity ecosystem.