Don’t Trust Others With Your Keys


The recent Trustico SSL (Secure Sockets Layer) certificate and private key breach is certainly unique in the way it played out, but unfortunately, the SSL Certificate type of breach is not. The problems surrounding SSL and TLS (Trusted Layer Security) private key security for SSL/TLS certificates have already been experienced in the larger PKI space where the security of a single private key can impact the trust placed in thousands, if not millions, of certificates in use cases such as code signing, database encryption and the Internet of Things (IoT).

In order to keep websites secure, organisations rely on SSL/TLS certificates to enable secure online transactions. Securing SSL/TLS keys and certificates means a secure website and ultimately a safe experience for customers. In the case of Trustico, an SSL Certificate Provider, it appears that the certificate private keys were archived so that they were available to the company’s CEO rather than being stored isolated and under the customer’s control. Furthermore, Trustico then emailed the SSL private keys to DigiCert, compromising 23,000 websites and customers.

It’s All About Control

The Trustico breach could have been avoided had customers been in control of their crypto keys. In this case, customers allowed Trustico to generate the private keys on their behalf, ultimately handing over control. With the Enterprise transitioning to the cloud, and the increase in “as a service” consumption, service providers are managing more and more responsibilities on behalf of customers, but the one thing that should never be handed over is control of those keys.

HSMs - A Proven Solution for SSL/TLS Private Key Security

Hardware Security Modules (HSMs) offer protection for digital credentials. By generating, storing and using your keys in the safe confines of an HSM you can ensure that you own your encryption keys, know their whereabouts at all times, and remain in control.

Here are the top 3 security tips an Enterprise can take to ensure they don’t end up in the same situation as Trustico, and confirm customer controlled protection of digital credentials:

1. Always generate your private keys in hardware: HSMs provide centralised, secure generation of SSL and TLS private keys, preventing their compromise by adding the assurance of hardware-secured FIPS (Federal Information Processing Standard) 140-2-validated key management, to secure websites. HSMs create a tamper-resistant environment to perform cryptographic processes, and act as a hardware root of trust be it on-premises, private, public, hybrid or multi-cloud.

2. Always store your private keys in hardware: tamper-resistant physical designs, coupled with strict operational policies, ensure that direct physical attacks and attacks from trusted insiders are negated. HSMs help you achieve regulatory compliance while reducing legal liabilities and eliminate the risks associated with storing private keys in a more vulnerable software repository.

3. Always use your private keys in hardware: by providing physical and logical isolation of key materials from the computers and applications that use them, HSMs make it almost impossible to extract key materials through traditional network attacks or software implementation flaws such as Heartbleed.

Gemalto SafeNet Luna HSMs

SafeNet Luna HSMs provide a centralised, multi-layered security approach to generating SSL/TLS private keys. This approach includes the secure generation of FIPS and Common Criteria-certified private keys with a strong entropy source, all within the safe confines of a high-assurance, hardware-secured FIPS 140-2-validated appliance.

Third-party HSM Validation

Given the burden of trust riding on SSL and TLS private key security, strict validation and certification standards have been implemented by various government bodies to provide base criteria for the evaluation of HSMs. The most common standards are the National Institute of Standards and Technology (NIST) FIPS 140-1/140-2 validation, and the multinational Common Criteria certification. Certification standards provide a starting point for good HSM design by providing objective, third-party evaluation of the efficacy of an HSM’s ability to protect private keys through stringent hardware, software, and operational design criteria.

Lesson Learned: Don’t Trust Others to Generate and Store Your SSL/TLS Private Keys

Due to the high stakes surrounding the security of SSL/TLS private keys and certificates, Enterprises alone are responsible for protecting the confidentiality, integrity, and availability of their own website and data. With such a great responsibility, it is crucial to always secure and control the SSL/TLS private keys that back SSL/TLS certificates.

To discuss the options available from Gemalto for your organisation to manage your SSL/TLS keys and certificates contact Sameer Shaikh -

CLICK HERE to download the whitepaper - Making SSL Faster and More Secure.

Sameer Shaikh -

Sameer has over 11 years of experience in sales and customer service roles in the technology, financial, wholesale trade and retail sector in India, UAE, United Kingdom and New Zealand.

At MPA Sameer is applying his expertise in customer management and business development to maintain existing business relationships as well as developing new business opportunities.

He also shares responsibility in the sales and purchase order entry and logistics areas.

Sameer has a Bachelor of Science degree.

Latest Security Problems Solved

Internet of Things More >
HTTPS – Uptake Set to Accelerate in 2017 More >
Addressing Endpoint Security Challenges More >
Securing Blurred Boundaries More >
Our Solutions
Security Solutions

We work with leaders in the fields of data protection, authentication and perimeter security to protect your organisation and manage any threats with the most effective security systems. More >

Technical Services

MPA New Zealand Ltd provides a range of technical services to compliment the vendor technology our company brings to the local market. More >