Public key infrastructures (PKI) are slowly but steadily being implemented by multinational corporations as well as medium-sized public and private organizations that exchange sensitive data and execute critical transactions over open networks (e.g., the Internet and wireless networks). Key drivers for PKI range from security incidents and online fraud, electronic signature legislation, internal and business-to-business process improvements, shared services and Internet invoicing, online media distribution, privacy legislation and expectations to reduced logon requirements. Some large organizations also are implementing PKI using smart cards for physical access, logical access, digital signing and data encryption. Usually, no single driver can justify PKI on its own.
After deploying a PKI, management, users and third parties that rely upon digital certificates often require assurance concerning the quality of the PKI design and the effectiveness of its operational controls. Have the PKI implementation and key generation ceremonies been properly performed? Are the PKI systems and processes trustworthy? Are requirements specified in the certificate policy (CP) and certification practice statement (CPS) being followed consistently? A PKI audit can provide answers to these questions to help enable "trust" in the PKI for internal and external purposes. PKI certification also can provide assurance regarding a PKI's compliance with an accepted national or international accreditation scheme.
This article focuses on the PKI audit objectives and scope, relevant PKI standards, PKI audit process, reporting alternatives, PKI certification and practical audit experiences. As PKI is a complex subject from a technical and legal perspective, a brief overview of PKI components and processes is included first to provide context for a discussion of PKI auditing.
PKI Components and Processes
PKI is a combination of technology (hardware and software), process (policies, practices and procedures) and legal components (agreements) that bind the identity of the holder of a private key to the corresponding public key, using the technology of asymmetric cryptography. PKI can be utilized to provide encrypted communications and storage of data (confidentiality), authentication of the identity of a person or organization, message and data integrity, and support for nonrepudiation of transactions or messages.
A PKI consists of various components and processes, which are summarized in figure 1.
Certificate policies typically are used to specify the requirements and intended uses for types of classes of certificates. A CA (certificate authority) typically documents its high-level practices, procedures and control measures in a CPS. To enable end users and trusted parties to obtain insight into the manner in which certificates are generated and what checks and measures a CA has taken to issue reliable certificates, both the CP and CPS documents often are made available publicly via the Internet, unless the CPS provides a level of detail which is too security-sensitive for the audience.
To operate and manage a PKI, there are a number of control areas which must be addressed by the CA. The specific topics included in each control area are summarized in figure 2.
Before a certificate can be issued, a link must be established between the identity of the requesting person or organization and the public key. This process of identification and authentication is performed by a registration authority (RA). In some cases, the RA function is performed by the CA itself, whereas in other cases (e.g., where there is a widely distributed user base), the CA might delegate the RA function to external parties in the appropriate locations.
To facilitate the distribution of certificates to relying parties, certificates often are published to an online directory or repository which may be accessible to internal and/or external users.
End users include subscribers and relying parties. Subscribers are the individuals or organizations to whom certificates have been issued. Relying parties are those who rely upon a subscriber's certificate to, for example, verify a digital signature or authenticate the identity of an organization providing a web site or signed code.
A digital certificate contains the user's public key, identity information and other information required for the specific type of certificate and is signed digitally by the CA. This enables users to verify the integrity of the certificate and to trust a particular certificate if the issuing CA also is trusted. Most certificates issued today utilize the certificate format specified in the ITU X.509 standard (or the WTLS standard for wireless certificates).
PKI Audit Objectives and Scope
The scope of the PKI audit and the reporting mechanism will depend upon the objectives of the audit and the intended users of the audit report. In some cases, the audit is performed for internal purposes to provide feedback to management on the quality of the PKI design and operating effectiveness of controls or to satisfy internal audit requirements. In other cases, the audit is performed to meet the needs of external parties such as customers, potential customers, regulators and policy authorities for communities of trust. In many cases, the audit may be performed for a combination of internal and external purposes.
The scope of a PKI audit generally should include the following four audit areas (see figure 2 for the specific topics included in each area):
- CA business practices disclosure (CA management and policy documentation): the CA's requirements for specific types or classes of certificates, its practices for operating the CA, and the manner in which the CA organization informs end users and third parties regarding its policies and practices
- CA environmental controls (general IT management): those processes, policies, procedures and technical controls that create a secure and trustworthy environment for the CA
- CA key life cycle management: processes, procedures and technical controls to maintain the security and integrity of CA keys throughout their life cycles
- Certificate life cycle management: processes, procedures and technical controls concerning the management of certificates throughout their life cycles
These processes and the management of a PKI are not necessarily all performed by the same party. In defining the specific scope of the audit, the auditor must consider a number of questions such as:
- Does the CA perform all RA functions itself or does it make use of external RAs? Will the activities of external RAs be included or excluded from the audit scope?
- Does the organization issue certificates in the organization's name but outsource the management of the CA systems to a CA service provider? Has the CA service provider completed a third-party audit that is applicable to the organization's hosted systems?
- Will the audit scope be linked to specific industry standards, private community requirements or regulatory requirements?
There are a number of international and national standards which have been developed to assist auditors and implementers of PKI. PKI standards can be leveraged to provide a consistent basis for the audit of PKI controls across CAs, improve the quality of a PKI implementation, increase the efficiency of operations, and help enable interoperability with other PKIs. One of the most widely known and adopted standards for CA operations is the American National Standard (ANS) X9.79:2000 PKI Practices and Policy Framework. X9.79 includes CA control criteria which were based on the existing body of international (ISO, IETF, BSI) and US (ANSI, FIPS, ABA) standards related to certificate management, key management and security management. The AICPA/CICA Electronic Commerce Assurance Task Force then adopted the X9.79 criteria as the basis of the WebTrust Program for Certification Authorities (WebTrust for CAs) which provides an audit framework specifically designed for CAs and has been adopted by the professional accountancy organizations in over 15 countries. In addition, the International Organization for Standardization (ISO) currently is developing an internationalized standard (ISO 21188) for PKI practices using X9.79 as a primary input.
The X9.79 and WebTrust for CAs criteria continue to gain broad international adoption. For example, these criteria have been:
- Adopted by Microsoft as a requirement for Root CA certificates to be included in Microsoft browsers
- Reflected in the European Telecommunications Standards Institute (ETSI) policy requirements for certification service providers (ETSI TS 101456) as a technical underpinning of the European Directive on Electronic Signatures of 1999
- Reflected in the Identrus Compliance and Controls Assessment Guidelines
- Endorsed by the PKI Forum
- Referenced by American Bar Association (ABA) in its PKI Assessment Guidelines
Within individual PKIs or closed communities, specific standards often are specified. In some cases these are derived from existing standards while in others distinct requirements are established.
PKI Audit Process
There are generally three main phases to a PKI audit: planning, execution and reporting. A brief description of each phase is provided.
The planning phase enables the auditor to communicate the overall audit plan to the CA and confirm a common understanding of the audit approach. In addition, this phase provides the CA with an understanding of the audit process and enables the CA to prepare for the audit. This planning phase is critical to ensure that all participants in the audit process have a common understanding of the audit goals and objectives.
The planning phase includes steps such as:
- Gaining an understanding of the CA's business model, PKI architecture and trust model, required level(s) of trust in the CA, intended users and uses of certificates, volume of certificate issuance and certificate validity periods. This information will be used for assessing the risk profile of the particular CA environment.
- Reviewing the CA's CP, CPS and PKI strategy documentation
- Confirming the audit objectives, scope, appropriate standards framework, intended users of the audit report (internal and/or external) and the appropriate reporting format
The result of the planning phase is a well-balanced PKI audit plan that contains descriptions of activities for the performance of the audit.
Test procedures are performed in this phase. In the assessment of the design, the audit will focus on the completeness and sufficiency of the CA's processes, policies and procedures and the design of the PKI architecture. If the audit is focused on a point in time, then procedures are performed to verify the existence of the CA's controls as of that point in time. In addition to documentation review and interviews, this process includes specific testing conducted selectively on critical controls. In addition, if the audit covers a period of time, test procedures must be performed to verify the operating effectiveness of the CA's controls during the period covered by the audit report. These additional test procedures include corroborative inquiries, inspection of documentation evidencing that operational procedures were followed properly, review of system configurations (e.g., CA systems, databases, directories, operating systems, firewalls, routers, etc.), observation of key processes and controls, re-performance of certain processes, and other types of test procedures.
At the conclusion of the execution phase, the PKI audit report is prepared. The specific type of report will depend on the audit objectives and is defined in the planning stage. If the report is prepared for internal purposes only, the report might take the form of a PKI risk assessment report or gap analysis. If the report is for external purposes, it might take the form of a WebTrust for CAs report, a third-party statement, an SAS 70 report, or another appropriate format (such as a format specified by a national PKI accreditation scheme, if applicable). In conjunction with the external report, the auditor typically prepares a management letter that provides recommendations for improvement to the PKI design and operations. Some of the most common PKI reporting alternatives are described in the following section.
A third-party audit report for a service organization is an independent report concerning the design and operating effectiveness of the internal controls over its IT services, such as CA and RA services.
In the past, the general SAS 70 model for reporting on the controls of a service organization was used frequently for reporting on CA activities in the US. The SAS 70 report includes the auditor's opinion, a description of the service provider's services and controls, and the auditor's test procedures and results (for an SAS 70 Type II report only). Other approaches may include an audit of compliance with a specific standard or technical regulation or the performance of agreed-upon test procedures.
Currently, one of the most commonly used reporting approaches for CAs internationally is the WebTrust for CAs framework whereby the auditor performs test procedures to determine whether the CA has achieved the WebTrust for CAs Principles and Criteria and has provided its services in accordance with its disclosed business practices (CP/CPS) over a period of time. In certain European countries, a third-party statement may be issued. The third-party statement includes the auditor's opinion and an appendix containing a description of the organization's services, internal control structure and the audit objectives used. The audit objectives can be compiled from various standards frameworks.
In many countries, PKI supervisory and/or accreditation schemes have been or are being established. For example, the European Directive on Electronic Signatures was established to stimulate trade, facilitate the use of electronic signatures and contribute to their legal recognition across EU Member States through the use of qualified certificates which meet certain criteria. In support of the directive, countries such as the UK and the Netherlands have established voluntary accreditation schemes whereby a CA (certification service provider or CSP) can be certified to issue qualified certificates. This type of certification builds upon technical standards such as X9.79 and WebTrust for CAs and may provide enhanced legal status for digital signatures using qualified certificates. In other countries such as the US, some individual states have established licensing requirements whereby a licensed CA may gain approval to do business with the state government or achieve a certain legal status for digital signatures using certificates issued by the licensed CA. These various schemes typically require an audit of the CA's operations.
Practical PKI Audit Experiences
Many new CAs are not fully prepared to successfully complete an audit and are not yet ready for certification. There are frequently gaps in the areas of documentation of procedures and guidelines, the implementation of the security and risk management processes, and business continuity management. Several older PKI implementations have not considered a standards framework in their requirements specification and design, potentially impacting the trustworthiness and viability of the PKI.
A variety of PKI standards frameworks can be used as the basis for performing an audit of the design and operating effectiveness of a CA's controls. However, many of these frameworks have similar roots--either the ANS X9.79 standard or the international and domestic standards upon which X9.79 was developed. Using a PKI standards framework such as X9.79/WebTrust for CAs can help an organization in the design of its controls and in preparing for an audit or certification. Every PKI implementation will have its own unique requirements, which may be dictated by the CP/CPS, organizational standards or policies, industry sector requirements, regulatory requirements, or standards for the community of trust. These distinct requirements must be considered and addressed.
As the adoption of PKI and related technologies continues and as PKI-enabled business applications become more prevalent, PKI audits and certifications will become increasingly common to support business risk management objectives as well as the needs of external parties.
American Bar Association, Information Security Committee, PKI Assessment Guidelines, Public Draft for Comment v0.30, 18 June 2001, www.abanet.org/scitech/ec/isc/pag/pag.html
American National Standards (ANS) X9.79:2000, PKI Practices and Policy Framework, www.x9.org
American Institute of Certified Public Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA), WebTrust Program for Certification Authorities, version 1.0, 25 August 2000, webtrust.org/certauth_fin.htm
European Telecommunications Standards Institute (ETSI), TS 101 456 v 1.2.1, Policy requirements for certification authorities issuing qualified certificates, April 2002, portal.etsi.org/sec/el-sign.asp
Gatekeeper (Australia), Criteria for Accreditation of Certification Authorities, Version 9, 28 March 2001, www.govonline.gov.au/publications/GOL/ CA_AccreditationCriteria_v9.pdf
Ronald Koorn MSc., CISA, RE
is a senior manager at KPMG Information Risk Management in The Netherlands. He has completed a two-year post- graduate study in IT auditing and is responsible for the KPMG services with respect to PKI, online privacy, digital rights management and electronic invoicing. Koorn has spent two years at KPMG San Francisco and Silicon Valley and is a member of the Dutch Central Council of Experts, which determines and maintains the ISO17799 and PKI certification schemes. He is a core group member of the European Certification Authority Forum. (EEMA/ECAF). He can be reached at firstname.lastname@example.org.
Peter van Walsem, MSc.
is an IT audit manager at KPMG Information Risk Management in The Netherlands. His main focus is on the management control aspects of implementing and operating IT systems. He specializes in auditing and certifying public key infrastructures. In 1999 he was involved in the development of the global KPMG PKI audit and control methodology and the KPMG PKI rapid deployment methodology. He has performed PKI audits and reviews in the IT service provider, financial and telecommunications sectors. He can be reached at email@example.com.
Mark Lundin, MSc., CISA, CPA
is a senior manager in KPMG's San Francisco office. He focuses on e-business security; the secure implementation, operation and application of PKI technology; and audits of certification authorities. He has worked with numerous PKI vendor products and service providers and actively participates in the development of international and domestic PKI standards. His clients include leading global organizations operating commercial and enterprise certification authorities (CA) as well as leading IT service providers, Internet payment processors and other organizations with e-business initiatives. He can be reached at firstname.lastname@example.org.