PKI Security

Public key infrastructures (PKIs) are relied upon to secure a broad range of digital applications, validating everything from transactions and identities to supply chains. However, infrastructure vulnerabilities represent a significant risk to the organizations that rely on PKI alone to safeguard digital applications.

Thales offers PKI encryption key management solutions to help you protect the keys at the heart of PKI as well as PKI-based authentication tokens that leverage the security benefits offered by PKI to deliver dependable identity protection. These solutions are available on premises, or as a service in the cloud.

PKI Key and Certificate Security

Secure storage and protection of private keys is integral to the security of the Asymmetric Key Cryptography used in a PKI. If a Certificate Authority’s (CA’s) root key is compromised, the credibility of financial transactions, business processes, and intricate access control systems is adversely affected.

Therefore, in a PKI environment – particularly one integral to business processes, financial transactions, or access controls – it is essential that private keys be guarded with the highest level of security possible via a dedicated security device — a hardware security module (HSM).

HSMs for PKI Encryption Key Management

Organizations deploy Thales TCT’s HSMs, which work in conjunction with a host CA server to provide a secure hardware storage location for the CA’s root key or subordinate CAs’ private keys. It is separately managed and stored outside of the operating system software, thus preventing theft, tampering, and access to the secret key material.

Thales TCT HSM Highlights:

  • FIPS 140-2 validation
  • Hardware-secured key generation, storage, and backup
  • Hardware-secured digital signing
  • PKI-authenticated software updates
  • Host-independent, two-factor authentication
  • Enforced operational roles

PKI Authentication Solutions

Thales TCT offers hardware-based PKI authentication solutions that provide optimal levels of security. Our wide portfolio of Thales smart cards and USB tokens leverage public key infrastructure to provide certificate-based strong authentication.

This ensures two-factors of authentication by leveraging the hardware card or token for something you have, combined with a user selected PIN for something you know to provide two factors of authentication.

Realizing the need for strong PKI authentication

With proper security controls in place to verify the identity of the user before smart card issuance and certificate provisioning, you can be assured that only the legitimate user is the one accessing the corporate network and sensitive data.

Once a certificate-based identity solution has been deployed, there are several additional security features that can be added, including file encryption, email encryption and digital signature.