The PKI Guy talks security with Dr. Thorsten Groetker of Utimaco

Q&A with Dr. Thorsten Groetker, chief technology officer, Utimaco

TPG: What are enterprises’ top security concerns?

TG: Large enterprises have security concerns on many different layers; from secure single sign-on solutions for individual users to security in the cloud. Often, all those challenges must be addressed with an eye on regulatory requirements.

How to maintain security in the cloud?

Elastic, opex-only compute models appeal to everybody, large and small. Most enterprises have come to understand that they still own the responsibility for the integrity and confidentiality of the data entrusted to them even if they neither own nor operate the compute infrastructure used to store and process information. The challenging part is to implement the required IT security mechanisms and processes in such a way that all legal and regulatory requirements are fulfilled without getting locked into a single cloud service provider’s infrastructure.

How to fulfill regulatory requirements, for instance around digital signatures and trust services in Europe?

Navigating a maze of regulatory requirements, technical requirements and certification bodies isn’t exactly easy. Multi-functional teams involving stakeholders from different organizations are often required to find workable solutions.

Is PQC a ticking timebomb?

We may be 10, 15, or 20 years away from a quantum computer breaking today’s asymmetric cryptography. Taking the lifetime of products and information (cf. record now, decrypt later) into account, the time to react often lies much closer in the future though, and sometimes even in the past. Enterprises are coming to realize this at an abstract level. Now they want, and need, to understand their security posture in more detail. What are the vulnerabilities? What are the timelines? Do processes, protocols, and products have the required level of crypto agility to allow for field upgrades?

TPG: What needs to happen with IoT security?

TG: Well, first and foremost, IoT security needs to happen. We have arrived at the point where we need to consider the IoT to be critical infrastructure and, hence, have to equate IoT security with a special form of critical infrastructure protection. Granted, we can sustain failures of individual IoT nodes and subsystems, but large-scale breaches on existing less-than-ideally protected IoT systems could have substantial impact on public safety and the economy.

Legislators and industry bodies need to work together to create easy-to-understand risk profiles and corresponding ratings.

We will see the deployment of more PKI technology too to make this work. As devices are often of the install-and-forget variety, we cannot solely rely on humans to assess (and periodically re-assess) risk ratings. Instead, we need certificate-based classification of devices. In the IoT, the I (the network) needs to reject the T (the node) if it is not, or no longer, fit for the job.

I appreciate related efforts, for instance in the 5G context. Of course, I don’t mean the better connectivity/reduced latency/improved throughput aspect, but rather IoT security related efforts such as those by G5AA.

TPG: How are you working to secure the future of IoT?

TG: Utimaco and its strong partner network are addressing IoT challenges with a broad range of products and services. Just take a look at the partner locator on our website, or on the wealth of case studies.

From a technology point, let me mention the elements that form the basis for those products.

The complete range of Utimaco HSMs — from the most powerful HSM in the cloud to the free HSM simulator — are all based on the most versatile, future-proof crypto programming platform in the market. I am excited to work with leading experts in the post-quantum crypto field enabling our customers to experience true crypto agility laying the foundation for quantum-safe cybersecurity products. Utimaco’s certification support services help our customers and partners to pass the regulatory requirements in their respective markets.

TPG: What’s the latest with your Hardware Security Modules (HSMs)?

TG: Utimaco has been very active. A lot has happened in the past months. Let me just pick three examples from the areas of payments, digital signatures, and the cloud.

Utimaco has completed the acquisition of Atalla.

We believe the traditional separation between payment HSM and general purpose HSM will eventually cease to exist, which is why our goal is to focus on innovation and invest in building one common platform for payment and general purpose HSM customers. We have a clear understanding of how architectures need to come together, providing the product in all required form factors: PCIe, network-attached LAN appliance, and Cloud.

Utimaco rolled out a unique HSMaaS product — CryptoServer Cloud — in NA, EMEA, and AP.

CryptoServer Cloud offers maximum security for cloud-hosted applications that rely on HSMs as a trust anchor. This includes support for remote multi-factor authentication as well as the ability to run custom code inside the secure perimeter of the HSM. The product’s multi-cloud capability and virtually unlimited scalability combined with seamless integration of on-prem HSMs make it ideal for companies on a multi-vectored growth path.

Utimaco is first to offer (EAL 4+) CC-certified HSMs fulfilling the requirements of the eIDAS regulation.

CryptoServer CP5 supports Trust Service Providers (TSPs) in fulfilling policy and security requirements defined in various ETSI technical standards. Application areas include eIDAS-compliant qualified signature creation and remote signing, as well as the issuing of certificates, OCSP status requests and timestamping.

TPG: How are you working with financial services and payment industries?

TG: I have mentioned the Atalla acquisition before. Let me talk about the result of joining forces with the Atalla team.

Strong innovation in the payments and fintech markets — Utimaco has unrolled a number of new products and is actively contributing to the development and adoption of the latest electronic payments standards.

The Utimaco Atalla AT1000 HSM, a PCI-DSS compliant HSM, provides unrivaled protection for AES and other cryptographic keys when safeguarding payment transactions. The HSM protects and manages encryption keys needed for key derivation within the tamper-resistant hardware device.

All payment systems are unique, and the market is constantly evolving. Technologies like blockchain are on the rise. To keep up with market developments, the industry needs of tomorrow require implementing modifications today already, all while keeping regulations and compliance in mind.

TPG: What types of quantum-safe solutions are you working on?

TG: Utimaco is working with a number of leading researchers in the field of post-quantum security around the world. They work on the cryptographic algorithms; we jointly work on secure implementations of quantum-safe cryptography.

That said, in order to ensure that Utimaco’s HSM platform continues to be the most versatile in the market we actively address the whole gamut of solutions:

• from algorithms submitted to the NIST PQC process
• through stateful hash-based signature schemes that are outside of the scope of the NIST process
• to secure implementations of systems relying on symmetric cryptography

There is not a one-size-fits-all solution to the challenge posed by quantum computers.

TPG: Where do you see authentication headed in the next few years?

TG: Authentication is a multi-faceted subject. Who authenticates – man or machine? Is authentication interwoven with a use case such as command-and-control, say, for critical infrastructure protection, or with email encryption? Forward secrecy (back to PQC) may or may not play a role. Also, what is the size of the organization? After all, crypto agility has many layers.

Utimaco has a number of partners offering strong authentication solutions. This topic, I think, deserves a Q&A session in its own right. So, let me constrain my response to a personal, non-authoritative list of comments.

Biometrics are still gaining popularity. Personally, I am not a big fan of technologies that can be breached with a machete, a scalpel, and magic tape though. Jokes aside, while a fingerprint is more secure than repeatedly, and publicly, punching the same PIN into your phone it does not strike me as something I would use to secure high-value corporate assets. To me, multi-factor authentication based on PKI technology is the way to go.

Granted, declared dead long ago, passwords will lead a long life. But my prediction is that anything based on shared secrets, including tokens for one-time passcodes, will be in decline. These technologies lack the scalability required in today’s increasingly heterogenous IoT world. That said, we’ll see more embedded device with secure elements in the future. I just wish they were all sufficiently flexible, secure and crypto-agile to stand the test of (their life-) time.

TPG: What’s the latest cryptographic research you’re working on?

TG: PQC for sure. We addressed this several times already. We are also looking into ring signatures for certain blockchain applications. By and large though, we are concerned with the secure implementation of cryptography – typically, algorithms, standards, and regulations are a given.

The best algorithm is worthless if you lose your keys. Or if you generate weak keys. That is why you need a strong HSM as a root of trust. This includes defenses against side-channel and fault-injection attacks. While we have strong technology based on many years of experience, our research teams are always on the outlook for new attacks and defenses.

TPG: Tell us what about your compliance solutions.

TG: Utimaco’s Telecommunication Solutions division develops security systems for the fulfillment of compliance with legal and regulatory requirements towards telecommunications service providers and internet service providers.

Utimaco’s products for telecommunication surveillance and data retention enable audited and strictly access-controlled real-time monitoring of all types of communications services, as well as long-term storage of telecommunications metadata in public telecommunications networks. The solutions are an integral part of telecommunications networks that are required to provide authorities with certain types of information through processes that are constitutionally sound and guarantee for accountability.

Internal processes and managed data are highly sensitive and need to be protected to eventually serve as trusted evidence at court proceedings. All of this must be ensured in increasingly complex networks of the telecommunication providers.

Utimaco’s compliance solutions are ready to be integrated into the new 5G mobile network infrastructures. 5G networks come with a number of new features like massive IoT connectivity, high bandwidth and low latency, beside others. One major aspect is a fully virtualized network infrastructure with thousands of instances of network functions and interfaces that compliance solutions have to connect to. Security aspects are playing an increasing role in 5G networks.

Utimaco compliance solutions will be enhanced with PKI/CA functionality. According to the 3GPP standards, compliance solutions will act as root- or sub-CA in the network to secure the connected network functions and interfaces. It is recommended by Utimaco to secure such CAs with HSMs to guarantee highest security standards.