Understanding Cryptography Jargon

Jarred McGinnis
July 21, 2021

Or ‘Wait, what does SCEP stand for again?’

Cryptography is the study of secure communication, but you would be forgiven if you thought it was a mathematician's hobby of creating unpronounceable acronyms. HSTS, really? What's wrong with something like Radar or Crispr?

In this article we’ll go through some of the key terms and acronyms that pop up when working in the cryptography field.

ACME

ACME stands for Automatic Certificate Management Environment. It pretty much does what the acronym tells you it does. It’s a protocol to automate the interactions (e.g. requesting, renewing and revoking certificates) between the web server and the Certificate Authorities. It was developed by ISRG (ehserg?) as part of their Let's Encrypt non-profit certificate authority. A number of clients exist: some free, some inexpensive and some part of proprietary PKI (public key infrastructure) solutions. The goal is to remove the more labour-intensive parts of certificate management, reduce user errors and provide some protection against attacks like DNS spoofing.

Airgapping

Okay, I’ll give points to cryptography for this one. Airgapping sounds like a sweet skateboard trick. Nice work, nerds. Airgapping is a security measure in which a network or a single machine is physically separated from the rest of the organization’s network and the wider internet. This includes wifi. Data transfers require physical media such as a USB key or some other removable media. Airgapping is used in high-security systems such as military, payments and life-critical applications such as hospitals and nuclear facilities. With respect to cryptography, and in particular PKI, airgapping is used to ensure the security of private keys, especially for root certificates.

CA

CA stands for Certificate Authority: the company or organization that issues security certificates and acts as a third party to certify those certificates.

Certificate pinning

Or, if you prefer cryptography’s ungainly acronyms, HTTP Public Key Pinning or HPKP, which is the sound you make when you eat something too spicy. However you pronounce it, it’s important to know that HPKP has been deprecated. 

Initially, it was a bit of cleverness from Google to make sure no one else could pretend to be Google via a man-in-the-middle attack. The idea was to limit the definition of validity by ‘pinning’ certificates issued by a specific certificate authority, certain public keys or a specific End-Entity Certificate. The hope was that this could protect users from compromised certificate authorities or the issuance of invalid certificates. The consequences turned out to be more troublesome than the problem it was meant to solve. Users found themselves locked out of their own sites, whether through negligence, such as not having backup keys when the pinned keys were revoked, or through attackers stealing pinned keys and holding the site for ransom. Certificate pinning’s cardinal sin was to remove the crypto agility that is vital for any organization that must deal with unplanned outages, certificate revocations or as-yet undreamed of attacks - events that would require updating or patching the application as well as the certificate. Certificate-related outages are costly and unnecessary, so eventually the idea was deprecated, though it is in some ways replaced by the Certificate Transparency Log.

Certificate Transparency Log

Cryptography has a culture of transparency, which is ironic considering it's in the business of keeping things secure and secret. It makes perfect sense though. If a protocol, algorithm or certificate is compromised, it’s better to find that out sooner rather than later. It’s better that it be tested by potential users rather than by an attacker quietly keeping the exploit to themselves. Certificate Transparency is part of the public key infrastructure: a means of publicly recording the certificates being used, so that any erroneously issued certificates can be identified and addressed, whether they were issued by mistake or misbehavior. For TLS certificates, Certificate Transparency is mandatory. When a webserver requests a certificate from a CA, it gets recorded in a public log. The log can only be added to. To prevent tampering, it’s not possible to delete entries. It is cryptographically secure and publicly accessible. The logs are monitored by companies, CAs and individuals to address any inconsistencies or any unauthorized certificates.

CSR

Corporate social responsibility, just kidding. It stands for certificate signing request and is what you need to get a certificate from a CA. The CSR is where you put your public key and the identifying information that the CA will need to issue a certificate.

HSM

HSM stands for hardware security module. It's a specialized piece of hardware specifically for the management of cryptographic keys and operations used in high security environments such as payment or certificate authorities. An HSM will come with a variety of security measures to protect against attacks and even physical tampering. 

HSTS

HTTP Strict Transport Security or, to be precise, Hypertext Transfer Protocol Strict Transport Security, but that would be silly. HSTS is a response header that ensures the browser connecting to the webserver uses HTTPS, ensuring the use of TLS, rather than plain HTTP. It provides a measure of protection against passive and active attacks, especially man-in-the-middle attacks.
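What that response header looks like in practice, as an added example that is not part of the original article: a small checker that parses a Strict-Transport-Security value following the RFC 6797 rules (max-age required, directive names case-insensitive, no repeated directives) and reports weak settings. The function names and the 180-day threshold are assumptions chosen for illustration.

```python
MIN_MAX_AGE = 15552000  # 180 days; assumed policy threshold, not from the article

def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = arg.strip().strip('"')  # value may be a quoted-string
    age = directives.get("max-age", "")
    if not (age.isascii() and age.isdigit()):
        raise ValueError("max-age is required and must be a non-negative integer")
    return {
        "max_age": int(age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }

def audit_hsts(scheme: str, header_value) -> list:
    """Return a list of findings; an empty list means the policy looks sound."""
    if scheme != "https":
        return ["ignored: browsers disregard HSTS received over plain HTTP"]
    if header_value is None:
        return ["missing: no Strict-Transport-Security header"]
    try:
        policy = parse_hsts(header_value)
    except ValueError as exc:
        return [f"invalid: {exc}"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("disabled: max-age=0 tells the browser to forget the policy")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append(f"weak: max-age {policy['max_age']} is below {MIN_MAX_AGE}")
    if not policy["include_subdomains"]:
        findings.append("note: subdomains are not covered")
    return findings

if __name__ == "__main__":
    # Constructed sample header values.
    for value in ("max-age=31536000; includeSubDomains", "max-age=300", "includeSubDomains"):
        print(repr(value), "->", audit_hsts("https", value) or "ok")
```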

PKI

PKI stands for Public Key Infrastructure and the reason we’re here.

SCEP

I remember when I was young and my dad said to me, if you like protocols, maths and standards, cryptography is for you. SCEP or Simple Certificate Enrollment Protocol is pretty much the standard for issuing and managing certificates by CAs. It was an attempt to simplify and automate the process.

X.509

This is sadly not a Star Wars droid but definitely the workhorse of PKI and HTTPS and the secure web. I’m calling it the web because I am not writing ‘world wide web’ like it’s the late 90s and I’ve got an AOL CD on my desk. There’s some of you reading this who don’t know what those acronyms are and I’m not going to explain them. So there. X.509 is the standard for the format of these certificates we keep going on about. Billions and billions of the things zipping around making sure people are who they say they are and that the intended recipient is the only one who can read the message.