The public key infrastructure (PKI) is a well-known mechanism for electronically authenticating individuals. In the PKI, each entity (or individual) has a unique, asymmetric cryptographic key pair, comprising a public key and a private key. A certificate authority (CA) issues a digital certificate—an electronic document—listing the entity's identity credentials (e.g., name and organization) and the entity's public key, binding the entity's identity to its public key. The entity may use its keys to encrypt and decrypt information. For example, the entity may encrypt all or a portion of its outgoing messages with its private key, and may distribute its digital certificate along with the encrypted message. The message recipient may decrypt the encrypted message using the sender's public key, allowing the recipient to confirm that (i) the sender controls the corresponding private key, and therefore deduce (assuming that only the entity identified in the certificate has access to the corresponding private key) that (ii) the sender is the entity identified in the digital certificate.
Because PKI-based authentication is premised on the assumption that whoever is able to use a private key must be the entity identified in the corresponding digital certificate, the security of private keys is a crucial element of the PKI. An unauthorized individual or entity that has access to a private key can use that private key to impersonate the rightful owner in electronic communications and transactions.
Within a PKI environment, a certificate authority (CA) may use its root private key to sign all newly issued digital certificates and to perform other security-related functions (for example, signing certificate revocation lists (CRLs) and/or OCSP responses). Protecting the CA's root private key is very important to maintaining the legitimacy of the CA and, more fundamentally, of the PKI itself. If a CA's root private key is compromised, nothing that has been signed using that root certificate (e.g., any subordinate certificates signed by the root certificate, or any leaf certificates signed by a subordinate certificate) can be trusted, making the CA essentially useless. At the same time, the CA needs to execute these signing operations using the securely stored root key quickly and efficiently.
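The following added example (not part of the original text) models the root, subordinate and leaf chain described above and shows that every certificate under a root stops validating once a relying party no longer trusts that root. It assumes textbook RSA over small constructed primes and hypothetical names (`issue`, `verify_chain`, "Example Root CA"); it is not a real X.509 implementation and the keys are far too small for real use.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys in this example

def make_key(p, q):
    """Textbook RSA from two primes: returns (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(cert, n):
    """Hash the signed fields (identity, public key, issuer), reduced into modulus n."""
    tbs = f"{cert['subject']}|{cert['pub']}|{cert['issuer']}".encode()
    return int.from_bytes(hashlib.sha256(tbs).digest(), "big") % n

def issue(subject, pub, issuer, issuer_n, issuer_d):
    """The issuer binds `subject` to `pub` by signing with its private exponent."""
    cert = {"subject": subject, "pub": pub, "issuer": issuer}
    cert["sig"] = pow(digest(cert, issuer_n), issuer_d, issuer_n)
    return cert

def verify_chain(chain, trust_anchors):
    """chain is leaf-first; trust_anchors maps a root name to its public modulus."""
    for cert, parent in zip(chain, chain[1:]):
        if cert["issuer"] != parent["subject"]:
            return False  # chain is not linked issuer-to-subject
        if pow(cert["sig"], E, parent["pub"]) != digest(cert, parent["pub"]):
            return False  # signature does not verify under the parent's key
    root = chain[-1]
    return trust_anchors.get(root["subject"]) == root["pub"]

# Constructed keys built from small Mersenne primes (illustration only).
ROOT_N, ROOT_D = make_key(2**61 - 1, 2**89 - 1)
SUB_N, SUB_D = make_key(2**107 - 1, 2**127 - 1)
LEAF_N = (2**19 - 1) * (2**31 - 1)  # leaf public key; it signs nothing here

ROOT = issue("Example Root CA", ROOT_N, "Example Root CA", ROOT_N, ROOT_D)
SUB = issue("Example Sub CA", SUB_N, "Example Root CA", ROOT_N, ROOT_D)
LEAF = issue("leaf.example", LEAF_N, "Example Sub CA", SUB_N, SUB_D)
CHAIN = [LEAF, SUB, ROOT]

if __name__ == "__main__":
    anchors = {"Example Root CA": ROOT_N}
    print(verify_chain(CHAIN, anchors))  # root is a trusted anchor
    print(verify_chain(CHAIN, {}))       # root removed after a compromise
    tampered = dict(LEAF, pub=LEAF_N + 2)
    print(verify_chain([tampered, SUB, ROOT], anchors))  # altered binding
```

The only input that separates the accepted chain from the rejected one is the relying party's trust in the root key, which is why the verifier has no way to keep trusting the subordinate or leaf certificates once the root is distrusted.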
A variety of systems and methods are used to protect private keys from unauthorized use, ranging from software-level encryption to hardware-based cryptography. For example, some operating systems store private keys in files which have been encrypted using a random symmetric key (also referred to as a master key) that has in turn been encrypted and stored elsewhere within the operating system. In other systems, private keys may be stored in tamper-resistant and/or tamper-evident hardware.
However, such systems and methods may still be vulnerable to attacks. For example, software-based security mechanisms can be susceptible to vulnerabilities in the host operating system. Many hardware-based cryptography devices, which are generally considered to be more secure, are still controlled by or via software (such as an operating system), which may expose those hardware devices to attack through vulnerabilities in the software. If an attacker can instruct the hardware device to sign anything the attacker wants, in many scenarios it is functionally similar to owning the private key itself.
In general, security levels which are acceptable for individuals are often inadequate for storing CA root keys because of the difference in the impact of a compromise. When an individual's key is compromised, it affects only that individual and perhaps the several dozen people with whom he communicates. When a CA's root key is compromised, however, potentially hundreds of millions of people may be affected. On the other hand, the resources (both hardware and software) available to CAs are generally much more significant than those available to the average individual.
What is needed are systems, methods and apparatuses which may provide highly secure private key storage, while simultaneously ensuring that operations requiring the use of private keys can be performed in a timely manner.