This document discusses auditing norms for PKI-based applications. It begins by describing the organization structure of PKI systems, which comprises the Controller of Certifying Authority (CCA), Certifying Authorities (CAs) and Registration Authorities (RAs). It then explains why auditing PKI applications is necessary to ensure that they are functioning properly. The challenges of such an audit include the limited validity of certificates and the inability to audit interactions with external organizations. It offers recommendations for overcoming these challenges, such as using secondary servers and accounting for variations in hash and signature algorithms, and concludes by outlining specific considerations for auditing both the PKI structure and the applications built on it.
Perspective: Auditing Norms for PKI-based Applications
Introduction

The use of alternative channels like the Internet and mobile to exchange information and money is now commonplace. Although some security concerns do persist, the fact remains that systems such as RTGS (Real Time Gross Settlement), NEFT or SWIFT are among the most reliable and safe mechanisms of fund transfer and messaging that we have ever known. It is natural to ask how that is possible.

The secret to this is "Public Key Infrastructure" (PKI).

PKI makes it possible for retail and bank users to exchange money and information safely and privately over a public channel. Each user holds a pair of cryptographic keys: a private key, which never leaves the user's possession and is usually stored on a smart card or similar token, and a public key, which is distributed to other parties inside a Digital Certificate issued by a trusted authority (browsers and applications keep such certificates in their trust stores). The sender signs a message with the private key; the receiver verifies the Digital Signature with the public key taken from the sender's certificate, which identifies and authenticates the sender and shows that the message was not altered in transit. For confidentiality the roles are reversed: the sender encrypts with the receiver's public key, and only the receiver's private key can decrypt.

There are a number of PKI systems in existence. For example, international financial and non-financial messages via SWIFT (Society for Worldwide Interbank Financial Telecommunication) are transported over an international PKI, whereas local transactions are typically supported by separate domestic infrastructure established by the Central Bank of each country.

Organization Structure

The organization structure of a PKI system has the following three tiers:

• Controller of Certifying Authority (CCA): This is a Government authority and the apex of the PKI organization. For example, in India, the CCA has been established under the provisions of the Information Technology Act, and works under the Ministry of Information Technology in New Delhi. The CCA is responsible for providing the Root Certificate, under which all other certificates are granted.

• Certifying Authority (CA): There are a number of Certifying Authorities, which are responsible for issuing Digital Certificates after verifying the documents of identity; these agencies report to the CCA. The Reserve Bank of India has established a separate CA exclusively for banking applications, and has been followed by a number of private agencies.

• Registration Authority (RA): Every bank has a Registration Authority, which represents it and its employees. It is the RA which verifies the employees of the bank for whom Digital Certificates are needed, consolidates the requirements, and then approaches the CA for issuing the certificates. Incidentally, each bank sets its own policies regarding which employees should be issued a certificate.

From the above description (and the hierarchy diagram in the original paper, which is not reproduced here) it is clear that the PKI hierarchy follows a "trust model", in which each tier performs a specific function:

• The CCA represents the law of the land and assures the legal validity of all the Digital Signatures/Certificates issued in the country of its jurisdiction. It also devolves authority upon the various CAs.
• The CAs are responsible for the actual issuance of certificates.
• The RAs represent and take care of the interests of individual banks with respect to the end-to-end management of Digital Certificates.

The Need for PKI Systems Audit

Having designed and implemented such an elaborate Public Key Infrastructure, it is equally important to ensure that it works properly. This is the goal of PKI Systems audit.
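The trust model just described can be exercised in code. What follows is an added example written for this page, not code from the paper or from Infosys. It builds a hypothetical three-tier hierarchy (a self-signed "CCA Root", a "Bank CA" certified by it, and an employee certificate "employee-4711" issued by that CA; the names, serial numbers and validity periods are all assumed) and then verifies the employee certificate up to the root. Because certificates have a fixed life, the employee certificate is deliberately constructed to have expired one year before the audit: the check is run once at the signing instant archived with the message and once at the audit date, and only the first succeeds. Go is used because its standard library does X.509 chain building offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// tier is one node of the hypothetical CCA -> bank CA -> employee hierarchy.
type tier struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue generates a P-256 key and a certificate for it signed by parent (nil parent = self-signed root).
func issue(name string, serial int64, from, to time.Time, isCA bool, parent *tier) (*tier, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: from, NotAfter: to, IsCA: isCA, BasicConstraintsValid: true, KeyUsage: ku}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &tier{cert: cert, key: key}, nil
}

// VerifyToRoot builds and checks the chain leaf -> CA -> root as it stood at instant `at`.
// X.509 validity periods are absolute instants (encoded in UTC), so `at` may carry any zone.
func VerifyToRoot(root, ca, leaf *x509.Certificate, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// ExpiredCertAudit reports whether an employee certificate that expired one year before
// the audit still chains to the CCA root when checked at the archived signing instant
// (two years before the audit) and when checked naively at the audit date itself.
func ExpiredCertAudit(audit time.Time) (okAtSigning, okAtAudit bool, err error) {
	y := 365 * 24 * time.Hour
	root, err := issue("CCA Root", 1, audit.Add(-10*y), audit.Add(10*y), true, nil)
	if err != nil {
		return false, false, err
	}
	ca, err := issue("Bank CA", 2, audit.Add(-5*y), audit.Add(5*y), true, root)
	if err != nil {
		return false, false, err
	}
	emp, err := issue("employee-4711", 3, audit.Add(-3*y), audit.Add(-y), false, ca)
	if err != nil {
		return false, false, err
	}
	signedAt := audit.Add(-2 * y) // the timestamp archived alongside the signed message
	okAtSigning = VerifyToRoot(root.cert, ca.cert, emp.cert, signedAt) == nil
	okAtAudit = VerifyToRoot(root.cert, ca.cert, emp.cert, audit) == nil
	return okAtSigning, okAtAudit, nil
}

func main() {
	atSigning, atAudit, err := ExpiredCertAudit(time.Now().UTC())
	if err != nil {
		panic(err)
	}
	fmt.Println("chain valid at signing time:", atSigning, "| at audit time:", atAudit)
}
```

The point for the auditor is that chain verification always has a verification time, and that time must be the signing time recorded with the message rather than the audit date; nothing in the example touches a system clock. The same pool-based call also accommodates a root rollover: trusting both the old and the new CCA root during the transition is a matter of adding both to the roots pool.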
Banks routinely undergo manual audit of business operations, as well as separate audits for information systems and information systems security. Information systems audit is defined as a periodic activity in which data and information systems are accessed and verified for desired business results, in order to understand whether the systems are working properly or not.

For the same reason, it is also necessary to audit PKI Systems. While the auditing of PKI applications costs time and money, banks must make the investment to ensure that these critical applications are functioning well.

Although PKI audit falls within the ambit of information systems audit, its norms vary somewhat. One of the key differences and challenges of PKI audit is that, unlike physical signatures, Digital Certificates and Signatures have a fixed life, after which they automatically expire. When that happens, a verifier that checks the certificate against the current date rejects messages signed under the expired certificate, so the transactions cannot be verified during audit in the ordinary way, and it becomes difficult to establish their legality. The signature itself does not stop being mathematically valid; what is needed is evidence that the certificate was valid at the moment of signing, which means retaining the signing time, the certificate chain and the revocation status as they stood at that time, and verifying against that time rather than the audit date. One of the ways to circumvent this problem is to create a simulated environment and push data into it for the purpose of the audit.

PKI audit must occur at two levels: that of the structure and that of the application. The first examines the processes and norms in use by the various tiers of the PKI organization, namely the CCA, CA and RA. The second audits the different PKI applications and the way they participate in the business.

Ideally, as the below diagram shows, there should be a separate audit at each level of the PKI organization, and also of PKI applications. (The diagram is not reproduced here.)

Taking the example of India once again, it is observed that the Controller of Certifying Authority is very conscious of its responsibility and undergoes rigorous internal audit at regular intervals. Similarly, RBI and other Certifying Authorities also conduct audits of PKI systems. Audit of the Registration Authority at each bank is necessary to ensure that all the certificates issued to current employees are valid, and also that those previously issued to employees who have since left are no longer valid.

The auditing of information systems, of which PKI is a part, is a vast domain which covers most general practices. Unfortunately, it does not lay down any specific guidelines for the way in which PKI applications must be audited. Consequently, banks approach the audit as one more compliance mandate that must be fulfilled. This is a pity, because PKI audit plays a big role in ensuring that the systems are in order, and thereby reduces security lapses.

This paper attempts to raise awareness of auditing norms for PKI based applications.

Auditing PKI Applications

Another key constraint of PKI audit (besides the limited validity of certificates mentioned earlier) is that it can only be a partial one. This is because PKI transactions always involve an external organization, which is outside the audit's purview. An application module deployed at a Registration Authority may be audited for what it does within its own four walls, but it is not possible to evaluate its interactions with modules at external agencies, such as a Certifying Authority. The auditors simply have to accept this and move on.

There need to be two separate audits, one for the structure (CCA, CA, RA etc.) and one for the applications; both will suffer from this constraint.

While auditing the structure, the auditor is supposed to follow certain norms to check:

• Whether certificate related backups are taken and stored at the CCA level
• Whether, during the verification of individual signatures, verification is done up to the root level
• Whether the CAs are correctly following the norms pertaining to the storage of keys
with primary and backup servers, and whether they have adequately secure storage infrastructure
• Whether any time gaps or differences in time zones are taken into account while transitioning from one root CCA certificate to another. It is important that PKI applications have a feature to support time gaps, and even the occasional co-existence of root certificates with different validities

Difference Between PKI-based Application Audit and Regular Information Systems Audit

In general, the audit norms are similar; however, PKI-based applications have certain constraints which need to be addressed during audit.

• Digital Signature generation is a run time operation; applications generating and verifying a Digital Signature always couple it with the date and time of its creation. What this means is that whenever a Digital Signature is affixed to a message, there is a date and time attached to it. Also, as mentioned earlier, the Digital Signature has a limited validity.

• PKI modules always check the validity of Digital Certificates during verification by consulting the system date. This might occasionally create a conflict if the verification involves countries in two distant time zones, such as South Africa and Japan. The validity period in an X.509 certificate is expressed in UTC, so the conflict arises only when an application compares it against an uncorrected local clock, or when the clocks of the two parties are skewed; the auditor should check that timestamps are recorded together with their zone and that the servers are time-synchronised.

• During PKI application audit it is important to gather the relevant time stamps and verification logs for future reference, in an offline process.

• Given the impact and risk associated with PKI transactions, it is very important for the auditor to cross check each transaction signature against the log, something that is seldom required in conventional audit.

• In general, an audit is conducted to check business value at the organization level, as well as compliance. PKI audit highlights the enormous technology risks which PKI based applications bring to daily banking operations. It is important to note that such transactions are very secure as long as the private keys are not compromised.

Overcoming the Challenges of PKI Application Audit

• Using secondary servers to replicate data, and changing the system date on them, can circumvent the run time dependency of PKI applications. In this way, signatures may be verified without impacting the normal course of business. Where the verification tool allows the validation time to be supplied explicitly, the same result is obtained without altering any system clock.

• Different signature and hash algorithms used by different applications may lead to variation in security practices and outcomes. For example, until some time ago the SHA-1 hash algorithm was very popular; now SHA-2 has taken its place in many PKI applications. Hence, any proprietary tools used during audit must be able to accommodate such changes. (SHA-1 is a hash function, not an encryption algorithm, and is no longer considered collision resistant; signatures that still rely on it should themselves be flagged during audit.)

• Frequently, browser based applications do not recognize the local Certifying Authority, and consequently browser based tools of audit do not recognize valid transactions and messages. This is a known problem, which CAs can solve by having their root certificates included in the trust stores shipped by the different browser and operating system vendors.

• An important goal of the audit is to discover any mismatch in data between the messaging layer and the business layer. Sometimes, because of errors in the network, messages get delayed. The rescheduling of messages/transactions impacts normal account closing at end of day (EOD). Hence, while linking EOD and BOD (beginning of day) operations to accounting entries, it is important to take care of any time gaps.

• "Hidden snake in the tunnel": Often, banks implement PKI only at the module level, and bypass the PKI channel while accessing the data, because it is faster and more convenient to do so. It is the auditor's responsibility to find such occurrences and bring them within the audit band. It has been found during audit that banks take the required data directly from middleware, databases or even logs, bypassing signature verification.

• Many banks allocate separate drives to store logs generated by PKI applications. They must exercise adequate access control over such logs by correctly maintaining system level access.
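As an added example of the cross check described above (written for this page; not code from the paper, from Infosys or from any particular banking product), the function below re-verifies every business-layer transaction against the PKI verification log using the signer's public key, rather than trusting the application's own "verified" flag. The log format (`txid|hex-signature`), the ledger, the payloads and the messaging-layer key are all constructed for the example; a real audit would substitute the bank's archive and the public key from the signer's certificate. Besides "verified", the check reports a payload that was altered after signing, a ledger entry that never passed through the PKI channel (the "hidden snake" bypass), and a logged signature with no ledger counterpart (a messaging-layer versus business-layer mismatch).

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Finding is the auditor's verdict on one business-layer transaction.
type Finding struct {
	TxID, Status string // Status: verified | bad-signature | unsigned
}

// parseSigLog reads the hypothetical PKI verification log, one line per signed message:
// "<txid>|<hex DER ECDSA-P256 signature over SHA-256(payload)>". Malformed lines are
// skipped here; a real audit would report them as findings in their own right.
func parseSigLog(log string) map[string][]byte {
	sigs := map[string][]byte{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		parts := strings.SplitN(strings.TrimSpace(sc.Text()), "|", 2)
		if len(parts) != 2 {
			continue
		}
		if sig, err := hex.DecodeString(parts[1]); err == nil {
			sigs[parts[0]] = sig
		}
	}
	return sigs
}

// CrossCheck re-verifies every ledger entry (txid -> payload as the business layer recorded
// it) against the signature log with the signer's public key. Signatures that have no
// ledger entry are returned separately as orphans.
func CrossCheck(ledger map[string]string, sigLog string, pub *ecdsa.PublicKey) (findings []Finding, orphans []string) {
	sigs := parseSigLog(sigLog)
	ids := make([]string, 0, len(ledger))
	for id := range ledger {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	for _, id := range ids {
		status := "unsigned" // reached the ledger without passing through the PKI channel
		if sig, ok := sigs[id]; ok {
			h := sha256.Sum256([]byte(ledger[id]))
			status = "bad-signature" // payload altered after signing, or signature forged
			if ecdsa.VerifyASN1(pub, h[:], sig) {
				status = "verified"
			}
			delete(sigs, id)
		}
		findings = append(findings, Finding{id, status})
	}
	for id := range sigs {
		orphans = append(orphans, id)
	}
	sort.Strings(orphans)
	return findings, orphans
}

// Scenario constructs sample data: three messages signed by the messaging layer; a ledger
// in which one payload was changed after signing and one entry never went through the
// PKI channel; and one logged signature whose transaction is missing from the ledger.
func Scenario() ([]Finding, []string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signed := map[string]string{ // what the messaging layer actually signed
		"TX-1001": "NEFT|ACC-001|ACC-777|INR 50000",
		"TX-1002": "NEFT|ACC-002|ACC-778|INR 1000",
		"TX-1004": "NEFT|ACC-004|ACC-780|INR 250",
	}
	ledger := map[string]string{ // what the business layer recorded
		"TX-1001": signed["TX-1001"],
		"TX-1002": "NEFT|ACC-002|ACC-778|INR 100000", // amount changed after signing
		"TX-1003": "NEFT|ACC-003|ACC-779|INR 9000",   // never signed: bypassed the PKI channel
	}
	var log strings.Builder
	for _, id := range []string{"TX-1001", "TX-1002", "TX-1004"} {
		h := sha256.Sum256([]byte(signed[id]))
		sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
		if err != nil {
			return nil, nil, err
		}
		fmt.Fprintf(&log, "%s|%s\n", id, hex.EncodeToString(sig))
	}
	findings, orphans := CrossCheck(ledger, log.String(), &key.PublicKey)
	return findings, orphans, nil
}

func main() {
	findings, orphans, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println(findings, "orphan signatures:", orphans)
}
```

The verification is done from first principles (hash the payload as recorded, verify the stored signature with the public key) precisely so that it does not depend on anything the application under audit says about itself; the three non-"verified" outcomes map onto the mismatches and bypasses the bullets above ask the auditor to look for.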
• It is a normal practice among banks to copy Digital Certificates from their primary site to a secondary/Disaster Recovery (DR) site located on a different seismic plate, as part of Business Continuity Planning (BCP). Certain PKI modules may not allow the movement of certificates which are tightly coupled with the system's IP address. In such cases, while shifting data from one server to another, it is necessary to ensure that the DR/BCP servers have the same system IP address. This must be considered during audit.

• Private keys, and the Digital Certificates that go with them, are normally stored on smart cards, Hardware Security Modules or hard disks; during BCP drills it is important to make sure that the movement of any PKI related artifacts, such as digital certificates, keys or security modules, is conducted by way of a standardized process and is also audited.

• Since certificates are often revoked as per banks' policies, PKI applications should have the capability to connect to the CA's central server periodically to check the CRL (Certificate Revocation List). The auditor should also check for revocation, and whether transactions signed with a revoked certificate after the time of its revocation were rejected or reversed correctly.

• At times, the CCA revokes its own root certificates and issues new ones. This in turn revokes the CAs' certificates, and invalidates all Digital Certificates allied to them. In such cases, the auditor should audit the application to check for a provision for a second root certificate.

Author
Makarand Madhukar Baji
Senior Consultant – Finacle Payments
Infosys
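The two revocation bullets above, as an added example written for this page (not part of the paper and not Infosys code): a CRL is signed by a hypothetical self-signed "Bank CA", and the auditor's check parses it, verifies its signature against the CA certificate, refuses a stale CRL, and then classifies archived transactions by comparing the signing instant recorded with each one against the revocation time of the serial number of the certificate that signed it. The serial numbers, transaction IDs, times and the archive format are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Transaction is one archived, signed message: the serial number of the signing
// certificate and the signing instant recorded with it (hypothetical archive format).
type Transaction struct {
	ID       string
	Serial   int64
	SignedAt time.Time
}

// newCRLIssuer creates a self-signed CA certificate permitted to sign CRLs (stands in for the bank's CA).
func newCRLIssuer(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Bank CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// RevocationCheck validates the CRL (issuer signature and freshness), then classifies each
// transaction: "ok" (serial not on the list), "signed-before-revocation" (valid, but worth a
// look at the revocation reason) or "signed-after-revocation" (must have been rejected or reversed).
func RevocationCheck(crlDER []byte, issuer *x509.Certificate, now time.Time, txs []Transaction) (map[string]string, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return nil, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return nil, err // a CRL that does not verify against the CA proves nothing
	}
	if now.After(crl.NextUpdate) {
		return nil, errors.New("CRL is stale; fetch a current one before auditing")
	}
	revokedAt := map[int64]time.Time{}
	for _, rc := range crl.RevokedCertificates {
		revokedAt[rc.SerialNumber.Int64()] = rc.RevocationTime
	}
	out := map[string]string{}
	for _, tx := range txs {
		switch t, ok := revokedAt[tx.Serial]; {
		case !ok:
			out[tx.ID] = "ok"
		case tx.SignedAt.Before(t):
			out[tx.ID] = "signed-before-revocation"
		default:
			out[tx.ID] = "signed-after-revocation"
		}
	}
	return out, nil
}

// Scenario constructs the data: the CA revokes serial 42 two days before `now`, and the
// archive holds three transactions, two of them signed by certificate 42.
func Scenario(now time.Time) (map[string]string, error) {
	issuer, key, err := newCRLIssuer(now)
	if err != nil {
		return nil, err
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(7), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: now.Add(-48 * time.Hour)}},
	}, issuer, key)
	if err != nil {
		return nil, err
	}
	txs := []Transaction{
		{"TX-1", 42, now.Add(-72 * time.Hour)}, // signed before the certificate was revoked
		{"TX-2", 42, now.Add(-24 * time.Hour)}, // signed after revocation: must not have been accepted
		{"TX-3", 17, now.Add(-24 * time.Hour)}, // certificate not on the CRL
	}
	return RevocationCheck(crlDER, issuer, now, txs)
}

func main() {
	result, err := Scenario(time.Now().UTC())
	if err != nil {
		panic(err)
	}
	fmt.Println(result)
}
```

Two details matter in practice and are the reason for the two early returns: ordinary chain verification never consults a CRL, so the revocation lookup has to be a separate step, and a CRL is only evidence if its signature checks out against the CA and it is still within its validity window, which is why the bullet above asks for periodic retrieval.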