Protecting Private Keys for Certification Authority Servers

If intruders can access a CA computer either physically or through the network, they might decode the private key and then impersonate the CA to gain access to valuable network resources. Intruders who impersonate a CA can cause widespread damage by stealing information, disrupting network services, or destroying network resources. A compromised CA key undermines and invalidates all security protection provided by that CA and any CA hierarchy deployed below it. To reduce the risks of intruder attacks on CA keys, consider using the following practices.

Provide Security for Certification Authority Servers    Provide security for CA servers as discussed earlier in this chapter. Providing physical security minimizes the risk that intruders can gain access to the CA server or the protected store (whether hardware-based or software-based) where the CA key resides. Providing network and server (software) security minimizes the risk that intruders can gain access to the CA server or exploit applications and services that are running on the server to compromise the CA key.

Provide Enhanced Security for Certification Authority Keys    Use hardware-based CSPs when you want to provide maximum security for private keys because keys are stored on tamper-resistant hardware devices and keys are never exposed to the operating system. Use SysKey to provide extra protection for CAs' private keys that are stored by Microsoft CSPs.

Use Large Keys for Certification Authorities    Large CA keys reduce the risks of key attacks, but large keys also require more storage space as well as more computer processing power to sign certificates. Consider using the largest key lengths that are feasible depending on key storage requirements and CA performance requirements.

For example, a 4,096-bit CA key generally provides a great deal of key protection, but signing certificates with such a long key takes a long time, even if you are using crypto-accelerator boards. A 4,096-bit CA key might perform acceptably for root CAs or intermediate CAs that are used infrequently only to certify subordinate CAs. Although, some CAs with hardware-based CSPs might not support the storage of a 4,096-bit key.

However, a 4,096-bit CA key would likely cause unacceptably slow performance for most issuing CAs. For issuing CAs, use key lengths that are as long as feasible and that enable adequate CA performance to support your long-term certificate services goals. You can often use crypto-accelerator boards to improve performance and enable longer keys for issuing CAs. Test the performance CAs in labs and in pilot programs by using the proposed CA key lengths before you deploy CAs in the production environment.

Use Appropriate Lifetimes for CA Keys    The longer CA keys are valid, the greater the risk of key compromise because attackers have more time to attempt cracking the key. There is no simple formula to determine maximum key lifetimes. However, the adequacy of longer key lifetimes depends largely on how well protected the key is and how long the key is. In general, longer keys can have longer key lifetimes. Likewise, keys with more secure storage can have longer lifetimes. For example, keys stored in tamper-resistant hardware crypto-devices are safer than keys stored on local computer hard disks. Therefore, for the same-sized keys, keys stored in hardware crypto-devices usually can have longer safe key lifetimes than keys stored by software CSPs on hard disks.

For more information about the major risk factors for cryptographic keys, see "Cryptography for Network and Information Security" in this book.