By Simon Krauss, Vice President & General Counsel, Kyrio, Inc.
Kyrio Provides The Cable Industry With the Same PKI Security Used In Banks and by the Military
Cable modems, set top boxes and cable modem termination systems (the server in the cable headend that communicates with the cable modem) are all part of a security architecture that uses a Public Key Infrastructure or PKI. PKI is the same security architecture that banks and the military use for their security. When managed correctly, PKI provides the strongest means of authenticating and authorizing devices. That is, through PKI you can control which devices communicate with each other and what information may be exchanged between the devices.
How PKI Works
PKI Works like Your Driver’s License
Everyone trusts your driver’s license to identify what you look like, your name and your date of birth (your height and weight – not so much). This trust is created because each Department of Motor Vehicles office is a governmental entity that relies upon trusted third party documentation (generally government issued documents) to identify who you are, where you live and and when you were born. Driver’s licenses do not authenticate your height and weight because you provide that information personally. Some people are not as tall and lean as their driver’s license would indicate.
PKI and Devices
In a PKI, each device gets a digital certificate, which like a driver’s license, is unique to each device. In the case of cable, the digital certificate provides information as to which company manufactured the device and, like a driver’s license, when the digital certificate expires. The digital certificate is then used to give network access and identify the device. The digital certificate is also used to encrypt communication between the devices. This means that each device can trust who it is communicating with and that the communication is secure.
Digital certificates are also created to sign software. This ensures that each cable device will only accept code that comes from the device manufacturer or the cable operator. This helps keep malware out of cable devices (but, unfortunately, not out of subscriber’s devices as they do not receive cable digital certificates). Digital certificate expiration periods are set for the approximate life of the device or the time needed to control digital certificate usage.
Kyrio Manages the PKI for the Cable Industry
Kyrio manages the cable industry PKI on behalf of our parent company CableLabs and ensures that each company is authenticated (they are who they say they are). Each company is contractually bound to the rules for managing the digital certificates. Kyrio then works with companies like Symantec to create the digital certificates under extremely high security. The digital certificates are then securely delivered in batches the device manufacturer or code signer.
The cable PKI may be one of the largest PKIs in the world, with over 400 million digital certificates issued. Kyrio works closely with the manufacturers and cable operators to operate and govern the cable PKI successfully. To date, there have not been any compromises of cable digital certificates in the field. Kyrio also continually reviews its PKI to increase its security. Recently, the size of the cryptographic key was increased in creating digital certificates. This makes the digital certificates even harder to compromise.
Not All PKI is Secure
Cable, banking, and the military are not the only ones using PKI. Companies use PKI for controlling communications and access. PKI is most commonly used to create SSL certificates, an important part of the https protocol you use when you are using your credit card online. These other PKI uses, however, are under attack.
Often times, PKIs are created but the operations and governance are not managed. This leads to uncertainty as to who has what digital certificates and the risk of hacking of the PKI. The ongoing management of the PKI infrastructure is critical to maintaining device security.
Kyrio’s Managed PKI
Kyrio, Inc., a wholly owned subsidiary of CableLabs, takes the learning, experience, and knowledge learned in managing the PKI for the cable industry and applies it to other industries. Kyrio provides PKI management, operations, and governance to the electrical grid (through the OpenADR Alliance) and the Wi-Fi Alliance as well as global enterprises.
To learn more about our PKI portfolio of products and services contact firstname.lastname@example.org