View Single Post
Old 11-05-12, 01:30 PM   #1
News
Registered User
 
Join Date: Jun 2009
Posts: 50,861
Post A Fort Knox for Web crypto keys: Inside Symantec's SSL certificate vault

Enlarge / Inside these security cabinets are the hardware security modules that safeguard millions credentials used to authenticate the websites of Symantec customers.
Dan Goodin


At the entrance to a nondescript building on the sprawling Symantec campus in Silicon Valley, the company's Senior Director of Operations, Identity and Authentication, Paul Meijer, is presenting his badge and entering his personal identification number to get inside. A second door not far away requires him to repeat the process all over again. A dozen or so feet further is a third door, and this one requires him to press his index finger against a sensor to prove he's one of fewer than 100 Symantec employees permitted to enter.

As he negotiates a series of additional mazes inside, he comes upon still more security checkpoints. One room at the center of the building'inside two concentric squares protected by a double layer of metallic mesh that isn't easily drilled, cut, or welded, requires two authorized Symantec employees to enter. To enter, Meijer and a colleague must key in a PIN and show a fingerprint. Inside are cabinets housing special-purpose computer servers that neither of the two employees can open because the combination is held by a different class of employees. A separate room where digital certificates are generated under rigorous "key-signing ceremonies," also requires dual occupancy. To further ensure the security of the operation, the second employee who must accompany Meijer is one of fewer than two dozen people with the required access codes.

Welcome to Symantec's SSL certificate vault, the company's repository that's built to military-grade specifications. The assets protected here aren't made of gold, silver or any other tangible material. Rather, they're the secret mathematical keys in the public key infrastructure that forms the basis of virtually all encrypted communications between websites and end users. Ars Technica recently took a rare tour of one facility where Symantec mints, stores, and sometimes revokes keys on behalf of companies such as Amazon, PayPal, and British Telecommunications.

Read 12 remaining paragraphs | Comments






More...
News is offline   Reply With Quote