High-profile data breaches at major organizations such as Equifax, SolarWinds, and even the White House have pushed network security to the forefront of the public eye.
One security measure that has grown in response to these breaches is the hardware security key, such as the YubiKey. Security keys have actually existed for around a decade, but only recently have they seen heavy mainstream usage. This is partly due to technological innovation from companies like Yubico, and partly because IT professionals have become more aware of the problems caused by insecure passwords. A majority of IT security respondents and individuals (55%) prefer a method of protecting accounts that doesn’t involve passwords. SecureW2 can help by combining powerful certificates with YubiKeys: read about our Yubico integration here, or check out what one of our customers had to say here.
To get the most out of security keys, it’s important to understand the technology behind them. One particularly important piece of that technology is an API known as PKCS11.
What is PKCS11?
PKCS11 (one of the Public-Key Cryptography Standards), also known as “Cryptoki” or PKCS#11, is an API used to communicate with cryptographic security tokens such as smart cards, USB keys, and Hardware Security Modules (HSMs).
The API defines the most commonly used cryptographic object types (RSA keys, X.509 Certificates, DES/Triple DES keys, etc.) and all the functions needed to use, create/generate, modify, and delete those objects.
PKCS11 is, at its core, an API used to create, use, and delete cryptographic objects such as public-private key pairs.
So, for example, if you want to generate a new key pair, you do so by calling one of the functions the PKCS#11 standard defines. Because the standard is not bound to any specific platform or vendor, it can be used with all kinds of tokens, such as smart cards and hardware security modules.
How Do Smart Cards Use PKCS11?
PKCS11 is the standard that defines how software interacts with cryptographic tokens. A typical communication sequence between an application and a token using PKCS11 is pictured below.
The YubiKey is accessed through its own PKCS#11 module, which Yubico aptly dubbed YKCS11. YKCS11 allows external applications to communicate with and use the PIV application present on the YubiKey itself through standardized means.
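The call sequence described above, written out as an added example (this is not SecureW2's or Yubico's code). It drives any PKCS#11 v2.x module, such as Yubico's libykcs11.so or SoftHSM's libsofthsm2.so for testing, from Python's standard library via ctypes, following the sequence the standard defines: C_GetFunctionList, C_Initialize, C_GetSlotList, C_OpenSession, C_Login, C_GenerateKeyPair, then C_Logout, C_CloseSession and C_Finalize. The module path, PIN and key label are assumptions supplied by the caller; the function-list indices follow the CK_FUNCTION_LIST layout of PKCS#11 v2.x, and natural struct alignment (Linux/macOS builds of the module) is assumed. The private-key template is built so the key is sensitive, non-extractable and PIN-protected, which is the property that keeps a key on the token rather than on the host.

```python
"""Generate an RSA key pair on a PKCS#11 token using only ctypes (added example)."""
import ctypes
import sys

# PKCS#11 constants, values from the OASIS PKCS#11 v2.40 specification.
CKR_OK = 0
CKF_RW_SESSION, CKF_SERIAL_SESSION = 0x2, 0x4
CKU_USER = 1
CKO_PUBLIC_KEY, CKO_PRIVATE_KEY = 2, 3
CKK_RSA = 0
CKM_RSA_PKCS_KEY_PAIR_GEN = 0x0000
CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_LABEL = 0x0, 0x1, 0x2, 0x3
CKA_KEY_TYPE, CKA_SENSITIVE, CKA_SIGN, CKA_VERIFY = 0x100, 0x103, 0x108, 0x10A
CKA_MODULUS_BITS, CKA_PUBLIC_EXPONENT, CKA_EXTRACTABLE = 0x121, 0x122, 0x162
CK_TRUE, CK_FALSE = b"\x01", b"\x00"

# Index of each entry point inside CK_FUNCTION_LIST (PKCS#11 v2.x layout).
FN = {"C_Initialize": 0, "C_Finalize": 1, "C_GetSlotList": 4, "C_OpenSession": 12,
      "C_CloseSession": 13, "C_Login": 18, "C_Logout": 19, "C_GenerateKeyPair": 59}


class CK_FUNCTION_LIST(ctypes.Structure):
    # CK_VERSION (two bytes) followed by 68 function pointers; natural alignment assumed.
    _fields_ = [("version", ctypes.c_ubyte * 2), ("fn", ctypes.c_void_p * 68)]


class CK_ATTRIBUTE(ctypes.Structure):
    _fields_ = [("type", ctypes.c_ulong), ("pValue", ctypes.c_void_p), ("ulValueLen", ctypes.c_ulong)]


class CK_MECHANISM(ctypes.Structure):
    _fields_ = [("mechanism", ctypes.c_ulong), ("pParameter", ctypes.c_void_p), ("ulParameterLen", ctypes.c_ulong)]


def build_templates(bits=2048, label=b"example"):
    """Return (public, private) attribute templates as {CKA_*: raw value bytes}."""
    ulong = lambda v: v.to_bytes(ctypes.sizeof(ctypes.c_ulong), sys.byteorder)
    public = {CKA_CLASS: ulong(CKO_PUBLIC_KEY), CKA_KEY_TYPE: ulong(CKK_RSA),
              CKA_TOKEN: CK_TRUE, CKA_VERIFY: CK_TRUE, CKA_LABEL: label,
              CKA_MODULUS_BITS: ulong(bits), CKA_PUBLIC_EXPONENT: b"\x01\x00\x01"}
    # The private half must never leave the token: sensitive, non-extractable and
    # PIN-protected, so a compromised host cannot read it back with C_GetAttributeValue.
    private = {CKA_CLASS: ulong(CKO_PRIVATE_KEY), CKA_KEY_TYPE: ulong(CKK_RSA),
               CKA_TOKEN: CK_TRUE, CKA_PRIVATE: CK_TRUE, CKA_SENSITIVE: CK_TRUE,
               CKA_EXTRACTABLE: CK_FALSE, CKA_SIGN: CK_TRUE, CKA_LABEL: label}
    return public, private


def private_key_is_hardware_bound(template):
    """Policy check to run before C_GenerateKeyPair: does the key stay on the token?"""
    return (template.get(CKA_SENSITIVE) == CK_TRUE
            and template.get(CKA_EXTRACTABLE) == CK_FALSE
            and template.get(CKA_PRIVATE) == CK_TRUE)


def to_ck_attributes(template):
    """Marshal a template dict into a CK_ATTRIBUTE array; also returns the live buffers."""
    arr = (CK_ATTRIBUTE * len(template))()
    keep = []  # buffers must outlive the C call that reads them
    for i, (attr, value) in enumerate(template.items()):
        buf = ctypes.create_string_buffer(value, len(value))
        keep.append(buf)
        arr[i] = CK_ATTRIBUTE(attr, ctypes.addressof(buf), len(value))
    return arr, keep


def generate_rsa_keypair(module_path, pin, bits=2048, label=b"example"):
    """Run the PKCS#11 sequence against the module; returns (public, private) object handles."""
    lib = ctypes.CDLL(module_path)  # e.g. "/usr/lib/libykcs11.so" (assumed path)
    fl_ptr = ctypes.POINTER(CK_FUNCTION_LIST)()
    lib.C_GetFunctionList.restype = ctypes.c_ulong
    rv = lib.C_GetFunctionList(ctypes.byref(fl_ptr))
    if rv != CKR_OK:
        raise RuntimeError("C_GetFunctionList failed: CKR 0x%08x" % rv)
    fl = fl_ptr.contents

    def call(name, *args):  # integers are wrapped in c_ulong by callers: CK_ULONG is 64-bit
        rv = ctypes.CFUNCTYPE(ctypes.c_ulong)(fl.fn[FN[name]])(*args)
        if rv != CKR_OK:
            raise RuntimeError("%s failed: CKR 0x%08x" % (name, rv))

    call("C_Initialize", None)
    try:
        count = ctypes.c_ulong(0)
        call("C_GetSlotList", ctypes.c_ubyte(1), None, ctypes.byref(count))  # tokens present only
        if count.value == 0:
            raise RuntimeError("no token present")
        slots = (ctypes.c_ulong * count.value)()
        call("C_GetSlotList", ctypes.c_ubyte(1), slots, ctypes.byref(count))
        session = ctypes.c_ulong(0)
        call("C_OpenSession", ctypes.c_ulong(slots[0]),
             ctypes.c_ulong(CKF_SERIAL_SESSION | CKF_RW_SESSION), None, None, ctypes.byref(session))
        call("C_Login", session, ctypes.c_ulong(CKU_USER), pin, ctypes.c_ulong(len(pin)))
        pub_t, priv_t = build_templates(bits, label)
        if not private_key_is_hardware_bound(priv_t):
            raise RuntimeError("refusing to generate an extractable private key")
        pub_arr, keep_pub = to_ck_attributes(pub_t)
        priv_arr, keep_priv = to_ck_attributes(priv_t)
        mech = CK_MECHANISM(CKM_RSA_PKCS_KEY_PAIR_GEN, None, 0)
        pub_h, priv_h = ctypes.c_ulong(0), ctypes.c_ulong(0)
        call("C_GenerateKeyPair", session, ctypes.byref(mech),
             pub_arr, ctypes.c_ulong(len(pub_arr)), priv_arr, ctypes.c_ulong(len(priv_arr)),
             ctypes.byref(pub_h), ctypes.byref(priv_h))
        call("C_Logout", session)
        call("C_CloseSession", session)
        return pub_h.value, priv_h.value
    finally:
        call("C_Finalize", None)


if __name__ == "__main__":
    # Usage: python pkcs11_keygen.py /path/to/module.so 123456   (arguments are assumptions)
    print(generate_rsa_keypair(sys.argv[1], sys.argv[2].encode(), label=b"demo"))
```

The attribute templates are where the security decision lives: a module will happily honour CKA_EXTRACTABLE=TRUE, so the `private_key_is_hardware_bound` check is applied before the key exists rather than after. The same call sequence, with a different mechanism and templates, is what tools such as pkcs11-tool perform when they generate or sign with keys on a YubiKey through YKCS11.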
Improving Security Keys With SecureW2
Protocols like PKCS11 are just one of the many things that make security keys such a good investment for an organization’s security. It’s also important to ensure that anyone who uses security keys is using them to their full potential.
What’s the best way to maximize your security keys? Certificates!
Certificates remove any possibility of user error by relying on rigorous security protocols, encrypted key pairs, and easy identification.
SecureW2 has the industry’s only solution for using certificates with YubiKeys. With SecureW2, you can easily onboard users and have them configure security keys with certificates in minutes. This takes the burden away from IT departments, who would traditionally have to manually enroll each YubiKey. Instead, end users are fully capable of enrolling certificates themselves using our portal.
If you’re interested in exploring the possibilities of certificate onboarding and simple self-enrollment, check out our pricing page here.