Inside Symantec's secret SSL Certificate Vault (pictures)
by James Martin
A beige building in an average office park leads to some of the most closely guarded secrets of the Internet.
Near a wide, meandering road with meticulous landscaping, a single unmarked front door in an unassuming beige building in a rather average office park leads to some of the most closely guarded secrets of the Internet.
The door buzzed and we stepped inside and were signed in by the 24-hour security guards seated behind protective glass. Immediately, I noticed that it was no ordinary lobby. The small room had all the signs of a guaranteed defense: the guards, security cameras watching, and each door protected by keypad access. We had passed the first of many outer gateways to access the Symantec SSL Certificate Vault.
Access to this specific building, one of four main data centers that handles Symantec's Public Key Infrastructure, is incredibly restricted. Only employees whose job requires a specific reason to enter are allowed access to the building -- even the CEO doesn't have access.
Doors at the facility have biometric readers, including fingerprint and iris scanners, for access, with fewer and fewer employees approved as you get closer to the center of the building.
In the Trust Services Operations Center, behind at least four levels of security doors, engineers monitor the health of the Symantec security network, including keeping an eye on Internet traffic around the globe 24 hours a day, seven days a week.
As we make our way through layers of security toward the center of the building, our guide describes the unusual walls, which are double layers of metal mesh that run from floor to ceiling. There are no false ceilings here, to prevent intruders from climbing over walls and through the ceilings to gain access.
Down this corridor, through a door protected by a fingerprint scanner, is the data center that issues Symantec's digital certificates to browsers on behalf of businesses, handling 4.5 billion online lookups to verify the validity of the digital signatures using a process called the Online Certificate Status Protocol (OCSP).
The Symantec SSL Certificate Vault is protected against virtually every threat possible, from hackers to earthquakes to fires.
Keypads, iris scanners, and fingerprint readers restrict access to many layers of security throughout the building. Hallways with increasingly tight access wind toward the center, where the Key Ceremony takes place, and the most valuable security information is created and stored. Understandably, the security network is military-grade, with practices based on Department of Defense standards for storing classified material.
Inside the cool hum of one of Symantec's data centers, of which there are 14 worldwide, verified digital certificates secure online transactions, with more than 4.5 billion online authentication lookups each day.
In less than a second, the system validates the identity of a Web site by verifying that its public cryptographic key, contained in the certificate, is legitimate.
The entrance to the data center at the core of the building is behind many layers of security, and restricted to personnel with a verified need to know, which requires an additional two-factor authentication, including biometrics. The servers are secured behind military-grade electronic locks.
This piezoelectric gyro-generator lock works by rotating the face, powering up the battery.
We briefly entered the Data Center room, a highly secure core where Symantec's digital certificates are stored. The room rarely sees any outside visitors.
Security cameras are plentiful throughout the building -- wherever we were, someone was watching. No one wanders these halls alone. Many security doors require two people to enter together -- and those same two people must badge out and leave together as well when exiting a room.
Continuing on down a series of narrow corridors, we're taken next to an unmarked room with an iris scanner mounted at its side: the Key Ceremony Room.
With irises scanned, badges scanned, and PINs entered, we're granted access to the heart of the Symantec verification process. It is here that the keys which verify all those billions of transactions per day are first created.
A motion detector mounted on the ceiling inside the Key Ceremony room.
Inside, behind yet another layer of security, is the vault itself, within this highly secure room with iris-scanner access. This is "probably the most secure room on campus," says our guide. There are 120 safe deposit boxes inside nine fireproof media storage safes within a burglar-proof cage with a special lock. No one can enter the room alone, and multiple keys are needed to open the locks, with only specific people trusted with the access combinations.
Expanded metal mesh is used in the walls to create a secure vault at the most central core of the building.
The Hardware Security Modules are cryptographic tokens that are used to create the public and private key pairs used to prove that Web sites are legitimate. These are stored in the most interior core of the Symantec Vault, protected by layer on layer of military-grade security.
The token used to generate a key pair is inserted into a card reader connected to a PIN entry device. The PIN device is connected in turn to the computers where the operator is using the Certificate Authority application. The device also reads the data off the plastic USB shares that the shareholders have in their possession.
These "keys" are used to unlock different parts of the password that's used to unlock a token so that a key pair can be created during the Key Ceremony authentication process.
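The shareholder scheme described above, in which no single person holds the whole token password, is usually built on a k-of-n secret split. The page does not say which split Symantec uses, so the example below (added here, not Symantec's code) assumes Shamir's scheme over a prime field; the PIN value, the threshold of 3 and the five shareholders are constructed for illustration.

```python
# Added example: split an HSM token activation secret into n shareholder
# shares so that any k of them recover it (Shamir secret sharing, assumed
# here; the page does not name the scheme Symantec uses).
import secrets

# 521-bit Mersenne prime; the secret, as an integer, must be smaller than it.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    # Horner's rule over GF(PRIME); coeffs[0] is the secret itself.
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, k: int, n: int):
    """Return n (x, y) shares such that any k of them recover `secret`."""
    s = int.from_bytes(secret, "big")
    if not 0 < k <= n or s >= PRIME:
        raise ValueError("bad threshold or secret too large for the field")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def _interpolate_at_zero(shares) -> int:
    # Lagrange interpolation of the polynomial at x = 0 gives coeffs[0].
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_secret(shares, length: int) -> bytes:
    """Rebuild the secret from at least k shares, keeping leading zero bytes."""
    return _interpolate_at_zero(shares).to_bytes(length, "big")


def demo():
    pin = b"constructed-token-pin-0000"  # constructed sample, not a real PIN
    shares = split_secret(pin, k=3, n=5)  # five shareholders, any three suffice
    quorum = [shares[0], shares[2], shares[4]]
    ok = recover_secret(quorum, len(pin)) == pin
    # Two shares of a degree-2 polynomial do not determine it: a short quorum
    # yields a field element unrelated to the PIN.
    short = _interpolate_at_zero(quorum[:2]) == int.from_bytes(pin, "big")
    return ok, short
```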
A thick packet serves as the Key Ceremony script, detailing the steps needed to create digital keys and certificates, something few outsiders have seen. The entire Key Ceremony is videotaped, with every keystroke and mouse click recorded for posterity.
This formal process can last from 20 minutes to multiple hours, depending on the size and complexity of the keys created.
Other than the security cameras and motion sensors, it's a rather ordinary-looking conference room with half a dozen chairs, a large table, and a few pens at its center. A video camera on a tripod hooked up to a recording console is pointed at two normal-looking Windows computers against the wall. These machines, which are disconnected from the Internet for security reasons, are used to create the cryptographic keys and their digital certificate wrappers.
The PIN entry device is connected to the computers where the operator is using the Certificate Authority application during the Key Ceremony.
After the Key Ceremony is completed and the cryptographic keys and their digital certificate wrappers are created, the master is filed away in a uniquely serialized, tamper-evident envelope and locked in the safe, in the cage, in the vault, inside the corridors of one of the Internet's best-kept, and most secure, secrets, where billions of safe and secure transactions are made possible each day.