PKIWorks® Complete
With PKIWorks® Complete, you can securely generate or obtain keys from trusted sources and ensure their integrity throughout the distribution process. Our solution incorporates advanced anti-cloning methods to enforce the uniqueness of keys and certificates, preventing unauthorized replication or misuse. Each set of key and certificate is tightly bound to its intended device, rendering them unusable if copied or tampered with. PKIWorks® Complete empowers you to fortify your entire supply chain and OTA infrastructure, providing robust security measures for the seamless integration of keys and certificates into your IoT devices.
Defend Against Counterfeits with Comprehensive Anti-Cloning Measures
Unauthorized duplication (cloning) of device-unique credentials can undermine the effectiveness of cryptographic keys used for identification purpose. To combat this threat, PKIWorks® Complete incorporates anti-cloning measures at every step of the provisioning process, from the generation or acquisition of device-unique credentials to their installation into target devices. Robust enforcement is achieved through a combination of cryptographic and non-cryptographic techniques, along with the utilization of Hardware Security Modules (HSMs). Even in the event of a compromise at a specific network node or encryption layer, the overall supply-chain and OTA security remain intact, rendering copied keys unusable and thwarting unauthorized access attempts. Our system ensures that each set of device credentials is securely provisioned into a single target device. In summary, PKIWorks® Complete provides a comprehensive protection against counterfeit threats at all levels.
Safeguard the Heart of PKI, Uncompromised Security for Signing CAs
PKIWorks® Complete ensures the highest level of security for the issuance of device certificates by maintaining exclusive oversight and access to the signing Certificate Authorities (CAs), backed by FIPS 140-2 hardware security modules with multi-party control to ensure the protection of the CAs' private keys. Prior to distribution, keys are pre-encrypted using multiple anti-cloning link level keys for each distribution point or subsystem. All the related storage and processing elements of our credentials generation and import system are housed in a secure facility fortified with multiple layers of physical security controls. This stringent control minimizes the risk of compromise, which, if occurred, result in the revocation of all device certificates issued under the affected signing CAs. With exclusive access and robust security protocols in place, PKIWorks® Complete effectively minimizes the potential impact of a breach, safeguarding the integrity and trustworthiness of the PKI ecosystem.
Ensure High-Quality, Uniqueness, and Strength in Cryptographic Keys
With PKIWorks® Complete, a meticulously engineered system ensures a dependable and high-quality source of entropy that remains impervious to manipulation, observation, and physical or electronic attacks. This solution incorporates multiple mechanisms for detecting weak keys and preventing the use of duplicated keys and records, whether within the system or obtained from various licensing authorities. By focusing on the utilization of unique, unpredictable, and robust cryptographic keys, PKIWorks® Complete fortifies the core of security, enabling early prevention measures to safeguard against the introduction of compromised or unauthorized keys into any device.
Elevate Versatility by Supporting a Wide Range of Keys
PKIWorks® Complete is designed to handle a wide range of keys, supporting various applications including CSA Matter, WinnForum CBRS, 5G enterprise certificate authorities, and more. While some key types can be generated internally, others need to be acquired from third-party sources. For instance, certain electronic devices used for consuming digital entertainment content require individualized credentials issued by third-party authorities. Common examples include Netflix, Google Widevine, and Microsoft PlayReady credentials used to secure video streaming services like Netflix, Amazon, Hulu, Disney+, and others. Cable modems utilize X.509 certificates under a CableLabs root of trust. In these cases, CommScope is authorized to issue security credentials directly under license or to request and import credentials from the licensor on your behalf. With PKIWorks® Complete, all types of credentials are protected from the moment of acquisition or generation through their installation onto your devices.
Unlock Security for a Trusted Supply Chain
In recent years, the globalization of supply chains has created new opportunities for organized crime, strategically targeting high-volume production to maximize illicit gains. Consequently, protecting every manufacturing testing station and device on production lines has become an imperative task. PKIWorks® Complete offers a robust solution to counter these threats by providing comprehensive defense mechanisms within the supply chain environment. It includes two separate software development kits (SDKs) designed to address different security needs.
The first SDK is specifically engineered to secure manufacturing test stations. It is equipped with anti-cloning and node locking features, ensuring confirmed identification and authentication of the test stations through the use of crypto tokens. The second SDK is intended for integration with your device's manufacturing test code. This SDK enables secure handling of device keys delivered through the provisioning system. With key protection and node locking mechanisms in place, any attempt to copy device keys to another device renders them unusable. Versions of these two SDKs are available for popular operating systems and programming languages.
Please read more about "Empower IoT Efficiency: Provisioning Perfected for Resource-Limited Devices" and "Optimize Resources and Accelerate Your Production" on the PKIWorks® Essentials page.
Embrace Global Footprint with Unmatched Scale and Capacity
PKIWorks® Complete has been engineered to provide very high provisioning capacity. It currently supports over 15 major domestic and international network and service providers in North America, South America, and Europe. In addition, PKIWorks® Complete deployed hundreds of secure provisioning servers at factories and repair centers at more than 50 sites across over a dozen countries, with a capacity to provision 30+ billion sets of device credentials annually. Capacity can be scaled to support even higher volumes if needed.
- Argentina
- Brazil
- Canada
- Chile
- China
- India
- Indonesia
- Mexico
- Philippines
- Singapore
- Taiwan
- USA
- Vietnam
- plus others
Our experienced staff possesses extensive global expertise in managing all aspects related to device credentials, encompassing OEM/ODM/factory rollouts, relocations, and decommissioning. This extensive experience grants us unique insights into the intricacies of PKI services, enabling us to navigate factory-specific nuances and implement best practices.
System Deployment to Factories, Service/Repair Facilities, and Distribution Centers
A range of deployment options are available to suit your production volume and priorities. For lower production volumes, a fully hosted solution with shared key servers optimizes start-up costs. For high production volumes, a configuration with managed on-site equipment offers high capacity and enhanced resilience against equipment and network malfunctions.
Experience with International Deployment Logistics
We are also experienced in the logistics of international deployments, including the import/export of equipment. Many countries, such as the China, Mexico, Brazil, Argentina, Indonesia, and Vietnam, have very specific and stringent regulations on the import/export of hardware and software. Our experience in this area helps avoid customs issues and other surprises.
Visit our blog on end-to-end supply chain security.
Learn More
To learn more about our PKIWorks® Complete solution, please click to download the white paper.