Thales Blog

Secure Public Key Infrastructure (PKI) Critical to STIR/SHAKEN

June 8, 2021

Claudia Dunphy | Product Marketing

We are all too familiar with answering a call only to be greeted with a loud horn followed by the words “you’ve won a cruise”. Sometimes we may not recognize the phone number, while other times we think we do because it appears to be local. Then comes the moment of realization where the thought of lazing around on a free vacation quickly passes, as it is a scam.

In 2019, 5.2 billion robocalls were placed in the U.S., with scams accounting for over 40 percent of all calls, and over 80 percent of all scam calls using area codes local to the recipient. Add to this the fact that scammers are more sophisticated, leveraging personal data previously stolen to pose as known, trusted businesses.

The statistics are alarming: 75 percent of all scam victims were called by scammers who already had their personal information, including addresses, passwords and even social security numbers. Tie all of this together, and the result is that businesses suffer: close to 90 percent of their calls go unanswered, and they are unable to contact customers when needed.

In response to enterprise spoofing, the Federal Communications Commission (FCC) has mandated the implementation of STIR/SHAKEN standards, using certificates to digitally sign phone calls which will verify the caller identity. While this is a great step to identifying legitimate callers, STIR/SHAKEN is based on a Public Key Infrastructure (PKI), which must be protected in order to maintain the trustworthiness of the network.

With the mandate for STIR/SHAKEN call authentication to be in place in the U.S. by June 30, 2021, and in Canada by November 30, 2021, I thought it would be helpful to share information and insights, as well as tips for ensuring implementations are secure.


STIR/SHAKEN is a caller ID authentication framework aimed at protecting the public from robocalls by minimizing scammers' ability to spoof a caller ID. STIR/SHAKEN uses digital certificates to assert caller legitimacy: the originating provider signs the call, the signature is validated at each handoff as the call passes through the networks, and the terminating phone company can verify the presented caller ID.

At the heart of STIR/SHAKEN is a PKI, with one or more Certification Authorities (CAs) issuing digital certificates (electronic files). As certificates are essential components for STIR/SHAKEN, the need to maintain the integrity of those certificates, and the PKI as a whole, is critical. When a CA’s root key is compromised, the credibility of the transactions, business processes, and intricate access control systems is adversely affected.
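The sign-and-verify handoff described above, as an added illustration that is not Thales or Neustar code: a simplified SHAKEN PASSporT token modeled on RFC 8225 and RFC 8588, signed with ECDSA P-256 (ES256) by the originating provider and checked by the terminating provider. The trusted public key handed to the verifier stands in for the certificate-chain validation back to the STI-CA root that a real verifier performs via the token's x5u URL; the certificate URL, telephone numbers and origid are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// Header and Claims follow the shape of a SHAKEN PASSporT (RFC 8225 / RFC 8588).
type Header struct {
	Alg string `json:"alg"` // "ES256": ECDSA P-256 over SHA-256
	Ppt string `json:"ppt"` // "shaken" extension
	Typ string `json:"typ"` // "passport"
	X5u string `json:"x5u"` // URL of the signer's STI certificate (placeholder here)
}

type Claims struct {
	Attest string              `json:"attest"` // attestation level A, B or C
	Dest   map[string][]string `json:"dest"`   // called number(s)
	Iat    int64               `json:"iat"`    // issued-at, checked for freshness by a real verifier
	Orig   map[string]string   `json:"orig"`   // calling number, i.e. the asserted caller ID
	OrigID string              `json:"origid"` // originating provider's opaque identifier
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignPassport produces header.claims.signature in JWS compact serialization.
// ES256 signatures are the 64-byte raw r||s concatenation, not ASN.1.
func SignPassport(priv *ecdsa.PrivateKey, hdr Header, claims Claims) (string, error) {
	h, err := json.Marshal(hdr)
	if err != nil {
		return "", err
	}
	c, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64(h) + "." + b64(c)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig), nil
}

// VerifyPassport checks the signature with the public key the terminating provider
// trusts for the token's x5u certificate. A real verifier derives that key by
// validating the certificate chain up to the STI-CA root, which is why the
// integrity of that root key underpins every verification on the network.
func VerifyPassport(pub *ecdsa.PublicKey, token string) (Claims, bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, false
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return Claims{}, false
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return Claims{}, false
	}
	cb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, false
	}
	var claims Claims
	if err := json.Unmarshal(cb, &claims); err != nil {
		return Claims{}, false
	}
	return claims, true
}

// Demo signs a token with the originating provider's key and shows that the verifier
// accepts it, rejects the same claims signed with a key that has no trusted
// certificate, and rejects a token whose caller ID was altered after signing.
func Demo() (legit, untrustedKey, tampered bool) {
	provider, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	hdr := Header{Alg: "ES256", Ppt: "shaken", Typ: "passport",
		X5u: "https://sti-ca.example.invalid/provider.pem"} // constructed placeholder
	claims := Claims{Attest: "A", Dest: map[string][]string{"tn": {"12025550123"}},
		Iat: 1623110400, Orig: map[string]string{"tn": "12025550100"}, OrigID: "example-origid"} // constructed

	token, _ := SignPassport(provider, hdr, claims)
	_, legit = VerifyPassport(&provider.PublicKey, token)

	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key with no trusted certificate
	untrustedToken, _ := SignPassport(other, hdr, claims)
	_, untrustedKey = VerifyPassport(&provider.PublicKey, untrustedToken)

	parts := strings.Split(token, ".")
	claims.Orig["tn"] = "19005550199" // caller ID swapped after signing
	c, _ := json.Marshal(claims)
	_, tampered = VerifyPassport(&provider.PublicKey, parts[0]+"."+b64(c)+"."+parts[2])
	return legit, untrustedKey, tampered
}

func main() {
	legit, untrusted, tampered := Demo()
	fmt.Printf("legitimate=%v untrusted-key=%v tampered=%v\n", legit, untrusted, tampered)
}
```

Running it prints `legitimate=true untrusted-key=false tampered=false`. The two rejected cases are the point of the PKI: a signature is only meaningful if the verifier can tie the signing key to a certificate issued under the STI-CA root, so the trust a terminating provider places in a caller ID is exactly as strong as the protection around that root key.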

Experience has shown that to secure a PKI and maintain the integrity of the certificates, extraordinary caution should be taken to protect the root key. Furthermore, a PKI's complexity grows with scale. Using encryption and high-assurance key protection will help protect your organization from breach, and should your data be compromised, attackers will not have access to your encrypted data.

CA root key integrity

Thales has collaborated with Neustar, an information services and technology company, a leader in identity resolution, and a Secure Telephone Identity Certificate Authority (STI-CA) serving North America. Thales and Neustar work together to help mitigate robocalling and spoofing by issuing SHAKEN digital certificates to authorized service providers protected by Thales Luna HSMs.

As Neustar Principal Product Specialist, Ken Politz, recently said, “The need for strong root key protection is critical, and preventing the compromise of those private keys preserves the integrity and confidentiality of the entire PKI. Furthermore, using a certified Hardware Security Module (HSM), and observing best practices during HSM operations and maintenance, maximizes root key integrity and virtually eliminates the risk of compromise. The combination of an HSM, coupled with robust operational practices, negates opportunities for the root key to fall into outside hands, and thus maintains trust within the PKI.”



Luna HSM root of trust

Securing your highest-level CA root keys in a FIPS 140-2 Level 3 validated and Common Criteria EAL4+ certified Luna HSM provides the high assurance needed. Available as a license-based service through Luna Cloud HSM from Data Protection on Demand (DPoD) or as on-premises Thales Luna Network HSMs, Thales can secure your STIR/SHAKEN PKI regardless of where your applications run.

Visit the Thales CPL STIR/SHAKEN web page for more details on how you can ensure your infrastructure is secure and how it can provide a strong foundation of digital trust.