The New Key Management:



Similar documents
Using Entrust certificates with VPN

Entrust Managed Services PKI. Getting an end-user Entrust certificate using Entrust Authority Administration Services. Document issue: 2.

Applying Cryptography as a Service to Mobile Applications

Security Considerations for DirectAccess Deployments. Whitepaper

Enhancing Organizational Security Through the Use of Virtual Smart Cards

Implementing and Administering Security in a Microsoft Windows Server 2003 Network

Upgrading and Improving the Trust of Microsoft Windows Certificate Authorities

Commercially Proven Trusted Computing Solutions RSA 2010

CS 356 Lecture 28 Internet Authentication. Spring 2013

Licensing VeriSign Certificates

Why self-signed certificates are much costlier and riskier than working with a trusted security vendor

Chapter 10. Cloud Security Mechanisms

Mitigating Server Breaches with Secure Computation. Yehuda Lindell Bar-Ilan University and Dyadic Security

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD CCNA SECURITY. VERSION 1.0

Snow Agent System Pilot Deployment version

Entrust IdentityGuard Comprehensive

Case Study for Layer 3 Authentication and Encryption

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Cornerstones of Security

GoldKey Product Info. Do not leave your Information Assets at risk Read On... Detailed Product Catalogue for GoldKey

Internal Server Names and IP Address Requirements for SSL:

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

WHITE PAPER Usher Mobile Identity Platform

ITL BULLETIN FOR JULY Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance

The Use of the Simple Certificate Enrollment Protocol (SCEP) and Untrusted Devices

SAFEAPP TECHNOLOGY PROGRAM

DRAFT Standard Statement Encryption

2014 IBM Corporation

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Vidder PrecisionAccess

USER GUIDE. Lightweight Directory Access Protocol (LDAP) Schoolwires Centricity

Using etoken for SSL Web Authentication. SSL V3.0 Overview

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1

Introduction to Cyber Security / Information Security

Licensing Symantec Certificates

Protecting Microsoft Internet Information Services Web Servers with ISA Server 2004

WHITE PAPER. Licensing VeriSign Certificates: Securing Multiple Web Server and Domain Configurations

Running Secure Server Software on Insecure Hardware without a Parachute

Public Key Applications & Usage A Brief Insight

Software Defined Perimeter: Securing the Cloud to the Internet of Things

Asheville-Buncombe Technical Community College Department of Networking Technology. Course Outline

TECHNICAL WHITE PAPER NOK NOK LABS MULTIFACTOR AUTHENTICATION. Any device. Any application. Any authenticator.

Complying with PCI Data Security

Overview. SSL Cryptography Overview CHAPTER 1

Mobile Security Threats: Get Ready for 2016

Hardware Security Modules for Protecting Embedded Systems

Security Guide. BES12 Cloud. for BlackBerry

RSA Digital Certificate Solution

APIs The Next Hacker Target Or a Business and Security Opportunity?

TIBCO Spotfire Platform IT Brief

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

SSL ACCELERATION DEPLOYMENT STRATEGIES FOR ENTERPRISE SECURITY

FBLA Cyber Security aligned with Common Core FBLA: Cyber Security RST RST RST RST WHST WHST

PKI Uncovered. Cisco Press. Andre Karamanian Srinivas Tenneti Francois Dessart. 800 East 96th Street. Indianapolis, IN 46240

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

API-Security Gateway Dirk Krafzig

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

Why it s Time to Make the Change Analysis of Current Technologies for Multi-Factor Authentication in Active Directory

Configuring Secure Socket Layer HTTP

Short Thoughts on Clouds, Security, and Privacy: Colliding Mindsets, Depopulated Buildings

CS615 - Aspects of System Administration

Introduction to SAML

Entrust Managed Services PKI. Configuring secure LDAP with Domain Controller digital certificates

Security Guide. BlackBerry Enterprise Service 12. for BlackBerry. Version 12.0

Using BroadSAFE TM Technology 07/18/05

Web Payment Security. A discussion of methods providing secure communication on the Internet. Zhao Huang Shahid Kahn

PRIVACY, SECURITY AND THE VOLLY SERVICE

ios Security Decoded Dave Test Classroom and Lab Computing Penn State ITS Feedback -

Binding Security Tokens to TLS Channels. A. Langley, Google Inc. D. Balfanz, Google Inc. A. Popov, Microsoft Corp.

Acano solution. Security Considerations. August E

Public Key Infrastructure (PKI)

FileCloud Security FAQ

Mobility, Security and Trusted Identities: It s Right In The Palm of Your Hands. Ian Wills Country Manager, Entrust Datacard

Mobile First Government

User Authentication. FortiOS Handbook v3 for FortiOS 4.0 MR3

Complete Website Security

TLS/SSL in distributed systems. Eugen Babinciuc

Factory-Installed, Standards-Based Hardware Security. Steven K. Sprague President & CEO, Wave Systems Corp.

e-authentication guidelines for esign- Online Electronic Signature Service

Whitepaper Enhancing BitLocker Deployment and Management with SimplySecure. Addressing the Concerns of the IT Professional Rob Weber February 2015

McAfee Firewall Enterprise 8.2.1

Deploy Remote Desktop Gateway on the AWS Cloud

Tim Bovles WILEY. Wiley Publishing, Inc.

Implementing Microsoft Security Networks Course No. MS2823 h 5 Days

Digital certificates and SSL

Intel Cyber Security Briefing: Trends, Solutions, and Opportunities. Matthew Rosenquist, Cyber Security Strategist, Intel Corp

Data Protection: From PKI to Virtualization & Cloud

Cisco IOS Public-Key Infrastructure: Deployment Benefits and Features

ACCESS CONTROL TO A NETWORKED COMPUTER SYSTEM

SharePoint 2013 Logical Architecture

Security Overview Enterprise-Class Secure Mobile File Sharing

Cloud Security is a First Principle:

Security Yokogawa Users Group Conference & Exhibition Copyright Yokogawa Electric Corporation Sept. 9-11, 2014 Houston, TX - 1 -

Guidance End User Devices Security Guidance: Apple OS X 10.9

Why outsourcing your PKI provides the best value A Total Cost of Ownership analysis

SSL BEST PRACTICES OVERVIEW

Private vs. Public Cloud Solutions

Secure Network Communications FIPS Non Proprietary Security Policy

Transcription:

SESSION ID: SEC-F01 The New Key Management: Unlocking the Safeguards of Keeping Keys Private Jono Bergquist Solutions Engineering Lead - APJ CloudFlare

Outline Why application-level TLS is important Key management is the hardest part of TLS How to use trusted computing for cryptography Solving TLS key management with TPMs 2

The perimeter is porous 3

Traditional Network Security Topology 4

Traditional Network Security Topology Multiple internal services Databases with customer data Employee portals Cross-datacenter communication across Internet via VPN All or nothing access 5

The perimeter is porous - VULCANDEATHGRIP 6

Traditional network topology VPN compromise makes application-to-application data readable 7

Web Application Security Topology 8

Edge Network 9

Mobile network 10

The modern corporate network Components Website hosted on a SaaS/IaaS platform Core business services Loosely affiliated group of services hosted by third parties 11

The modern corporate network Access control Third-party services Federated identity (SAML, OAuth, etc.) Single sign-on Service-to-service authentication Implicit via VPN Token-based 12

Examples of application-to-application data Data breaches User passwords Customer data HR Data Customer lists Proprietary intellectual property All from applications inside the network 13

The modern corporate network The perimeter is fuzzily defined Move security to a higher level in the stack? 14

Application-layer Encryption 15

Encryption Corporate data should be encrypted 16

Encryption at rest in transit with authentication 17

Layer 3 Encryption IPsec tunnel/vpn Expensive hardware Does not scale to edge networks Trust everyone 18

Layer 5/6 Encryption Kerberos Web applications do not use it Transport Layer Security Widely supported among a range of applications 19

Transport Layer Security (TLS) The protocol formerly known as SSL Provides server-to-server encryption Authentication via certificate validation Advantages Cheap in software on modern processors (AES-NI) Widely supported in service oriented software 20

Transport Layer Security (TLS) Challenges for application-to-application TLS Building a system of trust Key management 21

Building trust in applications 22

TLS without certificate validation Traditional man-in-the-middle attack 23

Trust Models for TLS Public Key Infrastructure model Each application has: Public X.509 certificate Corresponding private key 24

X.509 Public Key Infrastructure 25

Trust Models for TLS Session key used to encrypt connection Private key used to Prove ownership of certificate Authenticate session establishment Validate certificates with a chain of trust 26

27

PKI-enabled applications Database access Business services Mobile applications 28

Private PKI Run your own internal Certificate Authority Generate keys locally on endpoints Use internal CA to create certificates 29

Different CAs for different domains 30

31

Tools OpenSSL CFSSL CloudFlare s open source CA software pki.io EJBCA Commercial options 32

Advantages Application data is encrypted in transit Requests are authenticated VPN failure is no longer catastrophic 33

The bootstrap problem Enrolling new servers Authenticating requests for certificates 34

Dangers Keys live in memory and on disk Can be stolen and applications impersonated 35

Trusting trusted computing 36

Protecting keys on servers Keep keys in hardware instead of software Each machine needs its own hardware HSMs are prohibitively expensive TPMs fit the bill ($15-$30 each) 37

Trusted Platform Module 38

Trusted Platform Module Most commonly used for Windows trusted boot List of features of TPM 1.2 Measured Boot Random number generation RSA 2048 private keys 39

Machine provisioning 40

Certificate issuance 41

Benefits Keys do not live in software Safe from memory access (Heartbleed, DMA) Safe from theft (TPM locked) Safe from impersonation 42

Drawbacks Not all software supports TPM crypto It is slooooow 43

Simple guide 44

How to set up secure application transport Create your own CA on a trusted machine or HSM Create a key on your device TPM Use TPM to create a certificate signing request (CSR) Create certificate from CSR with CA Configure web server to use certificate and TPM for private key operation Go for it! 45

Action 46

What you can do right now Do your applications speak TLS? If so, are they doing certificate validation? Where are the private keys stored and managed? 47

What you can do in the next months Consider your attacker is an insider Which backend applications accept connections? Suppose there is a firewall or VPN misconfiguration Is any data is exposed? What authentication is your database using? 48

What you can do in the next months Once TLS is activated, make sure it is configured properly Certificate validation TLS 1.2 Start using C or Go services built on open source tools 49

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information