Date post: 20-Apr-2018

SESSION ID: SEC-F01

#RSAC

Jono Bergquist
Solutions Engineering Lead - APJ
CloudFlare

The New Key Management: Unlocking the Safeguards of Keeping Keys Private


Outline

◆ Why application-level TLS is important
◆ Key management is the hardest part of TLS
◆ How to use trusted computing for cryptography
◆ Solving TLS key management with TPMs


The perimeter is porous


Traditional Network Security Topology


Traditional Network Security Topology

◆ Multiple internal services
  ◆ Databases with customer data
  ◆ Employee portals
◆ Cross-datacenter communication across Internet via VPN
  ◆ All or nothing access


The perimeter is porous - VULCANDEATHGRIP


Traditional network topology

◆ VPN compromise makes application-to-application data readable


Web Application Security Topology


Edge Network


Mobile network


The modern corporate network

◆ Components
  ◆ Website hosted on a SaaS/IaaS platform
  ◆ Core business services
  ◆ Loosely affiliated group of services hosted by third parties


The modern corporate network

◆ Access control
  ◆ Third-party services
    ◆ Federated identity (SAML, OAuth, etc.)
    ◆ Single sign-on
  ◆ Service-to-service authentication
    ◆ Implicit via VPN
    ◆ Token-based


Examples of application-to-application data

◆ Data breaches
  ◆ User passwords
  ◆ Customer data
  ◆ HR Data
  ◆ Customer lists
  ◆ Proprietary intellectual property
◆ All from applications inside the network


The modern corporate network

◆ The perimeter is fuzzily defined
◆ Move security to a higher level in the stack?


Application-layer Encryption


Encryption

◆ Corporate data should be encrypted


Encryption

◆ …at rest
◆ …in transit
◆ …with authentication


Layer 3 Encryption

◆ IPsec tunnel/VPN
  ◆ Expensive hardware
  ◆ Does not scale to edge networks
  ◆ Trust everyone


Layer 5/6 Encryption

◆ Kerberos
  ◆ Web applications do not use it
◆ Transport Layer Security
  ◆ Widely supported among a range of applications


Transport Layer Security (TLS)

◆ The protocol formerly known as SSL
◆ Provides server-to-server encryption
◆ Authentication via certificate validation
◆ Advantages
  ◆ Cheap in software on modern processors (AES-NI)
  ◆ Widely supported in service-oriented software


Transport Layer Security (TLS)

◆ Challenges for application-to-application TLS
  ◆ Building a system of trust
  ◆ Key management


Building trust in applications


TLS without certificate validation

◆ Traditional man-in-the-middle attack


Trust Models for TLS

◆ Public Key Infrastructure model
◆ Each application has:
  ◆ Public X.509 certificate
  ◆ Corresponding private key


X.509 Public Key Infrastructure


Trust Models for TLS

◆ Session key used to encrypt connection
◆ Private key used to
  ◆ Prove ownership of certificate
  ◆ Authenticate session establishment
◆ Validate certificates with a chain of trust


PKI-enabled applications

◆ Database access
◆ Business services
◆ Mobile applications


Private PKI

◆ Run your own internal Certificate Authority
◆ Generate keys locally on endpoints
◆ Use internal CA to create certificates


Different CAs for different domains


Tools

◆ OpenSSL
◆ CFSSL
  ◆ CloudFlare’s open source CA software
◆ pki.io
◆ EJBCA
◆ Commercial options


Advantages

◆ Application data is encrypted in transit
◆ Requests are authenticated
◆ VPN failure is no longer catastrophic


The bootstrap problem

◆ Enrolling new servers
◆ Authenticating requests for certificates


Dangers

◆ Keys live in memory and on disk
◆ Can be stolen and applications impersonated


Trusting trusted computing


Protecting keys on servers

◆ Keep keys in hardware instead of software
◆ Each machine needs its own hardware
  ◆ HSMs are prohibitively expensive
  ◆ TPMs fit the bill ($15-$30 each)


Trusted Platform Module


Trusted Platform Module

◆ Most commonly used for Windows trusted boot
◆ List of features of TPM 1.2
  ◆ Measured Boot
  ◆ Random number generation
  ◆ RSA 2048 private keys


Machine provisioning


Certificate issuance


Benefits

◆ Keys do not live in software
  ◆ Safe from memory access (Heartbleed, DMA)
  ◆ Safe from theft (TPM locked)
  ◆ Safe from impersonation


Drawbacks

◆ Not all software supports TPM crypto
◆ It is slooooow


Simple guide


How to set up secure application transport

◆ Create your own CA on a trusted machine or HSM
◆ Create a key on your device TPM
◆ Use TPM to create a certificate signing request (CSR)
◆ Create certificate from CSR with CA
◆ Configure web server to use certificate and TPM for private key operation
◆ Go for it!
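
The CSR hand-off from the steps above, narrowed to the device creating the request and the CA vetting it before signing, as an added Go example that is not code from the talk or from any tool it names. The software RSA key standing in for a TPM-held key, the host names, and the rule that the CA compares the requested name with the one the machine was enrolled under are assumptions for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// requestCSR is the device side. It needs only a crypto.Signer, so a TPM-backed
// signer can replace the software key and the private key never enters this process.
func requestCSR(key crypto.Signer, host string) ([]byte, error) {
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	return x509.CreateCertificateRequest(rand.Reader, req, key)
}

// vetCSR is the CA side: check proof of possession and the requested name
// against the host the machine was enrolled as (assumed rule), before signing.
func vetCSR(der []byte, enrolledHost string) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil || csr.CheckSignature() != nil {
		return nil, fmt.Errorf("CSR rejected: malformed or not signed by the key it carries")
	}
	if len(csr.DNSNames) != 1 || csr.DNSNames[0] != enrolledHost {
		return nil, fmt.Errorf("CSR rejected: asks for %v, machine enrolled as %q", csr.DNSNames, enrolledHost)
	}
	return csr, nil
}

// exchange runs both sides with a constructed software key; tamper flips one
// bit of the CSR signature in transit.
func exchange(csrHost, enrolledHost string, tamper bool) error {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // RSA 2048, as on a TPM 1.2
	if err != nil {
		return err
	}
	der, err := requestCSR(key, csrHost)
	if err != nil {
		return err
	}
	if tamper {
		der[len(der)-1] ^= 1
	}
	_, err = vetCSR(der, enrolledHost)
	return err
}

func main() { fmt.Println(exchange("db.internal.example", "db.internal.example", false)) }
```

Only a request that passes `vetCSR` should reach the CA's signing step; a modified request or one naming a different host is refused before any certificate exists.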


Action


What you can do right now

◆ Do your applications speak TLS?
◆ If so, are they doing certificate validation?
◆ Where are the private keys stored and managed?


What you can do in the next months

◆ Consider your attacker is an insider
  ◆ Which backend applications accept connections?
◆ Suppose there is a firewall or VPN misconfiguration
  ◆ Is any data exposed?
  ◆ What authentication is your database using?


What you can do in the next months

◆ Once TLS is activated, make sure it is configured properly
  ◆ Certificate validation
  ◆ TLS 1.2
◆ Start using C or Go services built on open source tools
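
One way to check a Go service against this checklist, as an added example rather than code from the talk: `audit` flags a `tls.Config` that skips certificate validation, leaves the minimum version unpinned, or does not use the internal CA. Treating client-certificate verification as the way requests are authenticated, and the empty pool standing in for the internal CA, are assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
)

// audit lists the checklist items cfg fails. A client is checked for how it
// validates the server; a server for how it authenticates callers (assumption:
// requests are authenticated with client certificates from the internal CA).
func audit(cfg *tls.Config, server bool) []string {
	var fails []string
	// MinVersion 0 means "library default", which differs between Go releases.
	if cfg.MinVersion < tls.VersionTLS12 {
		fails = append(fails, "minimum version not pinned to TLS 1.2 or later")
	}
	if server {
		if cfg.ClientAuth != tls.RequireAndVerifyClientCert || cfg.ClientCAs == nil {
			fails = append(fails, "callers not verified against the internal CA")
		}
		return fails
	}
	if cfg.InsecureSkipVerify {
		fails = append(fails, "certificate validation disabled")
	}
	if cfg.RootCAs == nil {
		fails = append(fails, "system roots trusted instead of the internal CA")
	}
	return fails
}

// hardened returns client and server configs that trust only internalCA.
func hardened(internalCA *x509.CertPool) (client, server *tls.Config) {
	client = &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: internalCA}
	server = &tls.Config{MinVersion: tls.VersionTLS12, ClientCAs: internalCA,
		ClientAuth: tls.RequireAndVerifyClientCert}
	return client, server
}

// findings audits a validation-free client beside the hardened pair.
func findings() (weak, client, server []string) {
	c, s := hardened(x509.NewCertPool()) // empty pool: stand-in for the internal CA
	return audit(&tls.Config{InsecureSkipVerify: true}, false), audit(c, false), audit(s, true)
}

func main() { fmt.Println(findings()) }
```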
