the new key management - rsa conference · the new key management: unlocking the safeguards of...
TRANSCRIPT
![Page 1: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/1.jpg)
SESSION ID: SEC-F01
#RSAC
Jono Bergquist Solutions Engineering Lead -
APJ CloudFlare
The New Key Management: Unlocking the Safeguards of Keeping Keys Private
![Page 2: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/2.jpg)
#RSAC
Outline
◆ Why application-level TLS is important ◆ Key management is the hardest part of TLS ◆ How to use trusted computing for cryptography ◆ Solving TLS key management with TPMs
2
![Page 3: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/3.jpg)
#RSAC
The perimeter is porous
3
![Page 4: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/4.jpg)
#RSAC
Traditional Network Security Topology
4
![Page 5: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/5.jpg)
#RSAC
Traditional Network Security Topology
◆ Multiple internal services ◆ Databases with customer data ◆ Employee portals
◆ Cross-datacenter communication across Internet via VPN ◆ All or nothing access
5
![Page 6: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/6.jpg)
#RSAC
The perimeter is porous - VULCANDEATHGRIP
6
![Page 7: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/7.jpg)
#RSAC
Traditional network topology
◆ VPN compromise makes application-to-application data readable
7
![Page 8: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/8.jpg)
#RSAC
Web Application Security Topology
8
![Page 9: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/9.jpg)
#RSAC
Edge Network
9
![Page 10: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/10.jpg)
#RSAC
Mobile network
10
![Page 11: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/11.jpg)
#RSAC
The modern corporate network
◆ Components ◆ Website hosted on a SaaS/IaaS platform ◆ Core business services ◆ Loosely affiliated group of services hosted by third parties
11
![Page 12: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/12.jpg)
#RSAC
The modern corporate network
◆ Access control ◆ Third-party services
◆ Federated identity (SAML, OAuth, etc.) ◆ Single sign-on
◆ Service-to-service authentication ◆ Implicit via VPN ◆ Token-based
12
![Page 13: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/13.jpg)
#RSAC
Examples of application-to-application data
◆ Data breaches ◆ User passwords ◆ Customer data ◆ HR Data ◆ Customer lists ◆ Proprietary intellectual property
◆ All from applications inside the network
13
![Page 14: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/14.jpg)
#RSAC
The modern corporate network
◆ The perimeter is fuzzily defined ◆ Move security to a higher level in the stack?
14
![Page 15: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/15.jpg)
#RSAC
Application-layer Encryption
15
![Page 16: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/16.jpg)
#RSAC
Encryption
◆ Corporate data should be encrypted
16
![Page 17: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/17.jpg)
#RSAC
Encryption
◆ …at rest ◆ …in transit ◆ …with authentication
17
![Page 18: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/18.jpg)
#RSAC
Layer 3 Encryption
◆ IPsec tunnel/VPN ◆ Expensive hardware ◆ Does not scale to edge networks ◆ Trust everyone
18
![Page 19: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/19.jpg)
#RSAC
Layer 5/6 Encryption
◆ Kerberos ◆ Web applications do not use it
◆ Transport Layer Security ◆ Widely supported among a range of applications
19
![Page 20: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/20.jpg)
#RSAC
Transport Layer Security (TLS)
◆ The protocol formerly known as SSL ◆ Provides server-to-server encryption ◆ Authentication via certificate validation
◆ Advantages ◆ Cheap in software on modern processors (AES-NI) ◆ Widely supported in service oriented software
20
![Page 21: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/21.jpg)
#RSAC
Transport Layer Security (TLS)
◆ Challenges for application-to-application TLS ◆ Building a system of trust ◆ Key management
21
![Page 22: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/22.jpg)
#RSAC
Building trust in applications
22
![Page 23: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/23.jpg)
#RSAC
TLS without certificate validation
◆ Traditional man-in-the-middle attack
23
![Page 24: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/24.jpg)
#RSAC
Trust Models for TLS
24
◆ Public Key Infrastructure model ◆ Each application has:
◆ Public X.509 certificate ◆ Corresponding private key
![Page 25: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/25.jpg)
#RSAC
X.509 Public Key Infrastructure
25
![Page 26: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/26.jpg)
#RSAC
Trust Models for TLS
26
◆ Session key used to encrypt connection ◆ Private key used to
◆ Prove ownership of certificate ◆ Authenticate session establishment
◆ Validate certificates with a chain of trust
![Page 27: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/27.jpg)
#RSAC
27
![Page 28: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/28.jpg)
#RSAC
PKI-enabled applications
◆ Database access ◆ Business services ◆ Mobile applications
28
![Page 29: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/29.jpg)
#RSAC
Private PKI
◆ Run your own internal Certificate Authority ◆ Generate keys locally on endpoints ◆ Use internal CA to create certificates
29
![Page 30: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/30.jpg)
#RSAC
Different CAs for different domains
30
![Page 31: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/31.jpg)
#RSAC
31
![Page 32: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/32.jpg)
#RSAC
Tools
◆ OpenSSL ◆ CFSSL
◆ CloudFlare’s open source CA software ◆ pki.io ◆ EJBCA ◆ Commercial options
32
![Page 33: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/33.jpg)
#RSAC
Advantages
◆ Application data is encrypted in transit ◆ Requests are authenticated ◆ VPN failure is no longer catastrophic
33
![Page 34: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/34.jpg)
#RSAC
The bootstrap problem
◆ Enrolling new servers ◆ Authenticating requests for certificates
34
![Page 35: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/35.jpg)
#RSAC
Dangers
◆ Keys live in memory and on disk ◆ Can be stolen and applications impersonated
35
![Page 36: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/36.jpg)
#RSAC
Trusting trusted computing
36
![Page 37: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/37.jpg)
#RSAC
Protecting keys on servers
◆ Keep keys in hardware instead of software
◆ Each machine needs its own hardware ◆ HSMs are prohibitively expensive ◆ TPMs fit the bill ($15-$30 each)
37
![Page 38: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/38.jpg)
#RSAC
Trusted Platform Module
38
![Page 39: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/39.jpg)
#RSAC
Trusted Platform Module
◆ Most commonly used for Windows trusted boot
◆ List of features of TPM 1.2 ◆ Measured Boot ◆ Random number generation ◆ RSA 2048 private keys
39
![Page 40: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/40.jpg)
#RSAC
Machine provisioning
40
![Page 41: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/41.jpg)
#RSAC
Certificate issuance
41
![Page 42: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/42.jpg)
#RSAC
Benefits
◆ Keys do not live in software ◆ Safe from memory access (Heartbleed, DMA) ◆ Safe from theft (TPM locked) ◆ Safe from impersonation
42
![Page 43: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/43.jpg)
#RSAC
Drawbacks
◆ Not all software supports TPM crypto ◆ It is slooooow
43
![Page 44: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/44.jpg)
#RSAC
Simple guide
44
![Page 45: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/45.jpg)
#RSAC
How to set up secure application transport
◆ Create your own CA on a trusted machine or HSM ◆ Create a key on your device TPM ◆ Use TPM to create a certificate signing request (CSR) ◆ Create certificate from CSR with CA
◆ Configure web server to use certificate and TPM for private key operation
◆ Go for it!
45
![Page 46: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/46.jpg)
#RSAC
Action
46
![Page 47: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/47.jpg)
#RSAC
What you can do right now
◆ Do your applications speak TLS? ◆ If so, are they doing certificate validation? ◆ Where are the private keys stored and managed?
47
![Page 48: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/48.jpg)
#RSAC
What you can do in the next months
◆ Consider your attacker is an insider ◆ Which backend applications accept connections?
◆ Suppose there is a firewall or VPN misconfiguration ◆ Is any data is exposed? ◆ What authentication is your database using?
48
![Page 49: The New Key Management - RSA Conference · The New Key Management: Unlocking the Safeguards of Keeping Keys Private. #RSAC Outline ... pki.io EJBCA](https://reader031.vdocuments.site/reader031/viewer/2022022510/5ad99df47f8b9a53618b7b46/html5/thumbnails/49.jpg)
#RSAC
What you can do in the next months
◆ Once TLS is activated, make sure it is configured properly ◆ Certificate validation ◆ TLS 1.2
◆ Start using C or Go services built on open source tools
49