Alfresco DevCon 2019: Encryption at-rest and in-transit
7 likes1,164 views
The document presents a detailed guide on encryption at-rest and in-transit, covering foundational concepts, encryption methods including symmetric and asymmetric approaches, and tools for managing encrypted data. It highlights the importance of encryption for data protection against unauthorized access, both for stored data and data in transit using protocols like TLS and mTLS. Additionally, it discusses the challenges and features of managing encryption within microservices and service mesh architectures, particularly through the use of technologies like Istio.
Alfresco DevCon 2019: Encryption at-rest and in-transit
- 1. Encryption At-Rest and In-Transit: Survival Guide Toni de la Fuente Lead SecOps and Security Architect Edinburgh, January 30th 2019
- 2. Learn. Connect. Collaborate. Who am I Click to speaker
- 3. Agenda • Requirements • Encryption Foundations • Encryption At-Rest – Native on premises – Third party on premises – Cloud • Encryption In-Transit – TLS and mTLS – Service to Service – Service Mesh
- 4. Requirements
- 5. Learn. Connect. Collaborate. Requirements: • Organization policies and compliance • Industry or government regulations • Protect privacy • Minimizes unauthorized access to data CIA triad: Information Security Integrity Availability Confidentiality Authenticity Accountability Non-repudiation
- 7. Learn. Connect. Collaborate. Foundations • Encryption keeps confidentiality and a key un-encrypt: AES (symmetric), Blowfish (symmetric), RSA (asymmetric) • Hashing checks integrity of data by creating a hash or digest with one-way function (signatures): SHA, MD5, MD4, etc. • Encoding is for maintaining data usability and can be reversed by employing the same algorithm that encoded the content: ASCII, Unicode, URL Encoding, Base64 • Obfuscation is used to prevent people from understanding the meaning of something, like source code
- 8. Learn. Connect. Collaborate. Symmetric key encryption Alice wants to send an encrypted message to Boriss: Key (1234) Plaintext Ciphertext A B C D E F G H I J K 99rwV+HMzEX4ux1O9t0TwQ== Algorithm Blowfish, AES, DES, TripleDES, etc. They both use the same key to encrypt and decryptThis process is usually FAST
- 9. Learn. Connect. Collaborate. Asymmetric key encryption: public and private keys Alice wants to send an encrypted message to Boriss: Alice uses Boriss’ Public Key (1234) Plaintext Ciphertext A B C D E F G H I J K 99rwV+HMzEX4ux1O9t0TwQ== Algorithm RSA, ElGamal, etc. Boriss uses his Private Key to decrypt (5678) Alice only needs to know Bob’s public keyThis process is usually SLOW
- 10. Learn. Connect. Collaborate. Certificates: X.509 (RFC6818) A certificate has: • subject name • subject’s public key • issuer name (CA name) • validity • signed by CA
- 11. Learn. Connect. Collaborate. Tools and Common File Formats • Many tools like OpenSSL, keytool, cfssl, mkcert, minica • Encoding: – DER: binary cert encoded with DER .cer or .crt files – PEM: ASCII (base64 encoded) cert .cer or .crt or .pem files “----BEGIN CERTIFICATE----” “----END CERTIFICATE----” • File extension: – .crt: Unix/Linux convention for a DER or Base64 PEM – .cer: MS convention for a DER or Base64 PEM – .key: public or private key PKCS#8. DER or PEM
- 13. Learn. Connect. Collaborate. What is encryption at-rest? Protect stored data from unauthorized access using encryption at block, file, directory, file system or full disk level with keys
- 14. Learn. Connect. Collaborate. Where do we store information today? • Alfresco CS Content Store • Alfresco CS Database • Alfresco CS Indexes • Alfresco CS Shared File Store (new Transformation Service) • Alfresco PS Database • Alfresco Identity Database (Keycloak) • Alfresco mobile Apps DBs DBs DBs File System Network Storage
- 15. Learn. Connect. Collaborate. How can we encrypt stored data? • Natively → Encryption add-on for Alfresco Content Store (application side encryption) Repo Storage doc doc doc doc Encrypted content store feature added DB Indexes / Transformations • Uses Java Cryptography Extension (supports HW encryption) • Each content element encrypted with individual symmetric key (AES 128 bit default). Symmetric keys are stored in alf_content_url_encryption table • Content keys then encrypted with asymmetric master key-pair (RSA)
- 16. Learn. Connect. Collaborate. How can we encrypt stored data? • Third parties → for Alfresco Content Store and everything else Repo Storage doc doc doc doc Encrypted content store feature added DB Indexes / Transformations • File system level tools • AWS EBS or S3 Server Side Encryption, RDS volume encryption • MSSQL or Oracle TDE
- 17. An introduction to mTLS and Service Mesh
- 19. Learn. Connect. Collaborate. Intro • What is encryption in-transit? • TLS and mTLS • SSL Offloading • Our Research and POCs: – Service to Service – Service Mesh
- 20. Learn. Connect. Collaborate. What is encryption in-transit? Protect moving data from unauthorized access using encryption on the wire with protocols like TLS or IPsec and keys
- 21. Learn. Connect. Collaborate. TLS and mTLS • SSL/TLS History: – 1995: SSL v2 (deprecated in 2011) – 1996: SSL v3 (deprecated in 2015) – 1999: TLS 1.0 (deprecation 2020) * – 2006: TLS 1.1 (deprecation 2020) * – 2008: TLS 1.2 * – 2018: TLS 1.3 * Vulnerable depending on browser or cipher used (POODLE, FREAK RC4 attacks and others) • TLS: are cryptographic protocols that provide communications security over a computer network. It uses symmetric cryptography to encrypt data transmitted and public-key cryptography for authentication. Authentication usually is from the server side only (using X.509 certs). • mTLS: mutual authentication using X.509 cert, commonly used between servers, applications or services.
- 22. Learn. Connect. Collaborate. SSL Offloading Repo Storage doc doc doc doc DBs File System Indexes / Transformations Service A Service B Service C Service D Service E Service F HTTP over TLS LB Plain HTTP
- 23. Learn. Connect. Collaborate. How does TLS and mTLS look like together? Repo Storage doc doc doc doc DBs File System Indexes / Transformations Service A Service B Service C Service D Service E Service FJDBC over TLS HTTP over TLS HTTP over TLS with mutual Authenticati on = mTLS LB HTTP over TLS
- 24. Learn. Connect. Collaborate. mTLS: Java Implementation High Level Overview Service A Service C Service B -Service A is client of Service B and server for Service C -Service B is client for Service C and server for Service A -Service C is client for Service A and server for Service B Client Server keystore truststore keystore truststore 1. Service connection requested 2. Provides server certificate 3. Client verifies server cert authenticity using CA cert 4. Provides client certificate 5. Server Verifies client cert authenticity using CA cert 6. They agree and share a symmetric session key for encryption and decryption and communication starts Server Certific ate Server Private Key CA Certific ate CA Certific ate Client Certific ate Client Private Key
- 25. Disclaimer • The information contained in these presentations is intended to inform the developer community based on a working prototype and should not be relied upon in making purchasing decisions. • The content is for informational purposes only and may not be incorporated into any contract. • The information presented is not a commitment, promise, or legal obligation to deliver any material, code or functionality. • Any references to the development, release, and timing of any features or functionality described for these products remains at Alfresco's sole discretion • Product capabilities, timeframes and features are subject to change and should not be viewed as Alfresco commitments.
- 26. Learn. Connect. Collaborate. Our Research Service to Service Service Mesh Remember: We want to see what is the best way to implement encryption and authentication between services! Tested with Alfresco CS 6.1, our Helm charts and EKS in AWS.
- 27. But Let’s Recap First
- 28. Learn. Connect. Collaborate. Internet LB / Proxy Tomcat Tomcat Tomcat DB File Storage 1. Load balancing 2. Application 3. Data #10YearsChallenge 2009
- 30. Learn. Connect. Collaborate. Layers! + Virtual Machine + Host + Infrastructure vendor https://adam.shostack.org/blog/2018/05/threat-model-thursday-google-on-kubernetes/ Java VM
- 32. Learn. Connect. Collaborate. Service-to-Service Encryption in-transit and Authentication POC • mTLS configuration per service/microservice • Automated with customized Helm chart and services • Repo and Solr communication was already mTLS • Limitations: – Repository service can’t do mTLS with transformation services: handshake fails – SSL certificate CN must match with domain name of internal services (requires usage of a CA) – mTLS between ELB and ingress – Automating certificate generation via Helm chart Kudos to Abdul Mohammed!
- 33. Learn. Connect. Collaborate. Service Mesh Intro • Challenges managing microservice architecture or service-oriented architecture – Multiple services, different IP, different hosts – Routing and discovery challenges – Network security challenges – Compatibility – Multi-level network awareness • Patterns: – Sidecar – Ambassador – Adapter or Node Agent • Known open source options: – Istio (Google, IBM and Lyft) - mTLS stable – Linkerd (Buoyant.io) - mTLS experimental – Consul (Hashicorp) - mTLS through Consul Connect – App Mesh (AWS) preview - no mTLS support
- 34. Learn. Connect. Collaborate. Istio Requirements and Features • Requirements: – For us: end-to-end encryption and authentication – Discovery, load balancing, failure recovery, metrics, monitoring, A/B testing, canary releases, rate limiting and access control. • Istio Features: – Automatic load balancing for HTTP, gRPC, WebSocket, and TCP traffic. – Fine-grained control of traffic behavior with rich routing rules, retries, failovers, and fault injection. – A pluggable policy layer and configuration API supporting access controls, rate limits and quotas. – Automatic metrics, logs, and traces for all traffic within a cluster, including cluster ingress and egress. – Secure service-to-service communication in a cluster with strong identity-based authentication and authorization.
- 35. Learn. Connect. Collaborate. Istio Architecture ● Data Plane ● Control Plane ● Components: ● Envoy: proxy per {micro}service ● Mixer: policies, telemetry and plugins ● Pilot: service discovery ● Citadel: manages certs for authorization and authentication ● Galley: istio API ● Others: ingress and egress gateways, injector, etc. https://istio.io/docs/concepts/security/architecture.svg
- 36. Demo
- 37. Learn. Connect. Collaborate. Related Sessions • TODAY – 13:30-14:00 Shea Nangle: Best Practices for DIY Alfresco Security – 15:00-15:30 Gavin Cornwell & Morris Singer: Alfresco Digital Business Platform on EKS • TOMORROW – 15:00-15:30 Sergiu Vidrascu: Developing on Kubernetes – 15:00-15:30 Ciju Joseph: Azure Devops and Alfresco DBP – 16:00-16:30 Luis Cabaciera & Victor Moreira: GDPR Watchdog
- 38. Questions?
- 39. Thanks!
- 40. Learn. Connect. Collaborate. References and Recommended Lectures • Liz Rice: GopherCon 2018: The Go Programmer's Guide to Secure Connections https://www.youtube.com/watch?v=kxKLYDLzuHA • Hanno: CCC 2018: The Rocky Road to TLS 1.3 and better Internet Encryption https://media.ccc.de/v/35c3-9607- the_rocky_road_to_tls_1_3_and_better_internet_encryption