Abstract image of a woman sitting on books and studying on a laptop

Certificates, PKI, and SSL/TLS for infrastructure builders and operators

Download as PPTX, PDF
David Ochel, profile picture
David Ochel

This document discusses the importance of managing infrastructure components that rely on TLS and certificates for transport security, covering applied cryptography basics, public key infrastructures, and SSL/TLS configurations. It emphasizes the practical security implications of key management, certificate lifecycles, and the challenges of key distribution and trust. Additionally, it outlines recommendations for proper certificate issuance, management, and configuration to enhance security against threats such as man-in-the-middle attacks.

Internet
1 of 29
Downloaded 11 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Certificates, Public Key Infrastructures, and SSL/TLS for infrastructure builders and operators David Ochel, August 2019 2019-08-31-00 Unless otherwise noted, clip art is from pixabay.com and subject to PixaBay’s license (https://pixabay.com/service/terms/#license). All remaining content that has not otherwise been attributed is released into the public domain under the CC0 1.0 – https://creativecommons.org/publicdomain/zero/1.0/.
Agenda & Outline Objective: Align on the practical and security implications of managing infrastructure components that rely on TLS and (server) certificates for enabling transport security. • Applied crypto basics – 20’ • Symmetric & asymmetric encryption • Hashes and digital signatures • What makes crypto hard • Public Key Infrastructures – 40’ • Certificates & CAs – and how they are used in TLS • Lifecycle considerations for server keys and certificates • SSL/TLS – Configuration Gotchas – 30‘
Thwarting the “Man in the Middle” PLAIN TEXT PLAIN TEXTtPLAIN TEXT • Communication over (public) networks is not confidential, by design • Emails, web traffic, secrets, etc. can be intercepted and/or manipulated • Originators of content can be impersonated • Unless it is protected and authenticated, typically using encryption • TLS (as in, HTTPS, FTPS) • IPsec, OpenVPN, MACsec, … (or application-specific, like PGP and SSH)
Crypto basics (because it’s the foundation for everything)
01101001 11100011 10001111 10010101 10110100 00000110 11010100 10010011 11001111 10110000 00001010 11110000 10100011 00100001 10001011 01001111 Secret Key – Symmetric Encryption • One key, multiple copies • Good: fast, straightforward • Bad: key distribution (requires out-of-band, can’t control copies) • Examples: AES, Blowfish – e.g., 256 bit key length PLAIN TEXT PLAIN TEXT CIPHER TEXT the key (it’s actually a random string of bits)
Public and private keys – Asymmetric Encryption • Mutually complementary pair of keys • Good: distribution (private key stays with owner, copies of the matching public key can be distributed freely); digital signatures • Bad: high CPU need, based on (theoretically solvable) math problems • Examples: RSA, Diffie Hellman – e.g., 2048 bit key length PLAIN TEXT PLAIN TEXT CIPHER TEXT private key public key
Cryptographic Hashes • Maps a message into a fixed-size digest (“hash”) • Deterministic • Collision-resistant • Non-reversible (one way), cannot compute message from hash • Examples: bcrypt, SHA-2 PLAIN TEXT hash PLAIN TEXT hash PLAIN TEXT PLAIN TEXT hash From https://en.wikipedia.org/wiki/File:Cryptographic_Hash_Function.svg
Digital Signatures • Originator encrypts hash with private key (“digital signature”) • Recipient decrypts hash with originator’s public key, and computes its own hash over the message • If the two hashes match, the message must have been signed by somebody in possession of the private key PLAIN TEXT hash PLAIN TEXT PLAIN TEXT PLAIN TEXT hash signature signature signature hash
Typical Crypto Limitations • Implementing crypto algorithms is hard Use approved libraries/products • Key material “weakens” (risk of eventual compromise increases) over time Rotate keys on defined frequencies Use recommended key lengths and algorithms • Protecting access to secret and private keys is hard Re-key if somebody with access to a secret key leaves organization Keep keys in as few locations as possible, defend them thoroughly Don’t re-use the same key for different purposes or in different trust settings • Distributing public keys in a trustworthy manner is still hard Use public key infrastructures!
Public Key Infrastructures (or, how do I know that Alice’s public key that I grabbed from the web is the one that in fact matches Alice’s private key, and not Chuck’s, who is pretending to be Alice?)
Remember the Man in the Middle? • We want to distribute public keys freely, over networks • But is Alice in fact the one that possesses the private key to the public key that has her name on it? • Can I trust that digital signatures signed with the corresponding private key are in fact Alice’s signatures, and not somebody who’s pretending to be her? • Can messages I encrypt with this key only be decrypted by her? PLAIN TEXT PLAIN TEXT A A C CA C A C
Attesting to a distributed key’s authenticity • Crowd-sourced web of trust (e.g., PGP) • Users attest to the authenticity of public keys by signing each other’s public keys (after having established that they have the same key in front of them) • Key Signing Party, anyone? • Trusted Third Parties • Certificate authorities establish a hierarchical chain of trust into public keys • All users trust the same CA, thus any public key signed by the CA is extended trust (without the need for a secure channel to obtain individual public keys) https://imgs.xkcd.com/comics/responsible_behavior.png
Certificates! Cert Signing Request Name: Alice Address: alice@foo.bar Public key: Certificate Authority PLAIN TEXT PLAIN TEXT CIPHER TEXT A signature A A A A A CERTIFICATE Expiration: … Name: Alice Address: … Public key: CA signature A CA CA A CA
Transport Layer Security – crypto (simplified) CERTIFICATE Expiration: … Name: Company A Address: … Public key: CA signature A CERTIFICATE Expiration: … Name: Company A Address: … Public key: CA signature A 1: Client requests server certificate, validates it against CA cert 2: Client generates symmetric session key* A 3: Client & server exchange traffic encrypted with the session key ENCRYPTED PAYLOAD (e.g., HTML) *This is a much simplified view of how key generation with RSA works. Authentication of the server with RSA is implicit. DH/ECDH works differently. AA
Lifecycle of a server certificate 1. Public/private keypair management 2. Certificate request 3. Certificate issuance 4. Certificate use and revocation 5. Certificate consumption by clients
(1) Managing server public/private keys • Private keys should never leave the server (need to keep confidential) • Use Certificate Signing Requests instead of letting the CA generate the server’s public/private key pair • Do not share private keys across trust domains / between different services (lest compromise of the weakest link will compromise them all) • Beware of aging keys • Limit validity of certificates to an appropriate number of days or years • Generate new keys when “renewing” a cert instead of getting a new cert for the same old key • Consider new keys & certs if an operator with access leaves the organization • Self-signed certificates
(2) Requesting a certificate • Prefer FQDN subject names over wildcards • Wild cards encourage proliferation of the same keys across different services / trust domains • Consider multiple Subject Alternative Names instead • Choose your CA wisely • Consider reputation of different CAs, even though browsers might trust them all • Consider validation and support needs (e.g., Let’s Encrypt – domain validation only) • Identity Verification • Registration Authorities – (in-person) offices of the CA for high-trust situations (e.g., validating somebody’s passport in person - not common in TLS server scenarios • Domain Validation – does the requesting organization control the domain that the cert is for? • Organization Validation – can the requesting organization prove its name/DBA/address as listed in the CSR? • Extended Validation – subject name matches organization’s incorporation doc • Certificate Signing Request (CSR) – standardized format to request a certificate • Does not include the user’s|server’s private key, but is signed by its private key to demonstrate possession of it
(3) Issuing a certificate • Do not use self-signed certs • Teaching users to click through warnings in their browsers desensitizes them against actual threats • Internal CAs for internal services are OK *if* they are managed properly • Mitigate risk of CA compromise • The root CA should be highly protected, offline, and only used to issue certs to certificate-issuing CAs lower down in the hierarchy • Consider using different cert-issuing CAs for different cert purposes / environments • Automation is OK… • ...if cert requests are properly authenticated & authorized
(4) Hosting and revoking certificates • Serve certificate chains with your certificate • Clients may break if intermediate certs are not served by your server, since they may only have the root CA certs in their trust stores • Monitor for certificate expiration • Revoke certificates for compromised or retired keys
Certificates – the devil is in the details • Expiration Date • Purpose (domain validation, cert issuer) • Subject Alternative Names • Wildcard Certs vs. FQDN • Key Usage
Other uses of certificates & trust chains • Code signing • Windows updates • Europe: electronic signatures • Device authentication • User authentication • S/MIME • DNSSEC • PGP Web of Trust
Using certificates for authentication • Authentication factors: what you have; what you know; what you are • Certs (i.e., private keys!) are “what you know” • Same issue as passwords – can be cloned onto multiple devices, picked up by malware, … • Can be used to implement “what you have” if protected from cloning • E.g., on a smart card, HSM, secure enclave • Do certs authenticate users or devices? • Certs don’t authenticate anything, it’s the private key that corresponds to the public key in the cert that does the authentication • Arguably, the CA’s digital signature on the certificate provides for authenticity of the certificate’s content • Do keys (SSH keys, keys related to device certs, …) authenticate users or devices? • It depends – on usage, protection of the keys, context, …
SSL/TLS – Configuration Gotchas
Transport Layer Security – crypto (simplified) CERTIFICATE Expiration: … Name: Company A Address: … Public key: CA signature A CERTIFICATE Expiration: … Name: Company A Address: … Public key: CA signature A 1: Client requests server certificate, validates it against CA cert 2: Client generates symmetric session key* A 3: Client & server exchange traffic encrypted with the session key ENCRYPTED PAYLOAD (e.g., HTML) *This is a much simplified view of how key generation with RSA works. Authentication of the server with RSA is implicit. DH/ECDH works differently.
Versions • SSL is outdated and insecure • v2 – 1994 (Netscape Navigator 1.1 ) • v3 – 1995 • TLS • 1.0 – 1999 (RFC 2246), similar to SSLv3 • 1.1 – 2006, uses MD5 and SHA-1 (on it’s way out) • 1.2 – 2008 • 1.3 – 2018
Cipher Suites • Determine the mix and match of crypto algorithms a client and server can agree on for: • Authentication • Key exchange • Encryption algorithm & key sizes • Etc. Disable weak cipher suites Prefer them in order of strength
Other Tidbits • Perfect Forward Secrecy • Session keys don’t depend on protection by the server’s private key • A result of using DH/ECDH (instead of RSA) for key agreement • If RSA is not supported by a web server, MITM traffic inspection will break ;-) • Various other, security-relevant configuration settings. For example: • Prevent protocol version downgrade attacks (TLS_FALLBACK_SCSV) • Reject insecure renegotiation (support the Renegotiation Indication extension, RFC 5746) • Tell clients to always use TLS (Strict Transport Security (HSTS)) • Only use the TLS NULL compression method • Support OCSP stapling (RFC 6066) • Support session resumption
Potential Client Issues • Mismatch of supported protocol versions • Mismatch of supported ciphersuites • Certificate Pinning • Will interfere with MITM attempts to de- and re-encrypt traffic (e.g., for inspection)
Fun Tools • Dealing with certs • OpenSSL • Checking TLS configs • sslyze • www.ssllabs.com • observatory.mozilla.org • References • https://www.ssllabs.com/projects/documentation/

More Related Content

PDF
LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil
David Ochel
 
PPTX
Email Security with OpenPGP - An Appetizer
David Ochel
 
PDF
[OPD 2019] Threat modeling at scale
OWASP
 
PDF
[OPD 2019] .NET Core Security
OWASP
 
PPTX
How to write secure code
Flaskdata.io
 
PDF
IT-Security@Contemporary Life
Oliver Pfaff
 
PDF
Web-of-Things and Services Security
Oliver Pfaff
 
PDF
Microservices Security: dos and don'ts
Minded Security
 
LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil
David Ochel
 
Email Security with OpenPGP - An Appetizer
David Ochel
 
[OPD 2019] Threat modeling at scale
OWASP
 
[OPD 2019] .NET Core Security
OWASP
 
How to write secure code
Flaskdata.io
 
IT-Security@Contemporary Life
Oliver Pfaff
 
Web-of-Things and Services Security
Oliver Pfaff
 
Microservices Security: dos and don'ts
Minded Security
 

What's hot (20)

PPTX
Security in microservices architectures
inovia
 
PDF
Let's get evil - threat modeling at scale
SecuRing
 
PPTX
Charles Weir's Security presentation for Code Cumbria, January 2014
Charles Weir
 
PDF
Protecting the Keys to the Kingdom - The Case for Adaptive Authentication for...
SecureAuth
 
PDF
OpenID Foundation RISC WG Update - 2018-04-02
MikeLeszcz
 
PPTX
Certificate pinning in android applications
Arash Ramez
 
PDF
[OPD 2019] Web Apps vs Blockchain dApps
OWASP
 
PDF
[OPD 2019] Trusted types and the end of DOM XSS
OWASP
 
PPTX
Red teaming in the cloud
Peter Wood
 
PDF
Service Mesh vs. Frameworks: Where to put the resilience?
Michael Hofmann
 
PDF
DevSecOps: The Open Source Way for CloudExpo 2018
Gordon Haff
 
PDF
The Principles of Secure Development - BSides Las Vegas 2009
Security Ninja
 
PPTX
How to do Cryptography right in Android Part One
Arash Ramez
 
PDF
OpenID Foundation's Risk Incident and Sharing Communication (RISC) Work Group...
MikeLeszcz
 
PPTX
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
SecuRing
 
PPT
Introduction To PKI Technology
Sylvain Maret
 
PDF
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect for Identity As...
OpenIDFoundation
 
PDF
Easy public-private-keys-strong-authentication-using-u2 f
Cyber Security Alliance
 
PDF
Heartbleed && Wireless
Luis Grangeia
 
PPTX
How to do Cryptography right in Android Part Two
Arash Ramez
 
Security in microservices architectures
inovia
 
Let's get evil - threat modeling at scale
SecuRing
 
Charles Weir's Security presentation for Code Cumbria, January 2014
Charles Weir
 
Protecting the Keys to the Kingdom - The Case for Adaptive Authentication for...
SecureAuth
 
OpenID Foundation RISC WG Update - 2018-04-02
MikeLeszcz
 
Certificate pinning in android applications
Arash Ramez
 
[OPD 2019] Web Apps vs Blockchain dApps
OWASP
 
[OPD 2019] Trusted types and the end of DOM XSS
OWASP
 
Red teaming in the cloud
Peter Wood
 
Service Mesh vs. Frameworks: Where to put the resilience?
Michael Hofmann
 
DevSecOps: The Open Source Way for CloudExpo 2018
Gordon Haff
 
The Principles of Secure Development - BSides Las Vegas 2009
Security Ninja
 
How to do Cryptography right in Android Part One
Arash Ramez
 
OpenID Foundation's Risk Incident and Sharing Communication (RISC) Work Group...
MikeLeszcz
 
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
SecuRing
 
Introduction To PKI Technology
Sylvain Maret
 
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect for Identity As...
OpenIDFoundation
 
Easy public-private-keys-strong-authentication-using-u2 f
Cyber Security Alliance
 
Heartbleed && Wireless
Luis Grangeia
 
How to do Cryptography right in Android Part Two
Arash Ramez
 
Ad

Similar to Certificates, PKI, and SSL/TLS for infrastructure builders and operators (20)

PPTX
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
JaroslavChmurny
 
PPT
PKI by Gene Itkis
Information Security Awareness Group
 
PPTX
Public Key Infrastructures
Zefren Edior
 
PDF
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
JUSTSTYLISH3B2MOHALI
 
PPT
Public Key Infrastructure and Application_Applications.ppt
lanhuongvernon
 
PPTX
Introduction to Public Key Infrastructure
Theo Gravity
 
PPT
Certificates and Web of Trust
Yousof Alsatom
 
PPT
PKI_Applications digital certificate.ppt
ubaidullah75790
 
PPTX
Kent King - PKI: Do You Know Your Exposure?
centralohioissa
 
PDF
Certificate Management on pfSense 2.4 - pfSense Hangout September 2017
Netgate
 
PDF
Trust and Security, presented by Geoff Huston
APNIC
 
PPT
PKI and Applications
Svetlin Nakov
 
PPT
Ch12 Cryptographic Protocols and Public Key Infrastructure
Information Technology
 
PDF
encryption presentation (SAGE-WA, 2010-10-05)
Alastair Irvine
 
PDF
What Every Software Engineer Should Know About Security and Encryption
All Things Open
 
PPT
Crypto Analysis slides presentation slides
tahirsaleem54
 
PPTX
Secure socket layer
BU
 
PPTX
CompTIASecPLUS-Part6 - UnlimitedEdited.pptx
mohedkhadar60
 
PDF
18CS2005 Cryptography and Network Security
Kathirvel Ayyaswamy
 
ODP
SSL certificates
Kevin OBrien
 
SSL/TLS Introduction with Practical Examples Including Wireshark Captures
JaroslavChmurny
 
PKI by Gene Itkis
Information Security Awareness Group
 
Public Key Infrastructures
Zefren Edior
 
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
JUSTSTYLISH3B2MOHALI
 
Public Key Infrastructure and Application_Applications.ppt
lanhuongvernon
 
Introduction to Public Key Infrastructure
Theo Gravity
 
Certificates and Web of Trust
Yousof Alsatom
 
PKI_Applications digital certificate.ppt
ubaidullah75790
 
Kent King - PKI: Do You Know Your Exposure?
centralohioissa
 
Certificate Management on pfSense 2.4 - pfSense Hangout September 2017
Netgate
 
Trust and Security, presented by Geoff Huston
APNIC
 
PKI and Applications
Svetlin Nakov
 
Ch12 Cryptographic Protocols and Public Key Infrastructure
Information Technology
 
encryption presentation (SAGE-WA, 2010-10-05)
Alastair Irvine
 
What Every Software Engineer Should Know About Security and Encryption
All Things Open
 
Crypto Analysis slides presentation slides
tahirsaleem54
 
Secure socket layer
BU
 
CompTIASecPLUS-Part6 - UnlimitedEdited.pptx
mohedkhadar60
 
18CS2005 Cryptography and Network Security
Kathirvel Ayyaswamy
 
SSL certificates
Kevin OBrien
 
Ad

Recently uploaded (20)

PDF
Exploring The Internet Of Things(IOT).ppt
rakeshk19831911
 
PPTX
Mathew Digital SEO Checklist Guidlines 2025
Mathew Digital
 
PPT
Ethics in Information System - Management Information System
faizhossain3
 
PDF
Alethe Consulting Corporate Profile and Solution Aproach
debashisrakshit2025
 
PDF
Containerization lab dddddddddddddddmanual.pdf
muler161921
 
PPTX
Reading as a good Form of Recreation
Raj Kumble
 
PDF
📍 LABUAN4D EXCLUSIVE SERVER STAR GAMING ASIA NO.1 TERPOPULER DI INDONESIA ! 🌟
alexiskandar061
 
PDF
Exploring VPS Hosting Trends for SMBs in 2025
Liquid Web
 
PDF
mera desh ae watn.(a source of motivation and patriotism to the youth of the ...
DtMalhonSharma
 
PPTX
Database Information System - Management Information System
faizhossain3
 
PDF
Alethe Consulting Corporate Profile and Solution Aproach
debashisrakshit2025
 
PPTX
module 1-Part 1.pptxdddddddddddddddddddddddddddddddddddd
KevinSeelu
 
PPT
12 Things That Make People Trust a Website Instantly
Shethil Ahammed
 
PDF
The Evolution of Traditional to New Media .pdf
NIKKODENSMIRO
 
PDF
Understand the Gitlab_presentation_task.pdf
ruhinisiyara
 
PDF
Uptota Investor Deck - Where Africa Meets Blockchain
jjc123linkedin
 
PPTX
curriculumandpedagogyinearlychildhoodcurriculum-171021103104 - Copy.pptx
HeneszaAvenido1
 
PDF
Lean-Manufacturing-Tools-Techniques-and-How-To-Use-Them.pdf
Turreteng
 
PPTX
Internet Safety for Seniors presentation
mwnorman1
 
PDF
Top 8 Trusted Sources to Buy Verified Cash App Accounts.pdf
How To Buy Verified Cash App Accounts
 
Exploring The Internet Of Things(IOT).ppt
rakeshk19831911
 
Mathew Digital SEO Checklist Guidlines 2025
Mathew Digital
 
Ethics in Information System - Management Information System
faizhossain3
 
Alethe Consulting Corporate Profile and Solution Aproach
debashisrakshit2025
 
Containerization lab dddddddddddddddmanual.pdf
muler161921
 
Reading as a good Form of Recreation
Raj Kumble
 
📍 LABUAN4D EXCLUSIVE SERVER STAR GAMING ASIA NO.1 TERPOPULER DI INDONESIA ! 🌟
alexiskandar061
 
Exploring VPS Hosting Trends for SMBs in 2025
Liquid Web
 
mera desh ae watn.(a source of motivation and patriotism to the youth of the ...
DtMalhonSharma
 
Database Information System - Management Information System
faizhossain3
 
Alethe Consulting Corporate Profile and Solution Aproach
debashisrakshit2025
 
module 1-Part 1.pptxdddddddddddddddddddddddddddddddddddd
KevinSeelu
 
12 Things That Make People Trust a Website Instantly
Shethil Ahammed
 
The Evolution of Traditional to New Media .pdf
NIKKODENSMIRO
 
Understand the Gitlab_presentation_task.pdf
ruhinisiyara
 
Uptota Investor Deck - Where Africa Meets Blockchain
jjc123linkedin
 
curriculumandpedagogyinearlychildhoodcurriculum-171021103104 - Copy.pptx
HeneszaAvenido1
 
Lean-Manufacturing-Tools-Techniques-and-How-To-Use-Them.pdf
Turreteng
 
Internet Safety for Seniors presentation
mwnorman1
 
Top 8 Trusted Sources to Buy Verified Cash App Accounts.pdf
How To Buy Verified Cash App Accounts
 

Certificates, PKI, and SSL/TLS for infrastructure builders and operators

  • 1. Certificates, Public Key Infrastructures, and SSL/TLS for infrastructure builders and operators David Ochel, August 2019 2019-08-31-00 Unless otherwise noted, clip art is from pixabay.com and subject to PixaBay’s license (https://pixabay.com/service/terms/#license). All remaining content that has not otherwise been attributed is released into the public domain under the CC0 1.0 – https://creativecommons.org/publicdomain/zero/1.0/.
  • 2. Agenda & Outline Objective: Align on the practical and security implications of managing infrastructure components that rely on TLS and (server) certificates for enabling transport security. • Applied crypto basics – 20’ • Symmetric & asymmetric encryption • Hashes and digital signatures • What makes crypto hard • Public Key Infrastructures – 40’ • Certificates & CAs – and how they are used in TLS • Lifecycle considerations for server keys and certificates • SSL/TLS – Configuration Gotchas – 30‘
  • 3. Thwarting the “Man in the Middle” PLAIN TEXT PLAIN TEXTtPLAIN TEXT • Communication over (public) networks is not confidential, by design • Emails, web traffic, secrets, etc. can be intercepted and/or manipulated • Originators of content can be impersonated • Unless it is protected and authenticated, typically using encryption • TLS (as in, HTTPS, FTPS) • IPsec, OpenVPN, MACsec, … (or application-specific, like PGP and SSH)
  • 4. Crypto basics (because it’s the foundation for everything)
  • 5. 01101001 11100011 10001111 10010101 10110100 00000110 11010100 10010011 11001111 10110000 00001010 11110000 10100011 00100001 10001011 01001111 Secret Key – Symmetric Encryption • One key, multiple copies • Good: fast, straightforward • Bad: key distribution (requires out-of-band, can’t control copies) • Examples: AES, Blowfish – e.g., 256 bit key length PLAIN TEXT PLAIN TEXT CIPHER TEXT the key (it’s actually a random string of bits)
  • 6. Public and private keys – Asymmetric Encryption • Mutually complementary pair of keys • Good: distribution (private key stays with owner, copies of the matching public key can be distributed freely); digital signatures • Bad: high CPU need, based on (theoretically solvable) math problems • Examples: RSA, Diffie Hellman – e.g., 2048 bit key length PLAIN TEXT PLAIN TEXT CIPHER TEXT private key public key
  • 7. Cryptographic Hashes • Maps a message into a fixed-size digest (“hash”) • Deterministic • Collision-resistant • Non-reversible (one way), cannot compute message from hash • Examples: bcrypt, SHA-2 PLAIN TEXT hash PLAIN TEXT hash PLAIN TEXT PLAIN TEXT hash From https://en.wikipedia.org/wiki/File:Cryptographic_Hash_Function.svg
  • 8. Digital Signatures • Originator encrypts hash with private key (“digital signature”) • Recipient decrypts hash with originator’s public key, and computes its own hash over the message • If the two hashes match, the message must have been signed by somebody in possession of the private key PLAIN TEXT hash PLAIN TEXT PLAIN TEXT PLAIN TEXT hash signature signature signature hash
  • 9. Typical Crypto Limitations • Implementing crypto algorithms is hard Use approved libraries/products • Key material “weakens” (risk of eventual compromise increases) over time Rotate keys on defined frequencies Use recommended key lengths and algorithms • Protecting access to secret and private keys is hard Re-key if somebody with access to a secret key leaves organization Keep keys in as few locations as possible, defend them thoroughly Don’t re-use the same key for different purposes or in different trust settings • Distributing public keys in a trustworthy manner is still hard Use public key infrastructures!
  • 10. Public Key Infrastructures (or, how do I know that Alice’s public key that I grabbed from the web is the one that in fact matches Alice’s private key, and not Chuck’s, who is pretending to be Alice?)
  • 11. Remember the Man in the Middle? • We want to distribute public keys freely, over networks • But is Alice in fact the one that possesses the private key to the public key that has her name on it? • Can I trust that digital signatures signed with the corresponding private key are in fact Alice’s signatures, and not somebody who’s pretending to be her? • Can messages I encrypt with this key only be decrypted by her? PLAIN TEXT PLAIN TEXT A A C CA C A C
  • 12. Attesting to a distributed key’s authenticity • Crowd-sourced web of trust (e.g., PGP) • Users attest to the authenticity of public keys by signing each other’s public keys (after having established that they have the same key in front of them) • Key Signing Party, anyone? • Trusted Third Parties • Certificate authorities establish a hierarchical chain of trust into public keys • All users trust the same CA, thus any public key signed by the CA is extended trust (without the need for a secure channel to obtain individual public keys) https://imgs.xkcd.com/comics/responsible_behavior.png
  • 13. Certificates! Cert Signing Request Name: Alice Address: [email protected] Public key: Certificate Authority PLAIN TEXT PLAIN TEXT CIPHER TEXT A signature A A A A A CERTIFICATE Expiration: … Name: Alice Address: … Public key: CA signature A CA CA A CA
  • 14. Transport Layer Security – crypto (simplified) CERTIFICATE Expiration: … Name: Company A Address: … Public key: CA signature A CERTIFICATE Expiration: … Name: Company A Address: … Public key: CA signature A 1: Client requests server certificate, validates it against CA cert 2: Client generates symmetric session key* A 3: Client & server exchange traffic encrypted with the session key ENCRYPTED PAYLOAD (e.g., HTML) *This is a much simplified view of how key generation with RSA works. Authentication of the server with RSA is implicit. DH/ECDH works differently. AA
  • 15. Lifecycle of a server certificate 1. Public/private keypair management 2. Certificate request 3. Certificate issuance 4. Certificate use and revocation 5. Certificate consumption by clients
  • 16. (1) Managing server public/private keys • Private keys should never leave the server (need to keep confidential) • Use Certificate Signing Requests instead of letting the CA generate the server’s public/private key pair • Do not share private keys across trust domains / between different services (lest compromise of the weakest link will compromise them all) • Beware of aging keys • Limit validity of certificates to an appropriate number of days or years • Generate new keys when “renewing” a cert instead of getting a new cert for the same old key • Consider new keys & certs if an operator with access leaves the organization • Self-signed certificates
  • 17. (2) Requesting a certificate • Prefer FQDN subject names over wildcards • Wild cards encourage proliferation of the same keys across different services / trust domains • Consider multiple Subject Alternative Names instead • Choose your CA wisely • Consider reputation of different CAs, even though browsers might trust them all • Consider validation and support needs (e.g., Let’s Encrypt – domain validation only) • Identity Verification • Registration Authorities – (in-person) offices of the CA for high-trust situations (e.g., validating somebody’s passport in person - not common in TLS server scenarios • Domain Validation – does the requesting organization control the domain that the cert is for? • Organization Validation – can the requesting organization prove its name/DBA/address as listed in the CSR? • Extended Validation – subject name matches organization’s incorporation doc • Certificate Signing Request (CSR) – standardized format to request a certificate • Does not include the user’s|server’s private key, but is signed by its private key to demonstrate possession of it
  • 18. (3) Issuing a certificate • Do not use self-signed certs • Teaching users to click through warnings in their browsers desensitizes them against actual threats • Internal CAs for internal services are OK *if* they are managed properly • Mitigate risk of CA compromise • The root CA should be highly protected, offline, and only used to issue certs to certificate-issuing CAs lower down in the hierarchy • Consider using different cert-issuing CAs for different cert purposes / environments • Automation is OK… • ...if cert requests are properly authenticated & authorized
  • 19. (4) Hosting and revoking certificates • Serve certificate chains with your certificate • Clients may break if intermediate certs are not served by your server, since they may only have the root CA certs in their trust stores • Monitor for certificate expiration • Revoke certificates for compromised or retired keys
  • 20. Certificates – the devil is in the details • Expiration Date • Purpose (domain validation, cert issuer) • Subject Alternative Names • Wildcard Certs vs. FQDN • Key Usage
  • 21. Other uses of certificates & trust chains • Code signing • Windows updates • Europe: electronic signatures • Device authentication • User authentication • S/MIME • DNSSEC • PGP Web of Trust
  • 22. Using certificates for authentication • Authentication factors: what you have; what you know; what you are • Certs (i.e., private keys!) are “what you know” • Same issue as passwords – can be cloned onto multiple devices, picked up by malware, … • Can be used to implement “what you have” if protected from cloning • E.g., on a smart card, HSM, secure enclave • Do certs authenticate users or devices? • Certs don’t authenticate anything, it’s the private key that corresponds to the public key in the cert that does the authentication • Arguably, the CA’s digital signature on the certificate provides for authenticity of the certificate’s content • Do keys (SSH keys, keys related to device certs, …) authenticate users or devices? • It depends – on usage, protection of the keys, context, …
  • 24. Transport Layer Security – crypto (simplified) CERTIFICATE Expiration: … Name: Company A Address: … Public key: CA signature A CERTIFICATE Expiration: … Name: Company A Address: … Public key: CA signature A 1: Client requests server certificate, validates it against CA cert 2: Client generates symmetric session key* A 3: Client & server exchange traffic encrypted with the session key ENCRYPTED PAYLOAD (e.g., HTML) *This is a much simplified view of how key generation with RSA works. Authentication of the server with RSA is implicit. DH/ECDH works differently.
  • 25. Versions • SSL is outdated and insecure • v2 – 1994 (Netscape Navigator 1.1 ) • v3 – 1995 • TLS • 1.0 – 1999 (RFC 2246), similar to SSLv3 • 1.1 – 2006, uses MD5 and SHA-1 (on it’s way out) • 1.2 – 2008 • 1.3 – 2018
  • 26. Cipher Suites • Determine the mix and match of crypto algorithms a client and server can agree on for: • Authentication • Key exchange • Encryption algorithm & key sizes • Etc. Disable weak cipher suites Prefer them in order of strength
  • 27. Other Tidbits • Perfect Forward Secrecy • Session keys don’t depend on protection by the server’s private key • A result of using DH/ECDH (instead of RSA) for key agreement • If RSA is not supported by a web server, MITM traffic inspection will break ;-) • Various other, security-relevant configuration settings. For example: • Prevent protocol version downgrade attacks (TLS_FALLBACK_SCSV) • Reject insecure renegotiation (support the Renegotiation Indication extension, RFC 5746) • Tell clients to always use TLS (Strict Transport Security (HSTS)) • Only use the TLS NULL compression method • Support OCSP stapling (RFC 6066) • Support session resumption
  • 28. Potential Client Issues • Mismatch of supported protocol versions • Mismatch of supported ciphersuites • Certificate Pinning • Will interfere with MITM attempts to de- and re-encrypt traffic (e.g., for inspection)
  • 29. Fun Tools • Dealing with certs • OpenSSL • Checking TLS configs • sslyze • www.ssllabs.com • observatory.mozilla.org • References • https://www.ssllabs.com/projects/documentation/

Editor's Notes

  • #4: https://pixabay.com/vectors/robber-burglar-bandit-stripes-303444/