1
The future of PKI.
Using automation tools and protocols to bootstrap trust in a dynamic environment
Anton Krupskyi
October 25th, 2018
2
AGENDA
Problem: End-to-end encryption in dynamic cloud software-defined infrastructure
Solution: Automated certificate lifecycle management
Implementation: Design, tools and mechanisms used
3
THE SITUATION
• Separate networks in every country
• Individual services and products for every market
• Traditional hardware platforms
• Around 650 service platforms
4
THE SOLUTION
• A single unified network
• Modular services to cater to different market requirements
• Agile infrastructure cloud, based on virtualization and software defined networks
• Agile datacentres
• End-to-end encryption
5
DESIGN PRINCIPLE: END TO END ENCRYPTION
• Data transmitted on networks can be intercepted
• Agencies like the NSA and motivated criminals use surveillance technology to gain information
• To protect ourselves and our clients, we need to use encryption
The Solution: Public Key Infrastructure
• State-of-the-art encryption algorithms
• End-to-end encryption between all machines
• Trust anchors
6
CORNERSTONES OF A PUBLIC KEY INFRASTRUCTURE
Asymmetric encryption
• Uses pairs of public and private keys.
• A message encrypted by one key can only be decrypted by the other.
• Users publish their public keys and keep the private key secret.
Trust & Identity
• A certificate links a public key to an identity.
• The certificate is provided by an authority that we trust.
• The certificate authority verifies the identity of the public key's owner before issuing the certificate.
We can think of the public key as a mailbox and the private key as the key to the mailbox. The mailbox now has an ID that assures us that the owner is indeed who we want to contact.
7
THE CERTIFICATE AUTHORITY AS TRUST ANCHOR
• Encryption relies on the secrecy & trustworthiness of the key
• Communication partners exchange public keys when establishing a connection
• Without certificates, malicious 3rd parties could intercept the key exchange and substitute their own key
• A Certificate Authority provides us with the means to verify a chain of trust
• The CA signs a server's public key after it proves its identity
• If we trust the CA, we can trust the website that has the certificate
8
AUTOMATION & CLOUD
• Infrastructure or service owners need to enroll their services to receive a certificate
• This is typically done in a manual verification process to prove legitimacy and ownership
• The same process needs to be repeated periodically to renew certificates
• This process does not scale in a cloud environment
Challenge
• Certificate distribution in a dynamic, highly distributed environment
• Distribute certificates quickly to new machines when scaling out
• Remove the need for manual certificate lifecycle management
• Short certificate lifetime
9
AUTOMATED CERTIFICATE DISTRIBUTION
• The CA provides certificates to services after verifying their identity
• Using a dedicated client, a service can automate the verification and the certificate lifecycle
• Using the client together with a configuration management tool, deployment of the client and requesting a certificate can be fully automated
Solution
• Challenge-response mechanism between client and CA
• Certificate lifecycle management through an automated client
10
THE ACME PROTOCOL
Created by the Internet Security Research Group for Let's Encrypt. Their goal: increase usage of https over http by making certificates free and easy to obtain.
Automates the interaction between Certificate Authority and clients. No manual steps are necessary to receive a certificate; the certificate lifecycle is fully automated.
Does not sacrifice security for convenience. Client and server perform the necessary steps for a full domain name validation.
• Boulder is a CA that implements the ACME protocol and can communicate with Certbot
• Certbot is a client that can automatically fulfill validation challenges
• Certbot also takes care of certificate lifecycle management
11
THE ACME PROTOCOL
Boulder CA and Certbot are the Let's Encrypt implementations of the ACME protocol.
Message flow between client and CA (as drawn on the slide):
1. Certificate signing request
2. Validation challenge
3. Challenge response
4. Signed certificate
12
VALIDATION CHALLENGES
• The ACME protocol and Boulder CA offer three different ways to prove ownership of a domain
• For all challenges, the CA provides a token
• The token is a nonce that uniquely identifies the challenge, with at least 128 bits of entropy
HTTP Challenge
• Client creates an ad-hoc webserver
• Client places a file at a specific address on the webserver
• File contains the token
TLS-SNI Challenge
• Client creates a TLS server with a custom vhost
• CA creates a TLS connection to the client and uses the SNI extension to request the custom vhost
• Client provides a self-signed certificate containing the token in the SAN field
DNS Challenge
• Client provisions a TXT resource record for the domain at the DNS server
• This record contains a SHA256 digest of the token
• Not automated at this point
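As an added example (not from the slides, and not code from Certbot or Boulder), here is what a client derives from the CA's token for the HTTP and DNS challenges, following RFC 8555: the key authorization is the token joined with the account key's JWK thumbprint, and the DNS TXT value is the base64url SHA-256 of that key authorization, which is the "digest of the token" the slide refers to. The account JWK, the token and the domain are constructed sample values; the token check shows why a client should validate the token before writing it into a file path.

```python
import base64
import hashlib
import json
import re
from typing import Tuple

# Constructed sample ACME account key (public part, JWK form). The curve
# coordinates are illustrative placeholders, not a real key; "alg" and
# "kid" are extra members that the thumbprint must ignore.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "alg": "ES256",
    "kid": "https://ca.example.internal/acme/acct/1",
}

# RFC 8555 requires the token to contain base64url characters only and to
# carry at least 128 bits of entropy; 22 base64url characters encode 132 bits.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")
MIN_TOKEN_CHARS = 22


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    members only, keys sorted, no whitespace. Extra members are dropped."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {name: jwk[name] for name in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def check_token(token: str) -> str:
    """Validate the CA-supplied token before using it. The HTTP challenge
    writes the token into a file name under the web root, so a token with
    path characters must be rejected rather than trusted."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token is not base64url; refusing to use it in a path")
    if len(token) < MIN_TOKEN_CHARS:
        raise ValueError("token is too short for 128 bits of entropy")
    return token


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(JWK thumbprint).
    Binding the account key stops another ACME account from reusing a
    token it observed on the wire."""
    return f"{check_token(token)}.{jwk_thumbprint(account_jwk)}"


def http01_resource(token: str, account_jwk: dict) -> Tuple[str, str]:
    """Path and body the client must serve for the HTTP challenge."""
    path = f"/.well-known/acme-challenge/{check_token(token)}"
    return path, key_authorization(token, account_jwk)


def dns01_record(token: str, account_jwk: dict, domain: str) -> Tuple[str, str]:
    """TXT record name and value for the DNS challenge:
    base64url(SHA-256(key authorization))."""
    key_auth = key_authorization(token, account_jwk).encode("ascii")
    return f"_acme-challenge.{domain}", b64url(hashlib.sha256(key_auth).digest())


if __name__ == "__main__":
    token = "gXkJ0-Pq_6Wd3zVt8aL1mR5yQ2cB7nH4"  # constructed sample token
    path, body = http01_resource(token, ACCOUNT_JWK)
    print(f"HTTP-01: serve {path} with body {body}")
    name, value = dns01_record(token, ACCOUNT_JWK, "svc.example.internal")
    print(f"DNS-01: TXT {name} = {value}")
    for bad in ("../../etc/passwd", "short"):
        try:
            check_token(bad)
        except ValueError as err:
            print(f"rejected {bad!r}: {err}")
```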
13
WHAT YOU GET
Transparent end-to-end encryption: every device has a private/public key pair and a certificate to identify itself.
Automated certificate deployment: receiving a certificate is as easy as adding a few lines to the server configuration tool.
Managed life-cycle / ease of use: the lifecycle functions of the client are also automated, removing the need for manual renewal.
14
USE-CASES
BoulderCA (PKI-CA)
• Can perform automated validation
• Signs service certificates for identification and encryption
ManualCA
• For services that do not support automation
• Signs service certificates for identification and encryption
UserCertCA
• SSL certificate for user authentication
• S/MIME certificate for email encryption & signature
• Certificate for document/code signing
EndpointCertCA
• 802.1x certificate for access management between devices & within the network
• EFS endpoint encryption
SmartCardCertCA
• Two-factor authentication
• Physical access control
• Future use-case: payment option
15
ARCHITECTURE OF OUR PKI
(CA hierarchy diagram, reconstructed from the slide layout.)
RootCA signs two intermediate CAs manually offline: InfrastructureCA and UserCA.
InfrastructureCA signs BoulderCA (PKI-CA), which issues through automation (CertBot / PKI-CLIENT), and ManualCA, which issues after manual verification.
UserCA signs UserCertCA, EndpointCertCA and SmartCardCertCA, serving users, endpoints and smart cards.
16
HIGH AVAILABILITY BOULDERCA SETUP
(Deployment diagram, reconstructed from the slide layout.)
Internal services, each running Certbot or the PKI-CLIENT, reach the BoulderCA setup (PKI-CA) through a DNS load balancer and HAProxy load balancers.
Behind the load balancers run Boulder 1, Boulder 2 ... Boulder n, each with its own Soft-HSM; the tier scales out by adding instances.
The Boulder instances share a Galera database cluster.
17
BOULDER CA INTERNAL ARCHITECTURE
Components shown in the diagram: Web Front-End, Registration Authority, Validation Authority, Certificate Authority, Storage Authority, OCSP Updater, OCSP Responder, Soft-HSM, MariaDB. The service/client runs Certbot and talks to the Web Front-End.
• Tasks split between separate components
• Standard deployment straight from GitHub: Docker containers
  • Boulder
  • MariaDB
  • Soft-HSM
18
ENVIRONMENT, TOOLS AND DESIGN PRINCIPLES
Automation and Virtualization
• Infrastructure as code
• Reproducible, automated infrastructure deployment
• Automated software deployment and configuration
Security
• End-to-end encryption of all communication
• Certificates with full chain of trust
• Automated certificate deployment
Continuous Integration
• Automatically deploy all changes to the development & production environments
Open Source Software
• Pan Net relies entirely on open source software solutions
19
WHO WE ARE
• Diverse set of skills, from PKI to automation
• 6 people from Germany, Switzerland and Latvia
• Fully embedded, working as one team
Q&A
Thank You!
Contact: Latvia.SecurityST@accenture.com

 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

The Future of PKI. Using automation tools and protocols to bootstrap trust in a dynamic environment

  • 1. The future of PKI. Using automation tools and protocols to bootstrap trust in a dynamic environment. Anton Krupskyi, October 25th, 2018
  • 2. AGENDA
    - Problem: end-to-end encryption in dynamic cloud software-defined infrastructure
    - Solution: automated certificate lifecycle management
    - Implementation: design, tools and mechanisms used
  • 3. THE SITUATION
    - Separate networks in every country
    - Individual services and products for every market
    - Traditional hardware platforms
    - Around 650 service platforms
  • 4. THE SOLUTION
    - A single unified network
    - Modular services to cater to different market requirements
    - Agile infrastructure cloud, based on virtualization and software-defined networks
    - Agile datacentres
    - End-to-end encryption
  • 5. DESIGN PRINCIPLE: END-TO-END ENCRYPTION
    - Data transmitted on networks can be intercepted
    - Agencies like the NSA and motivated criminals use surveillance technology to gain information
    - To protect ourselves and our clients, we need to use encryption
    The solution: Public Key Infrastructure
    - State-of-the-art encryption algorithms
    - End-to-end encryption between all machines
    - Trust anchors
  • 6. CORNERSTONES OF A PUBLIC KEY INFRASTRUCTURE
    Asymmetric encryption
    - Uses pairs of public and private keys.
    - A message encrypted with one key of the pair can only be decrypted with the other.
    - Users publish their public keys and keep the private key secret.
    We can think of the public key as a mailbox and the private key as the key to the mailbox.
    Trust & identity
    - A certificate links a public key to an identity.
    - The certificate is issued by an authority that we trust.
    - The certificate authority verifies the identity of the key holder before issuing the certificate.
    The mailbox now carries an ID that assures us that its owner is indeed who we want to contact.
  • 7. THE CERTIFICATE AUTHORITY AS TRUST ANCHOR
    - Encryption relies on the secrecy & trustworthiness of the key
    - Communication partners exchange public keys when establishing a connection
    - Without certificates, malicious third parties could intercept the key exchange and substitute their own key
    - A Certificate Authority provides us with the means to verify a chain of trust
    - The CA signs a server's public key after the server proves its identity
    - If we trust the CA, we can trust the website that presents the certificate, provided the chain verifies up to the trusted root and the name in the certificate matches the site we meant to reach
  • 8. AUTOMATION & CLOUD
    - Infrastructure or service owners need to enroll their services to receive a certificate
    - This is typically done in a manual verification process to prove legitimacy and ownership
    - The same process needs to be repeated periodically to renew certificates
    - This process does not scale in a cloud environment
    Challenge
    - Certificate distribution in a dynamic, highly distributed environment
    - Distribute certificates quickly to new machines when scaling out
    - Remove the need for manual certificate lifecycle management
    - Short certificate lifetimes
  • 9. AUTOMATED CERTIFICATE DISTRIBUTION
    - The CA provides certificates to services after verifying their identity
    - Using a dedicated client, a service can automate the verification and the certificate lifecycle
    - Using the client together with a configuration management tool, deployment of the client and requesting a certificate can be fully automated
    Solution
    - Challenge-response mechanism between client and CA
    - Certificate lifecycle management through an automated client
  • 10. THE ACME PROTOCOL
    - Created by the Internet Security Research Group for Let's Encrypt (later standardised as RFC 8555). Their goal: increase usage of HTTPS over HTTP by making certificates free and easy to obtain
    - Automates the interaction between the Certificate Authority and its clients: no manual steps are necessary to receive a certificate, and the certificate lifecycle is fully automated
    - Does not sacrifice security for convenience: client and server perform the necessary steps for a full domain name validation
  • 11. THE ACME PROTOCOL: Boulder CA and Certbot are the Let's Encrypt implementations of the ACME protocol
    - Boulder is a CA that implements the ACME protocol and can communicate with Certbot
    - Certbot is a client that can automatically fulfil validation challenges
    - Certbot also takes care of certificate lifecycle management
    Message flow shown in the diagram: certificate signing request, validation challenge, challenge response, signed certificate. In the protocol itself the CA only accepts the CSR for a name once the challenge for that name has been validated.
  • 12. VALIDATION CHALLENGES
    - The ACME protocol and Boulder CA offer three different ways to prove ownership of a domain
    - For all challenges, the CA provides a token
    - The token is a nonce that uniquely identifies the challenge, with at least 128 bits of entropy
    - What the client publishes is not the bare token but the key authorization: the token concatenated with a thumbprint of the client's ACME account key, so a response can only be produced by the account that requested the challenge
    HTTP challenge
    - Client creates an ad-hoc web server
    - Client places a file at a specific address on the web server (/.well-known/acme-challenge/<token>)
    - File contains the key authorization
    TLS-SNI challenge
    - Client creates a TLS server with a custom vhost
    - CA opens a TLS connection to the client and uses the SNI extension to request the custom vhost
    - Client presents a self-signed certificate carrying a value derived from the key authorization in the SAN field
    - Caveat: Let's Encrypt disabled TLS-SNI-01 in early 2018 because on shared hosting one tenant could answer challenges for other tenants' names; TLS-ALPN-01 is its replacement
    DNS challenge
    - Client provisions a TXT record for the domain at the DNS server (_acme-challenge.<domain>)
    - This record contains the base64url-encoded SHA-256 digest of the key authorization
    - Not automated at this point
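The challenge values on this slide are derived from more than the token. The Go program below is an added example written for this page, not Certbot's or Boulder's code: it computes the RFC 7638 thumbprint of the account key, the key authorization, the HTTP-01 URL and body, the DNS-01 record name and value, and the comparison a CA makes on the HTTP-01 response, and it shows that an attacker who has seen the token but holds a different account key cannot produce an acceptable answer. The account key coordinates, the token and the domain are constructed placeholders, not real key material.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// JWK holds the public members of an ACME account key as strings (RSA: e, n; EC: crv, x, y).
type JWK map[string]string

// thumbprint implements RFC 7638: serialise only the required members of the key,
// with member names in lexicographic order and no whitespace, then SHA-256,
// then base64url without padding.
func thumbprint(key JWK) (string, error) {
	var required []string
	switch key["kty"] {
	case "RSA":
		required = []string{"e", "kty", "n"}
	case "EC":
		required = []string{"crv", "kty", "x", "y"}
	default:
		return "", fmt.Errorf("unsupported key type %q", key["kty"])
	}
	canon := make(map[string]string, len(required))
	for _, m := range required {
		v, ok := key[m]
		if !ok {
			return "", fmt.Errorf("account key is missing member %q", m)
		}
		canon[m] = v
	}
	// encoding/json sorts map keys and emits no whitespace, which is exactly the
	// canonical form RFC 7638 asks for.
	b, err := json.Marshal(canon)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(b)
	return base64.RawURLEncoding.EncodeToString(sum[:]), nil
}

// keyAuthorization is the value the client publishes: token "." thumbprint(accountKey).
// The thumbprint binds the response to the account that requested the challenge,
// so observing the token on the wire is not enough to answer the challenge.
func keyAuthorization(token string, accountKey JWK) (string, error) {
	tp, err := thumbprint(accountKey)
	if err != nil {
		return "", err
	}
	return token + "." + tp, nil
}

// http01 returns the URL the CA will fetch and the exact body it expects there.
func http01(domain, token string, accountKey JWK) (url, body string, err error) {
	if body, err = keyAuthorization(token, accountKey); err != nil {
		return "", "", err
	}
	return "http://" + domain + "/.well-known/acme-challenge/" + token, body, nil
}

// dns01 returns the TXT record name and value: base64url(SHA-256(key authorization)).
func dns01(domain, token string, accountKey JWK) (name, value string, err error) {
	ka, err := keyAuthorization(token, accountKey)
	if err != nil {
		return "", "", err
	}
	sum := sha256.Sum256([]byte(ka))
	return "_acme-challenge." + domain, base64.RawURLEncoding.EncodeToString(sum[:]), nil
}

// validateHTTP01 is the CA-side comparison: the fetched body (trailing whitespace
// tolerated) must equal the key authorization for the issued token and the
// account that owns the challenge.
func validateHTTP01(body, token string, accountKey JWK) bool {
	expected, err := keyAuthorization(token, accountKey)
	if err != nil {
		return false
	}
	return strings.TrimRight(body, " \t\r\n") == expected
}

func main() {
	// Constructed sample: the coordinates are placeholders, not a real P-256 point.
	account := JWK{"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
	token := "6oGeM3xpHpTLzJbEqYqkJw" // constructed; a real CA draws at least 128 random bits
	url, body, _ := http01("svc.example.test", token, account)
	fmt.Println("HTTP-01:", url, "->", body)
	name, value, _ := dns01("svc.example.test", token, account)
	fmt.Println("DNS-01: ", name, "TXT", value)
	attacker := JWK{"kty": "EC", "crv": "P-256", "x": "attacker-x", "y": "attacker-y"}
	forged, _ := keyAuthorization(token, attacker) // attacker knows the token, not the account key
	fmt.Println("forged response accepted:", validateHTTP01(forged, token, account))
}
```

Run it with `go run`. The last line prints `false`: the CA recomputes the key authorization from its own copy of the token and the account key registered for the order, so a response built with any other key is rejected even though the token matches.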
  • 13. WHAT YOU GET
    - Transparent end-to-end encryption: every device has a private/public key pair and a certificate to identify itself
    - Automated certificate deployment: receiving a certificate is as easy as adding a few lines to the server configuration tool
    - Managed lifecycle / ease of use: the lifecycle functions of the client are also automated, removing the need for manual renewal
  • 14. USE-CASES
    - Boulder CA (PKI-CA): can perform automated validation; signs service certificates for identification and encryption
    - Manual CA: for services that do not support automation; signs service certificates for identification and encryption
    - UserCertCA: TLS client certificates for user authentication; S/MIME certificates for email encryption & signature; certificates for document/code signing
    - EndpointCertCA: 802.1X certificates for access management between devices & within the network; EFS endpoint encryption
    - SmartCardCertCA: two-factor authentication; physical access control; future use-case: payment option
  • 15. ARCHITECTURE OF OUR PKI (diagram)
    - RootCA at the top; the two intermediates InfrastructureCA and UserCA are signed manually offline
    - Issuing CAs below them: BoulderCA (PKI-CA), ManualCA, UserCertCA, EndpointCertCA, SmartCardCertCA, each marked "signed" by its intermediate
    - Automation path: BoulderCA with Certbot / PKI-CLIENT; manual verification path: ManualCA and the User, Endpoint and SmartCard certificate CAs
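The chain of trust from slide 7 and the hierarchy on this slide can be exercised end to end with Go's standard library (Boulder itself is written in Go). The program below is an added example, not the deck's or Boulder's code: it creates a self-signed RootCA, an InfrastructureCA whose path length constraint allows it to issue only end-entity certificates, and a short-lived service certificate, then verifies the chain the way a TLS client does and shows the cases a client must reject: a missing intermediate, a name that does not match the certificate, and a leaf issued under a root that is not in the trust store. The CA names come from the slide; the hostname, key type and lifetimes are my choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func serial() *big.Int { // random positive 127-bit serial, so no two certificates share one
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	must(err)
	return n.Add(n, big.NewInt(1))
}

// newCA issues a CA certificate for a fresh P-256 key. A nil parent yields the self-signed
// root; pathLen is how many CA levels may sit below this CA (0 = end-entity certificates only).
func newCA(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, pathLen int) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            pathLen,
		MaxPathLenZero:        pathLen == 0,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// newLeaf issues a short-lived server certificate; the service keeps the private key.
func newLeaf(dnsName string, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial(),
		DNSNames:     []string{dnsName}, // clients match the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(0, 0, 90), // short lifetime, renewed by automation
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// buildHierarchy mirrors the deck: offline RootCA -> InfrastructureCA -> service certificate.
// The root key is dropped on return: it signs intermediates and is never used online.
func buildHierarchy(dnsName string) (root, infra, leaf *x509.Certificate, infraKey *ecdsa.PrivateKey) {
	root, rootKey := newCA("RootCA", nil, nil, 1)
	infra, infraKey = newCA("InfrastructureCA", root, rootKey, 0)
	leaf = newLeaf(dnsName, infra, infraKey)
	return root, infra, leaf, infraKey
}

// verifyChain does what a TLS client does: build a path from the leaf through the offered
// intermediates to a trusted root, checking signatures, validity, name, basic constraints and path length.
func verifyChain(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate, dnsName string) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: dnsName})
	return err
}

func main() {
	root, infra, leaf, _ := buildHierarchy("svc.internal.test")
	fmt.Println("full chain:  ", verifyChain(leaf, []*x509.Certificate{infra}, root, "svc.internal.test"))
	fmt.Println("wrong name:  ", verifyChain(leaf, []*x509.Certificate{infra}, root, "evil.test"))
	_, rogueInfra, rogueLeaf, _ := buildHierarchy("svc.internal.test") // same names, untrusted keys
	fmt.Println("rogue issuer:", verifyChain(rogueLeaf, []*x509.Certificate{rogueInfra}, root, "svc.internal.test"))
}
```

Run it with `go run`; the first line prints `<nil>` and the other two print verification errors. The path length of 0 on InfrastructureCA is the design point: even if that online CA key is compromised, it cannot be used to mint a further CA that clients would accept, which is what keeps the offline RootCA (the only key with path length 1) as the sole place where new intermediates can be created.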
  • 16. HIGH AVAILABILITY BOULDER CA SETUP (diagram)
    - Internal services (a service with Certbot, the PKI-CLIENT) reach the PKI-CA through a DNS load balancer in front of HAProxy load balancers
    - Behind the load balancers: Boulder 1, Boulder 2 ... Boulder n, each with its own Soft-HSM; this tier scales out
    - Shared state lives in a Galera database cluster
  • 17. BOULDER CA INTERNAL ARCHITECTURE
    - Components in the diagram: Web Front-End, Registration Authority, Validation Authority, Certificate Authority, Storage Authority, OCSP Updater, OCSP Responder, backed by Soft-HSM and MariaDB; Certbot / the service client talks to the Web Front-End
    - Tasks split between separate components
    - Standard deployment straight from GitHub: Docker containers for Boulder, MariaDB and Soft-HSM
  • 18. ENVIRONMENT, TOOLS AND DESIGN PRINCIPLES
    Automation and virtualization
    - Infrastructure as code
    - Reproducible, automated infrastructure deployment
    - Automated software deployment and configuration
    Security
    - End-to-end encryption of all communication
    - Certificates with full chain of trust
    - Automated certificate deployment
    Continuous integration
    - Automatically deploy all changes to the development & production environments
    Open source software
    - Pan Net relies entirely on open source software solutions
  • 19. WHO WE ARE
    - Diverse set of skills, from PKI to automation
    - 6 people from Germany, Switzerland and Latvia
    - Fully embedded, working as one team
  • 20. Q&A. Thank you! Contact: Latvia.SecurityST@accenture.com

Editor's Notes

  1. encryption makes net better & safer traditional way is manual & complicated they made things easier for everyone & also for us high security standard – important for us
  2. In some countries, networks are still mainly public-switched-telephone-network based
  3. all sorts of technology to intercept as seen in case of google to protect against this: encryption & pki sota crypto to resist sophisticated attackers -> this is the easy part problems to solve: distribute keys, delegate trust
  4. not the same key like in symmetric crypto advantage: can keep 1 key secret mailbox example don’t put letters into wrong mailbox
  5. need to be able to trust keys key exchange could be intercepted how do we know we have the right key? delegate job of verifying to CA trust CA -> trust certificate a lot can go wrong: who has clicked "ignore error"
  6. how does CA verify identity? normally: manual process, email, 2fa, manually copy certificate repeat this at renewal does not scale need to automate and make it faster
  7. we implement solution that solves these issues and removes the need for manual management 2 components client automates lifecycle for you CA communicates with client through challenge response -> more in 2nd part
  8. encryption makes net better & safer traditional way is manual & complicated they made things easier for everyone & also for us high security standard – important for us
  9. client can be installed on any kind of machine boulder provides ssl certs implemented by let’s encrypt communicate through acme challenge-response
  10. validation proves ownership now we get technical diff challenges for diff use cases SNI is for vhosts that share same IP
  11. certificate & keys for every device fully automated & just add ansible role automated lifecycle, don’t worry about renewal