Build and Operate Your Own Certificate Management Center of Mediocrity

T.Rob Wyatt
T.Rob WyattIndependent Consultant - Messaging, IoT, Security em IoPT Consulting, LLC
How To Build And Operate A Certificate Authority Center of Mediocrity (CACOM) T.Rob Wyatt Managing Partner, IoPT Consulting 704-443-TROB (8762) t.rob@ioptconsulting.com https://ioptconsulting.com Capitalware's MQ Technical Conference v2.0.1.4
This presentation reflects… My current opinions regarding WMQ security The product itself continues to evolve (even in PTFs) Attacks only get better with time This version of the presentation is based on WebSphere MQ v7.1 & v7.5 This content will be revised over time so please be sure to check for the latest version at https://t-rob.net/links Your thoughts and ideas are welcome
What is a Certificate Authority? The role of a CA in the security model Why run your own CA? Some example CA Best Practices CA Second-Best (and lesser) Practices The CA Maturity Model Wrapping up
A disinterested 3rd party A stable, long-lived entity A pool of specialized and deep security skills An implementation of strict physical controls An implementation of strict human processes An investigatory service A revocation service Part of a consortium that provides a consistent set of well-defined services
Oh yeah… They sign certificates once in a while.
What is a Certificate Authority? The role of a CA in the security model Why run your own CA? Some example CA Best Practices CA Second-Best (and lesser) Practices The CA Maturity Model Wrapping up
First need to understand the certificate. Bound to An identity A key Pair = A certificate
First need to understand the certificate. The identity and key are bound using a cryptographic Identity Bound to Key Pair = Certificate signature.
First need to understand the certificate. Self-signed means that the key in the certificate is the same one used to sign the Identity Bound to Key Pair = Certificate certificate.
First need to understand the certificate. Special Note: Self-signed does NOT mean “signed with our internal CA.” Self-signed has a specific technical meaning describing the relationship between the identity and the key used to bind it. Identity Bound to Key Pair = Certificate
First need to understand the certificate. When the certificate is signed by an external key, it is Identity Bound to Key Pair = Certificate said to be CA-signed.
Signs the certificate. Validates the claimed identity. Enforce policy on the Distinguished Name fields. Ensures unique names within its namespace. Provides revocation services. Maintains key lifecycle for root, intermediate and signed certificates. Disinterested 3rd party provides bilateral trust.
Relying parties typically need much less security than the CA. Generate the cert signing requests securely. Review and approve requests at the CA. Keep the keystore files private. Most of the heavy lifting is offloaded to the CA.
What is a Certificate Authority? The role of a CA in the security model Why run your own CA? Some example CA Best Practices CA Second-Best (and lesser) Practices The CA Maturity Model Wrapping up
Cost savings. Convenience. The trick is to fully account for all of the service and security provided by the CA. Replacing those services internally is expensive. Omitting them is dangerous. How do you find the balance?
What is a Certificate Authority? The role of a CA in the security model Why run your own CA? Some example CA Best Practices CA Second-Best (and lesser) Practices The CA Maturity Model Wrapping up
SAS70 key ceremony used to generate roots. Root certs stored in an offline HSM. Dual-knowledge access controls for roots. Multiple intermediate signers. Secure, robust provisioning process for certs and revocation entries. Highly available and separate provisioning and revocation infrastructure.
ISO 21188:2006 Public key infrastructure for financial services – Practices and policy framework ETSI TS 101 456 v1.2.1 ETSI TS 102 042 V1.1.1 Webtrust Program For Certification Authorities
What is a Certificate Authority? The role of a CA in the security model Why run your own CA? Some example CA Best Practices CA Second-Best (and lesser) Practices The CA Maturity Model Wrapping up
To run a true Center of Mediocrity, one must first determine which CA Best Practices to omit. The quickest way to begin is to omit all of them right off the bat. Then add back in those that give the appearance of security at little or no cost. The CACOM is your BFF. Once you have it, you’ll never get the money to build a CACOE. Why? Because what we have seems to work just fine.
The stories you are about to hear are true. Only the names have been changed to protect the (not so) innocent. My name is T.Rob. I carry a laptop.
All of the items in the following pages were observed in Production somewhere. Banking, finance, insurance, healthcare, govt. These are your vendors!
Build and Operate Your Own Certificate Management Center of Mediocrity
Hundreds of thousands of entries explain which commands to issue in order to “set up a Certificate Authority.” Try to find even one that tells you the commands and describes some of the physical and procedural controls commercial CAs use and why running an internal CA without these controls is a bad idea.
Hardware Security Modules are so expensive! And vaults? Don’t even go there! Most CACOM’s today store the root cert on an administrator’s workstation or laptop. If you start out this way, eventually moving it to a server in a locked datacenter will appear very secure by comparison and nobody will ask about an HSM, a vault or a key signing ceremony. Booyah!
Certificate provisioning and revocation must be highly available to support critical business apps. So if the CA is run off of administrator’s workstations, it stands to reason that each administrator must be able to manage certs independently. Give each admin their own copy of the root cert. Or if a central server is used, give a copy of the root to each admin for emergencies.
Intermediate signers provide classes of service, isolation, higher security for the root cert, etc. But someone has to manage those things, and we do that with Notepad. We plan to evaluate several PKI products someday and we will start using intermediate certs then.
Certificate extensions can specify policies that control the ways that a certificate can be used. Understanding and checking certificate policies requires deep skill. Certs with no policies set can be used for many purposes, such as encryption, code signing or signing other certificates. These are very versatile. What could go wrong?
Security certified administrators who understand X.509 certificates, TLS/SSL and all of the PKCS standards are expensive! Formally building skills in house is less expensive, but takes time. Fortunately, your average administrator can pick up all they need to know with a few Google searches! Certifications and formal training are SO overrated, right?
A certificate represents an identity. Because the Center of Mediocrity is concerned mainly with cost, it is common to re-use the same personal certificate across multiple, even unrelated, systems. A QMgr is a QMgr is a QMgr, right? Generate a single cert called QMgr and be done with it.
Anyone who can read the configuration files and keystores can use your personal cert. Fortunately, only authorized admins ever have access to the filesystem in a CACOM so filesystem controls are redundant. What’s that you say? Layered defense is good? Not when aspiring to mediocrity!
Credentials need to be both provisioned and revoked. Sometimes they need to be revoked prior to their natural expiry. A primary characteristic of a mediocre CA is that a revocation responder service is planned for later. A revocation service that is not highly available is just as bad, possibly worse.
Ideally, personal certs are generated where they will be used and not moved. Central management and key backup is possible but difficult to do securely. In a CACOM, centrally generated certs are distributed over FTP, email, shared drives, etc.
Sometimes it isn’t your CA that places you at risk, but rather your business partner’s CA. A CACOM will assume the partner’s certificates are trustworthy without question. The next slides are examples of this.
The root cert is the thing that controls who can bind an identity to a key pair. Any trusted root can generate a cert claiming any identity. Now that the internal CE Center of Mediocrity has become so popular, you will have occasion to trust the internal root CA certificates of your business partners. Go ahead and drop these right into the trust store. What could go wrong?
If you are using AMS with Privacy (encryption) then you will need to trust the personal cert of the app, user or business partner. A commercial CA will have set the IsCA=No and PathLength=0 flags to ensure that personal certificates cannot also sign other certificates. The typical CACOM does not know or care about such things and will place any certificate from any source into the trust store. What could go wrong?
What is a Certificate Authority? The role of a CA in the security model Why run your own CA? Some example CA Best Practices CA Second-Best (and lesser) Practices The CA Maturity Model Wrapping up
Baseline S e c u r i t y L e v e l Skill Level Best!
Baseline S e c u r i t y L e v e l Skill Level Best! Worse than doing nothing
Possibly, yes! Because… • People take more risks when they believe it is safe to do so. • Poor implementation can make it easier Baseline S e c u r i t y L e v e l • You rarely get a second chance to implement security. Skill Level Best! to break in. Wore than doing nothing
What is a Certificate Authority? The role of a CA in the security model Why run your own CA? Some example CA Best Practices CA Second-Best (and lesser) Practices The CA Maturity Model Wrapping up
Running a robust internal CA is expensive. Can be cost justified, given enough certs. Cost savings almost always correspond to some loss of effective security. Know what you are omitting and the offsetting risk. Deep skill is essential! Formal training is highly recommended. Beware of other people’s CACOM!
Capitalware's MQ Technical Conference v2.0.1.4 Questions & Answers
Thank you! T.Rob Wyatt Managing Partner, IoPT Consulting 704-443-TROB (8762) t.rob@ioptconsulting.com https://ioptconsulting.com
1 de 44

Build and Operate Your Own Certificate Management Center of Mediocrity

Baixar para ler offline
Tecnologia

Building and operating a robust internal Certificate Authority is difficult and expensive. Fortunately, building a Certificate Authority Center of Mediocrity (CACOM) is *much* cheaper, and can be done in your spare time. Follow these instructions to create your own CACOM or to discover if you already have one.

T.Rob Wyatt
T.Rob WyattIndependent Consultant - Messaging, IoT, Security em IoPT Consulting, LLC

Recomendados

Getting Started with Cognito User Pools - September Webinar Series por
Getting Started with Cognito User Pools - September Webinar SeriesGetting Started with Cognito User Pools - September Webinar Series
Getting Started with Cognito User Pools - September Webinar SeriesAmazon Web Services
7.8K visualizações33 slides
AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for ... por
AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for ...AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for ...
AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for ...Amazon Web Services
4.7K visualizações46 slides
Detecting modern PowerShell attacks with SIEM por
Detecting modern PowerShell attacks with SIEMDetecting modern PowerShell attacks with SIEM
Detecting modern PowerShell attacks with SIEMJustin Henderson
1.8K visualizações27 slides
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A... por
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Christian Schneider
1.5K visualizações59 slides
Automatically Renew Certificated In Your Kubernetes Cluster por
Automatically Renew Certificated In Your Kubernetes ClusterAutomatically Renew Certificated In Your Kubernetes Cluster
Automatically Renew Certificated In Your Kubernetes ClusterHungWei Chiu
2K visualizações26 slides
Protecting Your Data With AWS KMS and AWS CloudHSM por
Protecting Your Data With AWS KMS and AWS CloudHSM Protecting Your Data With AWS KMS and AWS CloudHSM
Protecting Your Data With AWS KMS and AWS CloudHSM Amazon Web Services
22.1K visualizações34 slides

Mais conteúdo relacionado

Mais procurados

(DVO304) AWS CloudFormation Best Practices por
(DVO304) AWS CloudFormation Best Practices(DVO304) AWS CloudFormation Best Practices
(DVO304) AWS CloudFormation Best PracticesAmazon Web Services
14.2K visualizações36 slides
Ace Up the Sleeve por
Ace Up the SleeveAce Up the Sleeve
Ace Up the SleeveWill Schroeder
23.7K visualizações60 slides
TLS_SSL-with-cert-manager por
TLS_SSL-with-cert-managerTLS_SSL-with-cert-manager
TLS_SSL-with-cert-managerKnoldus Inc.
130 visualizações10 slides
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub... por
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...Andrey Devyatkin
84 visualizações31 slides
Threat Modeling workshop by Robert Hurlbut por
Threat Modeling workshop by Robert HurlbutThreat Modeling workshop by Robert Hurlbut
Threat Modeling workshop by Robert HurlbutDevSecCon
2.4K visualizações80 slides
Speed and Reliability at Any Scale: Amazon SQS and Database Services (SVC206)... por
Speed and Reliability at Any Scale: Amazon SQS and Database Services (SVC206)...Speed and Reliability at Any Scale: Amazon SQS and Database Services (SVC206)...
Speed and Reliability at Any Scale: Amazon SQS and Database Services (SVC206)...Amazon Web Services
10.7K visualizações74 slides

Mais procurados(20)

(DVO304) AWS CloudFormation Best Practices por Amazon Web Services
(DVO304) AWS CloudFormation Best Practices(DVO304) AWS CloudFormation Best Practices
(DVO304) AWS CloudFormation Best Practices
Amazon Web Services14.2K visualizações
Ace Up the Sleeve por Will Schroeder
Ace Up the SleeveAce Up the Sleeve
Ace Up the Sleeve
Will Schroeder23.7K visualizações
TLS_SSL-with-cert-manager por Knoldus Inc.
TLS_SSL-with-cert-managerTLS_SSL-with-cert-manager
TLS_SSL-with-cert-manager
Knoldus Inc.130 visualizações
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub... por Andrey Devyatkin
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
Andrey Devyatkin84 visualizações
Threat Modeling workshop by Robert Hurlbut por DevSecCon
Threat Modeling workshop by Robert HurlbutThreat Modeling workshop by Robert Hurlbut
Threat Modeling workshop by Robert Hurlbut
DevSecCon2.4K visualizações
Speed and Reliability at Any Scale: Amazon SQS and Database Services (SVC206)... por Amazon Web Services
Speed and Reliability at Any Scale: Amazon SQS and Database Services (SVC206)...Speed and Reliability at Any Scale: Amazon SQS and Database Services (SVC206)...
Speed and Reliability at Any Scale: Amazon SQS and Database Services (SVC206)...
Amazon Web Services10.7K visualizações
SEC599 - Breaking The Kill Chain por Erik Van Buggenhout
SEC599 - Breaking The Kill ChainSEC599 - Breaking The Kill Chain
SEC599 - Breaking The Kill Chain
Erik Van Buggenhout1.7K visualizações
Data Protection in Transit and at Rest por Amazon Web Services
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at Rest
Amazon Web Services1.5K visualizações
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica... por Edureka!
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...
Edureka!876 visualizações
AWS AutoScaling por Mahesh Raj
AWS AutoScalingAWS AutoScaling
AWS AutoScaling
Mahesh Raj559 visualizações
Secure Coding 101 - OWASP University of Ottawa Workshop por Paul Ionescu
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu902 visualizações
Azure Automation and Update Management por Udaiappa Ramachandran
Azure Automation and Update ManagementAzure Automation and Update Management
Azure Automation and Update Management
Udaiappa Ramachandran510 visualizações
Thick Application Penetration Testing: Crash Course por Scott Sutherland
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
Scott Sutherland16.7K visualizações
Cloud Security Architecture.pptx por Moshe Ferber
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptx
Moshe Ferber601 visualizações
Adversary Emulation using CALDERA por Erik Van Buggenhout
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERA
Erik Van Buggenhout7.8K visualizações
Cybersecurity domains-map-3.0 por Oscar Ferreira
Cybersecurity domains-map-3.0Cybersecurity domains-map-3.0
Cybersecurity domains-map-3.0
Oscar Ferreira836 visualizações
Red Team Methodology - A Naked Look por Jason Lang
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
Jason Lang14.7K visualizações
Kubernetes and container security por Volodymyr Shynkar
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
Volodymyr Shynkar2.5K visualizações
Palestra Medindo seu nível de Visibilidade e Detecção usando ATT&CK e DeTT&CT por Tenchi Security
Palestra Medindo seu nível de Visibilidade e Detecção usando ATT&CK e DeTT&CTPalestra Medindo seu nível de Visibilidade e Detecção usando ATT&CK e DeTT&CT
Palestra Medindo seu nível de Visibilidade e Detecção usando ATT&CK e DeTT&CT
Tenchi Security927 visualizações
Docker Networking Deep Dive por Docker, Inc.
Docker Networking Deep DiveDocker Networking Deep Dive
Docker Networking Deep Dive
Docker, Inc.17.5K visualizações

Destaque

Let’s Get Cirrus About Personal Clouds por
Let’s Get Cirrus About Personal CloudsLet’s Get Cirrus About Personal Clouds
Let’s Get Cirrus About Personal CloudsT.Rob Wyatt
1.9K visualizações23 slides
WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows por
WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows
WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows T.Rob Wyatt
4.6K visualizações35 slides
What I did on my summer vacation (in Hursley) por
What I did on my summer vacation (in Hursley)What I did on my summer vacation (in Hursley)
What I did on my summer vacation (in Hursley)T.Rob Wyatt
1.7K visualizações20 slides
IBM MQ V8 Security por
IBM MQ V8 SecurityIBM MQ V8 Security
IBM MQ V8 SecurityMorag Hughson
3.4K visualizações67 slides
WebSphere MQ CHLAUTH - including V8 changes por
WebSphere MQ CHLAUTH - including V8 changesWebSphere MQ CHLAUTH - including V8 changes
WebSphere MQ CHLAUTH - including V8 changesMorag Hughson
12.7K visualizações63 slides
IBM MQ CONNAUTH/CHLAUTH Doesn't Work Like You Think it Does (and if you aren'... por
IBM MQ CONNAUTH/CHLAUTH Doesn't Work Like You Think it Does (and if you aren'...IBM MQ CONNAUTH/CHLAUTH Doesn't Work Like You Think it Does (and if you aren'...
IBM MQ CONNAUTH/CHLAUTH Doesn't Work Like You Think it Does (and if you aren'...T.Rob Wyatt
3.6K visualizações28 slides

Destaque(8)

Let’s Get Cirrus About Personal Clouds por T.Rob Wyatt
Let’s Get Cirrus About Personal CloudsLet’s Get Cirrus About Personal Clouds
Let’s Get Cirrus About Personal Clouds
T.Rob Wyatt1.9K visualizações
WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows por T.Rob Wyatt
WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows
WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows
T.Rob Wyatt4.6K visualizações
What I did on my summer vacation (in Hursley) por T.Rob Wyatt
What I did on my summer vacation (in Hursley)What I did on my summer vacation (in Hursley)
What I did on my summer vacation (in Hursley)
T.Rob Wyatt1.7K visualizações
IBM MQ V8 Security por Morag Hughson
IBM MQ V8 SecurityIBM MQ V8 Security
IBM MQ V8 Security
Morag Hughson3.4K visualizações
WebSphere MQ CHLAUTH - including V8 changes por Morag Hughson
WebSphere MQ CHLAUTH - including V8 changesWebSphere MQ CHLAUTH - including V8 changes
WebSphere MQ CHLAUTH - including V8 changes
Morag Hughson12.7K visualizações
IBM MQ CONNAUTH/CHLAUTH Doesn't Work Like You Think it Does (and if you aren'... por T.Rob Wyatt
IBM MQ CONNAUTH/CHLAUTH Doesn't Work Like You Think it Does (and if you aren'...IBM MQ CONNAUTH/CHLAUTH Doesn't Work Like You Think it Does (and if you aren'...
IBM MQ CONNAUTH/CHLAUTH Doesn't Work Like You Think it Does (and if you aren'...
T.Rob Wyatt3.6K visualizações
IBM MQ v8 and JMS 2.0 por Matthew White
IBM MQ v8 and JMS 2.0IBM MQ v8 and JMS 2.0
IBM MQ v8 and JMS 2.0
Matthew White4.9K visualizações
IBM WebSphere MQ V8 Security Features: Deep Dive por Morag Hughson
IBM WebSphere MQ V8 Security Features: Deep DiveIBM WebSphere MQ V8 Security Features: Deep Dive
IBM WebSphere MQ V8 Security Features: Deep Dive
Morag Hughson21.8K visualizações

Similar a Build and Operate Your Own Certificate Management Center of Mediocrity

The Hidden Costs of SelfSigned SSL Certificates por
The Hidden Costs of SelfSigned SSL Certificates The Hidden Costs of SelfSigned SSL Certificates
The Hidden Costs of SelfSigned SSL Certificates RapidSSLOnline.com
244 visualizações6 slides
The Hidden Costs of Self-Signed SSL Certificates por
The Hidden Costs of Self-Signed SSL CertificatesThe Hidden Costs of Self-Signed SSL Certificates
The Hidden Costs of Self-Signed SSL CertificatesCheapSSLsecurity
264 visualizações6 slides
Easing the Pains of Certificate Management por
Easing the Pains of Certificate ManagementEasing the Pains of Certificate Management
Easing the Pains of Certificate ManagementEntrust Datacard
593 visualizações15 slides
Impact of digital certificate in network security por
Impact of digital certificate in network securityImpact of digital certificate in network security
Impact of digital certificate in network securityrhassan84
677 visualizações38 slides
Impact of digital certificate in network security por
Impact of digital certificate in network securityImpact of digital certificate in network security
Impact of digital certificate in network securityrhassan84
1.6K visualizações38 slides
Certificate Management Made Easy por
Certificate Management Made EasyCertificate Management Made Easy
Certificate Management Made EasyJason Newell
103 visualizações2 slides

Similar a Build and Operate Your Own Certificate Management Center of Mediocrity(20)

The Hidden Costs of SelfSigned SSL Certificates por RapidSSLOnline.com
The Hidden Costs of SelfSigned SSL Certificates The Hidden Costs of SelfSigned SSL Certificates
The Hidden Costs of SelfSigned SSL Certificates
RapidSSLOnline.com244 visualizações
The Hidden Costs of Self-Signed SSL Certificates por CheapSSLsecurity
The Hidden Costs of Self-Signed SSL CertificatesThe Hidden Costs of Self-Signed SSL Certificates
The Hidden Costs of Self-Signed SSL Certificates
CheapSSLsecurity264 visualizações
Easing the Pains of Certificate Management por Entrust Datacard
Easing the Pains of Certificate ManagementEasing the Pains of Certificate Management
Easing the Pains of Certificate Management
Entrust Datacard593 visualizações
Impact of digital certificate in network security por rhassan84
Impact of digital certificate in network securityImpact of digital certificate in network security
Impact of digital certificate in network security
rhassan84677 visualizações
Impact of digital certificate in network security por rhassan84
Impact of digital certificate in network securityImpact of digital certificate in network security
Impact of digital certificate in network security
rhassan841.6K visualizações
Certificate Management Made Easy por Jason Newell
Certificate Management Made EasyCertificate Management Made Easy
Certificate Management Made Easy
Jason Newell103 visualizações
Is web security part of your annual security audit por Dianne Douglas
Is web security part of your annual security auditIs web security part of your annual security audit
Is web security part of your annual security audit
Dianne Douglas147 visualizações
Alternatives to Certificate Authorities for a Secure Web por CASCouncil
Alternatives to Certificate Authorities for a Secure WebAlternatives to Certificate Authorities for a Secure Web
Alternatives to Certificate Authorities for a Secure Web
CASCouncil2.2K visualizações
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services por kieranjacobsen
Infrastructure Saturday 2011 - Understanding PKI and Certificate ServicesInfrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
kieranjacobsen4.5K visualizações
TierPoint White Paper_With all due diligence_2015 por sllongo3
TierPoint White Paper_With all due diligence_2015TierPoint White Paper_With all due diligence_2015
TierPoint White Paper_With all due diligence_2015
sllongo3230 visualizações
With-All-Due-Diligence20150330 por Jim Kramer
With-All-Due-Diligence20150330With-All-Due-Diligence20150330
With-All-Due-Diligence20150330
Jim Kramer150 visualizações
Certificate Pinning in Mobile Applications por Luca Bongiorni
Certificate Pinning in Mobile ApplicationsCertificate Pinning in Mobile Applications
Certificate Pinning in Mobile Applications
Luca Bongiorni6.1K visualizações
Understanding SSL Certificate for Apps by Symantec por CheapSSLsecurity
Understanding SSL Certificate for Apps by SymantecUnderstanding SSL Certificate for Apps by Symantec
Understanding SSL Certificate for Apps by Symantec
CheapSSLsecurity485 visualizações
Digital certificate management v1 (Draft) por Avirot Mitamura
Digital certificate management v1 (Draft)Digital certificate management v1 (Draft)
Digital certificate management v1 (Draft)
Avirot Mitamura1.5K visualizações
Tech t18 por SelectedPresentations
Tech t18Tech t18
Tech t18
SelectedPresentations198 visualizações
CCM_WP-9-8-16-v10__MT_GP_Final por Greg Posten
CCM_WP-9-8-16-v10__MT_GP_FinalCCM_WP-9-8-16-v10__MT_GP_Final
CCM_WP-9-8-16-v10__MT_GP_Final
Greg Posten81 visualizações
Lotusphere 2011 SHOW104 por WorkFlowStudios
Lotusphere 2011 SHOW104Lotusphere 2011 SHOW104
Lotusphere 2011 SHOW104
WorkFlowStudios3.2K visualizações
Finding Security a Home in a DevOps World por Shannon Lietz
Finding Security a Home in a DevOps WorldFinding Security a Home in a DevOps World
Finding Security a Home in a DevOps World
Shannon Lietz450 visualizações
A Complete RapidSSL Guide on Securing Online Business with SSL Certificate por RapidSSLOnline.com
A Complete RapidSSL Guide on Securing Online Business with SSL CertificateA Complete RapidSSL Guide on Securing Online Business with SSL Certificate
A Complete RapidSSL Guide on Securing Online Business with SSL Certificate
RapidSSLOnline.com296 visualizações
What's in Blockchain For Chartered Accountants por ABHISHEK JAIN
What's in Blockchain For Chartered AccountantsWhat's in Blockchain For Chartered Accountants
What's in Blockchain For Chartered Accountants
ABHISHEK JAIN204 visualizações

Último

TouchLog: Finger Micro Gesture Recognition Using Photo-Reflective Sensors por
TouchLog: Finger Micro Gesture Recognition Using Photo-Reflective SensorsTouchLog: Finger Micro Gesture Recognition Using Photo-Reflective Sensors
TouchLog: Finger Micro Gesture Recognition Using Photo-Reflective Sensorssugiuralab
15 visualizações15 slides
20231123_Camunda Meetup Vienna.pdf por
20231123_Camunda Meetup Vienna.pdf20231123_Camunda Meetup Vienna.pdf
20231123_Camunda Meetup Vienna.pdfPhactum Softwareentwicklung GmbH
28 visualizações73 slides
RADIUS-Omnichannel Interaction System por
RADIUS-Omnichannel Interaction SystemRADIUS-Omnichannel Interaction System
RADIUS-Omnichannel Interaction SystemRADIUS
15 visualizações21 slides
Future of Learning - Yap Aye Wee.pdf por
Future of Learning - Yap Aye Wee.pdfFuture of Learning - Yap Aye Wee.pdf
Future of Learning - Yap Aye Wee.pdfNUS-ISS
41 visualizações11 slides
How the World's Leading Independent Automotive Distributor is Reinventing Its... por
How the World's Leading Independent Automotive Distributor is Reinventing Its...How the World's Leading Independent Automotive Distributor is Reinventing Its...
How the World's Leading Independent Automotive Distributor is Reinventing Its...NUS-ISS
15 visualizações25 slides
The Importance of Cybersecurity for Digital Transformation por
The Importance of Cybersecurity for Digital TransformationThe Importance of Cybersecurity for Digital Transformation
The Importance of Cybersecurity for Digital TransformationNUS-ISS
27 visualizações26 slides

Último(20)

TouchLog: Finger Micro Gesture Recognition Using Photo-Reflective Sensors por sugiuralab
TouchLog: Finger Micro Gesture Recognition Using Photo-Reflective SensorsTouchLog: Finger Micro Gesture Recognition Using Photo-Reflective Sensors
TouchLog: Finger Micro Gesture Recognition Using Photo-Reflective Sensors
sugiuralab15 visualizações
20231123_Camunda Meetup Vienna.pdf por Phactum Softwareentwicklung GmbH
20231123_Camunda Meetup Vienna.pdf20231123_Camunda Meetup Vienna.pdf
20231123_Camunda Meetup Vienna.pdf
Phactum Softwareentwicklung GmbH28 visualizações
RADIUS-Omnichannel Interaction System por RADIUS
RADIUS-Omnichannel Interaction SystemRADIUS-Omnichannel Interaction System
RADIUS-Omnichannel Interaction System
RADIUS15 visualizações
Future of Learning - Yap Aye Wee.pdf por NUS-ISS
Future of Learning - Yap Aye Wee.pdfFuture of Learning - Yap Aye Wee.pdf
Future of Learning - Yap Aye Wee.pdf
NUS-ISS41 visualizações
How the World's Leading Independent Automotive Distributor is Reinventing Its... por NUS-ISS
How the World's Leading Independent Automotive Distributor is Reinventing Its...How the World's Leading Independent Automotive Distributor is Reinventing Its...
How the World's Leading Independent Automotive Distributor is Reinventing Its...
NUS-ISS15 visualizações
The Importance of Cybersecurity for Digital Transformation por NUS-ISS
The Importance of Cybersecurity for Digital TransformationThe Importance of Cybersecurity for Digital Transformation
The Importance of Cybersecurity for Digital Transformation
NUS-ISS27 visualizações
Combining Orchestration and Choreography for a Clean Architecture por ThomasHeinrichs1
Combining Orchestration and Choreography for a Clean ArchitectureCombining Orchestration and Choreography for a Clean Architecture
Combining Orchestration and Choreography for a Clean Architecture
ThomasHeinrichs169 visualizações
DALI Basics Course 2023 por Ivory Egg
DALI Basics Course 2023DALI Basics Course 2023
DALI Basics Course 2023
Ivory Egg14 visualizações
Report 2030 Digital Decade por Massimo Talia
Report 2030 Digital DecadeReport 2030 Digital Decade
Report 2030 Digital Decade
Massimo Talia14 visualizações
How to reduce cold starts for Java Serverless applications in AWS at JCON Wor... por Vadym Kazulkin
How to reduce cold starts for Java Serverless applications in AWS at JCON Wor...How to reduce cold starts for Java Serverless applications in AWS at JCON Wor...
How to reduce cold starts for Java Serverless applications in AWS at JCON Wor...
Vadym Kazulkin75 visualizações
SAP Automation Using Bar Code and FIORI.pdf por Virendra Rai, PMP
SAP Automation Using Bar Code and FIORI.pdfSAP Automation Using Bar Code and FIORI.pdf
SAP Automation Using Bar Code and FIORI.pdf
Virendra Rai, PMP19 visualizações
Understanding GenAI/LLM and What is Google Offering - Felix Goh por NUS-ISS
Understanding GenAI/LLM and What is Google Offering - Felix GohUnderstanding GenAI/LLM and What is Google Offering - Felix Goh
Understanding GenAI/LLM and What is Google Offering - Felix Goh
NUS-ISS41 visualizações
Attacking IoT Devices from a Web Perspective - Linux Day por Simone Onofri
Attacking IoT Devices from a Web Perspective - Linux Day Attacking IoT Devices from a Web Perspective - Linux Day
Attacking IoT Devices from a Web Perspective - Linux Day
Simone Onofri15 visualizações
The details of description: Techniques, tips, and tangents on alternative tex... por BookNet Canada
The details of description: Techniques, tips, and tangents on alternative tex...The details of description: Techniques, tips, and tangents on alternative tex...
The details of description: Techniques, tips, and tangents on alternative tex...
BookNet Canada121 visualizações
Business Analyst Series 2023 - Week 3 Session 5 por DianaGray10
Business Analyst Series 2023 - Week 3 Session 5Business Analyst Series 2023 - Week 3 Session 5
Business Analyst Series 2023 - Week 3 Session 5
DianaGray10209 visualizações
The Research Portal of Catalonia: Growing more (information) & more (services) por CSUC - Consorci de Serveis Universitaris de Catalunya
The Research Portal of Catalonia: Growing more (information) & more (services)The Research Portal of Catalonia: Growing more (information) & more (services)
The Research Portal of Catalonia: Growing more (information) & more (services)
CSUC - Consorci de Serveis Universitaris de Catalunya73 visualizações
Architecting CX Measurement Frameworks and Ensuring CX Metrics are fit for Pu... por NUS-ISS
Architecting CX Measurement Frameworks and Ensuring CX Metrics are fit for Pu...Architecting CX Measurement Frameworks and Ensuring CX Metrics are fit for Pu...
Architecting CX Measurement Frameworks and Ensuring CX Metrics are fit for Pu...
NUS-ISS37 visualizações
handbook for web 3 adoption.pdf por Liveplex
handbook for web 3 adoption.pdfhandbook for web 3 adoption.pdf
handbook for web 3 adoption.pdf
Liveplex19 visualizações
AI: mind, matter, meaning, metaphors, being, becoming, life values por Twain Liu 刘秋艳
AI: mind, matter, meaning, metaphors, being, becoming, life valuesAI: mind, matter, meaning, metaphors, being, becoming, life values
AI: mind, matter, meaning, metaphors, being, becoming, life values
Twain Liu 刘秋艳35 visualizações
Igniting Next Level Productivity with AI-Infused Data Integration Workflows por Safe Software
Igniting Next Level Productivity with AI-Infused Data Integration Workflows Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Safe Software225 visualizações

Build and Operate Your Own Certificate Management Center of Mediocrity

  • 1. How To Build And Operate A Certificate Authority Center of Mediocrity (CACOM) T.Rob Wyatt Managing Partner, IoPT Consulting 704-443-TROB (8762) t.rob@ioptconsulting.com https://ioptconsulting.com Capitalware's MQ Technical Conference v2.0.1.4
  • 2. This presentation reflects… My current opinions regarding WMQ security The product itself continues to evolve (even in PTFs) Attacks only get better with time This version of the presentation is based on WebSphere MQ v7.1 & v7.5 This content will be revised over time so please be sure to check for the latest version at https://t-rob.net/links Your thoughts and ideas are welcome
  • 3. What is a Certificate Authority? The role of a CA in the security model Why run your own CA? Some example CA Best Practices CA Second-Best (and lesser) Practices The CA Maturity Model Wrapping up
  • 4. A disinterested 3rd party A stable, long-lived entity A pool of specialized and deep security skills An implementation of strict physical controls An implementation of strict human processes An investigatory service A revocation service Part of a consortium that provides a consistent set of well-defined services
  • 5. Oh yeah… They sign certificates once in a while.
  • 6. What is a Certificate Authority? The role of a CA in the security model Why run your own CA? Some example CA Best Practices CA Second-Best (and lesser) Practices The CA Maturity Model Wrapping up
  • 7. First need to understand the certificate. Bound to An identity A key Pair = A certificate
  • 8. First need to understand the certificate. The identity and key are bound using a cryptographic Identity Bound to Key Pair = Certificate signature.
  • 9. First need to understand the certificate. Self-signed means that the key in the certificate is the same one used to sign the Identity Bound to Key Pair = Certificate certificate.
  • 10. First need to understand the certificate. Special Note: Self-signed does NOT mean “signed with our internal CA.” Self-signed has a specific technical meaning describing the relationship between the identity and the key used to bind it. Identity Bound to Key Pair = Certificate
  • 11. First need to understand the certificate. When the certificate is signed by an external key, it is Identity Bound to Key Pair = Certificate said to be CA-signed.
  • 12. Signs the certificate. Validates the claimed identity. Enforce policy on the Distinguished Name fields. Ensures unique names within its namespace. Provides revocation services. Maintains key lifecycle for root, intermediate and signed certificates. Disinterested 3rd party provides bilateral trust.
  • 13. Relying parties typically need much less security than the CA. Generate the cert signing requests securely. Review and approve requests at the CA. Keep the keystore files private. Most of the heavy lifting is offloaded to the CA.
  • 14. What is a Certificate Authority? The role of a CA in the security model Why run your own CA? Some example CA Best Practices CA Second-Best (and lesser) Practices The CA Maturity Model Wrapping up
  • 15. Cost savings. Convenience. The trick is to fully account for all of the service and security provided by the CA. Replacing those services internally is expensive. Omitting them is dangerous. How do you find the balance?
  • 16. What is a Certificate Authority? The role of a CA in the security model Why run your own CA? Some example CA Best Practices CA Second-Best (and lesser) Practices The CA Maturity Model Wrapping up
  • 17. SAS70 key ceremony used to generate roots. Root certs stored in an offline HSM. Dual-knowledge access controls for roots. Multiple intermediate signers. Secure, robust provisioning process for certs and revocation entries. Highly available and separate provisioning and revocation infrastructure.
  • 18. ISO 21188:2006 Public key infrastructure for financial services – Practices and policy framework ETSI TS 101 456 v1.2.1 ETSI TS 102 042 V1.1.1 Webtrust Program For Certification Authorities
  • 19. What is a Certificate Authority? The role of a CA in the security model Why run your own CA? Some example CA Best Practices CA Second-Best (and lesser) Practices The CA Maturity Model Wrapping up
  • 20. To run a true Center of Mediocrity, one must first determine which CA Best Practices to omit. The quickest way to begin is to omit all of them right off the bat. Then add back in those that give the appearance of security at little or no cost. The CACOM is your BFF. Once you have it, you’ll never get the money to build a CACOE. Why? Because what we have seems to work just fine.
  • 21. The stories you are about to hear are true. Only the names have been changed to protect the (not so) innocent. My name is T.Rob. I carry a laptop.
  • 22. All of the items in the following pages were observed in Production somewhere. Banking, finance, insurance, healthcare, govt. These are your vendors!
  • 24. Hundreds of thousands of entries explain which commands to issue in order to “set up a Certificate Authority.” Try to find even one that tells you the commands and describes some of the physical and procedural controls commercial CAs use and why running an internal CA without these controls is a bad idea.
  • 25. Hardware Security Modules are so expensive! And vaults? Don’t even go there! Most CACOM’s today store the root cert on an administrator’s workstation or laptop. If you start out this way, eventually moving it to a server in a locked datacenter will appear very secure by comparison and nobody will ask about an HSM, a vault or a key signing ceremony. Booyah!
  • 26. Certificate provisioning and revocation must be highly available to support critical business apps. So if the CA is run off of administrator’s workstations, it stands to reason that each administrator must be able to manage certs independently. Give each admin their own copy of the root cert. Or if a central server is used, give a copy of the root to each admin for emergencies.
  • 27. Intermediate signers provide classes of service, isolation, higher security for the root cert, etc. But someone has to manage those things, and we do that with Notepad. We plan to evaluate several PKI products someday and we will start using intermediate certs then.
  • 28. Certificate extensions can specify policies that control the ways that a certificate can be used. Understanding and checking certificate policies requires deep skill. Certs with no policies set can be used for many purposes, such as encryption, code signing or signing other certificates. These are very versatile. What could go wrong?
  • 29. Security certified administrators who understand X.509 certificates, TLS/SSL and all of the PKCS standards are expensive! Formally building skills in house is less expensive, but takes time. Fortunately, your average administrator can pick up all they need to know with a few Google searches! Certifications and formal training are SO overrated, right?
  • 30. A certificate represents an identity. Because the Center of Mediocrity is concerned mainly with cost, it is common to re-use the same personal certificate across multiple, even unrelated, systems. A QMgr is a QMgr is a QMgr, right? Generate a single cert called QMgr and be done with it.
  • 31. Anyone who can read the configuration files and keystores can use your personal cert. Fortunately, only authorized admins ever have access to the filesystem in a CACOM so filesystem controls are redundant. What’s that you say? Layered defense is good? Not when aspiring to mediocrity!
  • 32. Credentials need to be both provisioned and revoked. Sometimes they need to be revoked prior to their natural expiry. A primary characteristic of a mediocre CA is that a revocation responder service is planned for later. A revocation service that is not highly available is just as bad, possibly worse.
  • 33. Ideally, personal certs are generated where they will be used and not moved. Central management and key backup is possible but difficult to do securely. In a CACOM, centrally generated certs are distributed over FTP, email, shared drives, etc.
  • 34. Sometimes it isn’t your CA that places you at risk, but rather your business partner’s CA. A CACOM will assume the partner’s certificates are trustworthy without question. The next slides are examples of this.
  • 35. The root cert is the thing that controls who can bind an identity to a key pair. Any trusted root can generate a cert claiming any identity. Now that the internal CE Center of Mediocrity has become so popular, you will have occasion to trust the internal root CA certificates of your business partners. Go ahead and drop these right into the trust store. What could go wrong?
  • 36. If you are using AMS with Privacy (encryption) then you will need to trust the personal cert of the app, user or business partner. A commercial CA will have set the IsCA=No and PathLength=0 flags to ensure that personal certificates cannot also sign other certificates. The typical CACOM does not know or care about such things and will place any certificate from any source into the trust store. What could go wrong?
  • 37. What is a Certificate Authority? The role of a CA in the security model Why run your own CA? Some example CA Best Practices CA Second-Best (and lesser) Practices The CA Maturity Model Wrapping up
  • 38. Baseline S e c u r i t y L e v e l Skill Level Best!
  • 39. Baseline S e c u r i t y L e v e l Skill Level Best! Worse than doing nothing
  • 40. Possibly, yes! Because… • People take more risks when they believe it is safe to do so. • Poor implementation can make it easier Baseline S e c u r i t y L e v e l • You rarely get a second chance to implement security. Skill Level Best! to break in. Wore than doing nothing
  • 41. What is a Certificate Authority? The role of a CA in the security model Why run your own CA? Some example CA Best Practices CA Second-Best (and lesser) Practices The CA Maturity Model Wrapping up
  • 42. Running a robust internal CA is expensive. Can be cost justified, given enough certs. Cost savings almost always correspond to some loss of effective security. Know what you are omitting and the offsetting risk. Deep skill is essential! Formal training is highly recommended. Beware of other people’s CACOM!
  • 43. Capitalware's MQ Technical Conference v2.0.1.4 Questions & Answers
  • 44. Thank you! T.Rob Wyatt Managing Partner, IoPT Consulting 704-443-TROB (8762) t.rob@ioptconsulting.com https://ioptconsulting.com