Presentation is loading. Please wait.

Presentation is loading. Please wait.

Certificate and Secret Management Services

Published byJonah Murphy Modified over 6 years ago

Similar presentations

Presentation on theme: "Certificate and Secret Management Services"— Presentation transcript:

1 Certificate and Secret Management Services
For Mutual TLS and Password protection – One of the security solutions required to meet Carrier grade deployment security requirements Project Contributors : Intel & Tech Mahindra (Committed)

2 Certificate Management Service

3 Secure Communication – Need for Mutual TLS (with Certificate based authentication)
Background ONAP consists of multiple micro services Two types of communication among micro services – REST API based and DMAPP publish/subscriber based communication. Both use TCP transport Hence TLS 1.2+ secure communication is good enough. No need for others such as IPSEC. Need Protect bad actors stealing the data on the wire Protect from receiving messages from bad actors - Secure communication among services that provide Mutual Authentication of end points (Mutual TLS) Confidentiality, Integrity and non-repudiation of transport  TLS1.2+ based transport (HTTPS) Secure DMAPP messages using TLS1.2+ between brokers to publishers/subscribers. Possible End-to-End encryption/integrity of the data between publishers and subscribers.

4 How does Mutual TLS work?
Java HTTPS library and underlying TLS1.2+ classes do support Mutual TLS (Certificate based authentication) But, it requires certificate provisioning on each end point. Auth: S1Cert S1PrivateKey Peer verification: S2 CA Cert Subject name Auth: S2Cert S2PrivateKey Peer Verification: S1 CA Cert Subject Name Each endpoint is expected to have private key and certificate with public key signed by CA. This information is used to authenticate itself with the peer. It is also expected to have CA Certificate and subject names to verify the peer when presented with its certificate. S1 S2 Mutual Authentication (as part of TLS handshake) Secure Communication (TLS record layer)

5 Certificate provisioning – Best Practice
Internal CA In Micro Services, before it communicates with other micro services, it needs to get certificate enrolled by CA. Typically at startup, generates RSA/ECDSA public/private key pair. Generates PKCS10 CSR (Certificate request) – Which involves signing the message with private key. Request Certificate by sending PKCS10 request to CA. CA verifies that genuine service is requesting for certificate, verifies PKCS10 request, generates X.509v3 certificate, signs it using CA certificate-private key. Sends signed X.509v3 certificate and CA certificate. Service stores the information. It uses this information during TLS handshake to establish secure communication channels. 4 5 3 S1 S1 1 Service 1 2 6 7 Secure communication with other service instances

6 Internal CA broker service- Requirements
RESTful API support for Certificate request agents Generate Certificate request Revocation status request Usage report update Token Authentication Admin interface Generate self signed CA Upload CA cert + CA private key (In PEM/DER) Get usage report on per key Revoke certificate Get CA Certificate in PEM/DER format. Token Service to provide temporary tokens Authenticate user using AAF Role based access control using AAF Settings using Distributed KV Store Service registration using MSB Reports and Logs GUI/CLI support using Portal and CLI Security of CA private key – Using TPM/SGX/Trustzone if available. Ability to add new CA plugins to talk to deployment specific CA service. policy support such as algorithms allowed(For example to support NIST specified algorithms such as RSA 3K) Optional: Multiple CA instances Validation of Genuine HW of client agents SCEP Support for Certificate enrollment. OCSP support for Revocation status.

7 Certificate request agent requirements
Ability to generate RSA/ECDSA key pair using PKCS11 interface Secure storage of private key : Ability to use HW security under PKCS11 if TPM/SGX is available. PKCS10 CSR generation Communication with CA over REST API Java Client and Python Client support Periodic generation of usage report. Service discovery of Certificate Credential Management service. Certificate renewal

8 Certificate Credential Management : Architecture Blocks
Internal CA Service Existing ONAP Service logic Certificate Client agent Certificate Credential Management Service External CA Service Vault Plugin Custom CA Service Plugin Java Sun PKCS11 Provider HashiCorp Vault - PKI SoftHSMv2 SW store TPM/SGX Plugin SGX Plugin TPM Plugin

9 Enhancement in Services
Build : With Sun PKCS11 provider SoftHSMv2, TPM/TSS bundling. Bundling with Certificate Request agent. Calling Certificate request agent during startup of Micro service Enabling HTTPS No changes to applications OOM Changes: Requesting token from CA service, right before starting the service. Passing token along as environment variable to service.

10 Secret Server proposal

11 Secret Service - Need Background
Many services still use password based authentication – Various database servers, Publish/Subscribe brokers, Log Service, VIM and many more… Passwords are stored in files in many services. With many services and service instances, attack surface area is becoming very big. Need Avoid passwors sprawl in files. Avoid passing passwords via environment variables to services Avoid clear passwords in storage.

12 Secret Server is nothing new….
K8S Orchestrator has built in Secret Server As an admin/user, create a secret in secret server, get the secret reference. Puts these references in yaml files instead of actual secrets. K8 controller on demand basis (while bringing up the POD), creates file system volumes with secrets using secret references. Application in Pods read the secrets from volumes. Volumens disappear when POD exits. Openstack deployments typically have Barbican to store secrets. Secrets can be created using Barbican APIs. Refernece to secret is returned. These refercnces are passed to Openstack services. Secrets can be retrived by calling Barbican APIs by services on demand basis.

13 Secret Service - Requirements
RESTful API support Adding secrets Deletion of secrets Update secrets Token Authentication for above operations User name/password based authentication too Authenticate user using AAF Role based access control using AAF Settings using Distributed KV Store Service registration using MSB Reports and Logs GUI/CLI support using Portal and CLI Security of secrets via AES encryption Usage of AES-256 based master key – Plugin approach to secure master key (eg. TPM/SGX/HSM/TrustZone)

14 Secret Service: Architecture Blocks
Sercret Service Service Secret Management Service Secret Client agent External Secret Service Vault Plugin Custom Secret Server plugin HashiCorp Vault TPM/SGX plugin

15 What are secret backend candidiates
Choices: K8S Secret Server, Barbican Vault K8S Secret Server: Tightly integrated with K8S, if ONAP needs to be brought up using other orchestrators, then this could be an issue. Secrets in the secret service are not protected. Barbican : Good architecture, but…. But only used in Openstack, Maturity/Scalability may be a concern. Community support is limited Vault: (Recommended) Good architecture and well supported Widely used in multiple projects. Quoram based master key, but can be enhanced to use TPM/SGX/HSMs for hardware level security.

16 Proposed next steps Intel and Tech Mahindra intends to assign few engineers. Get approval from Security committee - Done Create project proposal for R2 – Done, but content WIP Present to Architecture committee Present to TSC for approval

17

18 Why not use istio Istio (istio.io) is service mesh project, has all the features required for service/service-instance with versions/ registration, discovery, load balancing, Mutual TLS security with certificate credential provisioning Challenges with istio: Yet to mature. Closely works with Kubernetes – Since ONAP may be also orchestrated via Openstack and others, this could be impediment. Security does not start from application : There is sidecar container in every POD which runs envoy HTTP proxy. Security starts from the envoy. Communication data between application container and sidecar container is in clear. CA software – Seems basic, may be good enough. Also, need to check how CA private key is stored securely. Support for new protocols (beyond HTTP) – Needs to upgrades to Envoy container

Download ppt "Certificate and Secret Management Services"

Similar presentations

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Russ Housley IETF Chair Founder, Vigil Security, LLC 8 June 2009 NIST Key Management Workshop Key Management in Internet Security Protocols.

Russ Housley IETF Chair Founder, Vigil Security, LLC 8 June 2009 NIST Key Management Workshop Key Management in Internet Security Protocols.
Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 1 SAN Certificate in Unity Connection Presenter Name: Bhawna Goel.

Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 1 SAN Certificate in Unity Connection Presenter Name: Bhawna Goel.
Chapter 21 Distributed System Security Copyright © 2008.

Chapter 21 Distributed System Security Copyright © 2008.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Security fundamentals Topic 5 Using a Public Key Infrastructure.

Security fundamentals Topic 5 Using a Public Key Infrastructure.
VPN. CONFIDENTIAL Agenda Introduction Types of VPN What are VPN Tokens Types of VPN Tokens RSA How tokens Work How does a user login to VPN using VPN.

VPN. CONFIDENTIAL Agenda Introduction Types of VPN What are VPN Tokens Types of VPN Tokens RSA How tokens Work How does a user login to VPN using VPN.
Doc.: IEEE 802.19-10/0098r0 Submission July 2010 Alex Reznik, et. al. (InterDigital)Slide 1 802.19.1 Security Procedures Notice: This document has been.

Doc.: IEEE /0098r0 Submission July 2010 Alex Reznik, et. al. (InterDigital)Slide Security Procedures Notice: This document has been.
Security Working Group

Security Working Group
The Secure Sockets Layer (SSL) Protocol

The Secure Sockets Layer (SSL) Protocol
Key management issues in PGP

Key management issues in PGP
Microservice Bus Tutorial Huabing Zhao

Microservice Bus Tutorial Huabing Zhao

Similar presentations

Ads by Google