Read time: 6 minutes

Pretty Good Privacy or PGP is a cryptographic method for communicating privately over the Internet. It encrypts data and provides cryptographic privacy and authentication for online communication. It is frequently used to encrypt documents, emails, and files to improve email security. Data compression, hashing, and public-key cryptography are all used in PGP encryption. PGP also verifies the sender’s identity and ensures that the message was not tampered with while in transit.

It also encrypts data being exchanged across networks using symmetric and asymmetric keys. It combines both private and public-key cryptography features. It uses a different encryption algorithm at every step, and a username and email are associated with each public key.

Working of PGP Encryption

PGP is a type of hybrid cryptography. PGP combines the best features of both symmetric and public-key cryptography in one bundle. When a user encrypts plaintext with PGP, the plaintext is compressed first. Data compression reduces transmission time and disc space use while also improving cryptographic security. Most cryptanalysis techniques use patterns present in plaintext to exploit the cipher. Compression increases cryptanalysis resistance by reducing the patterns in plaintext (Files with very small sizes are not compressed).

PGP generates a session key, which is a secret key and is generated only once. This key generates a random number from the movement of your cursor and the keystrokes you type. This session key is used to encrypt the plaintext with a very secure and fast symmetric encryption algorithm, and the output is ciphertext. The session key is then encrypted with the recipient’s public key after the data has been encrypted.

Sender Side Process

The decryption of encrypted data works in reverse. The temporary session key can be recovered using the recipient’s private key, which is then used to decrypt the ciphertext encrypted with symmetric cryptography.

Receiver Side Process

The two encryption methods are combined to give you the convenience of public-key encryption with the speed of symmetric encryption. Public key encryption is much faster than conventional encryption. In turn, public-key encryption solves key distribution and data transfer issues. When both are used in combination, performance and key distribution improve without compromising security.

Use Cases of PGP Encryption

The major uses of PGP encryption are:

  • To encrypt data.
  • To send and receive encrypted emails.
  • To verify the sender’s identity.

Encrypt Data: PGP can be used to encrypt files. PGP offers a highly secure solution of encrypting data at rest, especially when combined with a Threat Detection and Response Solution. The algorithm used by PGP – typically the RSA algorithm – is nearly unbreakable. This technique is so safe as it has been employed in high-profile malware like the CryptoLocker virus.

Encrypt Emails: PGP is mainly used to send encrypted emails. Activists, journalists, and others who deal with sensitive data were the primary users of PGP in its early years. PGP’s popularity has grown at a rapid pace. As more individuals become aware of how much data corporations and governments collect, many people are now using the standard to keep their personal information private.

Identity Verification: PGP can also be used for email verification. For example, if a person is doubtful about the identity of someone sending them a message, they can use a Digital Signature in combination with PGP to authenticate it.
Digital signatures work by combining the sender’s public key with the data they send via an algorithm. A hash function is generated using another algorithm that converts a message to a fixed-size data block which is then encrypted with the sender’s private key.
The data is then decrypted by the recipient using the sender’s public key. The recipient will be informed if even one character of the message has been altered in transit.

Pros of PGP Encryption

Benefits of using PGP encryption are:

  • It is extremely secure and nearly unbreakable.
  • It improves cloud security.
  • Easy to learn and use.

Cons of PGP Encryption

Some limitations of PGP Encryption are:

  • There is no recovery process if passwords are forgotten or deleted.
  • The information will either not be decrypted or decoded by only one party unless both the sender and the receiver have compatible versions of PGP software.

How to Create PGP Key Pair

Prerequisite: In this article, we discuss how PGP key pair can be generated using GnuPG. You can download GnuPG from the given link: https://gpg4win.org/get-gpg4win.html

Follow the steps below to generate PGP key pair:

1. Open the Command Prompt (cmd) as Administrator.

2. Execute the command below to create a key pair:
$ gpg –full-generate-key


3. Now, It prompts with the below configurations based on the information provided by the requestor:

  1. Select key type that you want to create:
    We have selected RSA and RSA (default).

  1. Now, it prompts for the size of the key between 1024 and 4096.
    3072 is the default key length. You can hit enter to select 3072.

  1. Now, it will prompt for the validity of the key.
    Zero (0) is the default. You can hit enter to select 0.

  1. It will prompt you to confirm that the key does not expire at all.

  1. Now, enter the Real name, Email address, and Comment.
    Real name can be the name of a person, product, or company.
    You can leave the comment blank.

  1. Validate the Name, Email, and comment.
    Type O for Okay.

  1. Now, a prompt will open for the passphrase, enter the passphrase, and hit enter.

  1. Copy the Public Key ID from the output.


4. Export the Public and Private Keys:

  1. To export the Public Key, enter the command below:
    $ gpg –export -a keyid > publickeyname.key

  1. To export the Private Key, enter the command below:
    $ gpg –export-secret-key -a keyid > privatekeyname.key

It will prompt for the password that you enter in Step 3.g.
Enter the passphrase and hit enter.

Note: Both Public and Private keys will be saved in the directory where the export commands are executed.

About the Author

Shorya Goel is a Consultant at Encryption Consulting, working with PKIs, HSMs, and working as a consultant with high-profile clients.

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Read time: 5 minutes

There are many formats in which digital certificates can be downloaded or converted. Following are X.509 certificate encoding formats and extensions:

Binary

  • DER: .der, .cer
  • PKCS#12: .p12, pfx

Base64

  • PKCS#7: .p7c, .p7b
  • PEM: .crt, .ca-bundle, .pem

However, different certificate forms have no advantages or disadvantages. It all depends on the certificate’s format requirements for the application that will be using it.

PEM

  • A PEM (Privacy Enhanced Mail) file is a Base64-encoded certificate file used to verify a website’s security. It may contain a private key, a server certificate from a certificate authority (CA), or other trust chain certificates. PEM files are compatible with OpenSSL applications and are commonly imported from a Unix-based Apache Web server.
  • You can see the contents of a PEM file with the help of a text editor. The file has one or more headers that describe the information contained within it. A PEM file for a certificate includes the “—-BEGIN CERTIFICATE—-” and “—-END CERTIFICATE—-” statements.
  • A PEM file can have several certificates and private keys one after another.
  • Linux and Unix-based web servers typically use PEM files.
  • Commonly used extensions of PEM files are: .cer, .pem, .crt, .key

DER (Distinguished Encoding Rules)

  • A DER (Distinguished Encoding Rules) file is a binary format certificate file. As DER files can end in either .der or .cer, you will need to read the file with a text editor to tell the difference between DER.cer and PEM.cer. There should be no BEGIN/END statements in a DER file, or the binary information will be distorted.
  • The DER format can be used to encode both digital certificates and private keys.
  • DER files are generally used with java platforms.
  • Commonly used extensions of DER files are: .cer and .der

PKCS#7

  • PKCS#7 is a Base64-encoded certificate file. This format cannot be used to store private keys. Only digital certificates and Certificate Revocation List (CRL) can be stored in PKCS#7 file format.
  • A PKCS#7 file contains the “—-BEGIN PKCS7—-” and “—-END PKCS7—-” statements.
  • Commonly used extensions of PKCS#7 files are: .p7b and .p7c
  • Java Tomcat and Microsoft Windows platforms commonly use these files.

PKCS#12

  • PKCS#12 is a single password-protected binary file format that stores the server certificate, intermediate certificate, and private key. It refers to a personal information exchange format.
  • Windows platforms commonly use these files to import and export certificates and private keys.
  • Commonly used extensions are: .p12, ,pfx

Change Certificate Format By Changing The Extension

You can convert the following file format into different formats by changing the extensions.

PEM

You can change the PEM file format to the following formats by changing its extension:

  • .crt
  • .cer
  • .pem
  • .key

For Example: Convert the .crt certificate file into .pem file.

  1. Open the .crt certificate file in any text editor.

    Convert the .crt certificate
  2. Go to File.

  3. Click on Save As

  4. In Save as type “Select All Files.”

    Want to convert (.cer, .key, .pem, .crt).
  5. In the File name, enter the file name and the extension you want to convert (.cer, .key, .pem, .crt).

    .crt certificate file into .pem file
  6. click on Save.

DEM

You can change the DER file format to the following formats by changing its extension:

  • .der
  • .cer

For Example: Convert the .der certificate file into .cer file.

  1. Open the certificate in any text editor.

    Change the DER file format
  2. Go to File.

  3. Click on Save As

  4. In Save as type “Select All Files.”

    change the DER file format
  5. In the File name, enter the file name and the extension you want to convert (.cer, .der).

    extension you want to convert (.cer, .der).
  6. Click on Save As

    Cert file format change

Change Certificate Format Using OpenSSL

PEM

  • Convert PEM to DER: 

    You can convert the PEM certificate file format to DER by using the command below:

    $ openssl x509 -outform der -in certificate.pem -out certificate.der

    PEM certificate file format to DER
  • Convert PEM to P7B

    You can convert the PEM certificate file format to P7B by using the command below:

    $ openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CAcert.cer

  • Note: -certfile CAcert.cer is optional, use this if having more than one PEM certificates and wants to include into P7B file.

    PEM certificate file format to P7B
  • Convert PEM to PFX

    You can convert the PEM certificate file format to PFX by using the command below:

    $ openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CAcert.crt

    Note: -certfile CAcert.cer is optional, use this if having more than one PEM certificates and wants to include into PFX file.

    PEM certificate file format to PFX

DER

  • Convert DER (.crt, .cer, .der) to PEM:

    You can convert the DER certificate file format to PEM by using the command below:

    $ openssl x509 -inform der -in certificate.der -out certificate.pem

    Convert DER (.crt, .cer, .der) to PEM

P7B

  • Convert P7B to PEM

    You can convert the P7B certificate file format to PEM by using the command below:

    $ openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
    Convert the P7B certificate file format to PEM
  • Convert P7B to PFX

    You can convert the P7B certificate file format to PFX by using the two commands below:

    $ openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer $ openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CAcert.cer
  • Note: -certfile CAcert.cer is optional, use this if having more than one P7B certificates and wants to include into PFX file.

    Convert P7B to PFX

PFX

  • Convert PFX to PEM

    You can convert the PFX certificate file format to PEM by using the command below:

    $ openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

    Note: OpenSSL will combine all the Certificates and Private Keys into a single file when converting PFX to PEM format. You will need to open the file in Text Editor and copy each

    Certificate and Private key (including the BEGIN/END instructions) to its text file.

    convert the PFX certificate file format to PEM

About the Author

Shorya Goel is a Consultant at Encryption Consulting, working with PKIs, HSMs, and working as a consultant with high-profile clients.

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Read time: 4 minutes

SCEP or Simple Certificate Enrollment Protocol, is an open-source certificate management protocol that stands for , automating the task of certificate issuance. Public key infrastructure (PKI) certificate issuance requires a process for information exchange with a trusted Certificate Authority (CA). This is required so that it can authenticate the information provided by the user, like domain name and identities associated with the Certificate. By automating this process, SCEP makes it easy and faster for the IT team to enroll certificates on devices without having to manually exchange the information. Using a URL to exchange information and a shared secret to communicate with the CA, a device can easily enroll for a certificate.

How does SCEP work?

  1. SCEP URL: The Simple Certificate Enrollment Protocol URL enables a device to communicate with the CA to obtain an enrollment Certificate.
  2. SCEP Shared Secret: A case-sensitive, secure password is used as a SCEP shared secret between the CA and SCEP server to authenticate the identities and domains associated with the CA certificate.
  3. SCEP Certificate Signing Request: After setting up and sharing the SCEP gateway and Shared secret, respectively, users can create and distribute a configuration profile that enables managed devices to auto-enroll for certificates by sending a certificate enrollment request to the CA through the SCEP gateway. A signed certificate will be issued to the device after authentication.
  4. SCEP Signing Certificate: The SCEP signed Certificate is uploaded by Mobile Device Management (MDM), in which the entire certificate chain (Root CA, Intermediate CA, End-entity Certificate) is included.

SCEP Device Enrollment Process

The following steps are required for SCEP device enrollment on MDMs:

  1. Add SCEP URL
  2. Add SCEP Shared Secret
  3. Upload the SCEP certificate, which needs to be signed.
  4. Set the SCEP configuration.
  5. Define any application-specific certificate setting.
  6. Specify the device which will receive the certificates.

After authentication by the CA, a signed certificate will be deployed on the required device.

SCEP certificate Configuration profile

While setting up an SCEP server, the Administrator can customize the SCEP implementation by setting up the number of available certificate properties in the certificate configuration profile. The certificate properties are given below:

  • Certificate Template Name
  • Certificate Type
  • Subject Name (this refers to the entity requesting the Certificate, it can be an email id, server name, or IP address of the entity.)
  • Certificate Validity Period (this refers to the time for which the Certificate is valid, if not revoked.)
  • Hashing Algorithm
  • Root CA Certificate
  • Key Usage (this refers to the usage of the key, whether it is for Digital Signature, key encipherment, or both.)
  • Key Size (this refers to the size of the key, for example, 1024-bit or 2048-bit)
  • Subject Alternative Name (this relates to the alternative details of the subject like DNS, URI, UPN, etc.)


SCEP vs. EST

EST stands for Enrollment over Secure Transport. It is the evolution of SCEP and uses Transport Layer Security (TLS) for client-side device authentication. Both SCEP and EST are used to automate the Certificate enrollment process, but the difference is that SCEP uses Shared Secret protocol and CSRs for enrolling Certificates, whereas EST uses TLS for authentication. EST uses TLS to securely transport the messages and Certificates, whereas SCEP uses PkcsPKIEnvelope envelopes to secure the messages.

SCEP vs. ACME

ACME stands for Automated Certificate Management Environment. Both SCEP and ACME are the same in certificate management. ACME uses key pairs, also known as authorization keys, for validation of the CA and organization. ACME installs the Certificate Management Tool to generate Authorization keys.

SCEP vs. CMP and CMC

CMP stands for Certificate Management Protocol, and CMC stands for Certificate Management CMS. Both SCEP and EST are used for enrollment and issuance of Certificates, whereas CMP and CMC are used for Certificate management like renewal, status, and revocation of Certificates.

Conclusion

SCEP Gateway API can be used to distribute certificates to every managed device. The SCEP Gateway API enables managed devices to enroll for Certificates on their own easily, but it also increases security risk. Mobile devices that use SCEP for digital certificate enrollment may be susceptible to a Privilege Escalation Attack. EST is the evolution of SCEP, which is more secure and uses TLS for client-side device authentication.

About the Author

Shorya Goel is a Consultant at Encryption Consulting, working with PKIs, HSMs, and working as a consultant with high-profile clients.

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Read Time: 15 minutes

AWS provides many services, including database, storage, networking, and many more. AWS Key Management Service (KMS) is one of the most popular services offered by AWS. It is a beneficial service that helps in dealing with sensitive data and managing cryptographic keys.

What is AWS Key Management Service (KMS)?

AWS KMS is a service that can be integrated with various other AWS services. It can be used to create, store, and control cryptographic keys to encrypt data in your application. With the help of the AWS KMS service, a user can control access to the encrypted data. AWS KMS provides almost 100 percent of the durability of cryptographic keys.

Keys are stored in multiple Availability Zones (AZ’s) that ensure the high availability of keys. AWS KMS is integrated with CloudTrail, which allows users to audit the purpose for which the key is used, when it was used, and by whom the key was used.

Some Important Points about AWS KMS

  • The keys generated in a region cannot be sent outside of that region.
  • KMS uses an AWS Hardware Security Module (HSM), which is FIPS 140-2 compliant, to store keys.
  • AWS KMS allows controlling access to master keys.
  • Users can encrypt data stored in Amazon EBS, Amazon S3, and Amazon Redshift as AWS KMS is integrated with these services.

How does AWS KMS work?

To learn the inner workings of AWS KMS, we must first learn the terms and concepts used in AWS KMS.

There are two types of keys in AWS KMS:

  1. Customer Master Keys
  2. Data Keys

Customer Master Keys (CMKs)

A CMK is a logical representation of the master key. The CMK contains metadata like key ID, Creation Date, key state, and description of the key and the key material used for encryption and decryption.

By default, Key material is created by AWS KMS. No one can modify, manage, view, or extract the key material. Key material cannot be deleted as well. If a user wants to delete key material, then the user has to delete the CMK. Users can import their key material into a CMK or create key material for CMKs in an AWS CloudHSM Cluster.

AWS CMK provides both Symmetric and Asymmetric CMKs. Symmetric CMKs use a 256-bit key for encryption and decryption. In contrast, asymmetric CMKs use RSA key pairs for encryption and decryption or Signing and verification. An asymmetrically created key, called an ECC key, can only be used for signing and verification. CMKs are created in AWS KMS. CMKs can be managed by the AWS Management Console or the AWS KMS API. All symmetric keys and private asymmetric keys never leave the AWS KMS unencrypted. To perform any cryptographic operation using CMKs, the user must use the AWS KMS API.

There are three types of CMKs supported by AWS KMS:

  1. Customer Managed CMK: Customer Managed CMKs are those CMKs in the user account that the user can create, own, and manage. Users have complete control over Customer Managed Keys, allowing them to establish and manage their key policies, IAM policies, grants, rotation of cryptographic material, etc.
  2. AWS Managed CMK: The CMKs in the user account created and managed by AWS on behalf of the user is known as AWS Managed CMKs. AWS managed CMKs cannot be directly used in cryptographic operations. Users cannot manage, rotate or change the key policies of AWS managed CMKs. However, users can view the key policies and audit their use in AWS CloudTrail (integrated with AWS KMS) in their AWS account.
  3. AWS Owned CMK: The Collection of CMKs owned and managed by AWS for use in multiple clouds is known as an AWS Owned CMK. AWS owned CMKs protect the resources in the user account. These CMKs are not found in the user’s account. With AWS owned CMKs, users do not need to create or manage CMKs. Users cannot view, use, track, or audit them.

Data Keys

The keys used to encrypt data and other data encryption keys are Data Keys. Data keys are used to encrypt a large amount of data as customer master keys (CMKs) cannot encrypt data larger than 4KB. Data keys are used and managed outside of AWS KMS. Data keys are not stored, managed, or tracked by AWS KMS. AWS KMS does not perform any cryptographic operation with data keys, however, users can generate, encrypt, and decrypt data keys with the help of AWS KMS customer master keys (CMKs). Data keys can encrypt and decrypt data in other AWS services like Amazon S3, EBS, EC2, etc.

  • Create data key
    AWS KMS uses user-specified CMKs to generate a data key. A data key can be generated by calling the GenerateDataKey operation. This operation returns two copies of the data key, one in plaintext and the other one encrypted under the CMK. Another operation, GenerateDataKeyWithoutPlaintext, can also be used, which returns a single copy of the data key that is encrypted under CMK.
    Before using an encrypted data key, ask AWS KMS to decrypt it.
  • Encrypting data with a data key
    As mentioned earlier, AWS KMS does not use data keys to perform any cryptographic operation. To encrypt data with a data key, use a plaintext data key, encrypt data outside of AWS KMS, and delete it from memory, then, store the encrypted data key.
  • Decrypting data with a data key
    To decrypt data outside of AWS KMS with a data key, the Decrypt operation is used to decrypt the encrypted data key, which returns a plaintext copy of the data key.
    Now, Data outside of AWS KMS can be decrypted using a plaintext data key. The user must remove the plaintext data key from memory after using it.
    The following diagram show how the Decrypt operation decrypt the Encrypted Data Key:
  • Data Key Pair
    Users can create an asymmetric data key pair consisting of mathematically related private and public keys. Generally, these key pairs are used for client-side encryption and decryption or the signing and verification process outside of AWS KMS.
    The private key of each data key is protected by AWS KMS using user-specified symmetric CMKs, but users have to manage and use the data key pair outside the AWS KMS as it does not track, manage or use data key pairs to perform any cryptographic operations.
    Users can generate the following data key pairs in AWS KMS:  
    • RSA key pair of 2048 bit, 3076 bit, and 4096 bits. Generally used for encryption and decryption.
    • Elliptical Curve key pair: ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P512, and ECC_SECG_P256K1. Generally used for Signing and verification.
  • Creating a Data key Pair
    To generate a data key pair, the user needs to call the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext operation according to the requirement and specify a symmetric CMK that will encrypt the private key.
    GenerateDataKeyPair operations generate three keys: a plaintext public key, a plaintext private key, and an encrypted private key. In contrast, GenerateDataKeyPairWithoutPlaintext generates two keys: a plaintext public key and an encrypted private key.
  • Encrypting data with a data key pair
    The public key of a data key pair is used to encrypt the data, and the private key of the same data key pair is used to decrypt the data.
  • Decrypting data with a data key pair
    The plaintext private key of the same data key pair whose public key was used for encryption is used to decrypt the data. The Decrypt operation is used to decrypt the encrypted private key of a data key pair, and remove the plaintext private key from memory after using it.
  • Signing messages with a data key pair
    The plaintext private key of a data key pair is used to generate a cryptographic signature for a message, and anyone with the public key of the same data key pair can use it to verify the signature.
    If the private key is encrypted with the AWS CMK, the Decrypt operation is used, which returns the private key in plaintext format used for signing purposes. As always, the user should remove the plaintext private key from memory after use.
  • Verifying a message with a data key pair
    The public key of the data key pair is used for verification. The public key should belong to the same data key pair whose private key was used for Signing. Verification of the signature confirms that an authorized user signed the message and it has not been altered.
  • Aliases
    Users can give a friendly name to a CMK known as an Alias. For example, the CMK name is 9897aswd-34dw-1234-89hg-asdkal212012, the user can give it an alias of key-01. With the help of an alias, users can easily identify a CMK in AWS KMS operations.
  • Cryptographic Operations
    The AWS SDK, AWS Tools for PowerShell, or AWS Command Line Interface (AWS CLI) is required to perform any cryptographic operations with CMKs because CMKs remain within AWS KMS. Users cannot perform any cryptographic operation with CMKs in the AWS KMS console.

Below is a table which summarizes the AWS KMS cryptographic operations:

OperationCMK Key TypeCMK Key Usage
DecryptSymmetric/AsymmetricENCRYPT_DECRYPT
EncryptSymmetric/AsymmetricENCRYPT_DECRYPT
GenerateDataKeySymmetricENCRYPT_DECRYPT
GenerateDataKeyWithoutPlaintextSymmetricENCRYPT_DECRYPT
GenerateDataKeyPairAsymmetricENCRYPT_DECRYPT
GenerateDataKeyPairWithoutPlaintextAsymmetricENCRYPT_DECRYPT
ReEncryptSymmetric/AsymmetricENCRYPT_DECRYPT
SignAsymmetricSIGN_VERIFY
VerifyAsymmetricSIGN_VERIFY

Note:  GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext operations generate asymmetric data key pair which symmetric CMKs protect it.

  • Envelope Encryption
    Users can protect their plaintext data by encrypting it with a key, but how do they protect the encryption key? This brings in the concept of Envelope encryption, where the plaintext data is encrypted with the data keys, and the data keys are encrypted with master key. AWS KMS is responsible for the security of the master key. Master keys are stored and managed by AWS KMS and never leave the HSM unencrypted.
    Benefits of Envelope Encryption:  
    • Protecting data keys: The data keys are inherently protected by encrypting them with CMKs. So, the encrypted data keys can be safely stored with encrypted data.
    • Encrypting the data key with master key: Encrypting large data with data keys, again and again, can be a time-consuming process. So, instead of encrypting data repeatedly, the encryption key can be encrypted with a master key.
    • Combining the strength of multiple algorithms: Envelope Encryption enables you to use the strength of both Symmetric and Asymmetric algorithms.
  • Key Policy
    Users can define the permissions for CMK in a document called a key policy. Users can add, remove or change permissions at any time for Customer Managed Keys, but cannot edit the AWS Managed CMK as AWS manages it on behalf of the user.
  • Grant
    Grants are temporary permissions that users can create, use, and delete without changing key or IAM policies. Grants are also considered with IAM policies and key policies when users access a CMK.
  • Auditing CMK Usage
    AWK KMS is integrated with CloudTrail, which can be used to audit key usage. CloudTrail creates log files for AWS API calls and related events in the account. These log files contain all AWS API requests from AWS SDK, AWS Management Console, or AWS command-line tools. These log files can be used to find important information like when the CMK was used, which operation was requested, requester identity, and the source IP address.

Creating Customer Managed Symmetric CMKs

A user should follow the following steps to create Customer Managed Symmetric CMK using AWS Management Console:

  1. Sign in to the AWS management console and open the AWS KMS console.
  2. You can change the AWS region from the upper-right corner of the page.
  3. Choose customer manages keys from the navigation pane.
  4. Choose create key.
  5. In Key type, select the type of CMK, i.e., Symmetric.
  6. Click on Next.
  7. Create an alias for the CMK.
  8. Type the description for the CMK. (Optional)
  9. Click on Next.
  10. Type a tag key and tag value. (Optional)
  11. Click on Next.
  12. Select IAM users and roles that can administer the CMK.
  13. Clear Allow key administrators to delete this key check box if you do not want to allow IAM users and roles to delete this key. (Optional)
  14. Click on Next.
  15. Select IAM users and roles that can use the CMK to perform cryptographic operations.
  16. In the Other AWS accounts section, click on Add another AWS account and type AWS account identification number to allow them to use this CMK for cryptographic operations. (Optional)
  17. Click on Next.
  18. Review the key configuration that you have done.
  19. Click on Finish to create the CMK.

Creating Customer Managed Asymmetric CMKs

A user should follow the following steps to create Customer Managed Symmetric CMK using AWS Management Console:

  1. Sign in to the AWS management console and open the AWS KMS console.
  2. You can change the AWS region from the upper-right corner of the page.
  3. Choose customer manages keys from the navigation pane.
  4. Choose create key.
  5. In Key type, select the type of CMK, i.e., Asymmetric.
  6. In Key usage, select the purpose for which key is created, i.e., Encrypt and decrypt or Sign and verify.
  7. Select the specification of your asymmetric CMK.
  8. Click on Next.
  9. Create an alias for the CMK.
  10. Type the description for the CMK. (Optional)
  11. Type a tag key and tag value. (Optional)
  12. Click on Next.
  13. Select IAM users and roles that can administer the CMK.
  14. Clear Allow key administrators to delete this key check box if you do not want to allow IAM users and roles to delete this key. (Optional)
  15. Click on Next.
  16. Select IAM users and roles that can use the CMK to perform cryptographic operations.
  17. In the Other AWS accounts section, click on Add another AWS account and type AWS account identification number to allow them to use this CMK for cryptographic operations. (Optional)
  18. Click on Next.
  19. Review the key configuration that you have done.
  20. Click on Finish to create the CMK.

Benefits of AWS KMS

  1. Fully managed: AWS KMS provides full control access to encrypted data by enforcing the permissions defined by the user to use keys.
  2. Centralized key management: AWS KMS provides a single control point to manage and define key policies. Users can create, import, manage, delete, or rotate keys from the AWS key management console, or use AWS CLI or SDK.
  3. Digitally Sign data: The user can generate an asymmetric key in AWS KMS and can perform digital signing operations to maintain the integrity of the data.
  4. Secure: In AWS KMS, keys are generated and protected in Hardware security modules (HSMs) validated under FIPS 140-2. For security, keys are only used inside HSMs and can never be shared outside the AWS region in which they were created.
  5. Built-in auditing: AWS KMS is integrated with CloudTrail to help in monitoring key usage to meet regulatory and compliance needs.

Below is the table which summarizes the AWS Key Management Service Crypto Properties:

AWS Key Management Service Crypto Properties
 
Tenant Multi-Tenant
Standard FIPS 140-2 Level 2
Master Keys
  • Customer Owned Master key
  • AWS Managed Master Key
  • AWS owned Master key
Crypto Keys
  • Symmetric
  • Asymmetric
    AES in XTS mode only
Crypto API AWS SDK/API for KMS
Access Authentication/Policy AWS IAM Policy
Key Accessibility Accessible in multiple regions (Keys outside the region in which created cant be used)
High Availability AWS Managed Service
Audit Capability
  • CloudTrail
  • Cloud Watch
TenantMulti-TenantStandardFIPS 140-2 Level 2Master Keys
  • Customer Owned Master key
  • AWS Managed Master Key
  • AWS owned Master key
Crypto Keys
  • Symmetric
  • Asymmetric
    AES in XTS mode only
Crypto APIAWS SDK/API for KMSAccess Authentication/PolicyAWS IAM PolicyKey AccessibilityAccessible in multiple regions (Keys outside the region in which created cant be used)High AvailabilityAWS Managed ServiceAudit Capability
  • CloudTrail
  • Cloud Watch
 
TenantMulti-Tenant
StandardFIPS 140-2 Level 2
Master Keys
  • Customer Owned Master key
  • AWS Managed Master Key
  • AWS owned Master key
Crypto Keys
  • Symmetric
  • Asymmetric
    AES in XTS mode only
Crypto APIAWS SDK/API for KMS
Access Authentication/PolicyAWS IAM Policy
Key AccessibilityAccessible in multiple regions (Keys outside the region in which created cant be used)
High AvailabilityAWS Managed Service
Audit Capability
  • CloudTrail
  • Cloud Watch
Move your IT infrastructure to Cloud.

AWS CloudHSM

AWS CloudHSM is an AWS hardware security module that is customer-owned and managed. AWS CloudHSM acts as a single-tenant on hardware, restricting it from being shared with other customers and applications. Organizations can utilize AWS CloudHSM for those wanting to use HSMs to administer and manage encryption keys, but not have to worry about managing HSM Hardware in a datacenter.
AWS CloudHSM allows FIPS 140-2 Level 3 overall validated single-tenant HSM clusters in your Amazon Virtual Private Cloud (VPC) to store and use your keys. Complete control is given to users whose keys are used through an authentication mechanism separate from AWS.

AWS CloudHSM supports multiple use cases, including the following: management of Public/Private key pairs for Public Key Infrastructure (PKI), Code & Document Signing, or storing private keys for various services such as database, storage, and web applications, storing keys for DRM solution. AWS CloudHSM will allow your organization to meet compliances of key management requirements with the use of Hardware Security Modules supervised by AWS with the ability to incorporate multiple platforms to store keys.

Below is the table which summarizes the AWS Cloud HSM Crypto Properties

AWS CloudHSM Crypto Properties
 
Tenant Single-Tenant
Standard FIPS 140-2 Level 3
Common Criteria EAL4+( supported by cloudHSM classic older model)
Master Keys Master Key HSM
Crypto Key types
  • Symmetric – AES (Modes supported CBC, GCM and ECB)
  • Asymmetric – RSA, ECC
  • Hashing – SHA-256, SHA-512, RSA, ECDSA
API Support
  • PKCS11
  • OpenSSL
  • JCE
  • Crypto next generation (CNG)
Access Authentication/Policy Quorum based K of N principle
Key Accessibility Can be accessed and shared across multiple VPC
High Availability ADD HSM in Different Availability Zones
Audit Capability
  • CloudTrail
  • Cloud Watch
  • MFA support
TenantSingle-TenantStandardFIPS 140-2 Level 3
Common Criteria EAL4+( supported by cloudHSM classic older model)
Master KeysMaster Key HSMCrypto Key types
  • Symmetric – AES (Modes supported CBC, GCM and ECB)
  • Asymmetric – RSA, ECC
  • Hashing – SHA-256, SHA-512, RSA, ECDSA
API Support
  • PKCS11
  • OpenSSL
  • JCE
  • Crypto next generation (CNG)
Access Authentication/PolicyQuorum based K of N principleKey AccessibilityCan be accessed and shared across multiple VPCHigh AvailabilityADD HSM in Different Availability ZonesAudit Capability
  • CloudTrail
  • Cloud Watch
  • MFA support
 
TenantSingle-Tenant
StandardFIPS 140-2 Level 3
Common Criteria EAL4+( supported by cloudHSM classic older model)
Master KeysMaster Key HSM
Crypto Key types
  • Symmetric – AES (Modes supported CBC, GCM and ECB)
  • Asymmetric – RSA, ECC
  • Hashing – SHA-256, SHA-512, RSA, ECDSA
API Support
  • PKCS11
  • OpenSSL
  • JCE
  • Crypto next generation (CNG)
Access Authentication/PolicyQuorum based K of N principle
Key AccessibilityCan be accessed and shared across multiple VPC
High AvailabilityADD HSM in Different Availability Zones
Audit Capability
  • CloudTrail
  • Cloud Watch
  • MFA support

Custom Key Store

The Custom Key store feature of AWS KMS provides a way of integrating AWS CloudHSM clusters easily with AWS KMS.

Users can configure their CloudHSM cluster to store keys rather than the default KMS key store.

Users can also generate key material within the CloudHSM cluster. The master keys generated in the customer key store never leave the AWS Hardware Security Module in the CloudHSM Cluster in plaintext form, and all the cryptographic operations required by KMS are performed within the HSMs.

Conclusion:

AWS CloudHSM provides single-tenant key storage giving organizations FIPS 140-2 Level 3 compliance. CloudHSM allows full control of your keys, including Symmetric (AES), Asymmetric (RSA), SHA-256, SHA 512, Hash-Based, or Digital Signatures (RSA). On the other hand, AWS Key Management Service is multi-tenant key storage owned and managed by AWS. AWS KMS allows Customer Master Keys for symmetric key encryption (AES-256-XTS) and asymmetric keys (RSA or elliptic curve (ECC)). Suppose your organization’s key management strategy for encryption will be running a singular cloud service provider for now and for the foreseeable future. In that case, AWS KMS will provide the simplest environment to maintain the keys. However, suppose you are planning to take advantage of multiple cloud providers but do not wish to maintain the HSMs. In that case, AWS CloudHSM may be the solution for your organization that allows separating encryption keys from the data of the other platforms that are being utilized.

About the Author

Shorya Goel is a Consultant at Encryption Consulting, working with PKIs, HSMs, and working as a consultant with high-profile clients.

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Read time: 3.5 minutes

WPA2 stands for Wireless Fidelity Protected Access 2 – Pre-Shared Key. It allows home users or small offices to secure their network without using an enterprise authentication server.

How WPA2-PSK works?

WPA2-PSK requires a router with a passphrase, with a length between 8 to 63 characters, to encrypt the data in the network. It uses a technology named TKIP, i.e., Temporal Key Integrity Protocol, that requires network SSID and the passphrase to generate unique encryption keys for each wireless client.

WPA2-PSK (AES) is more secure than WPA2-PSK (TKIP), but WPA2-PSK (TKIP) can be used with older devices that are not WPA2-PSK (AES) enabled devices.

When a user connects to the router, the user provides a password to authenticate their identity and, as long as the password matches, the user is connected to WLAN.

With WPA2-PSK, user can secure their data, transmitted through the wireless channel between a router and other network devices. It is the latest generation of Wi-Fi security where the key is shared between connected devices. WPA2-PSK is also known as WPA2 Personal.

Is WPA2-PSK vulnerable?

WPA2-PSK is designed for small offices and home networks to allow users to trust the network they are connected to. WPA2-PSK is secure but shares a password to all the users connected to the network, leading to snoop on the network by the attacker.

WPA2-PSK is also found in airports, public hotspots, or universities as it is easy to implement and requires only one password. But if your WPA2-PSK gets compromised, an attacker can easily get access to your network and is capable of doing the following malicious activities:

  • Switch Spoofing
  • Spanning Tree Protocol (STP) Attacks
  • Dynamic Host Configuration (DHCP) Spoofing
  • Media Access Control (MAC) Spoofing
  • Double Tagging
  • Address Resolution Protocol (ARP) Spoofing.

Using a single password for network access requires good faith to keep the password secret on every user’s device. The reason for this is that if one user gets compromised, then all users can be hacked.

Brute force attacks like dictionary attacks can be performed, and an attacker can decrypt all the device traffic if it obtains the Pre-Shared Key and capture the key handshake while a user joins the network.

Alternatives to WPA2-PSK

WPA2-PSK is secure enough for a home network as users can change passwords when they doubt that an unintended person is using it.

However, if users can not compromise with security, then WPA2-Enterprise can be used to provide different passwords to each participant and not allow access to the network as a whole. It isolates the network per user. The requirement of RADIUS in 802.1x implementation makes it complex, but for more security, 802.1x can be used, which allows authentication through certificates instead of credentials.

Secure Your 802.1x Network with WPA2 EAP-TLS Authentication

The larger organization can adopt WPA2 Extensible Authentication Protocol over Transport Layer Security. It uses AES encryption but adds username and password authentication. A user without a registered account or whose account is disabled cannot access the wireless network. The wireless network can be impenetrable to over-the-air attacks by certificate-based authentication that relies on EAP-TLS with server certificate validation. The unauthorized user cannot access the information being sent for authentication through an encrypted EAP tunnel, and the identifying information is only sent to the correct RADIUS through the server certificate validation process.

The implementation of WPA2 EAP-TLS can be an issue due to its complexity with its initial design and configuration. It can also be resource-intensive as it requires setting up and management of a  Public Key Infrastructure.

Secure your network with WPA3

WPA3 removes the security issue by using individualized data encryption. If WPA3 is enabled and the user connects to an open Wi-Fi network, then the data transmitted between the device and the Wi-Fi access point will be encrypted. Even at the time of connection, the user does not enter any password.

Conclusion

Security is essential in this connected world. Our data should be secured and can only be accessed by the intended person. In today’s world of wireless networks, we should configure our network security to the latest so that no one can penetrate our network. Users should use WPA3 to improve the authentication and encryption while making the connection easier. WPA3-SAE (Simultaneous Authentication of Equals) replaced the WPA2-PSK authentication process. WPA3-SAE uses a 128-bit encryption key and Forward secrecy protocol to resist offline dictionary attacks while improving key exchange security without any additional complexity. On the other hand, WPA2-Enterprise is replaced by WPA3-Enterprise, which uses a 192-bit encryption key and a 48-bit initialization vector as requested by sensitive organizations.

About the Author

Shorya Goel is a Consultant at Encryption Consulting, working with PKIs, HSMs, and working as a consultant with high-profile clients.

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Read time: 7 minutes

In today’s world, all the applications or software utilized by users are virtualized and downloaded from a docker container. One fear many users have is that it might be possible that attackers tampered with the file that users are downloading from the container and have injected a malicious script or malware in it. If this is the case, whenever any person downloads and executes it in their system, the system gets affected by the attacker’s malicious script.

The Necessity for Docker Image Signing:

If an organization is providing a software/product to their customer, then how can the customer verify it is not tampered with? To provide customers with peace of mind on this subject, an organization can put their trusted signature on the software/product. If someone tries to tamper with the code, the signature gets changed. This is where image signing comes into the picture. Image signing is where an organization can sign their image before they push it to the container so that the customer can use it safely.

Similar to how malicious activity can be caught by code signing, when a user tries to install or execute the file, the signature will first be verified. If the organization’s image signing certificate is not found then it will stop the user from proceeding.

What is Docker Image Signing?

Docker image signing is the process of digitally signing docker images to confirm the software author’s identity and provide assurance that the code has not been altered or compromised.

How does Docker Image Signing work?

The way image signing works can be broken into two parts:

  1. At the server or developer side
  2. At the client side

Firstly, we’ll discuss how the
process takes place on the server side:

Figure 1: Server Side
  1. The original image, i.e., the docker image the user wants to provide to customers safely, is firstly hashed by a hashing algorithm, because it’s practically impossible to reverse a hash.
  2. The hashed docker image we get is then signed by the private key of the developer.
  3. The signed hash docker image is then packed with the original image and digital certificate, which together are also known as an image signing certificate.
  4. Now, it can be uploaded or transferred to the customer.

Now, let’s go through how the process takes place on the client side.

Figure 2: Client Side
  1. The original docker image is passed through a hashing algorithm, to get the hash of the image.
  2. The public key is extracted from the certificate and applied to the signed hash of the docker image to extract the hash of the image.
  3. Both the hashes created from steps 1 and 2 are compared, and if both the hashes are the same then the image has not been changed and the signature is considered valid.
  4. At the same time, the image signing certificate is checked to ensure it was signed by a trusted CA. The expiry date of the image signing certificate is checked, and certificate is also checked against the revocation lists to ensure it is valid.

Weaknesses of Docker Image Signing

There are several weaknesses to image signing, as well, including:
Improper management of the private key created at the beginning of the Image signing process can result in insecurity of the software being sent. If a legitimate private key is stolen, then the attacker can encode their malicious software with the private key, which will tell the user that the software is safe to use, even if it isn’t.

Threat actors can obtain a trusted certificate, but what deters most attackers is the need to provide identification information to obtain a certificate. If malicious software is distributed with a legitimate certificate, the developer can be identified and stopped.

Note: If the user allows the installation of the software, even if the Operating System says it is not a signed image, then image signing is rendered useless.

To prevent these weaknesses, there are best practices that should be followed:

For the protection of encryption keys, Hardware Security Modules, or HSMs, should be used. An HSM is a specialized, highly trusted physical device. It is a network computer that performs all the major cryptographic operations including encryptiondecryption, authentication, key management, key exchange, etc. They are tamper-resistant and use extremely secure cryptographic operations.

Along with HSMs, the principle of least privilege should be used with keys, to ensure only users who need the key have access to it.

Finally, caution should always be used with image signing. Only download and install software that is image signed by a trusted CA.

Future of Code Signing

As we can see in today’s world, security and trust are a major part of any organization to growth. Every organization wants to save its data and provide secure data to its clients. Various malicious activities are occurring daily, so image signing is going to increase exponentially. Every organization needs to put code signing and image signing into practice.

Our offering of Code Signing

Our product, CodeSign Secure, provides a secure and flexible solution to an organization’s code signing needs for signing Windows, Linux, Macintosh, Docker, and Android/iOS apps.

Our framework can be extended to protect any other code or document as requested by our customers.

  • The keys are protected by your choice of HSM, – nCipher, Utimaco, Safenet.
  • Policies and workflows are defined to secure and streamline your job submission and approval process.
  • Your existing virus and malware scans can be integrated systematically.
  • Developed on an open REST API, allowing for custom integrations and requirements.

Conclusion

Data is crucial in this connected world, where code signing can be used for the verification of data. Tampered data can lead to a severe loss and thus should not be trusted. Software should also show a warning or completely block the user from installing software with untrusted certificates. A signed software or application can achieve a trusted network of users, devices, and programs.

To learn more about CodeSign Secure, visit our website: www.encryptionconsulting.com/code-signing-solution/

About the Author

Shorya Goel is a Consultant at Encryption Consulting, working with PKIs, HSMs, and working as a consultant with high-profile clients.

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Table of Contents

What’s is a Container?

A container is a standard, standalone software unit that encapsulates code with its dependencies so that an application may operate rapidly and consistently in various computing environments. Containers are a type of virtualization for operating systems. All of the necessary executables, binary code, libraries, and configuration files are contained within a container. A single container can handle a small microservice to a larger application. Containers do not contain operating system images. As a result, they are more lightweight and portable, with less overhead. Container images are stored in containers. These images are layers of files rather than actual images, with the base image serving as the starting point for constructing derivative images. As a result, the base image is the most critical to secure.

What is Container Management, and How can it help you?​

Container management is a method of automating container development, deployment, and scalability. Container management allows for the large-scale addition, replacement, and classification of containers. This is usually accomplished by analyzing and safeguarding all of the images that your team downloads and builds. To assign role-based assignments, automate policies, reduce human error, and discover vulnerabilities, private registries and metadata are employed.

Importance of Container Security​

Containers provide some inherent security benefits, such as enhanced application isolation, but they also broaden a company’s danger landscape. Organizations may face increased security risks if they fail to understand and plan specific security procedures related to containers.

Container deployment in production environments has increased significantly, making containers a more desirable target for attackers. Additionally, a single vulnerable or exploited container could become a point of entry into a company’s infrastructure.

With the increase in traffic across the data center and the cloud, few security controls are in place to keep track of this major source of network traffic. As the conventional network security solutions do not guard against lateral threats, all of this emphasizes the significance of container security.

How to Secure a Container?​

The Application Container Security Guide, issued by the National Institute of Standards and Technology (NIST), describes various essential techniques to secure containers. The following are some significant points from the NIST report:

  • To reduce attack surfaces, use the container-specific host OS: NIST recommends using the container-specific host operating systems. They are specially designed only to run containers with reduced features that help minimize attack surfaces.
  • Group containers based on purpose, sensitivity, and risk profile: Grouping of containers helps an organization make it difficult for the hacker to access one of the groups to extend the compromise to others.
  • Use vulnerability management and runtime security solutions: When it comes to containers, traditional vulnerability testing and management technologies often have blind spots, leading to erroneous reporting that everything is fine regarding container images, configuration settings, and others. Maintaining runtime security is an important aspect of container deployments and operations. Traditional perimeter-oriented tools, like Web Application Firewalls (WAFs), intrusion-prevention systems (IPS), were not explicitly designed for containers and cannot defend them properly.

Docker Container Security Best Practices​

Docker, a market leader in containerization, offers a container platform for developing, managing, and securing applications. Customers can use Docker to deploy both traditional applications and the latest microservices from any location. You must ensure that you have enough protection, just as you would with any other container platform.

There are some best practices for Docker security:

  • To avoid malware, only use images from credible sources.
  • Reduce your attack surface by using thin, short-lived containers.
  • Limit SSH access by enabling troubleshooting without logging in.
  • Sign and Verify Docker Images.
  • Do not include sensitive data in Docker images.
  • Detect, fix and monitor open source vulnerabilities.

Kubernetes Container Security Best Practices​

Kubernetes is a portable and scalable open-source platform for managing containerized workloads and services. While Kubernetes provides security capabilities, you’ll need a dedicated security solution to keep your cluster safe, as attacks on Kubernetes clusters have increased.

There are some best practices for Kubernetes security:

  • Ensure that Kubernetes is up to date: Kubernetes is a container orchestration system with over 2,000 contributors and is frequently updated. Vulnerabilities are being identified and patched more regularly. It’s important to keep updated on Kubernetes versions, particularly as the technology evolves.
  • Restrict SSH Access: Restriction of SSH access to your Kubernetes nodes is another simple and important security policy that should be implemented in your new cluster. You should not leave port 22 open on any node, but you may need to troubleshoot problems. You can use your cloud provider to set your nodes to block all access to port 22 except through your company’s VPN.
  • Establish Security Boundaries by using namespaces: Isolate components by creating different namespaces. When different workloads are deployed in separate namespaces, it becomes much easier to apply security rules.
  • Regular auditing and monitoring: Ensure that audit logs are enabled and should be monitored for abnormal or unwanted API requests, particularly for any authorization failures. Authorization failures indicate that an attacker is attempting to use stolen credentials. Managed Kubernetes providers, such as GKE, provide access to the data through their cloud console and may allow you to set up alerts for authorization failures.

AWS Container Security Best Practices​

AWS understands the importance of containers in enabling developers to deploy applications more quickly and consistently. So, they offer a scalable, high-performance container orchestration, Amazon Elastic Container Service (ECS) and Amazon Kubernetes Service (EKS), that supports Docker containers.

There are some best practices for AWS container security:

  • Environment Tests: Perform environment tests with the help of tools such as Prowler to confirm that the environment is working as intended before deployment tackles the security threats. AWS shared responsibility model means that users should keep the environment secure, monitor container security, and regulate network access.
  • Unnecessary Privileges: Allowing unrestricted access or granting rights to the containers themselves increases the risk of security breaches. The more default access anything has, the greater the risk of a container being compromised. It also makes it more difficult to trace the entry point for a breach.
  • Focusing on Container: When it comes to securing the ecosystem, don’t make the mistake of focusing solely on the containers. The hosts that run the container management system are also important. Assess the security of all components, scan vulnerabilities regularly, monitor threats and keep the system up to date.

Microsoft Azure Container Security Best Practices​

There are some best practices for Microsoft Azure container security:

  • Private Registry: Images from repositories are used to create containers. These repositories might be part of a public or private registry. The Docker Trusted Registry, which may be installed on-premises or in a virtual private cloud, is an example of a private registry. You can also use Azure Container Registration, which is a cloud-based private container registry service. Publicly available images might not be secured as images are made up of multiples software layers, each of which can be vulnerable. So, you should store and retrieve images from a private registry, such as Azure Container Registry or Docker Trusted Registry, to help reduce the threat of attacks.
  • Secure Credentials: Containers can be distributed across multiple Azure regions and clusters. As a result, credentials such as passwords or tokens are required for logins or API access must be kept secure. Only privileged users should have access to those containers while in transit or at rest. All credential secrets should be inspected, and developers should use emerging secret-management tools designed for container platforms.
  • Monitor and Scan Container images: Utilize solutions to analyze container images stored in a private registry for potential vulnerabilities. Azure Container Registry optionally integrates with Azure Security Center to scan all Linux images pushed to a registry. The integrated Qualys scanner in Azure Security Center detects image vulnerabilities, classifies them, and provides mitigation guidance.

About the Author

Shorya Goel is a Consultant at Encryption Consulting, working with PKIs, HSMs, and working as a consultant with high-profile clients.

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Table of Contents

Overview

Encryption is the best option for an organization’s data security, which is why almost every business uses encryption to protect their data as they’ve realized how important it is. However, it must be remembered that managing encryption keys remains a challenge for the vast majority of people.

Implementing the Key Management Interoperability Protocol is the best solution to deal with a situation where data exchange is required between different key management servers and clients. It allows data to be sent in an interoperable manner between different management servers and the client’s system.

Development of KMIP

KMIP was developed by OASIS (the Organization for the Advancement of Structured Information Standards).

The primary purpose of KMIP was to define an interoperable protocol for data transfer between the various servers and consumers who may use these keys. It was first utilized in the storage division to exchange important management messages between archival storage and the management server. However, security concerns grew over time, requiring better encryption and a centralized key management system capable of uniting all moving parts inside an organization.

What is KMIP?

KMIP is a protocol that allows key management systems and cryptographically enabled applications, such as email, databases, and storage devices, to communicate. KMIP streamlines the management of cryptographic keys for organizations, removing the need for redundant, incompatible key management systems.

KMIP is an extensible communication protocol for manipulating cryptographic keys on a key management server that defines message formats. KMIP makes data encryption easier by simplifying encryption key management. On a server, keys can be generated and subsequently retrieved, sometimes wrapped or encrypted by another key. It also supports various cryptographic objects such as symmetric and asymmetric keys, shared secrets, authentication tokens, and digital certificates. Clients can also ask a server to encrypt or decrypt data without directly accessing the key using KMIP.

The key management interoperability standard can support both legacy systems as well as new cryptographic applications. In addition, the standard protocol makes it easier to manage the cryptographic key lifecycle, including generation, submission, retrieval, and termination.

How Does KMIP work?

KMIP is an open standard-based encryption and cryptographic key management system that standardizes and creates a universal language to communicate. In the absence of KMIP, different organizations use different languages for different purposes, which requires different security communication lines and results in increased costs for operations, infrastructure, and training.

The Key Management Interoperability Protocol ensures that a single language is used across different management environments without impacting performance.

The common interface provided by the Key Management Interoperability Protocol eliminates redundant and incompatible key management processes and enables more ubiquitous encryption. Furthermore, it provides easy and secure communication among different cryptographically secure applications.

Not only does KMIP ensure the security of critical data, but it also makes it easier to handle various keys across different platforms and vendors. All of this improves the IT infrastructure’s cost-effectiveness.

KMIP Profile Version 2.1

The Key Management Interoperability Protocol is a single, extensive protocol for communicating between clients who request any number of encryption keys and servers that store and manage those keys. KMIP delivers enhanced data security while minimizing expenditures on various products by removing redundant, incompatible key management protocols.

The KMIP Specification v2.1 is for developers and architects who want to develop systems and applications that use the Key Management Interoperability Protocol Specification to communicate.

Within specific contexts of KMIP server and client interaction, KMIP Profiles v2.1 specifies conformance clauses that define the use of objects, attributes, operations, message elements, and authentication mechanisms.

Benefits of KMIP

  • Task Simplification: Organizations encounter a variety of issues while establishing IT security configurations. When many companies and technologies are involved, the situation becomes even more complicated. For example, the problem is significantly more complicated in the case of encryption and key management, as a separate key manager is required for each encryption. KMIP efficiently solves this issue by allowing a single key management system to manage all encryption systems, allowing organizations to spend their time and resources on more valuable business tasks.
  • Operational Flexibility: Different proprietary key management systems were required to manage encryptions before the deployment of KMIP. Organizations must collaborate with different vendors, each of whom has systems built for different situations and configurations. KMIP provides flexibility to the organization to utilize any key management system. KMIP enables the organization to integrate across cloud platform, edge, and on-prem systems with a single key manager.
  • Reduces the IT Infrastructure Cost: The hardware and software necessary to secure data are considerably reduced using a single KMIP-powered encryption key management system, lowering the total cost of owning security infrastructure. In addition, KMIP makes it easier to handle various keys across different platforms and vendors, improving the IT infrastructure’s cost-effectiveness.

Conclusion

With time, KMIP adoption and diversification became stronger. Technical and communications companies, universities, and libraries have been found to use KMIP to protect sensitive data. The robust security, effectiveness, and cost-efficiency of management of key lifecycle implementation and technology advancement show no sign of slowing down.

References:

About the Author

Shorya Goel is a Consultant at Encryption Consulting, working with PKIs, HSMs, and working as a consultant with high-profile clients.

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Read time: 14 minutes, 33 seconds

Before we go deep into the Zero Trust Security model, we should first analyze the model called a Castle-and-Moat model. The Castle-and-Moat model assumes that whatever is inside the organization, i.e., on-prem, is highly trusted, while the resources outside the organization are untrusted. The weakness of this model lies in its misplaced intense focus on external threats. When an organization extends its network to the cloud, there is a flaw in this model where users can have permission to create resources that the user can then mark public or private. If the user marks it as public, then it is considered outside the organization, while making it private makes it inside the organization. It is not, however, the same case on-prem. In recent years, high-profile attacks taught that external threats are usually the least of a company’s problems. Even secured attack surface can still be infiltrated. Still, insider threats are frequently overlooked.

There are more disadvantages of the Castle-and-Moat approach that include:

  • Providing permissions that are unclear or that can be overused.
  • Allowance of Bring Your Own Device (BYOD), which results in data leakage.
  • User authentication by passwords only.

This is where Zero Trust Security comes into the picture. The Zero Trust Model is based on the concept of “Trust No One,” whether it is inside of the organization or not. The Zero Trust Security model requires identity verification of every entity, whether it is a user or any network device trying to access private resources.

Cybercrimes are increasing day by day, so organizations need to be proactive about their data and network security. The Zero Trust Security model can be effectively used to secure data and networks from unauthorized access.

How does Zero Trust Security Work?

As hackers try to steal data regularly, data security is critical to a successful Zero Trust Model. The Zero Trust Security model focuses on increasing the organization’s data security, while integrating with current laws and providing the flexibility to adopt future security and privacy laws.

Data security is critical to an effective Zero Trust model, because hackers are constantly attempting to steal it. While all security safeguards are vital, there will always be a significant gap if data activity is not controlled.

Some areas need that need to be focused on for security purposes are:

  • Data Security: As data is a crucial part of every organization. The Zero Trust Security model protects the data by encrypting data-at-rest and data-in-transit before moving to cloud storage devices or any other devices. If a data breach occurs, even in with limited access to data, no one can read the data except the intended person.
  • Multi-factor authentication (MFA): The Zero Trust Security model validates the user based on multiple factors including location, device, permissions, and IP address.
  • Micro-segmentation: This security model splits the data centres into secure segments or zones based on different parameters like user groups, locations, etc. Segments can have their own security policies that can act as border control within the system.
  • Logs and Packet Analysis: This deals with determining the source of the abnormal activity and monitoring all activities around it. It also creates logs for every activity, and inspects and analyzes all the traffic and data.

Best Practices for Implementing Zero Trust

Some best practices should be considered while implementing the Zero Trust Security model:

  • Understanding the Protection Surface: Regulatory compliance standards and guidelines such as General Data Protection Regulation (GDPR), make it compulsory for organizations to identify and secure data accordingly. All regulatory compliance standards and the Zero Trust Security model share a common component: the organization’s sensitive data.
  • Mapping the Connections: A conventional network architecture diagram that depicts network traffic flow is insufficient. A complete map of the various connections throughout the network is required for the Zero Trust Security model to be effective. It requires a detailed mapping of applications currently in use, data associated with the applications, and data transmission connections with enough details to decide where security controls are needed.
  • Architecting the Network Using Micro-Segmentation: Popular information security tools such as Firewalls, intrusion detection, and prevention systems, deep packet inspection tools, and data loss prevention tools, can be used to implement a Zero Trust environment, but they must be updated to assess and regulate traffic across the stack.
  • Implementing Zero Trust Policies: Organizations must develop and implement policies about the appropriate traffic flow that should be accepted or denied and enforced on all networks. The following questions should be considered while implementing Zero Trust Policies:
    • Who is the user?
    • What resource does the user want to access?
    • Where are the requesting users and endpoints located?
    • Why does the user want to access the requesting resource?
  • Monitoring Traffic continuously: All resources and traffic in an organization should be continuously monitored for better security and to detect malicious activity. Monitoring of traffic should be automated so that it effectively monitors and blocks unwanted traffic.

Steps to Implement a Zero Trust Security Model

A Zero Trust model is based on the concept “Trust No One.” Instead of implementing security measures at the network border, it concentrates on bringing them as close as possible to the actual surface that must be protected. It also requires strong user authentication and validation of the device over the network. The following steps should be followed to implement a Zero Trust Security model in your organization:

  1. Identifying and Segmenting Data: One of the most challenging aspects of establishing Zero-Trust is determining which data is sensitive. The Zero Trust model requires micro-segmentation. Micro-segmentation is the process of dividing security perimeters into small zones so that different areas of the network can have independent access. A user who can access one of these zones should not be able to access another zone with the same authorization.
  2. Implement Multi-Factor Authentication: Since a Zero Trust Security model is based on the concept of “Trust No One, always verify,” it requires verification every time a resource needs to be accessed. For that, Multi-Factor Authentication is a fundamental component of a well-designed network security strategy. Multi-Factor Authentication operates by requesting further information for verification. One-time passwords (OTP) are one of the most typical Multi-Factor Authentication elements that users follow. There are three main types of Multi-factor Authentication Methods:
    • Knowledge: It refers to the things that users know, such as a PIN or Password.
    • Possession: Things that users have, such as a smart card, ATM card.
    • Inherence: Things that users have attached to themselves, such as fingerprints, iris scanning, etc.
  3. Implement the Principle of Least Privilege (PoLP): Enforcing least privilege helps to reduce the overall cyber-attack surface by limiting super-user and administrator privileges. Least privileges must be enforced on endpoints so that malware attacks will not exploit elevated rights to increase access and move laterally to install or execute malware or otherwise damage the machine.
    Access rights for applications, systems, processes, and devices can be restricted to to those permissions required to perform authorized tasks using the principle of least privilege.
  4. Validate all endpoint devices: Trust No One means No One, whether a user or a device. There must be a robust authentication procedure for the verification of the device also. Zero Trust Security can be achieved by extending the identity-centric controls to the endpoints. Any device used to access resources must be enrolled first for its identification and verification.
    By implementing the Zero Trust Security model, an organization can have better control over access to resources, like who can access what resource.

Principles of a Zero Trust Security Model

  • Strict Authentication Access: A Zero Trust Security Model is based on the concept of “Trust No One.” The organization should not trust anything inside or outside of it. According to the model, an attacker can be inside and outside the network, so the organization must authenticate and authorize access to every system.
  • Least Privilege Model: The Zero Trust Security model limits the user’s access only to the required resources based on their roles and can prevent the attacker from gaining full access to a large number of resources by getting access to a single account.
  • Documentation and Inspection: All activities must be assessed and authenticated under the Zero Trust approach. There must be a procedure that documents every action automatically. To detect any malicious activity running, the organization needs to analyze a complete picture of data accesses to guide better decision-making. It can also detect any malicious activity going on within the organization, like if any user tries to access the resource of another department not associated with them.

Benefits to a Zero Trust Security Model

  • User Identification and Access: The Zero Trust model uses multi-factor authentication (MFA) to access resources that are more secure than two-factor authentication. By making it mandatory for all employees and customers to verify their identity using Time-based One-time passwords, Google Authenticator, etc., only authorized users can access resources.
  • Robust Access Policy: The Zero Trust model uses micro-segmentation of data and resources, protecting critical data from unauthorized access. Splitting the organization’s network into segments, and each segment having its security policies, reduces the chances of attack by keeping vulnerable systems well-guarded. It can also mitigate insider risks.
  • Greater visibility across the Enterprise: The Zero Trust Security model is based on the concept “Trust No One.” When you’ve set up monitoring for all of your resources and activities, it gives complete visibility of who accesses your network with time, location, and which application was accessed.
  • Enhanced Data Security: A Zero Trust model restricts access to resources and reduces the attack surface through Robust Access Policy and User Identification and Access. By deploying the monitoring system, all ongoing activities are tracked.
  • Better User Experience: The Zero Trust model automates the verification process and makes it more efficient as users need not wait for approval for access requests.
  • Easy Cloud Migration: All organizations are moving to cloud-based solutions. The Zero Trust Security model provides a robust access policy and user identification process for cloud platforms, making it easier and more secure to migrate to the cloud.

Challenges of a Zero Trust Model

Following are some of the challenges and complexities associated with a Zero Trust model:

  1. Technical Challenges: The Zero Trust model requires micro-segmentation of data and resources and monitoring all activities in an organization. But most of systems are not capable of meeting the Zero Trust model’s micro-segmentation requirements.
  2. Legacy Systems: Legacy systems do not have a concept of least privilege, and the Zero Trust Security model requires multiple verification of the user trying to access resources. Based on the characteristics of legacy systems, monitoring network traffic is also nearly impossible due to the heavy encryption requirements of the Zero Trust model.
  3. Peer-to-Peer Technologies: Many systems, including Windows operating systems and wireless mesh networks, adopt the peer-to-peer (P2P) model, which works in a decentralized manner and breaks the micro-segmentation model of the Zero Trust model.
  4. Hybrid Cloud: The micro-segmentation model breaks when both cloud services, i.e., public and private, work together and unite to provide a common service, which in turn destroys the Zero Trust model.
  5. Moving from Silos to Data-Centric: The majority of systems in use are data silos that contain both sensitive and general information. Because the Zero Trust model relies solely on data for verification and access control, efficient segmentation is required. Currently, most systems require a larger architecture.

The road to a Zero Trust Security Model

Due to redefining and reengineering job roles and their classification, implementing the Zero Trust Security model might be challenging for an organization. Organizations require an entirely separate inventory service for better device monitoring, greater visibility into apps, multiple user authentications, and enforcing access control policies. All these efforts are required at the managerial level. The trust in users must be based on their identity, devices, and resources they want to access, instead of access attempts. An organization must implement Multi-Factor Authentication and User Behavioural Analytics to establish the required level of trust.

Services offered by Encryption Consulting

The Zero Trust Security model focuses on increasing an organization’s data security while integrating with the present laws and having the flexibility to adopt future security and privacy laws. An organization can get an encryption assessment from Encryption Consulting to know how strong the current encryption techniques implemented by your organization are,  how they can be improved, and what the encryption strategy should be. It can also help to know what privacy laws are currently followed by your organization.

Conclusion

On comparing the challenges and benefits of the Zero Trust Security model, we can conclude that the disadvantages are primarily related to the additional technicality necessary in the implementation phase. After implementing the Zero Trust model in an organization, it ensures greater trust within the organization and adds an additional security layer outside the organization. The only challenge associated with the Zero Trust model is how the organization adopts and implements it. Otherwise, it is an extremely effective cyber-security solution.

About the Author

Shorya Goel is a Consultant at Encryption Consulting, working with PKIs, HSMs, and working as a consultant with high-profile clients.

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Table of Contents

Importance of Digital Certificates in the PKI environment

Digital certificates are critical to any environment as they possess a greater degree of authorization with them. With this authorization power, it becomes very important to secure them with the utmost care. Many organizations care about certificates that are manually generated; however, they lack auto-enrolled certificates. Since the number of auto-enrolled and manually generated certificates exist in the hundreds of thousand, it becomes a quintessential need for organizations to manage all the certificates (auto-enrolled and manually generated) with the help of automation.

The Role of PKI in Digital Certificate Management

For many customers, the role of Public Key Infrastructure (PKI) is to process workflow for manually generated certificates and auto-enroll the rest of the certificates through group-policy in the Microsoft PKI environment. Some customers may see auto-enrollment through group-policy as a certificate management feature of PKI, however, when you look in-depth you see that it’s just the functionality provided by the Microsoft PKI environment. The true definition of certificate as well as key management is when the certificates and keys are managed from enrollment to revocation. This means that both (certificate and keys) are managed through their entire lifecycle process, including inventory and reporting, all the way through the revocation of certificates, when the certificates are no longer needed, or potentially compromised. Skill gap is another factor which contributes to the inefficiency of certificate management as it requires specialized skills to manage the certificate & keys through their entire lifecycle. Based on the above understanding, we can state that it is requisite to monitor the issuance of certificates in your PKI environment to ensure that the certificate issuance process is secure, efficient, and customized as per your organization’s requirement.

Types of Digital Certificates exists in your PKI environment

As we discussed, certificates possess a greater degree of authorization that results in gaining attention from bad actors like criminals with malicious intent, as these certificates provide them an increased level of access or the ability to impersonate a user. One of the most common certificate types that is susceptible to attack are machine certificates, as these are automatically issued to the devices in your network. There are hundreds of these types of certificates in the environment of an organization that could potentially be a risk in terms of unauthorized access to critical resources such as Wi-Fi access, VPN access, authentication for network access control systems, multi-factor authentication for single-sign-on applications, email encryption, Microsoft Azure WCF services, etc.

Considerations for effective Certificate Management

The following points should be considered while assessing the certificate management situation in an organization:

  1. The inventory of certificates in your environment is very critical. Also, the pattern of certificate issuance indicates normal or abnormal behavior from the certificate generation perspective.
  2. The issued certificates are used for the purpose for which they are issued. PKI administrators should always keep an eye on their PKI environment for any discrepancy with respect to certificate usage.
  3. As every certificate has a key usage field, this should be correctly chosen, as a misconfigured certificate template in the PKI domain would create complete chaos and might result in organization-wide risk and loss.

Risk with Unmanaged Certificates

There is a saying that if you can’t see the risk, it doesn’t mean there is none. PKI administrators sometimes ignore the risks based on the fact that they don’t see any immediate problem because of this. Also, some minor issues in the PKI go unnoticed in the initial stage that create bigger issues in the future. To avoid this, PKI admins must have tools deployed to detect and manage these issues in order to establish and maintain a healthy PKI in their environment.

The following are risk avoidance actions that can be taken by the PKI team for certificate management:

  1. Certificates are issued based on certificate standards that vary with time. This requires the need for continuous audit of your PKI environment and all the certificates issued by the PKI. At times, certificates are issued based on old certificate standards, for example the key length of 2048-bit keys are still active even though the new standard states that a key length of 4096-bit is more secure. PKI admins must have an inventory of all those certificates (with key length of 2048-bit) to address all of them in a single attempt.
    When there is a requirement to replace or re-issue the certificates in bulk, the ability to automate this transaction efficiently can help improve security response time. The same scenario is applicable when a critical vulnerability is identified and the admin must extract the certificate inventory at risk to remediate those within a short span of time.
  2. At times, there are small misconfiguration issues in certificates which can cause critical and large-scale issues. For example, a PKI admin has issued 10,000 certificates with a validity period of 10 years, and later on the validity period has to change based on some compliance policy. Now, there has to be a centralized and quick way to locate these certificates to remove them from the environment to remediate & recover from this situation. It is significant to monitor the certificate issuance process and issuance policies to identify issues. Also, having a monitoring tool in place enables the quick detection of issues if they arise.
  3. Rogue certificates do exist and get issued in the PKI environment. These rogue certificates lead to disastrous results if not dealt with properly. To counter rogue certificates, PKI admins must have an accurate inventory of all the legitimate certificates issued in the PKI environment so that centralized action can be taken, if required, to replace, re-issue, or revoke them.Till now, we have discussed many situations that may happen in any organization and could lead to unexpected results or outcomes. These include PKI issues, skill gaps on PKI, and lack of centralized management for digital certificate and key lifecycles. Effective management of all digital certificates and keys in a PKI environment requires the appropriate management tool and resources in place to mitigate the risks associated with PKI expeditiously and reliably.

About the Author

Shorya Goel is a Consultant at Encryption Consulting, working with PKIs, HSMs, and working as a consultant with high-profile clients.

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Let's talk