Page 51 – Encryption Consulting

Enabling LDAPS with Microsoft PKI

LDAPS is one of the most crucial functionalities to properly protect and secure credentials in your PKI environment. By default, LDAP communications between client and server applications are not encrypted. This means that it would be possible to use a network monitoring device or software and view the communications traveling between LDAP client and server computers. This is especially problematic when an LDAP simple bind is used because credentials (username and password) are passed over the network unencrypted. This could quickly lead to the compromise of credentials.

Prerequisites

A functional Microsoft PKI should be available and configured. While viewing PKIView.msc, no errors should appear

If you need help in deploying your own PKI, you can refer to this article to build your own Two Tier PKI

Installing AD LDS

This step should be carried out on LDAP Server or on Domain Controllers which would be responsible for hosting LDAPS service.

Open Server Manager
From manage, open Add Roles and Features
On Before you Begin, click Next

On Installation type, ensure Role based or feature based installation, and click Next

On Server Selection, click Next.

On Server Roles, click Active Directory Lightweight Directory Services, and click Add Features, and then click Next

On Features, click Next

On AD LDS, click Next

On Confirmation, click Install

Post Installation, AD LDS needs to be configured

Configuring AD LDS

Run AD LDS setup wizard. Click Next on first page.

Ensure unique instance is selected, and click Next

Provide Instance name and Description, and click Next

Leave default ports and click Next

If AD LDS is installed on domain controller, then LDAP port would be 50000 and SSL port would be 50001

On Application Directory Partition, click Next

On File locations, click Next

On Service Account Selection, you may leave it on the Network service account, or choose a preferred account that can control LDAPS service

On AD LDS administrators, leave the current admin, or choose another account from the domain

Choose all LDF Files to be imported, and click Next

On Ready to Install, click Next

After Installation, click Finish

Publishing a certificate that supports Server Authentication

Login to the Issuing CA as enterprise admin
Ensure you are in Server Manager
From the Tools menu, open Certificate Authority

Expand the console tree, and right click on Certificate Templates

Select Kerberos Authentication (as it provides Server Authentication). Right click and select Duplicate Template. We can now customize the template.

Change Template Display Name and Template Name on General tab. Check Publish Certificate in Active Directory. This will ensure that the certificate appears when we enrol domain controllers using that template

On Request Handling, check Allow private key to be exported.

On the Security tab, provide Enroll permissions to appropriate users

Click Apply

Issue the Certificate on Issuing CA

Login to the Issuing CA as enterprise admin
Ensure you are in Server Manager
From the Tools menu, open Certificate Authority

Expand the console tree, and click on Certificate Templates

On the menu bar, click Action > New > Certificate Template to Issue

Choose the LDAPS certificate

Click OK and it should now appear in Certificate Templates

Requesting a certificate for Server Authentication

Log into LDAP server or domain controller.
Type win+R and run mmc
Click File and click Add/Remove Snap-in

Choose Certificates and click Add

Choose Computer account

If the steps are followed on LDAPServer where AD LDS is installed, click Local computer, or choose Another computer and choose where it would need to be installed

Expand the console tree, and inside Personal, click Certificates

Right click on Certificates and click All Tasks and select Request New Certificate

Follow the instructions, choose LDAPS template that we issued earlier and Install.
Once Installed click Finish

Open the certificate, and in Details tab, navigate to Enhanced Key Usage to ensure Server Authentication is present.

Validating LDAPS connection

Login to LDAP Server as Enterprise admin
Type win+R and run ldp.exe
On the top menu, click on Connections, and then click Connect

In server, provide domain name, ensure SSL is checked and proper port is provided and click OK

No errors should appear. If connection was unsuccessful, the following output may appear

Conclusion

This should enable LDAPS which can be used to properly protect credentials used in your PKI environment as well as enable other applications to use LDAPS.

If you need help with your PKI environment, feel free to email us at [email protected].

What are the basic elements required for code signing?

Trust is crucial in the software-driven society we live in. But how can we tell which software to rely on and which to avoid? We can thank code signing for that.

Developers use code signing to demonstrate a piece of software’s legitimacy and ensure that it originates from a reliable source and hasn’t been tampered with. Cryptography, more especially a certificate known as a code signing certificate, is necessary for code signing.

Customers should constantly be on the lookout for third parties posing as software providers while downloading software from the Internet. Software may be ensured that it is coming from the right source with the use of a tool like code signing. To ensure that consumers are receiving software that accomplishes what its creator claims it will, code signing is a process where a software developer or distributor digitally signs the file being sent out. The signature indicates that the code has not been altered from its original state.

Benefits of Code Signing

Code signing is a technique for adding a digital signature to a program, file, software update, or executable so that, upon installation and execution, its validity and integrity can be checked. It ensures to the receiver who the author is and that it hasn’t been opened and tampered with, much like a wax seal. To demonstrate, for instance, that your Windows 10 update genuinely came from Microsoft and not a hacker attempting to breach your machine, Microsoft developers, programmers, and software engineers utilize code signing.

You can be confident that you are downloading a file from a legitimate author or publisher and not from an attacker trying to steal your personal information and data thanks to code signing. In essence, it informs you that a bad guy hasn’t changed the code so you know it’s safe to install and run on your machine.

If you’ve ever seen the small window that appears when you attempt to launch a software you’ve downloaded, the one that asks, “Are you sure you want to run this? ” and identifies the publisher, then you know what I’m talking about. then you have experienced code signing. That dialogue box informs you that the patch for your Mac OS X is authentic and still in the same state as when it was signed by Apple Inc.

What Does Code Signing Do?

As a user, code signing serves a few distinct purposes that might assist you in determining if you should trust software downloads and other online interactions. Code signing is mostly used to verify the authorship of files, downloads, and software. For instance, you are more likely to install a download file supplied to you from Microsoft than one from any other source since it will seem to be much more reliable.

There will inevitably be updates for the software you install on your computer in the future. You may be sure that subsequent updates have come from the same source and are secure to run on your computer when they are code signed with the same key that was used to “seal” your initial downloads.

How Does Code Signing Work?

From the perspective of a developer, code signing has three main parts: unsigned software files; code-signing certificates; and code-signing apps. Applications for code signing are typically included with operating systems like Microsoft Windows, Mac OS X, etc. Certificate Authorities are frequently the source of the code signing certificates (CAs).

Public Key Encryption

When you encode a message to shield it from unauthorized viewers, you are using encryption. Decoding the message depends on knowing the key that puts the values back to their original state, enabling the message to be read. Typically, this is done by running it through a mathematical function (referred to as a “key”) to alter values. The key that encrypts the message and the key that decrypts it is distinct in public key encryption (also known as asymmetric encryption) (hence asymmetrical). It is known as a “public key” system because only one key—the “public key”—is used to secure the communication, while the other—the “private key”—is kept secret.

Private keys must be kept secure, confidential, and out of the hands of anybody who would try to intercept or tamper with messages in order for this type of encryption to work. The kind of transmission determines whether the public key is used to encode or decode the message. Encrypt using the private key and decode with the public key if you want everyone to be able to read the message but don’t want anyone to tamper with it. You encrypt using the public key but decode with the private key if you want everyone to be able to send messages but don’t want them intercepted by the incorrect person.

Hash Function

A form of encryption called hash functions is intended to be irreversible. Hash functions are designed to be one-way, utilizing a mathematical function that modifies the data in a way that can’t be undone, as opposed to encoding with a key and using a key to decode. The most typical comparison is like mixing paint. As an illustration, mixing blue (the original values) and yellow (the hash function) will always result in green, but there is no way to separate the two colors and get back the blue.

When you require a set value and don’t need to read the data again, hash functions are utilized. The most prevalent example is login passwords, which are frequently hashed by websites for storage. If there is ever a breach, all the hacker has obtained is a collection of random numbers. The website hashes your password once again and compares it to the previously saved hash value when you log in. They let you in if the information you provided matches what is in their records. They only need to know the value; they don’t need to read the password itself.

Code Signing Certificates

Before the developers can sign their work, they need to generate a public/private key pair. This is often done locally through software tools such as ‘OpenSSL’. Developers then give the public key and the organization’s identity information to a trustworthy CA. The CA verifies the authenticity of identity information and then issues the certificate to the developer. This is the code signing certificate which was signed by CA’s private key and contains the developer organization’s identity and the developer’s public key.

Developers take all the code they produced and hash it when they’re ready to “sign” it to prove authorship. The output value is then encoded using the previously stated private key, which is often created by the author, as well as the code signing certificate, which contains the public key and the author’s identity (proving the authorship). The result of this procedure is then included in the program that will be distributed.

This is an instance of code signing. The majority of browsers and operating systems come with the public key of the CA pre-installed. When a user downloads the program, they first authenticate the legitimacy of the code signing certificate incorporated in the signed software to ensure it’s from a reliable CA using the CA’s public key. The encrypted hash is then decrypted using the developer’s public key, which is subsequently taken out of the certificate.

The program is then hashed once more, and the result is contrasted with the decrypted value. The program has not been tampered with or damaged during transmission if the hash values generated by the user and the developer coincide. The user is then informed that the program is in the same condition as when the developer last left it and that it is safe to install and execute if the developer can be believed.

Root Certificates

Code signing can provide you, the end user, confidence in the reliability and validity of the downloaded program. However, you should also be mindful that malicious actors may produce a code signing certificate and a public-private key pair to give the impression that they were authorized by a legitimate CA. How do you determine whether certificates are reliable if anybody can create a code signing certificate?

Root certificates have a role in this. Code signing certificates can be compared to a family tree. You may trace certificates back to discover which signing certificate—your root certificate—is at the root of the tree in order to confirm where they originated. Because you can follow the “chain of trust” back to the initial signing authority with the root certificate, you can tell whether the other code signing certificates are reliable.

A business like Apple or Microsoft might be considered the root authority. The system will warn you not to trust the certificate that was used to sign the program you are attempting to download if your software’s signing certificate is unable to locate a reliable root certificate. Even a trusted authority may occasionally fail to be recognized if it is not installed on a browser or in the trust store of an operating system. For the browser or operating system to accept the root certificate as reliable and valid in these situations, you will need to manually put it on your trust store.

What Are the Types of Digital Certificates?

Different systems require different types of authentication. What works on a desktop is likely unsuitable for mobile systems and vice versa. Here are a few examples of the different certificates for both desktop and mobile software.

Desktop Certificates:

Microsoft
Java
Microsoft Office and VBA
Adobe AI

Mobile Certificates:

Windows Phone
Windows Phone Private Enterprise
Java Verified
Android

If you’re looking to sign and secure your software, you should first know what kind of software or system you are starting with and work from there.

What is the Use of a Digital Certificate?

A digital certificate is meant to provide the software or code you’re distributing to your users with an identity. Users can verify the program publisher using a digital certificate. Because these digital certificates are issued by certificate authorities, users have more faith in the publishers. The ability to track their product and the number of downloads gives digital certificates to software providers a lot of additional value.

How Long is a Digital Certificate Valid?

How long a certificate is valid is another typical query from those trying to obtain their own digital code signing certificate. Digital certificates normally only have a year or two of validity, however, the actual duration might vary depending on the issuer.

This validity is brief for the following two reasons:

Private keys and security certificates may and do become hacked. Any prior certifications, even those that have been stolen, become invalid upon renewal and change every year or two.

Technology is evolving at an even quicker rate than the rest of the globe. Five years ago, what was secure is no longer nearly as secure. Code signing certificates can be updated and changed to keep the certificate security current.

Where is Code Signing Used?

Code signing is used any place a developer wants a user to be sure of the source of a piece of software. This includes:

1. Windows applications and software patches

2. Apple software

3. Microsoft Office VBA objects and macros

4. .jar files

5. .air or .airi files

6. Essentially any executable

Be aware that, because of the distributed nature of Linux development, code signing is often not used for Linux-based software, so that software may come unsigned. If that happens, your computer will (if it gives any notice) will tell you it’s from an “unknown developer,” or something along those lines. Here are a few other applications and software that utilize code signing to increase their security.

iOS: Code signing in iOS for the App Store is done using Xcode. The purpose of signing your app is simply to let iOS know who signed the app originally and to make sure it hasn’t been altered since it was originally signed by the developer. If you need to revoke your iOS certificate, you will need to use your developer account or Xcode to complete the process.
Xcode: Xcode is used by iOS to code sign apps and ensure their security. Before any device can be uploaded and approved for the iTunes store it must have a valid Apple Developer ID with a valid certificate or profile. To successfully integrate your app, you will need to use a development certificate. In order to run the app on any device, you must use a distribution certificate to send out the app and test it.
C#: Visual C# uses strong name signing to get a unique sign code that is not available to anyone else in the world and cannot be spoofed. When using Visual C#, you can simply sign your deployment using the sn.exe tool. This functions as your signature by using sig check tool printing “Strong Name: Signed.”
Windows Certificate: Nearly any executable can be signed with a digital signature to verify the security and integrity of the file. For the file to be considered secure in Windows, it must be signed by a recognized certificate authority. Anyone who distributes malware under a valid certificate is held legally accountable for the software they distribute.
Visual Studio: Visual Studio is particularly helpful when it comes to strong name signing for assemblies—a notoriously difficult task. Strong name signing through Visual Studio allows other computers to trust the software developer.

Enable certification Authority Advanced Audit Filter to create a secure architecture in your organization

Setting up Audit is one of the key aspects of any security architecture. For ADCS, logging is important as well. You may enable and set up Active Directory Certificate Services auditing using the instructions given in this article.

First thing First!

The first step is to ensure that auditing is enabled on your ADCS servers.

For this, Run the auditpol command and make sure “Registry” and “Certificate Services” advanced auditing are turned on.

Wait, but what is auditpol?

Windows captures logs of all kinds which may not be useful to us and cause a lot of confusion and loss of focus. To address this, Microsoft has introduced auditpol. Auditpol is used to categorize granually these logs at user level.

Remember to refresh the group policy after you have enabled it!

Some more examples to use auditpol are shown below :

Example 1

Example 2

In our ADCS use case we will use:

auditpol /get /category:*

The next step is to enable monitoring using the ADCS snap-in.

To do this, perform the following steps on the ADCS server.

Open Server Manager
Select Tools -> Certificate Authority
Right-click the CA name and select Properties.
Select monitor
Enable required monitoring settings
Backing up and restoring the CA database
Change CA configuration
Change CA security settings
Issuing and managing certificate requests
Revoke certificates and publish CRLs
Storing and retrieving archived keys
Starting and stopping the ADCS

The next step is to enable the certificate template changes using the certutil command.

certutil –setreg policy\EditFlags +EDITF_AUDITCERTTEMPLATELOAD

Some changes can be made directly through the registry, so registry auditing should be enabled. For this you need to:

Open regedit on the ADCS server
Find below Registry Key
HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\
Right click on Configuration and select Permissions
Click Details
Select Monitoring and click Add
Set the principal to Authenticated Users and configure the following permissions:
set value
create subkey
fire extinguishing
write DAC
write owner
read control

Restart the server and see your changes. After rebooting, you will see various event IDs in the security log.

Reboot your server and verify the changes. After the reboot, you should see different event IDs in your Security logs.

Now we have the ADCS auditing up and running.

You can also sieve the audit logs via Azure Arc and Azure Sentinel as well using “Data Collector Rules” in MS Azure.

How CodeSign Secure Revolutionized Workflow for a Financial Institution

Company Overview

This financial institution is a leading entity in the finance sector, known for its comprehensive array of services, such as retail banking, investment banking, and asset management. It has built a strong reputation for implementing stringent data protection measures, using innovative technologies to safeguard client data against cyber threats. These measures include multi-layered encryption, regular security audits, and continuous monitoring of their IT infrastructure to prevent unauthorized access and data breaches.

However, the institution faces significant challenges in its code signing practices, which are critical for ensuring the integrity and authenticity of its software applications. The current manual code signing processes are time-consuming and prone to human error, leading to potential security vulnerabilities.

Additionally, the institution’s practices around the storage of private keys are not fully secure, with these keys sometimes stored in less protected environments. This inadequate safeguarding of private keys could potentially allow unauthorized access to the keys, thereby compromising the security of the software distribution process.

The organization is exploring solutions to overhaul its code signing practices by adopting automated tools and more secure key management systems. This will enable it to maintain its high security and trust standards, ensuring that all software releases meet the stringent security requirements expected by its clients and regulators in the financial industry.

Challenges

Theft of Code Signing Keys
Private code signing keys can be a juicy target for cyber attackers. Improperly protected keys are dangerous. Stealing private code signing keys allows intruders to disguise malicious software or malware as authentic code. Worse, there are limited revocation mechanisms in code signing systems, which makes the threat of stolen private keys even worse.
Compliance Requirements
Secure code signing provides an audit trail. DevSecOps embraces transparency and accountability. Signed artifacts facilitate compliance with regulatory requirements. For example, a company must comply with a regulation that mandates data security. Signed code provides an audit trail that can show the software hasn’t been tampered with.
Lack of timestamping
Lack of timestamping was a major issue with this organization, which can lead to a detrimental security posture. Without time stamping, expiration/revocation of code signing certificates would lessen customers’ confidence in the same software product. Timestamps make sure that even if certificates lose their validity or are revoked for some reason, their signatures remain valid, secure, and trusted.
Misplaced trust in keys or certificates
Code signing verification is handled by cybersecurity experts who know there is no such thing as being careful about cybersecurity. However, an inexperienced expert could inadvertently use untrustworthy or unsuitable certificates and keys for code signing. Using insecure or untrustworthy certificates and keys makes the organization prone to dangerous cyber attacks. In addition, verifiers may allow users to extend trust to such certificates, which opens them up to vulnerabilities.

Solutions

Deployed CodeSign Secure with Thales HSM to store and manage private keys of code signing certificates. This mitigated the issue of the lack of centralized management for code signing certificates and the lack of administrative control due to its manual processes.
CodeSign Secure supported extensive file types, including Windows files like .exe, .dll, .msi, .cab, .ocx, RPM on Linux, Jar files, Mac OS software, Android and iOS apps, and Docker images. This eliminated the issue of very basic support for file types, mostly Microsoft and not RPM or Mac.
CodeSign Secure provided the anti-malware team with a trusted list of code-signing certificates for policy enforcement. It eliminated the lack of a documented assurance method to protect private code-signing keys. Furthermore, it mitigated the issue of insecure storage of private keys while they were placed in signing servers or the endpoint of user devices.
CodeSign Secure developed approval workflows and audit processes for key usage for different function units and metric reports. It eliminated the issue of the lack of capabilities to enforce security policies consistently.

Impact

We deployed CodeSign Secure with Thales HSM to store and manage the private keys of code signing certificates, which provided a centralized code signing solution.
CodeSign Secure supported extensive file types, including Windows files like .exe, .dll, .msi, .cab, .ocx, RPM on Linux, Jar files, Mac OS software, Android and iOS apps, and Docker images. This eliminated the issue of very basic support for file types, mostly Microsoft and not RPM or Mac. This provided a robust access control system integrated with LDAP.
CodeSign Secure provided the anti-malware team with a trusted list of code-signing certificates for policy enforcement. This provided customizable workflows to mitigate the risks of granting unauthorized users wrong access.
CodeSign Secure developed approval workflows and audit processes for key usage for different function units and metric reports, which enhanced the audit process for code signing certificates.

Conclusion

The introduction of CodeSign Secure has significantly transformed the code signing operations of this financial institution, streamlining workflows and enhancing security measures.

By adopting CodeSign Secure integrated with Thales Hardware Security Module (HSM), the institution has successfully centralized the management of code signing certificates and significantly mitigated the risks associated with storing and handling private keys. This system has addressed previous vulnerabilities and aligned the institution’s practices with stringent compliance and security standards.

The diverse compatibility of CodeSign Secure with various file types—including those used across different operating systems and applications—has broadened the scope of the institution’s digital security measures, eliminating previous limitations. Introducing a trusted list of code-signing certificates and robust policy enforcement capabilities has further fortified the institution against malware and other cyber threats.

Moreover, implementing structured approval workflows and detailed audit processes has drastically improved transparency and accountability within the institution’s code signing practices. These enhancements have empowered the financial institution to maintain high trust with its clients and regulators, safeguarding its reputation and financial integrity in a competitive and increasingly regulated sector.

In conclusion, CodeSign Secure has revolutionized the institution’s approach to code signing and set a new standard in the financial industry for managing digital security risks associated with software distribution and maintenance.

Microsoft PKI Cryptographic Service Providers That Every Organization Should Know About

Cryptographic Service Providers (CSPs) store, access and create cryptographic keys– the building blocks of PKI. In the case of certificates, what type of cryptographic service depends on the provider, different types of keys and key lengths are available with different providers. Different examples include RSA, Elliptical Key or a host of others such as DES, 3DES, etc.

For hardware solutions such as Smart Cards and Hardware Security Modules (HSMs), third party software is sometimes needed for optimal performance. Newer Next Gen KSPs and more standard Microsoft CSPs are listed below for a comparison.

Since there are so many different providers, it’s best to divide into groups based on all around capabilities in every use case. The below tables show different cryptographic methods from modern to legacy. In reviewing this list, the primary things being evaluated are what types of keys can be used, their size, protections, and compatibility.

Modern Microsoft cryptography providers

Provider Name & Type	Description	Purposes	Crypto	Default Microsoft Templates
Microsoft Software Key Storage Provider (CNG)	Standard windows software-based RSA and ECC provider.	Key Exchange Digital Signature Data Encryption	RSA ECC SHA1 SHA2	OCSP Response Signing (KSP Required, Provider not specific)
Microsoft Smart Card Key Storage Provider (CNG)	Supports smart card key creation and use	Key Exchange Digital Signature Data Encryption	RSA ECC SHA1 SHA2	None

Legacy Microsoft cryptography providers

Provider Name & Type	Description	Purposes	Crypto	Default Microsoft Templates
Microsoft RSA SChannel Cryptographic Prodvider (CAPI)	Supports hashing, data signing, and signature verification. The algorithm identifier CALG_SSL3_SHAMD5 is used for SSL 3.0 and TLS 1.0 client authentication. This CSP supports key derivation for the SSL2, PCT1, SSL3 and TLS1 protocols.	Key Exchange	RSA SHA1	CEP Encryption Computer Directory Email Replication Domain Controller Domain Controller Authentication IPSec IPSec (Offline) Kerberos Authentication RAS and IAS Server Router (Offline request) Web Server Workstation Authentication
Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider (CAPI)	Supports Diffie-Hellman key exchange (a 40-bit DES derivative), SHA hashing, DSS data signing, and DSS signature verification. Derived from Base DSS and Diffie-Hellman Cryptographic Provider. Adds support for RC2/4, DES and 3DES encryption	Digital Signature	RSA SHA1	Authenticated Session Basic EFS CA Exchange Code Signing EFS Recovery Agent Enrollment Agent Enrollment Agent (Computer) Exchange Enrollment Agent (Offline request) Exchange Signature Only Exchange User Key Recovery Agent Trust List Signing User User Signature Only
Microsoft DSS and Diffie-Hellman/Schannel Cryptographic Provider (CAPI)	Supports hashing, data signing with DSS, generating Diffie-Hellman (D-H) keys, exchanging D-H keys, and exporting a D-H key. This CSP supports key derivation for the SSL3 and TLS1 protocols. This CSP supports key derivation for the SSL3 and TLS1 protocols.	Key Exchange	RSA SHA1	Web Server
Microsoft Base Cryptographic Provider (CAPI)	A broad set of basic cryptographic functionality that can be exported to other countries or regions. No 3DES support. RC2/4 limited to 40bits.	Digital Signatures Data Encryption	RSA SHA1	Administrator Authenticated Session Basic EFS Code Signing EFS Recovery Agent Enrollment Agent Enrollment Agent (Computer) Exchange Enrollment Agent (Offline request) Exchange Signature Only Exchange User Trust List Signing User User Signature Only
Microsoft DSS Cryptographic Provider (CAPI)	Provides hashing, data signing, and signature verification capability using the Secure Hash Algorithm (SHA) and Digital Signature Standard (DSS) algorithms.	Digital Signatures	RSA SHA1	Authenticated Session Code Signing Enrollment Agent Enrollment Agent (Computer) Exchange Enrollment Agent (Offline request) Exchange Signature Only Trust List Signing User Signature Only

Deprecated Microsoft cryptography providers

Provider Name & Type	Description	Purposes	Crypto	Default Microsoft Templates
Microsoft Base Smart Card Crypto Provider (CAPI)	Derived from Microsoft Strong Cryptographic Provider. Communicates with Smart Card Modules (minidriver).	Digital Signatures Data Encryption	RSA SHA1	None
Microsoft Strong Cryptographic Provider (CAPI)	An extension of the Microsoft Base Cryptographic Provider available with Windows XP and later. Default RSA CSP. Cryptographic Provider. Supports all the same key lengths, but lacks configurable Salt length for RC encryption algorithms.	Digital Signatures Data Encryption	RSA SHA1	None
Microsoft Enhanced Cryptographic Provider (CAPI)	Derived from Base Cryptographic Provider. The Enhanced Provider supports stronger security through longer keys and additional algorithms. Can only generate 128bit RC2/4 keys, can import smaller	Digital Signatures Data Encryption	RSA SHA1	None
Microsoft RSA and AES Cryptographic Provider (CAPI)	Microsoft Enhanced Cryptographic Provider with support for AES encryption algorithms.	Digital Signatures Data Encryption	RSA SHA1	None
Microsoft Base DSS and Diffie-Hellman Cryptographic Provider (CAPI)	A superset of the DSS Cryptographic Provider that also supports Diffie-Hellman key exchange, hashing, data signing, and signature verification using the Secure Hash Algorithm (SHA) and Digital Signature Standard (DSS) algorithms.	Diffie Hellman (Key Exchange) Digital Signatures	RSA SHA1	None

Conclusion

In conclusion, Microsoft has a wide range of available cryptographic services, suitable for any application. With these tools, Encryption Consulting has worked with Top 500 companies to secure and update PKI solutions to ensure reliability and availability for cryptographic services.

How to seamlessly convert PFX encoded certificate file to PEM format using OpenSSL?

What is PKCS #12?

PKCS #12 is an archive file format used for storing multiple cryptography objects in a single file. The filename extension for PKCS #12 files is .p12 or .pfx. This format is often used to bundle a PEM certificate and its corresponding private key, along with any additional CA chain certificates.

What is a PFX file?

A .pfx file is a bag that can hold many objects with optional password protection; however, a PKCS#12 archive usually contains a certificate and the corresponding private key. The file can also include CA chain certificates as well. When creating a PFX file, a PFX password may be set to protect the contents of the file, ensuring that only authorized users can access the sensitive information it contains.

What is a PEM file?

PEM is a base64 encoded certificate placed between the headers —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—–. The following file extensions are possible for PEM certificates:*.pem, *.crt, and *.cer

How to convert PFX file to PEM format?

Scenario 1: Export private key and certificate files from PFX file

The following procedure will convert the PFX-encoded certificate file into two files in PEM format.

certconvert.pem – PEM file containing the SSL/TLS certificate for the resource.
privatekeyconvert.pem – PEM file containing the private key of the certificate with no password protection.

Prerequisites

We use an OpenSSL toolkit to convert a PFX encoded certificate to PEM format. For testing this scenario, we use a password protected PFX-encoded file – certificatepfx.pfx and a 2048-bit RSA private key.

Commands

For exporting key:

openssl pkcs12 -in certificatepfx.pfx -nocerts -out privatekeyconvert.pem -nodes

Snippet of output

For exporting certificate

openssl pkcs12 -in certificatepfx.pfx -clcerts -nokeys -out certconvert.pem

Snippet of output

Note: Optionally, we can also have CA certificate chain as a part of the PFX file. In order to export it from the PFX file we run the following command:

openssl pkcs12 -in certificate.pfx -cacerts -nokeys -chain -out ca-chain.pem

Scenario 2: Convert PFX file to PEM format

Execute the following command to convert the data in the certificatepfx.pfx file to PEM format in the convertcert.pem file. The PEM file contains all of the certificates that were in the PFX file, and each of the certificates is wrapped within headers.

Command

openssl pkcs12 -in certificatepfx.pfx -out convertcert.pem -nodes

Snippet of output

Conclusion

In order to use the certificate and private keys on another system in PEM format, you can convert the PFX file using the procedure mentioned above.

Why is mutual TLS (mTLS) authentication a necessity in an organization?

Mutual Transport Layer Security or mTLS is a process that starts a TLS connection that remains encrypted by both parties using X.509 digital certificates to authenticate each other.

MTLS also helps mitigate the risk of migrating services to cloud instances and helps prevent malicious third parties from mitigating.

What is TLS?

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a network of computers. Web services use this protocol to secure all communications between servers and web browsers. There are several applications of this protocol, such as web browsing, email, instant messaging, and voice over IP (VoIP).

How does TLS work?

TLS is how web browsers create secure connections to web servers. The web browser can trust the web server because of the trust of a third party (the Certificate Authority). But for this trust to work, the web browser must have an existing knowledge of this CA. This is also why a user’s device and web browsers come with preloaded certificates for many public CAs. These preloaded CAs form the connection or anchor of trust between web browsers and websites that a user visits or wishes to visit.

The following steps are essential for a web browser to trust the certificate that a web server provides successfully:

The CA’s public certificate should exist in the operating system or web browser. Thus, providing the anchor upon which all trust relations are made.
The web browser must provide the site’s domain name ownership with a requested certificate. Upon verification of the right, CA issues a new certificate and installs it on the web browser after digitally signing it using its private key.
When the web browser visits the website and starts a TLS connection, the web server sends its certificate to the web browser.
Now, the web browser uses the CA’s public certificate to check the signature of the received certificate. Once the verification is successful, the web browser knows it is connected to a web server with proven domain ownership.

What is mutual TLS Authentication?

Mutual or two-way authentication is a security process in which entities authenticate each other before an actual communication. In mutual authentication, a connection can only be established if both client and server trust and verify each other’s credentials. The client and server must provide digital certificates to prove identities. This certificate exchange occurs by TLS protocol to ensure clients communicate with legitimate servers, and servers respond to only clients who try to access for fair purposes.

Is mTLS a new protocol?

Mutual authentication is a part of the TLS standard and has been part of this specification since it was known as Secure Socket Layer (SSL). A web server that uses TLS to secure its traffic could be capable of mutual authentication. The server needs to ask the client for its certificate to implement mutual authentication, but most web browsers are not configured to do this by default.

Where is mTLS useful?

Mutual authentication can be used any time the server needs to ensure the authenticity and validity of a specific user or device. In practical applications, mTLS can be used for the following:
Users being authenticated into applications
Devices onto a corporate or private network
Content Delivery Networks (CDNs) or cloud security services onto backend servers
Internet of Things (IoT) sensors
Business-to-business (B2B) data exchanges that use various APIs.
Microservice architectures where each microservice must ensure that each component is communicating and valid.

How does Mutual Authentication Foster Application Security?

Many businesses are relocating to the cloud to utilize the benefits of multi-cloud platforms. But these communications are creating issues regarding security with various cloud instances. So, ensuring that only approved applications or processes can access these is essential. This issue can be addressed by leveraging mutual TLS Authentication. Mutual authentication is used either in conjunction with a password/ identity provider or alone to limit the range of certificates acceptable by a particular certificate authority. A client authenticates a website’s identity by validating the server’s and client’s credentials. For cloud-based instances, HTTP is the transport for API, enabling mutual authentication for components.

Benefits of mTLS

mTLS is a prevalent thing used as SSL became outdated. Several companies like – Skype uses mTLS to secure their business servers, and Cloudflare is a significant provider of PKI for mTLS. This is more important for cases where a user wants to secure traffic in both directions by making them encrypted. Many times, devices automatically login into some network and can access resources. Using TLS will ensure proper encryption, and without authentication, no machine can access resources, to prevent “man-in-the-middle attacks” or other cyber-attacks. This means providing a device or server identity that can be verified cryptographically or making users’ resources more flexible while keeping those secure.

Conclusion

No technology is perfect, so TLS is updated frequently, and users should always go for trusted CAs. Usernames and passwords are a good choice, but those are unreliable and exploitable. To go for a better secure method, start by using cryptographic signage to identify authenticable devices.

Top 7 techniques that can prevent data loss prevention

What is Data Loss Prevention?

Data Loss Prevention (DLP) is a solution for exposing sensitive data. DLP is used by organisations to safeguard and protect data as well as to adhere to legislation. Through their network, businesses transmit sensitive data to partners, clients, remote workers, and other authorised users, but occasionally an unauthorised user may be able to intercept it.

Organizations need to protect sensitive data due to multiple industry and government regulations such as HIPAA and PCI-DSS.

Why your organization needs data loss prevention?

A “borderless” network perimeter with numerous attack vectors has been produced by today’s digital transformation, which started with mobile devices and continued with embedded systems, social media applications, hypervisors, and the proliferation of connected devices.

Organizations need to make sure that their most sensitive data and assets are secured in order to adapt to this technological transformation. When implemented correctly, DLP offers visibility, granular control, and data security coverage to defend against human error-related data loss and external threats. The creation of a thorough data loss prevention strategy shouldn’t be put off; it may assist your business in safeguarding its “crown jewels,” ensuring compliance with the changing regulatory environment, and preventing the publication of the next data breach story.

You don’t know where the private information of your business is kept, where it is sent, or who is accessing it.

DLP technology gives IT and security employees a complete picture of where data is located, how it moves through the organisation, and how it is being used. It lets you to protect and maintain control over sensitive data, such as customer information, personally identifiable information (PII), financial information, and intellectual property. It does this by comparing network actions to your organization’s security regulations. Your firm will be able to develop the right rules to safeguard this data and decide which assets need to be protected and at what cost after having a complete grasp of this data.

Although your business has a plan in place to guard against external intrusion, it does not cover employee theft or the unintentional disclosure of sensitive data by partners and employees.

Data loss may not always occur as a result of outside, hostile attacks. One important factor is internal employees accidentally disclosing or improperly handling confidential information. In 28 percent of the attacks, insiders were involved, according to Verizon’s 2018 Data Breach Investigations Report. It can be particularly challenging to protect against insider threats because it’s difficult to tell when someone is abusing their rightful access to data. DLP has the ability to identify confidential information-containing files and stop them from leaving the network. It has the ability to implement policies that protect data on an as-needed basis and can stop sensitive data transfers to USB devices and other removable media.

For instance, access to a particular endpoint may be immediately barred in the event that a security event is discovered. In response to occurrences, policies may also quarantine or encrypt data

The responsibility, adverse exposure, penalties, and lost revenue linked to data breaches worry you.

Alarmingly frequently, data breaches have been in the news. Through fines, negative publicity, the loss of important clients, and legal action, they can wreak financial havoc on an organisation. The mean time to identify (MTTI) breaches have reportedly reached an average of 191 days, which equates to nearly six months of dwell time for attackers, according to the Ponemon Institute’s 2017 Cost of Data Breach Study. Lateral movement is made possible by dwell time, which is essential for boosting hackers’ chances of success.

You’re worried about your next audit and wish to continue adhering to the intricate laws.

Regulations like the GDPR and New York Cybersecurity Every regulated firm that collects, stores, and utilises sensitive customer data must raise the bar to meet new standards as a result of requirements, which are ushering in a new era of accountability. Failure to comply with regulations may result in fines of up to 4% of annual global turnover and orders to stop processing. Controls over technology are becoming important in some instances to achieve compliance. These controls are offered by DLP, together with policy templates and maps that cover certain requirements, streamline compliance, and permit the gathering and reporting of metrics.

Data must be safeguarded from security risks brought on by BYOD and IoT.

DLP assists in preventing the unintentional disclosure of sensitive data across all devices when used in conjunction with complementing safeguards. DLP can monitor data and dramatically lower the risk of data loss wherever it resides, whether it is in use, at rest in storage, or in transit over the network.

Types of DLP Solutions

An company might lose data in a number of ways. The numerous methods that sensitive data may be removed from an organisation should be able to be recognised by the DLP solution. The various DLP solution types include:

Endpoint DLP

Data on the network’s devices is monitored by an endpoint DLP solution. To monitor and safeguard the data stored on endpoints such as laptops, servers, smartphones, printers, etc., this solution is installed. Even when the endpoint is online or linked to a public network, endpoint DLP safeguards the data on such endpoints. Additionally, this method stops sensitive data from being transferred to USBs

Network DLP

This DLP system is put into place on the network and keeps track of data transfer. Any device linked to the network may monitor, safeguard, and prevent all incoming and outgoing data. All of the network-connected devices can be subject to the DLP policies. Data on offline devices cannot be protected by this solution; it can only secure data on devices that are connected to the network.

Email DLP

The email DLP system keeps track of emails and filters them based on particular keywords. This remedy can lessen email-based data leaks.

Cloud DLP

A cloud DLP solution keeps an eye on and safeguards the data kept in the cloud. Emails, documents, and other forms of files may all be protected and monitored with the service.

Techniques needed for your data loss prevention

Determine the primary data protection objective in order to determine the appropriate DLP solution for the organization.

Implement a centralised DLP programme and collaborate with various departments and business units to define standard DLP rules that control data for the organisation. Data visibility will rise as a result throughout the organisation.

Make an evaluation of the different forms of data and their importance to the company. Determine the type of data, whether it is sensitive, and where it is stored. Consider the data exit points. Then assess the danger of each type of data being compromised to the organisation.

Make a method for classifying data that includes both structured and unstructured information. Internal, private, public, personally identifiable information (PII), intellectual property, and other types of data may exist.
Create policies for data processing and correction for various sorts of data. DLP software comes with pre-configured rules based on laws like GDPR and HIPAA. These guidelines can be altered to suit the requirements of the company. Create controls to lower the danger to the data. To lessen the unique data risks, organisations should build granular, fine-tuned controls.
Employee education can lower the possibility of insiders accidentally leaking data. A good data loss prevention programme depends heavily on employee knowledge and comprehension of security standards. Employee understanding and adherence to data security policies and best practises can be improved with the support of awareness campaigns and trainings such as posters, emails, online trainings, and seminars.
Utilize indicators like the number of events, the mean time to incident response, and the proportion of false positives to gauge how effective your DLP system is.

Conclusion

A company’s security depends heavily on having the right cyber security platforms and solutions in place. Any firm can utilise DLP to stay ahead of threat actors, whether they are internal or external. Any business, especially banks and healthcare companies, must prioritise protecting sensitive consumer and corporate data. At Encryption Consulting, we place the utmost importance on cyber security. We work with organizations to create the most secure environment possible using methods such as DLP, Public Key Infrastructure (PKI), and encryption assessments. We provide assessment, implementation, and development services for PKI, encryption, and Hardware Security Modules (HSMs). If you have any questions, visit our website at www.encryptionconsulting.com.

Assess the maturity of your organization with CMMC Compliance

In today’s world of wireless networks, we should configure our network security to the latest so that no one can penetrate our network. Users should use WPA3 to improve the authentication and encryption while making the connection easier. WPA3-SAE (Simultaneous Authentication of Equals) replaced the WPA2-PSK authentication process. WPA3-SAE uses a 128-bit encryption key and Forward secrecy protocol to resist offline dictionary attacks while improving key exchange security without any additional complexity. On the other hand, WPA2-Enterprise is replaced by WPA3-Enterprise, which uses a 192-bit encryption key and a 48-bit initialization vector as requested by sensitive organizations

CMMC stands for Cybersecurity Maturity Model Certification and is quickly gaining popularity in the IT and security communities. The government, especially the Department of Defense, uses the CMMC (Cybersecurity Maturity Model Certification) system of compliance levels to assess if a company has the security required to deal with regulated or otherwise susceptible data. Companies who want to cooperate with the DoD must be rated by CMMC and adhere to CMMC rules. Creating a CMMC framework, adhering to it, and employing CMMC best practices are typically how this is accomplished.

Let’s examine CMMC compliance in more detail, including who requires it and where your organization might fit.

What is CMMC?

The CMMC has been around for a while but was just upgraded. A corporation must reference the current CMMC framework and papers to ascertain where it falls. This may be a lengthy process; therefore, many organizations want the assistance of a knowledgeable partner to determine where they stand on the CMMC level system and whether there are any gaps or opportunities for growth.

The CMMC’s primary goal is to assess the maturity of an organization’s present cybersecurity initiatives. This involves whether the company can improve and optimize its security while simultaneously maintaining it.

For businesses in the DIB, the Cybersecurity Maturity Model Certification (CMMC) program raises the bar for cyber security. It is intended to safeguard unclassified information that the DoD shares with its contractors and subcontractors. The initiative gives the DoD more certainty that contractors and subcontractors are adhering to a set of cybersecurity criteria and integrates them into procurement programs.

Three key features of the framework:

Tiered Model

CMMC mandates that, based on the type and severity of the information, organizations with access to national security information apply cybersecurity requirements at increasingly higher levels. The program also outlines how information should be passed down to subcontractors.

Assessment Requirement

CMMC evaluations give the DoD a way to confirm that defined cybersecurity standards are being followed.

Contract-based Implementation

After CMMC is completely implemented, certain DoD contractors who deal with sensitive unclassified DoD information will need to reach a specific CMMC level to be awarded a contract.

Who requires CMMC Certification?

Organizations using DoD information must have CMMC accreditation. The organization might only require a Level 3 clearance or below if it is working with non-classified DoD information. The organization will require clearance of Level 4 or higher if it deals with some valuable information. The project, however, determines classes.

CMMC Certification Levels

The CMMC certification has a total of five levels, with Level 1 being the lowest and Level 5 being the highest.

Most businesses ought to have already attained Level 1, which includes fundamental security measures, good password practices, and antivirus software. It is the most basic type of security.

At level 5, systems and procedures are in place to audit infrastructure, spot deficiencies, and fill them. Proactive techniques are also used to detect and mitigate hazards before they materialize. The Level 5 system is continuously improved.

Under the CMMC, levels are cumulative. Consequently, Level 3 businesses will satisfy Level 3, Level 2, and Level 1 standards.

Whether they engage with the government or not, most firms ought to aim for Level 4 or Level 5 compliance. A managed services provider’s audit may be able to assist them.

Framework Components

The CMMC elements in action are:

Domains
Processes
Capabilities
Practices

Contractors eventually become certified to a certain degree as they improve in their evaluations of each of these components.

At each level of the model, federal prime contractors and subcontractors are evaluated for their compliance with the Processes and Practices as they pertain to each of the relevant Domains.

Not every Domain includes all five levels. Domains relate to any consecutive number of levels between 1 and 5, or any minimum and maximum.

How Can You Get CMMC Certification?

For the CMMC, businesses cannot self-certify. Instead, a third-party certification procedure will be required for government contractors and anyone who interacts with government organizations. The degree of maturity and preparation they meet will be determined by this third party’s assessment of their present security procedures and systems.

Most businesses will conduct a full audit before they seek to become certified since CMMC certification cannot be self-certified and requires a third-party study. A managed services provider may aid a business in navigating the CMMC framework, determining whether changes are feasible, and setting up the certification procedure itself. After the certification procedure is over, a managed services provider can also develop a strategy for raising the certification level, if necessary.

The CMMC certification is one of the most sought-after security certifications for a corporation to acquire because requirements have recently altered. The business will be able to pursue federal contracts and work with privileged information once it has received CMMC accreditation.

What if you are not working with the Government?

Your business might require CMMC compliance if working with the government is something you are interested in. According to the contract, several levels of CMMC compliance may be required. For example, many contracts simply call for Level 1 or Level 2 compliance, while other contracts may call for Level 5 compliance. Obviously, the contracts with greater CMMC certification requirements are also the ones that are most likely to pay off.

But that does not necessarily mean you do not require CMMC compliance if you aren’t dealing with government or DoD contracts. The fundamental ideas of CMMC compliance are around consistent and proactive security best practices. Even for their own piece of mind, every firm should be able to attain CMMC compliance.

Conclusion

According to estimates, cybercrime reduces the global GDP by more than $600 billion every year. By relying on a broad network of contractors to carry out its purpose, the Department of Defense is giving each one of them access to vital information, thus raising the DIB’s overall risk profile. DoD is aware of the cost and disproportionate amount of danger that cybercrime poses to its base of subcontractors, many of which are tiny firms without the capabilities of their bigger, prime counterparts.

Considering this, DoD released CMMC to make it easier for its whole worldwide contractor base to implement best practices in cybersecurity with a “defense in depth” strategy.

The Microsoft Signed Rootkit Malware That Can Decrypt All Encrypted Communications

Microsoft had given its digital imprimatur to a rootkit that has decrypted all the encrypted communications and sent them to the attacker-controlled servers. This malicious driver has been spread within gaming environments. This driver is known as “Netfilter,” whose primary purpose or critical role is as a rootkit that communicates with the Chinese command-and-control (C2) IPs.

Discovery

Karsten Hahn, who is a researcher at security firm G Data, discovered this driver using his company’s malware detection system. The initial observation was declared a false alarm as Microsoft had digitally signed Netfilter under the company’s Windows Hardware Compatibility Program. After further testing and research, Karsten concluded that this was not a false warning or positive. He and his fellow researchers discovered that “The core functionality seems to be eavesdropping on SSL connections. In addition to the IP redirecting component, it also installs and protects a root certificate to the registry” [1] (by reverse engineer Johann Aydinbas on Twitter)

What is a Rootkit?

A rootkit is a type of malware written to prevent or stop itself from being shown in file directories, other standard OS functions, and task monitors. A root certificate is usually used to authenticate traffic sent through connections protected by the Transport Layer Security protocol; this helps encrypt the data in transit and ensures the server whether a user connected is genuine or an imposter.

Typically, these TLS certificates are issued by a Windows-trusted Certificate Authority (or CA), and by installing these root certificates in Windows, hackers can bypass the CA requirement.

Origin story

The driver Netfiler was seen communicating with China-based C&C IPs providing no legitimate functionality, which further led to suspicions. Around this time, G Data’s malware analyst Karsten Hahn shared the signature info publicly on Twitter and contacted Microsoft.

Figure 1: Malicious binary signed by Microsoft

According to Hahn, any code that runs in kernel mode must be tested and signed before being released publicly to ensure stability for the Operating System. At this time, BleepingComputer also began observing the behavior of C2 URLs and contacted Microsoft for a valid reason or explanation.

The first few C2 URL returns a set of more routed separated by the pipe (“|”) symbol:

Each of these serves a purpose:

The URL which is ending in “/p” means it’s associated with proxy settings
“/s” denotes encoded redirection IP addresses.
“/h?” is for representing CPU-ID.
“/c” gave a root certificate
“/v?” denotes the malware’s self-update functionality.

According to BleepingComputer, the “/v?” path provided the URL to the malicious Netfilter driver in the question itself (at “/d3”):

Figure 3 Path to malicious Netfiler driver

The G Data researcher, Hahn spent quite some time sufficiently analyzing the driver, result concluded that this driver has self-update functionality. According to him, the sample has a self-update routine that sends its MD5 hash to the server through “hxxp://110.42.4.180:2081/v?v=6&m=”.

The server then replies with the URL for the latest sample with “OK” if the model is up-to-date and the malware replaces its file accordingly.

Figure 4 Malware self-update functionality analyzed

Security Lapse

Microsoft said they investigate a malicious actor who distributed these negative drivers (Netfilter) within gaming environments. This actor submitted drivers for certification through the Windows Hardware Compatibility Program. These drivers were built by a third party, so Microsoft has suspended their account and reviewed their submissions for additional signs of malware. The company (Microsoft) could not find evidence of either the Windows Hardware Compatibility Program signing certificate or its WHCP signing infrastructure being compromised. So, they have since added Netfilter detections to the Windows Defender AV engine built into Windows and provided this detection to other AV providers.

Update regarding the Malware [2]

Jun 26th, 12:26 PM ET: Clarified that BleepingComputer did not see the DoD list explicitly mentioning the alleged Chinese company, contrary to the details in the researcher’s report. Also reached out to Hahn for clarification.
Jun 27th, 04:58 AM ET: A previous version of the blog post mentioned another researcher, @cowonaut alleging that the company mentioned above was previously marked by the U.S. Department of Defense (DoD) as a “Communist Chinese military” company. The claim has since been retracted from the original blog post, and we have updated our article to reflect the same. However, BleepingComputer did not see Ningbo Zhuo Zhi Innovation Network Technology Co., Ltd. present on any of the DoD lists available.

Conclusion

Despite the limitations, this security lapse was a serious one. Microsoft’s certification program was designed to block precisely the kind of attack which G Data first discovered. Microsoft has yet to say how they came to sign the malware digitally; company representatives also declined to explain.