Page 59 – Encryption Consulting

Are your PKI Admins keeping up with the global skill requirements?

In this discussion whiteboard, let us understand what is PKI? What are several components involved in Public Key Infrastructure (PKI)? What are the important skill set required for a candidate to become PKI admin? Are there any specific trainings to undergo for becoming PKI admin? We will discuss these points at high level in this blog article. Let’s get into the topic:

There is a day-by-day increase in the demand for cybersecurity services with the rising penetration of various mobile and wireless devices. The enhancement in mobile and internet infrastructure and advancements in the technology across the globe are propelling the adoption of smart devices across enterprises and consumers. At the same time, enterprises are rapidly embracing cloud platforms and other networking technologies. Because of these advancements, companies are becoming more vulnerable to various cyber-attacks.

In 2017, cyber-attacks on mobile devices increased by over 40% with an average of over 1.2 million attacks per month. Hence, cyber security modules such as cryptography, Data Loss Prevention became more and more critical for the end-users and organizations dealing with sensitive data. The global cybersecurity market is set to grow from its market value of more than $120 billion in 2019 to over $300 billion by 2024. The cybersecurity market is propelled by the increasing need among enterprises to minimize security risks.

All these factors combined contributed to the growth in demand for cybersecurity especially key technologies like PKI – Public Key Infrastructure. With the increase in demand for PKI there is a high requirement in the cyber market for job roles such as PKI admin. In this article we will be focusing on the important skills and trainings that one has to undergo to become PKI admin. Before jumping into the main topic, let us first understand the basics of what is PKI?

What is Public Key Infrastructure – PKI?

The Public Key Infrastructure (PKI) is the set of hardware, software, policies, processes, and procedures required to create, manage, distribute, use, store, and revoke digital certificates and public-keys. PKI or Public Key Infrastructure is cyber security technology framework which protects the client – server communications. Certificates are used for authenticating the communication between client and server. PKI also uses X.509 certificates and Public keys for providing end-to-end encryption.

In this way, both server and client can ensure trust on each other and check the authenticity for proving the integrity of the transaction. With the increase in digital transformation across the globe, it is highly critical to use Public Key Infrastructure for ensuring safe and secure transactions. PKI has vast use cases across several sectors and industries including Medical and Finance.

Explore the complete information about Public Key Infrastructure here

What are important components in Public Key Infrastructure?

There are three key components: Digital Certificates, Certificate Authority, and Registration Authority. PKI can protect the environment using the three critical components. These components play a crucial role in protecting and securing digital communications, electronic transactions.

Digital Certificates:

Most critical component in Public Key Infrastructure (PKI) is Digital certificates. These certificates are used to validate and identify the connections between server and client. This way, the connections formed are very secure and trusted. Certificates can be created individually depending on the scale of operations. If the requirement is for a large firm, PKI digital certificates can be purchased from trusted third party issuers.
Certificate Authority:

Certificate Authority (CA) provides authentication and safeguards trust for the certificates used by the users. Whether it might be individual computer systems or servers, Certificate Authority ensures digital identities of the users is authenticated. Digital certificates issued through certificate authorities are trusted by devices.
Registration Authority:

Registration Authority (RA) is an approved component by Certificate Authority for issuing certificates for authenticated users based requests. RA certificate requests ranges from individual digital certificate to sign email messages to companies planning to setup their own private certificate authority. RA sends all the approved requests to CA for certificate processing.

What are the responsibilities of PKI administrator?

As a PKI admin you will be reporting mostly either to a CIO or a CISO depending on the organization’s hierarchy. Important responsibilities as PKI admin would be to administer the Certificate Authorities (CA) and Hardware Security Modules (HSMs) of the company’s Public Key Infrastructure (PKI) and Key Management. Also, you will be responsible in handling large scale enterprise and commercial/publicly trusted PKI services. Additionally, you are expected to perform and understand the below requirements:

Administer Windows 2008 R2 and Windows Server 2012
Active directory services
Hardware Security Modules
Certificate lifecycle management – Installation, Renewal, Revoke
Certificate Enrolment Web Services

These are the core expectations from any firm handling Public Key Infrastructure would have from a PKI admin. Along with these responsibilities, it you would need to manage the Service Level Agreement (SLA) timelines and enhance the efficiency of the process. Currently, there are automated solutions to handle most of the features of PKI. Hence, it is important to have an automation bend of mind to understand, handle and enforce those solutions in the company.

Skillset requirement for PKI Admin

PKI administrator requires quite a good amount of skillsets to handle the day to day activities. This would have been the realization after going through the responsibilities mentioned above. The desired skills for a PKI admin would be as follows:

PKI hands on experience in handling Certificate Authority Administration, Certificate Enrollment Web Service & Policy Web Service, Active Directory Certificate Services (ADCS) monitoring.
Data-in-motion and Data-at-rest Encryption.
Understanding of PKI architecture.
System Administration of Windows Server 2012/R2 or 2016 and Windows 10, Unix, or Linux, and/or database skillset.
Expertise in Public Key Infrastructure (PKI) machine identity technologies such as SSH, SSL, TLS.
Disaster Recovery process and Business Continuity procedures.
Experience in managing Key Management Systems (KMS).

It is always important and good to have coding skills while handling such critical infrastructure as PKI. Some of the development technologies that a PKI admin should know are Java, PowerShell scripting, Command line tools, HTML, XML, JavaScript.

Knowledge requirement

As PKI administrator you might not be expected to having a complete hands-on experience on the following criteria but you need to have a fair understanding on the concepts of cryptography solutions such as:

Symmetric/asymmetric cryptography
Secure hash functions
Digital signatures
SSL Certificates

Experience

PKI administrator is a critical position in any company’s cyber security landscape. So, in majority of the cases companies expect the person handling the role of PKI admin to be hands-on experienced on the key responsibilities and skillsets mentioned above in this article. It is expected from you to have a solid experience in PKI, SSL/TLS, and SQL. Other than the direct experience, if you are an IT administrator with cyber security knowledge and skills then there would be higher chances on cracking the opportunity. Just keep in mind that there are no entry level positions for Public Key Infrastructure (PKI) administrator. You would require specialization. Immediately undergo trainings provided by Encryption Consulting or any other reputed certified providers.

Understand the security best practices followed by major firms across industries. Along with the above mentioned responsibilities and skill sets, it would be a major bonus point if you understand what a PKI health check is and how to perform the health checks on a regular basis.

Why should firms worry about PKI Health?

Public Key Infrastructure is not a one-time setup and forget activity. Regular health monitoring is as important as the initial implementation of your PKI as it plays a crucial and deciding role in the firm’s cyber security. PKI Health monitoring and checking activity will ensure that steady state of operations is achieved. Majority of the certificate policies states that an audit has to be performed on a regular basis for safeguarding the compliance of the Certificate Authorities (CAs). It is highly advisable to perform a complete check once a year at least.

Public Key Infrastructure health checks involve multiple steps and factors. Out of all these, some of the important processes that are included in a standard PKI health checks are:

Patch management and backup
Certificate checks: Issuing and revoking of certificates
Auditing of the Certificate Authority

PKI health check benefits

Performing regular PKI health checks will ensure a strong overall cyber security posture of the organization.
Operational effectiveness will be monitored on a regular basis by performing PKI health checking activity regularly.
Compliance with the regulatory standards and frameworks will be ensured as there is periodic check on certificate health.
Threat vectors of data loss will be reduced considerably with a reduction in risk.
High availability of critical processes will ensure smooth running of the business.

Encryption Consulting’s PKI training complete package

Encryption Consulting LLC (EC) is offering a complete all-round package on training for Public Key Infrastructure (PKI). This PKI course can be taken by candidate who is at any level – be it a beginner, intermediate level or advanced level. PKI course is recommended for anyone using or managing certificates, designing or deploying a PKI enterprise solution, or evaluating & selecting a commercial PKI Technology Solution.

Planning a Public Key Infrastructure (PKI) can have a significant skill ceiling, as an organization’s authentication, encryption, and digital signing can depend on how the PKI is built. An organization needs a robust and secure PKI infrastructure to ensure security and privacy and meet regulations and compliance. Creating and managing a PKI requires ample knowledge about it, which Encryption Consulting brings along with the experience needed for organizations to have a custom solution for their needs.

In our three days, PKI Training delivered online, In-person focusing on Microsoft Active Directory Certificate Service (ADCS) Training, customers will learn how to deploy or design PKI solutions in the enterprise.

You will learn how to build a PKI on Windows Server 2019, focusing on areas such as integration with HSM, Two-tier PKI, Cloud PKI, and more.

There is a strong emphasis on: PKI Governance, PKI Design best practices, Certificate Lifecycle Management process and PKI operations and hands-on skills lab.

Quantum Computing: The Future of Cryptography

The world of computers and cybersecurity is an ever-changing environment, with new tools like machine learning and AI being created every day. One idea, which has slowly become much more than just an idea, is the idea of quantum computing. With quantum computing, new encryption algorithms can be created which are many times more powerful than the classical cryptography we use today.

While quantum computing can have many advantages for cryptography, it can also be used by threat actors to create new malware that can break classical cryptographic algorithms in half the time or less. Luckily, as of now, quantum computers are still a long way off from being fully created and usable, but your enterprise can still begin preparing for the quantum revolution before it starts.

What is Quantum Computing?

The way classical computing works is that operations are performed in the form of a bit. These bits can have a value of either 0 or 1 at a certain time. Quantum computing leverages the quantum mechanics idea of superposition. Superposition is where something, like a bit, is in two states at once. This means that quantum bits, or qubits, can be in the state of both 1 and 0 at the same time.

Performing a computation on a set of two classical bits takes four calculations, as the bits can be set to either 00, 11, 01, or 10. With quantum computing, since the qubits can be in all four states at once, then the quantum computer can perform calculations on all four states at once. Since quantum computers can perform four calculations at once on two qubits, a fully functioning quantum computer could break the majority of classical encryption algorithms in days, and in some cases even hours.

This causes many huge issues for our modern encryption systems. Some encryption algorithms like RSA, which is used in the majority of ecommerce transaction encryptions, base their security on the fact that the private key is generated by factoring a number that is the product of two large prime numbers.

This is extremely difficult to do with classical computers and could take up to thousands of years to break with a strong enough key length. With quantum computers however, their use of qubits significantly reduces the time to crack an algorithm like RSA. The key length can be extended for more security, but that just means that a 256-bit key is now only as strong as a 128-bit key in the face of quantum computing.

Advantages and Disadvantages to Quantum Computing

There are many different reasons that quantum computing could cause issues for the cybersecurity landscape, the biggest being that classical cryptography techniques can be broken in hours instead of years. As I previously mentioned, increasing the size of keys can slow down quantum cryptography, but that won’t stop these algorithms from being cracked. Another issue with quantum computing is that threat actors will eventually be able to use quantum computers to launch malware attacks.

Today, threat actors use machine learning and Artificial Intelligence to launch malware attacks, but with quantum computing, finding vulnerabilities in software and IT infrastructures will be much easier. Also, many threat actors are doing things like scraping the Internet for sensitive information and saving the encrypted information until quantum computing is usable.

Once that happens, the sensitive information can then be decrypted and used as the threat actor sees fit. Information like email addresses or phone numbers may not be a big deal, but if encrypted sensitive government information was taken and then decrypted ten years down the line when quantum computing is in existence, then that information could be used against that government.

Quantum computing may seem like a negative for the world of cryptography, but there are also many advantages to the creation of quantum computing. With the computational abilities offered by quantum computing, new, more powerful encryption algorithms can be created. Already, just using the ideas behind quantum computing, several different algorithms have been created to solve computational problems that are hard or next to impossible to solve with classical computing.

These algorithms include Shor’s algorithm, Grover’s algorithm, the Quantum Approximate Optimization Algorithm (QAOA) and the Harrow Hassidim Lloyd (HHL) Algorithm. These algorithms solve problems like factoring large numbers and solving the discrete logarithm problem to solving a linear system of equations.

Additionally, with quantum computing coming ever closer every day, many organizations like the National Institute of Science and Technology (NIST) are reviewing certain post-quantum cryptography algorithms. These algorithms will be resistant to quantum computing attacks, thus ensuring data will stay secure as long as these algorithms are utilized. As of now, however, no quantum computer strong enough to break any classical cryptographic algorithms has been created yet.

When will Quantum Computers be Operational?

At the time of writing this, quantum computers are still in the early development phases. Some smaller quantum computers have been created, but the biggest number factored on a quantum computer was 15 which is only 4 bits long. According to recent research, it looks like it will be another decade, around 2030, before a truly fully functional quantum computer is designed and in use. It could still be sooner, however, as new quantum computing methods are being found each day that push forward the design of a quantum computer. There are also many hardware components to a quantum computer that must be created first, before a quantum computer is designed.

To create a quantum computer, the current day processors must be many times faster than they are, as quantum computing requires extreme speeds to work. Another issue facing quantum computer creation is the idea of logic gates. Currently, several small quantum computers have been created, and they are programmed from individual quantum logic gates.

This works fine when the quantum computer you are using only deals with a small number of qubits, but once you reach thousands of qubits this is impractical. One other hurdle quantum computers must overcome is the lack of trained quantum computing professionals. Some universities and open-source communities teach about quantum computers, but there is just not enough practical knowledge out there yet to create the talent needed for quantum computing.

Protecting yourself ahead of Time

Although quantum computing seems a long way off, it is still important to protect yourself and your organization from the coming quantum computing threat. There are a number of different ways to protect your enterprise from quantum computing threats, starting with ensuring you are always up-to-date on NIST best practices and recommendations. The National Institute of Science and Technology is currently working on creating encryption algorithms that can stand up to quantum computing.

As long as you are using the most up-to-date compliance and best practice standards for your organization, you can stay ahead of the negative effects of quantum computers. Other supposedly “quantum-safe” ideas have also been designed, like Quantum Key Distribution which uses quantum mechanics properties to transport keys securely. These types of technology may become the standard to protect against quantum computing in future, so continually learning about the latest and greatest quantum resistant technologies can also benefit your organization.

Conclusion

Although it may be a decade or more away, quantum computing could be nearer than most people think. In the near future, threat actors may be able to leverage these quantum computers and use them to launch new, sophisticated malware attacks. But quantum computing is not all bad, it will help make the world of cryptography a much safer place in the long run. Many of today’s computational problems may be a thing of the past with quantum computing. Understanding how quantum computing works is the first step to protecting your enterprise from quantum computing attacks and helping develop new methods of safely transmitting sensitive data.

Is Your Organization Updated with the Public Key Cryptography Standards?

Organization Updates with the Public Key Cryptography Standards

Cryptographic standards have two important goals: to make different implementations interoperable and to avoid various known errors in typical schemes. In this blog, we discussed the Public Key Cryptography Standard (PKCS), which has had a significant impact on the use of public-key encryption in practice. The PKCS standard is a set of standards called PKCS 1 to 15.

These standards cover RSA encryption, RSA signature, password-based encryption, encrypted message syntax, private key information syntax, selected object category and attribute type, authentication request syntax, encryption token interface, personal information exchange syntax, and encrypted token information grammar. RSA Laboratories publishes the PKCS standard.

Although RSA Laboratories solicits comments and suggestions from the public on the PKCS standard, RSA Laboratories reserves the exclusive power to decide all aspects of the PKCS standard. PKCS has become the basis for many other standards, such as S/MIME.

Public key cryptography is based on an asymmetric cryptographic algorithm, which uses two related keys, a public key, and a private key; the nature of these two keys is that, given the public key, the private key is derived. It is computationally infeasible. Users publish their public keys in public directories, such as LDAP directories, and leave their private keys to themselves.

Depending on the purpose of the algorithm, there are public-key encryption and decryption algorithms and signature algorithms. Encryption algorithms can be used to encrypt data using a public key (for example, a symmetric key) so that only the recipient with the corresponding private key can decrypt the data.

Typical public key encryption algorithms are RSA and ECIES (Elliptic Curve Integrated Encryption Scheme, see SECG 2000). The signature algorithm is combined with the message digest algorithm, which can convert messages of any length using the private key into a signature. In this way, without knowing the private key, the same signature cannot be found computationally.

The message with the default signature can be found, or see the signature of a specific message. Anyone with the corresponding public key can verify the validity of the signature. Typical public key digital signature algorithms are RSA, DSA, and ECDSA.

PKCS Specifications

No.	PKCS Title	Comments
1	RSA Cryptography Standard
2		incorporated into PKCS #1
3	Diffie-Hellman Key Agreement Standard	superseded by IEEE 1363a etc.
4	Password-Based Cryptography Standard
5	Extended-Certificate Syntax Standard	never adopted
6	Cryptographic Message Syntax Standard	superseded by RFC 3369 (CMS)
7	Private-Key Information Syntax Standard
8	Selected Object Classes and Attribute Types
9	Certification Request Syntax Standard
10	Cryptographic Token Interface Standard	referred to as CRYPTOKI
11	Personal Information Exchange Syntax Standard
12	(reserved for ECC)	never been published
13	(reserved for pseudo-random number generation)	never been published
14	Cryptographic Token Information Syntax Standard

PKCS Standards

PKCS #1: RSA Cryptography Standard

PKCS #1 v2.1 provides standards for implementing RSA algorithm-based public key cryptographic encryption schemes and digital signature schemes with appendix. It also defines corresponding ASN.1 syntax for representing keys and for identifying the techniques.

The security of the RSA algorithm is believed to be based on the hardness of factoring the product of large prime numbers. In PKCS #1 v2.1, a multi-prime RSA scheme is introduced. Multiprime RSA means that the modulus isn’t the product of two primes but more than two primes. This is used to increase the performance of RSA cryptographic primitives.

PKCS #3 (outdated): Diffie-Hellman Key Agreement Standard

PKCS #3 v1.4 describes a method for implementing the Diffie-Hellman key agreement, whereby two parties can agree upon a secret key known only to them. PKCS #3 is superseded by the modern treatment of key establishment schemes specified in IEEE 1363a (2003), ANSI 9.42, ANSI X9.44, ANSI X9.63, etc.

PKCS #5: Password-Based Cryptography Standard

In many applications of public-key cryptography, user security is ultimately dependent on one or more secret text values or passwords. For example, a user’s private key is usually encrypted with a password, and the encrypted private key is kept in storage devices. However, there are two fundamental problems regarding password application:

A password is not directly applicable as a key to any conventional cryptosystem
Passwords are often chosen from a relatively small space.

Thus special care is required to defend against search attacks. PKCS #5 provides a general mechanism to achieve enhanced security for password-based cryptographic primitives, covering key derivation functions, encryption schemes, message-authentication schemes, and ASN.1 syntax identifying the techniques.

PKCS #6 (Historical): Extended-Certificate Syntax Standard

When PKCS #6 was drafted, X.509 was in version 1.0, and no extensions component was defined in the certificate. An X.509 v3 certificate can contain information about a given entity in the extensions component. Since the introduction of X.509 v3, the status of PKCS #6 is historic.

PKCS #7 and RFC 3369: CMS or Cryptographic Message Syntax

PKCS #7 has been superseded by IETF RFC 3369 (Housley 2002): cryptographic message syntax (CMS), which is the basis for the S/MIME specification. CMS defines the syntax used to digitally sign, digest, authenticate, or encrypt arbitrary message content. In particular, CMS describes an encapsulation syntax for data protection. The syntax allows multiple encapsulations; one encapsulation envelope can be nested inside another.

Likewise, one party can digitally sign some previously encapsulated data. In the CMS syntax, arbitrary attributes, such as signing time, can be signed along with the message content, and other details, such as countersignatures can be associated with a signature. A variety of architectures for certificate-based key management (e.g., the one defined by the IETF PKIX working group) are supported in CMS.

PKCS #8: Private-Key Information Syntax Standard

The security of the public key cryptosystem is entirely dependent on the protection of the private keys. Generally, the private keys are encrypted with a password and stored in some storage medium. It is essential to have a standard to store private keys to move private keys from one system to another system without any trouble.

PKCS #8 v1.2 describes a syntax for private-key information, including a private key for some public-key algorithms, a set of attributes, and a syntax for encrypted private-key information. A password-based encryption algorithm (e.g., one of those described in PKCS #5) could be used to encrypt the private-key information.

PKCS #9: Selected Object Classes and Attribute Types

To support PKCS-defined attributes (e.g., to store PKCS attributes in a directory service) in directory systems based on LDAP and the X.500 family protocols, PKCS #9 v2.0 defines two auxiliary object classes, pkcsEntity, and naturalPerson. PKCS attributes could be packaged into these two object classes and be exported to other environments such as LDAP directory systems.

PKCS #9 v2.0 also defines some new attribute types and matching rules that could be used in different PKCS standards. For example, it defines challengePassword and extensionRequest attribute types to be used in PKCS #10 attribute field, and it describes some attribute types to be used in PKCS #7 (CMS) signedAttrs, unsignedAttrs, unprotectedAttrs, authAttrs, and unauthAttrs fields

PKCS #10: Certification Request Syntax Standard

PKCS #10 v1.7 specifies syntax for certificate request. When one entity wants to get a public key certificate, the entity constructs a certificate request. It sends it to a certification authority, which transforms the request into an X.509 public-key certificate.

A certification authority fulfills the request by authenticating the requesting entity and verifying the entity’s signature, and, if the request is valid, constructing an X.509 certificate from the distinguished name and public key, the issuer name, and the certification authority’s choice of a serial number, validity period, and signature algorithm.

Suppose the certification request contains any PKCS #9 attributes. In that case, the certification authority may also use the values in these attributes and other information known to the certification authority to construct X.509 certificate extensions. PKCS #10 does not specify the forms that the certification authority returns the new certificate.

PKCS #11: Cryptographic Token Interface Standard

PKCS #11 v2.20 specifies an application programming interface (API), called “Cryptoki”, to devices that hold cryptographic information and perform cryptographic functions. Cryptoki, pronounced “crypto-key” and short for “cryptographic token interface”, follows a simple object-based approach, addressing the goals of technology independence (any device) and resource sharing (multiple applications accessing multiple devices), presenting to applications a standard, logical view of the device called a “cryptographic token”.

Cryptoki was intended from the beginning to be an interface between applications and all kinds of portable cryptographic devices, such as those based on smart cards, PCMCIA cards, and intelligent diskettes. The primary goal of Cryptoki was a lower-level programming interface that abstracts the details of the devices and presents to the application a standard model of the cryptographic device, called a “cryptographic token”.

PKCS #12: Personal Information Exchange Syntax Standard

PKCS #12 v1.0 describes a transfer syntax for personal identity information, including private keys, certificates, miscellaneous secrets, and extensions. Machines, applications, browsers, Internet kiosks, and so on that support this standard will allow users to import, export, and exercise a single set of personal identity information. PKCS #12 can be viewed as building on PKCS #8 by including essential but ancillary identity information and private keys and instituting higher security through public-key privacy and integrity modes.

PKCS #15: Cryptographic Token Information Syntax Standard

Cryptographic tokens, such as Integrated Circuit Cards (or IC cards), are intrinsically secure computing platforms ideally suited to providing enhanced security and privacy functionality to applications. They can handle authentication information such as digital certificates and capabilities, authorizations, and cryptographic keys.

Furthermore, they can provide secure storage and computational facilities for sensitive information such as private keys and key fragments. At the same time, many of these tokens provide an isolated processing facility capable of using this information without exposing it within the host environment where it is at potential risk from malicious code (viruses, Trojan horses, and so on). Unfortunately, using these tokens for authentication and authorization purposes has been hampered by the lack of interoperability.

First, the industry lacks standards for storing a common format of digital credentials (keys, certificates, etc.) on them. This has made it difficult to create applications that can work with credentials from various technology providers. Second, mechanisms to allow multiple applications to share digital credentials effectively have not yet reached maturity.

Resources

Public Key Cryptography Standards

RFC 2986

PKCS

How to get a free SSL certificate for AWS Hosted Websites?

Free SSL Certificates for AWS hosted websites

In this discussion whiteboard, what is meant by SSL? What is TLS certificates? What are the benefits and uses of SSL/TLS? What is the difference between SSL certificate and TLS certificate? How to identify if a website/portal has SSL/TLS certificate? How to get a free SSL certificate for AWS hosted websites? How to request an SSL public certificate using AWS certificate manager? How to add the DNS records to your domain? How to install your own certificate on the server? Let’s get into the topic to understand responses to these questions:

Amazon Web Services (AWS) provides free SSL certificate for websites hosted with them and have a load balancer purchased. AWS Certificate Manager Service lets you to effortlessly provide, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources. Using AWS Certificate Manager, you can swiftly request a certificate, deploy it on ACM-integrated AWS resources, such as Elastic Load Balancers, Amazon CloudFront distributions, and APIs on API Gateway, and leverages AWS Certificate Manager to perform certificate renewals. However, it is not an easy process to access and deploy the free SSL/TLS certificates from AWS certificate manager. Let us first understand what SSL and TLS certificates are in the below article:

What is SSL?

SSL stands for Secure Sockets Layer; it is the standard technology for keeping an Internet connection secure and safeguarding any sensitive data sent between two systems. The two systems can be server to client (for example, a shopping website and browser) or server to server (for example, an application with personal identifiable information or payroll information). An SSL certificate is a digital certificate or electric document providing proof of public key ownership. This certificate is an important indication to the user that passwords, contact information, and credit card numbers will remain secure as they are sent from the client’s browser to the website’s web server.

What is TLS?

TLS stands for Transport Layer Security, which is just an updated, and more secure, version of SSL. TLS is a cryptographic protocol that establishes an encrypted session between applications over the Internet. TLS certificates usually contain the following information:

The subject domain name
The subject organization
The name of the issuing CA
Additional or alternative subject domain names, including subdomains, if any
Issue date
Expiry date
The public key (The private key, however, is kept a secret.)
The digital signature of the CA

How does TLS work?

TLS uses a combination of symmetric and asymmetric cryptography, as this provides a good negotiation between performance and security when transmitting data securely. A TLS certificate is the successor of the SSL certificate.

However, the terms are often used interchangeably given the term SSL has become interchangeable with website encryption and security.

Learn more about Certificate management, SSL, TLS certificate management in the below blog article:

Certificate Management

How to get free SSL certificate for AWS hosted sites?

Amazon Web Services offers free public certificate for your hosted website if you use AWS certificate manager and other Amazon services. You require a custom domain on AWS account. AWS certificate manager can be leveraged to obtain Secure Socket Layer (SSL)/ Transfer Layer Security (TLS) certificates. You need to note that only Single certificate can be added to an EB deployed Django App so add all of the necessary domain to that one certificate. AWS does not allow changes to a verified certificate so create a new certificate if you need a new domain added.

Steps to install free SSL certificate in AWS hosted certificate

You need to have an app or website hosted on Amazon Web Services to get the free SSL certificate from Amazon. Website / App has to have a dedicated port and complete control over it. Developed platform for the App / Website is irrelevant.

Step 1: Set up an Amazon EC2 instance

Log into the Amazon console and under “Services” tab choose “EC2” option. Post that, click on “Launch Instance” button. This will create an instance.
Next step is to choose Amazon Machine Image (AMI) for selecting the operating system for the instance to use.
Then, choose the RAM requirement, processing power, the size and type for your server instance. Another option is to select the default settings.
Next click on “Launch” button where you will be given option to select new key. Make a new one (or use an old one if you still have access to the .pem file and want to use it) and give it a name. Download it and keep it somewhere on your computer that is easy to access (I usually keep it in ~/).
Change directory using “cd” in your terminal and point to the location of .pem location and hit connect button. Now, you can clone the code from your source location or GitHub and install any dependencies and start the server.

Step 2: Setting up your AWS Elastic IP address

Next step is to get an IP address for the instance created in the AWS to make the website / app available for the public. Elastic IPs are required to achieve this in AWS. The option to create Elastic IP is listed on the left side panel. Find it and open up the page. Click on Allocate new address and then when the EC2 instance you just made shows up in the list, CTRL click on it and select Associate Address. Then select the instance you just created and click Associate.
Edit security group and add “Port_Num” with type “http” to allow the port access. You can visit your site with the format “<Elastic IP Address>:<Port_Num>”.
Now, you have successfully deployed your website / App in AWS. To enhance the security you need to deploy the SSL certificate to your website.

Step 3: How to setup free SSL certificate in AWS hosted site

Amazon Certificate Manager helps in creating and using free public certificates for your website / app hosted on Amazon. The only pre-requisite is to have a domain created in AWS which you have already done. One of the services provided by AWS is a Certificate Manager for Secure Socket Layer (SSL)/ Transfer Layer Security (TLS) certificates. Now, let us look into the steps involved in setting up SSL certificate for enhanced security of your website / app hosted on AWS.

Search for “AWS certificate manager” once you log in to the AWS home page.
You can find the option under “Security, Identity & Compliance” section of “All services”. Click open the certificate manager.
For installing free public certificate, click on “Get started” button under “Provision certificates” on AWS certificate manager home page
Public certificate is required as it is trusted by browsers and operating systems.
Click on “Request a certificate” to continue
Now, next important step is to add your domain names in to the certificate. Please keep in mind that you need to add both formats of domain names as specified: add “www.domain_name.com” and “domain_name.com”
You have the facility to add up to 10 domain names, including sub domains in one AWS certificate. Click “Next” after adding all the relevant domain names.
Next step is to select the validation method. You can choose to validate either by adding a DNS record to the DNS configuration on the web hosting site or via email. If you are relatively familiar with DNS records, web hosting, and have access to modify the website’s records, choose “DNS validation”. If you do not have access to modify records via a web hosting site, choose “Email validation”. Click “Next” when you are ready to continue.
The next step is optional. You can choose to assign metadata to your certificates to help manage them. Click “Review” to continue to the next step.
It’s time to review the options selected for the certificate. You have to double-check the domain name is spelled correctly and other details. You cannot change your certificate once it is created, so be sure to change any errors now. When you are ready, click “Confirm and request”.
Final step is validation, once the DNS records are generated, you will see your domains with the validation status of “Pending validation”.

What are the benefits of using the free SSL certificate in AWS hosted site?

With the evolution of internet and technology such as cloud hosting, ease of doing business has been enhanced. Along with the benefits there are several threats that are posed to businesses. Using SSL certificate will create a sense of trust in your customers. There are multiple benefits in leveraging the free SSL certificate provided by Amazon Web Services. Some of them are discussed below:

Security of your website / application

The HTTPS shows your website has installed an SSL certificate. It helps you prevent security breaches and get secondary authentication in the shape of Public Key Infrastructure (PKI). It helps to send information only to the receptive server.
Authentication

SSL ensures that right website is accessed while uploading the files and documents. It also considers the validation of target servers while uploading these files.
Customer Trust

Your customers who visit your website will have enhanced trust if they are accessing the website for uploading sensitive information.
Encryption

Sensitive data can be encrypted while performing exchange between one device to another device.
Prevention from data breach attacks

SSL certificate on your website can prevent attacks such as phishing, Man in the middle attacks etc. These attacks are now increasing day-to-day in internet today and securing your website from these attacks is a mandatory requirement. Attacks such as phishing involve cloning of webpage and it is not likely that a webpage with SSL certificate can be replicate. Hence, this scenario is also avoided.
Regulatory compliance through SSL

To comply with the Payments Card Industry (PCI) compliance norms, an online business must have at least a 128-bit SSL certificate with proper encryption. The PCI standards also make it mandatory to acquire the SSL certificate from a trusted source. As per their guidelines, a website must use the right strength of encryption for it to be able to take card payments. These guidelines also make it compulsory for the website to provide a private connection on any page that requires customers to enter personal information / sensitive information.

This is a good opportunity provided by Amazon Web Services (AWS) through free SSL certificate. Along with leveraging the free SSL certificate provided, you also have the facility to get your own SSL certificate. There are several type of SSL certificates available.

Please go through the below detailed blog article on SSL / TLS certificates for better understanding:

SSL/TLS certificates

Encryption Consulting’s AWS Consulting/ Managed PKI / CodeSign Secure

Encryption Consulting LLC (EC) will completely offload the Public Key Infrastructure environment, which means EC will take care of building the PKI infrastructure to lead and manage the PKI environment (on-premises, PKI in the cloud, cloud-based hybrid PKI infrastructure) of your organization. Also, along with PKI, Encryption Consulting also assists you in performing AWS consulting process for your websites to be deployed on AWS. Also, you can EC provides certificate management assessment & implementation as per your requirement.

Encryption Consulting will deploy and support your PKI using a fully developed and tested set of procedures and audited processes. Admin rights to your Active Directory will not be required and control over your PKI and its associated business processes will always remain with you. Furthermore, for security reasons the CA keys will be held in FIPS 140-2 Level 3 HSMs hosted either in in your secure datacentre or in our Encryption Consulting datacentre in Dallas, Texas.

Conclusion

Encryption Consulting’s AWS consulting, Certificate management, PKI-as-a-Service, or managed PKI, allows you to get all the benefits of a well-run PKI without the operational complexity and cost of operating the software and hardware required to run the show. Your teams still maintain the control they need over day-to-day operations while offloading back-end tasks to a trusted team of experts.

AWS KMS Vs Azure Key Vault Vs GCP KMS

Differences in AWS KMS Azure Key vault and GCP KMS

IT world across the globe has been dominated by the news of global data breaches and cloud data leaks. From the accidental sensitive data disclosure to stolen card data across the board, it appears that the trend will continue and nobody is sure how safe their data is especially in the cloud.

Due to this, we saw a continuous uptrend in the usage of encryption technology in every organization’s IT department because it provides a safety layer to the company’s critical data and makes it unusable for anyone who doesn’t have the associated key be it internal or external bad actor.

Based on the industry experience, we can simply say that the security provided by any crypto entity doesn’t depend much on the cipher mechanism used in the entity but surely depends upon the security of the associated keys. You can use any cipher with good key length but that doesn’t guarantee the protection unless keys are secured.

When it comes to managing a single security key manually, it is relatively easy, however, if the number of security keys in use is huge, the task of managing those keys becomes cumbersome. Thus, the need arises for automated key management services for data encryption.

Now, the key management service for any crypto system can be considered as managing the complete lifecycle of keys including generation, storage, activation, distribution, rotation, expiration, revocation, and destruction.

We can classify the key management systems under three broad categories:

Software-based KMS

Software-based KMS can be considered as standalone software installed in a physical or virtual environment. From a cost perspective, software-based KMS solutions are cheaper and easy to install as compared to hardware-based KMS solutions.
Hardware-based KMS

Hardware-based KMS can be considered as a specialized, tamper-proof hardware appliance built for cryptographic operations or key management and known as Hardware Security Module i.e., HSM. HSM can be integrated with Software-based KMS or KMS software can be embedded into the HSM as well.
Cloud-based KMS

Cloud-based KMS can be considered as a service offering from cloud service providers. All three biggest CSPs (AWS, Azure, and GCP) provide KMS as a managed service with a pay-as-you-go model which means that the customer doesn’t have to manage the underlying software/hardware. Also, other services within the CSPs environment are seamlessly integrated with their KMS services.

Now, since we have discussed the types of KMS in general, deciding which cloud-based KMS vendor is best for you is the next obvious question.

Choosing among three CSPs (Amazon Web Services, Microsoft Azure, or Google Cloud Platform) is heavily debated by users. The transition towards uploading data on the public cloud is becoming the standard for organizations. The two main factors for protecting data are to protect the data from unauthorized access and to meet compliance regulations. Cloud Security must be the main priority of everyone in the organization. In the next section, we will summarize our comparison among three biggies of the cloud computing world:

Amazon Web Services (AWS) Key Management System (KMS)
Microsoft Azure Key Vault
Google Cloud Platform (GCP) Key Management System (KMS)

AWS Key Management Service (KMS)

AWS KMS is a managed service that is used to create and manage encryption keys. The two types of encryption keys in AWS KMS are Customer Master Keys (CMKs) and Data keys. CMKs can be used to encrypt and decrypt up to 4-kilobytes of data whereas data Keys are generated, encrypted, and decrypted by CMKs.

The CMKs can never leave the AWS KMS and keys created by the AWS KMS service are never sent outside of the AWS region in which they were created and can only be used in the region in which they were created. The CMKs could be customer-managed or AWS-managed. CMKs are used to encrypt/decrypt the data keys whereas data keys are used to encrypt/decrypt the actual customer data. AWS KMS does not store, manage or track data keys.

AWS KMS cannot use the data key to encrypt/decrypt data for you. Users have to use and manage data keys on their own. By default, AWS KMS uses FIPS 140-2 validated hardware security modules (HSM) and supported FIPS 140-2 validated endpoints ensuring confidentiality and integrity of your keys.

Microsoft Azure Key Vault

Microsoft Azure Key Vault is used to store secrets like tokens, passwords, certificates, and API keys. Azure Key Vault can also be used as a key management solution. Key Vault can encrypt keys and secrets in hardware security modules (HSMS). Key Vault supports RSA and Elliptic Curve keys only. Microsoft will not see your keys, but processes the keys in FIPS 140-2 Level 2 validated HSMs.

GCP Key Management Service

Google Cloud Key Management Service (KMS) is an encryption key management offering from Google Cloud that is used to implement cryptographic functions for enterprises. Google Cloud KMS uses AES 256-bit key to protect the data and can also be used to manage the keys encrypting other types of sensitive data such as API tokens, user credentials, etc.

Google provides Google Cloud KMS service via REST APIs so that users can create, list, update and destroy the keys that help in managing a large number of keys specifically for enterprises that span across the globe. It also provides AES keys in a five-level hierarchy with a 24-hour delay in key deletion action.

The below table provides a summarized view of comparison among AWS KMS, Azure Key Vault, and Google Cloud KMS Services categorized on the features of the service:

#	Feature	AWS KMS	Azure Key Vault	Google Cloud KMS
1	Key Storage	Appliance (Software + Hardware)	Appliance* (Software)	Appliance (Software + Hardware)
2	FIPS 140-2 Level	Level 2	Level 2	Level 1
3	Key Types	Symmetric and Asymmetric	Asymmetric	Symmetric and Asymmetric
4	BYOK (Bring Your Own Key)	AES 256-bit wrapped by RSA 2048-bit	RSA wrapped by AES and RSA-OAEP	AES 256-bit wrapped by RSA 3072-bit
5	Symmetric Key Length	256-bit AES	None	256-bit AES
6	Asymmetric Key Length	2048-bit, 3072-bit, 4096-bit RSA	2048-bit, 3072-bit, 4096-bit RSA	2048-bit, 3072-bit, 4096-bit RSA
7	Encryption Modes	AES-GCM, RSA-OAEP	AES-GCM, RSA-OAEP	RSA PKCS#1v1.5, RSA-OAEP
8	Plain-text size limit	4KB	0.25KB	64KB
9	Signature Modes	RSA-PSS RSA PKCS#1v1.5 ECDSA with P-256 ECDSA with P-384 ECDSA with P-512 ECDSA with SECP-256k1	RSA-PSS RSA PKCS#1v1.5 ECDSA with P-256 ECDSA with P-384 ECDSA with P-512 ECDSA with SECP-256k1	RSA-PSS RSA PKCS#1v1.5 ECDSA with P-256 ECDSA with P-384
10	Key Capabilities	AWS Managed Service Encryption/Decryption Sign/Verify Auditing REST APIs	Support Customer Managed Keys Support tokens, passwords, certificates, API keys, and other secrets Encryption/Decryption Sign/Verify Key Vault logging REST APIs	Support Customer Managed Keys Encryption/Decryption Sign/Verify Auditing REST APIs

*Azure Key vault integration with Azure’s Managed HSM is in public preview and might be available sometime in future.

Conclusion

The continuous uptrend in encryption technology prompts the requirement of managing more and more keys that force enterprises to use automated key management systems to manage the high numbers of keys with efficiency. Considering the high demand for key management systems, the three biggest CSPs (Cloud Service Provider) are in cut-throat competition to add more and more features to their KMS services in their environment; however, it often becomes confusing with the limited documentation.

Encryption Consulting helps customers get familiarized with the latest & advanced security features, tools, documentation and assists them in harnessing the true value for their organization while deploying them within their environment, keeping the organization’s business objective intact.

The Best Way To Generate PGP Key Pair

Pretty Good Privacy or PGP is a cryptographic method for communicating privately over the Internet. It encrypts data and provides cryptographic privacy and authentication for online communication. It is frequently used to encrypt documents, emails, and files to improve email security. Data compression, hashing, and public-key cryptography are all used in PGP encryption. PGP also verifies the sender’s identity and ensures that the message was not tampered with while in transit.

It also encrypts data being exchanged across networks using symmetric and asymmetric keys. It combines both private and public-key cryptography features. It uses a different encryption algorithm at every step, and a username and email are associated with each public key.

Working of PGP Encryption

PGP is a type of hybrid cryptography. PGP combines the best features of both symmetric and public-key cryptography in one bundle. When a user encrypts plaintext with PGP, the plaintext is compressed first. Data compression reduces transmission time and disc space use while also improving cryptographic security. Most cryptanalysis techniques use patterns present in plaintext to exploit the cipher. Compression increases cryptanalysis resistance by reducing the patterns in plaintext (Files with very small sizes are not compressed).

PGP generates a session key, which is a secret key and is generated only once. This key generates a random number from the movement of your cursor and the keystrokes you type. This session key is used to encrypt the plaintext with a very secure and fast symmetric encryption algorithm, and the output is ciphertext. The session key is then encrypted with the recipient’s public key after the data has been encrypted.

Sender Side Process

The decryption of encrypted data works in reverse. The temporary session key can be recovered using the recipient’s private key, which is then used to decrypt the ciphertext encrypted with symmetric cryptography.

Receiver Side Process

The two encryption methods are combined to give you the convenience of public-key encryption with the speed of symmetric encryption. Public key encryption is much faster than conventional encryption. In turn, public-key encryption solves key distribution and data transfer issues. When both are used in combination, performance and key distribution improve without compromising security.

Use Cases of PGP Encryption

The major uses of PGP encryption are:

To encrypt data.
To send and receive encrypted emails.
To verify the sender’s identity.

Encrypt Data: PGP can be used to encrypt files. PGP offers a highly secure solution of encrypting data at rest, especially when combined with a Threat Detection and Response Solution. The algorithm used by PGP – typically the RSA algorithm – is nearly unbreakable. This technique is so safe as it has been employed in high-profile malware like the CryptoLocker virus.

Encrypt Emails: PGP is mainly used to send encrypted emails. Activists, journalists, and others who deal with sensitive data were the primary users of PGP in its early years. PGP’s popularity has grown at a rapid pace. As more individuals become aware of how much data corporations and governments collect, many people are now using the standard to keep their personal information private.

Identity Verification: PGP can also be used for email verification. For example, if a person is doubtful about the identity of someone sending them a message, they can use a Digital Signature in combination with PGP to authenticate it.
Digital signatures work by combining the sender’s public key with the data they send via an algorithm. A hash function is generated using another algorithm that converts a message to a fixed-size data block which is then encrypted with the sender’s private key.
The data is then decrypted by the recipient using the sender’s public key. The recipient will be informed if even one character of the message has been altered in transit.

Pros of PGP Encryption

Benefits of using PGP encryption are:

It is extremely secure and nearly unbreakable.
It improves cloud security.
Easy to learn and use.

Cons of PGP Encryption

Some limitations of PGP Encryption are:

There is no recovery process if passwords are forgotten or deleted.
The information will either not be decrypted or decoded by only one party unless both the sender and the receiver have compatible versions of PGP software.

How to Create PGP Key Pair

Prerequisite: In this article, we discuss how PGP key pair can be generated using GnuPG. You can download GnuPG from the given link: https://gpg4win.org/get-gpg4win.html

Follow the steps below to generate PGP key pair:

1. Open the Command Prompt (cmd) as Administrator.

2. Execute the command below to create a key pair:
$ gpg –full-generate-key

3. Now, It prompts with the below configurations based on the information provided by the requestor:

Select key type that you want to create:
We have selected RSA and RSA (default).

Now, it prompts for the size of the key between 1024 and 4096.
3072 is the default key length. You can hit enter to select 3072.

Now, it will prompt for the validity of the key.
Zero (0) is the default. You can hit enter to select 0.

It will prompt you to confirm that the key does not expire at all.

Now, enter the Real name, Email address, and Comment.
Real name can be the name of a person, product, or company.
You can leave the comment blank.

Validate the Name, Email, and comment.
Type O for Okay.

Now, a prompt will open for the passphrase, enter the passphrase, and hit enter.

Copy the Public Key ID from the output.

4. Export the Public and Private Keys:

To export the Public Key, enter the command below:
$ gpg –export -a keyid > publickeyname.key

To export the Private Key, enter the command below:
$ gpg –export-secret-key -a keyid > privatekeyname.key

It will prompt for the password that you enter in Step 3.g.
Enter the passphrase and hit enter.

Note: Both Public and Private keys will be saved in the directory where the export commands are executed.

How to Seamlessly Change the Format of Digital Certificates?

There are many formats in which digital certificates can be downloaded or converted. Following are X.509 certificate encoding formats and extensions:

Binary

DER: .der, .cer
PKCS#12: .p12, pfx

Base64

PKCS#7: .p7c, .p7b
PEM: .crt, .ca-bundle, .pem

However, different certificate forms have no advantages or disadvantages. It all depends on the certificate’s format requirements for the application that will be using it.

PEM

A PEM (Privacy Enhanced Mail) file is a Base64-encoded certificate file used to verify a website’s security. It may contain a private key, a server certificate from a certificate authority (CA), or other trust chain certificates. PEM files are compatible with OpenSSL applications and are commonly imported from a Unix-based Apache Web server.
You can see the contents of a PEM file with the help of a text editor. The file has one or more headers that describe the information contained within it. A PEM file for a certificate includes the “—-BEGIN CERTIFICATE—-” and “—-END CERTIFICATE—-” statements.
A PEM file can have several certificates and private keys one after another.
Linux and Unix-based web servers typically use PEM files.
Commonly used extensions of PEM files are: .cer, .pem, .crt, .key

DER (Distinguished Encoding Rules)

A DER (Distinguished Encoding Rules) file is a binary format certificate file. As DER files can end in either .der or .cer, you will need to read the file with a text editor to tell the difference between DER.cer and PEM.cer. There should be no BEGIN/END statements in a DER file, or the binary information will be distorted.
The DER format can be used to encode both digital certificates and private keys.
DER files are generally used with java platforms.
Commonly used extensions of DER files are: .cer and .der

PKCS#7

PKCS#7 is a Base64-encoded certificate file. This format cannot be used to store private keys. Only digital certificates and Certificate Revocation List (CRL) can be stored in PKCS#7 file format.
A PKCS#7 file contains the “—-BEGIN PKCS7—-” and “—-END PKCS7—-” statements.
Commonly used extensions of PKCS#7 files are: .p7b and .p7c
Java Tomcat and Microsoft Windows platforms commonly use these files.

PKCS#12

PKCS#12 is a single password-protected binary file format that stores the server certificate, intermediate certificate, and private key. It refers to a personal information exchange format.
Windows platforms commonly use these files to import and export certificates and private keys.
Commonly used extensions are: .p12, ,pfx

Change Certificate Format By Changing The Extension

You can convert the following file format into different formats by changing the extensions.

PEM

You can change the PEM file format to the following formats by changing its extension:

.crt
.cer
.pem
.key

For Example: Convert the .crt certificate file into .pem file.

Open the .crt certificate file in any text editor.
Go to File.
Click on Save As
In Save as type “Select All Files.”
In the File name, enter the file name and the extension you want to convert (.cer, .key, .pem, .crt).
click on Save.

DEM

You can change the DER file format to the following formats by changing its extension:

.der
.cer

For Example: Convert the .der certificate file into .cer file.

Open the certificate in any text editor.
Go to File.
Click on Save As
In Save as type “Select All Files.”
In the File name, enter the file name and the extension you want to convert (.cer, .der).
Click on Save As

Change Certificate Format Using OpenSSL

PEM

Convert PEM to DER:

You can convert the PEM certificate file format to DER by using the command below:

$ openssl x509 -outform der -in certificate.pem -out certificate.der
Convert PEM to P7B

You can convert the PEM certificate file format to P7B by using the command below:

$ openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CAcert.cer
Note: -certfile CAcert.cer is optional, use this if having more than one PEM certificates and wants to include into P7B file.
Convert PEM to PFX

You can convert the PEM certificate file format to PFX by using the command below:

$ openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CAcert.crt

Note: -certfile CAcert.cer is optional, use this if having more than one PEM certificates and wants to include into PFX file.

DER

Convert DER (.crt, .cer, .der) to PEM:

You can convert the DER certificate file format to PEM by using the command below:

$ openssl x509 -inform der -in certificate.der -out certificate.pem

P7B

Convert P7B to PEM

You can convert the P7B certificate file format to PEM by using the command below:
$ openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
Convert P7B to PFX

You can convert the P7B certificate file format to PFX by using the two commands below:
$ openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer $ openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CAcert.cer
Note: -certfile CAcert.cer is optional, use this if having more than one P7B certificates and wants to include into PFX file.

PFX

Convert PFX to PEM

You can convert the PFX certificate file format to PEM by using the command below:

$ openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

Note: OpenSSL will combine all the Certificates and Private Keys into a single file when converting PFX to PEM format. You will need to open the file in Text Editor and copy each

Certificate and Private key (including the BEGIN/END instructions) to its text file.

Stay Updated With The Best Practices For Modern Public Key Infrastructure

Public Key Infrastructure (PKI) is a vital part of your organization’s security. Many PKI deployments are more than a decade old and still supporting various applications across the organization/business. However, the set of use cases, challenges, standards related to PKI has changed over the years. Today, organizations face different challenges while using PKI. PKI had emerged as a core technology to secure applications at the lead of digital transformations.

Today’s modern computing architecture, distributed workforce, and devices demand an advanced security level against constant and developing threats. This forces organizations to re-think their security perspectives to close potential vulnerabilities and meet expanding compliance requirements.

Modern Enterprise PKI Use Cases

Web and application servers

Enterprise should implement an advanced level of authentication and encryption across all websites and applications in their environment (on-prem and cloud) and behind the firewall. A trusted client-server authentication can be achieved by using SSL/TLS certificate to encrypt communication over the internet.
DevOps containers and code

The Engineering team in an organization can incorporate compliant certificate processes into their regular workflow with code signing certificates and high-volume, short-lifespan SSL certificates to ensure the integrity of containers, the code they run, and the production applications that use them.
Public-cloud certificate Management

A centralized certificate management solution can be used to manage all the certificates automatically in both your cloud and entire enterprise environment to ensure your applications are always running smoothly. The certificates protect your applications hosted in the cloud.
Zero-Trust Security

PKI Certificates and key pairs strengthen digital identity verification and secure connections between entities beyond the firewall network architecture to ensure a Zero-Trust Security Strategy.
Internet of Things (IoT) Devices

To securely build, scale, and manage the IoT ecosystem, it is vital to have a strong identity authentication and remote security deployment to all connected devices.

Devices are the most frequent Internet users, and they require digital IDs to operate safely. In addition, the rapid evolution of IoT technology is boosting demand for internet of things public key infrastructure (IoT PKI) as businesses seek to adapt their business models to stay competitive and secure.

PKI has long been a significant Internet security standard, with all of the characteristics required to provide the high degree of trust and security demanded by today’s IoT deployments. It offers robust and well-proven protection through encryption and authentication and digital signatures to validate data integrity. PKI is also a dynamic security approach designed to handle a variety of IoT use cases. Organizations can use PKI to ensure that users, systems, and devices securely authenticate and secure data in transit and at rest.

The public key infrastructure (PKI) is a set of hardware, software, policies, and procedures for creating, managing, distributing, and updating digital certificates over time. PKI is considered the backbone of Internet security for decades, and it’s now evolving as a flexible and scalable solution capable of fulfilling the data and device security needs of the Internet of Things. End-user adoption and productivity are boosted when friction is reduced, and PKI provides an intuitive experience that includes mutual authentication, encryption of sensitive data, and data integrity assurance. In addition, it allows for flexible deployment in a variety of environments and is scalable.

PKI eliminates the need for passwords and complex authorization checks. Devices need to share their public keys and can begin exchanging data. Digital certificates provide a secure environment for IoT devices to operate, minimizing data leakage and hacking risks with point-to-point encryption and flawless authentication. They also validate software upgrades, making it difficult for hackers to get access to the network. PKI is a key component of TLS (Transport Layer Security), and incorporating it into IoT could provide much-needed consistency.

Securing a Remote workforce

Post Covid-19 majority of the workforce is working remotely. The challenge for a remote user is also different and usual. A modern PKI platform will help the organization track the certificates centrally regardless of their location to overcome the unique challenges. It also offers automation to manage the certificates.
Approach towards cloud-security or multi-cloud environment

Organizations moving towards the cloud require strong authentication for their devices and users. For today’s increasingly diverse, multi-cloud environments, PKI solutions are ideal for securing digital trust. Standards-based, widely adopted, and flexible, they can provide strong security across a wide variety of environments, including enterprise systems, cloud storage, clients like email and document signing applications, virtualization, DevOps, and more.

PKI also enables organizations to strengthen authentication for dynamic cloud environments utilizing digital certificates and scale quickly to accommodate additional users, devices, and demands. Organizations can apply a unified approach to authentication, encryption, secure email, digital signing, and other PKI capabilities with the proper management platform. A modern approach to PKI will provide the flexibility for deployment in the cloud and on-premises, and in-country to meet specific requirements or application needs. A robust PKI management platform can also enable organizations to quickly deploy extremely high volumes of certificates, making the solution ideal for large, fast-growing enterprises. Organizations need PKI management platforms built with cloud-native and container-based technologies.
Code-signing

Code signing adds a layer of assurance for both internal and external-facing applications by informing the users that:
- The software they are using can be trusted,
- Any third party has not modified it since it was signed.

Modern PKI Best Practices

Proper planning

A detailed plan for PKI deployment is a must. Gartner says, “Security leaders that successfully reposition X.509 certificate management to a compelling business story, such as digital business and trust enablement, will increase program success by 60%, up from less than 10% today.”
Hire skilled resources

PKI is a critical infrastructure, so implementing and operating the PKI through the organization should be done with expert team members. They will need to outsource the PKI to a trusted expert. A managed PKI provider can help overcome this problem.
Audit the PKI

A regular audit of your PKI may help you overcome the security problems in your environment.
Store certificate and Key securely

Hackers can use various techniques to analyze and detect keys while they are in use or transit. Ensuring the keys are stored securely under FIPS 140-2 level 3 systems is a must.
Understand your use cases

Many organizations make this mistake; they design and deploy their PKI without brainstorming their use cases. It is essential to understand your organization’s use cases before finalizing the PKI design and deployment of PKI. When you know your use cases, you know what is best for your organization.
Root Key Ceremony

Implementing the Root Certificate Authority (CA) is almost like creating a “master key” to an organization’s network. The Root CA implementation is susceptible and should be handled and deployed in a controlled environment. The Root CA key Ceremony helps the organization record the event/activity formally, providing high assurance to the organization.

While deploying the Root CA, you must dedicate an HSM (Hardware Security Module) for your Root CA. This is a critical decision before deploying any of your PKI components.
Certificate Policies and Practices

In today’s digital world, a PKI is the best way for an organization to safeguard its sensitive data from unauthorized parties. Encryption serves as a lock and key to protect information from access by bad actors. Many organizations deploy their PKI as a project requirement and do not consider developing appropriate policies and procedures.
Certificate Policy (CP)
- A document that sets out the rights, duties, and obligations of each party in a Public Key Infrastructure.
- The Certificate Policy (CP) is a document that usually has a legal effect.
- A CP is usually publicly exposed by CAs, for example, on a Web Site (VeriSign, etc.)
Certificate Practice Statement (CPS)
- A document that sets out what happens in practice to support the policy statements made in the CP in a PKI.
- The Certificate Practice Statement (CPS) is a document that may have legal effect in limited circumstances.

Encryption Consulting’s Managed PKI

Encryption Consulting LLC (EC) will completely offload the Public Key Infrastructure environment, which means EC will build the PKI infrastructure to lead and manage the PKI environment (on-premises, PKI in the cloud, cloud-based hybrid PKI infrastructure) of your organization.

Encryption Consulting will deploy and support your PKI using a fully developed and tested set of procedures and audited processes. Admin rights to your Active Directory will not be required, and control over your PKI and its associated business processes will always remain with you. Furthermore, for security reasons, the CA keys will be held in FIPS140-2 Level 3 HSMs hosted either in your secure data center or in our Encryption Consulting datacenter in Dallas, Texas.

How Encryption Consulting Can Help

Encryption Consulting is a consulting company dedicated to protecting your organization from outside attackers. We offer many services, including certificate and key management, PKI assessment, design, implementation, PKI, and AWS training. Our encryption assessments help you identify any weaknesses in your network. At the same time, we design a roadmap to implement fixes for the security gaps, and we can help implement that roadmap. We can also help you implement and test your Disaster Recovery plan to ensure that no steps are missed and you are fully protected from malware like Ransomware. To learn more about our services and products, contact us at www.encryptionconsulting.com.

Resources

PKI: Securing a variety of use cases in today’s digital organizations

Everything You Need to Know About Time Stamping Authority

An optional but important component in Code Signing Architecture is Time Stamp Authority (TSA). Time stamping preserves the source time when the code was signed and allows software to be accepted by the OS and other client device platforms even after the certificate expires. Signed software is validated with the source time when the certificate was signed rather than the current time.

In this discussion whiteboard, what is a trusted time stamp and what is Time Stamping Authority (TSA)? What are various protocols followed by Time Stamping Authority (TSA)? What are various steps involved in time stamping process performed by Time Stamping Authority? How is this concept critical in code signing process? What is CodeSign Secure by Encryption Consulting? Let’s get into the topic to understand responses to these questions:

Code signing is a type of digital signature used to provide security and authentication for the intellectual property in the form of code or software program. Code signing process leverages several modules for completion of the process in order to provide technical security and integrity for your code/ software program. Time stamping is one of the key aspect of the code signing process architecture.

Let us go first understand what exactly is the code signing process and what are different components involved in the code signing architecture. This will lead us to the trusted time stamping concept and Time Stamping Authority (TSA). One important point to note is time stamping process can be applied to documents which are signed either through digital signatures or electronic signatures.

What is a Code Signing process?

In the recent past many technology firms are being targeted by hackers to tamper and corrupt the source code. These attacks heavily impact brand reputation and leads to huge losses for firms victimized. To tackle this scenario, Code Signing technique can be used for safeguarding the code integrity and to provide authenticity of the author to the end user by providing digital signatures.

Code Signing provides secure and trusted distribution of software preventing tampering, corruption, and forgery. Code signing improves end-user confidence in software/code integrity and sender authenticity.

Code signing is the process of applying a digital signature to any software program that is intended for release and distribution to another party or user, with two key objectives. One is to prove the authenticity and ownership of the software. The second is to prove the integrity of the software i.e. prove that the software has not been tampered with, for example by the insertion of any malicious code.

Code signing applies to any type of software: executables, archives, drivers, firmware, libraries, packages, patches, and updates. An introduction to code signing has been provided in earlier articles on this blog. In this article, we look at some of the business benefits of signing code.

Code signing is a process to validate the authenticity of software and it is one type of digital signature based on PKI. Code signing is a process to confirm the authenticity and originality of digital information such as a piece of software code. It assures users that this digital information is valid and establishes the legitimacy of the author. Code signing also ensures that this piece of digital information has not changed or been revoked after it was validly signed.

Code Signing plays an important role as it can enable identification of a legitimate software versus malware or rogue code. Digitally signed code ensures that the software running on computers and devices is trusted and unmodified.

Software powers your organization and reflects the true value of your business. Protecting the software with a robust code signing process is vital without limiting access to the code, assuring this digital information is not malicious code and establishing the legitimacy of the author.

Code Signing Architecture

Code Signing Architecture provides a detailed explanation on how the Code Signing process works along with its components. Below mentioned are the four important differentiating components in the Code Signing Architecture.

Code Signing System (CSS)
Certificate Authority (CA)
Time Stamp Authority (TSA)
Verifier

These four components together will achieve the full cycle completion of code signing process. Public Key Infrastructure (PKI) plays a crucial role in achieving the code signing for your important documents.

To understand more about Code signing process, read our blog posts here:

What is Code Signing? How does Code Signing work?

In the above architecture, our point of focus is on “Time Stamping Authority” which is an optional part of code signing process right now, but slowly it is gaining importance in achieving authenticity for your code/software program. So, what is time stamping process and how is this time stamping authority important for time stamping process? Let’s take a look now:

What is time stamping process?

Time stamping is an optional part of the code signing process, where validity of code signing signature by the software even after expiry of the certificate used for code signing. This acts like an additional control where the signature used for code signing process is preserved even after the expiry ensuring the smooth flow of operations without interruption.

Whenever the signed software’s executable is run/executed on any client machine/system, its digital signature is verified by the user’s operating system. Now, suppose the user has time stamped the software. The users’ computer will verify the signature based on the time it was digitally signed, rather than the current time of the system when the software is executed.

What is Time Stamping Authority (TSA)?

An optional but important component in Code Signing Architecture is Time Stamp Authority (TSA). Time stamping preserves the source time when the code was signed and allows software to be accepted by the OS and other client device platforms even after the certificate expires. Signed software is validated with the source time when the certificate was signed rather than the current time. Hence, it is always advisable to use Time stamping technique while performing code signing.

Digital signature signed code is sent to TSA for time stamping. TSA applies its own signature along with the valid source time stamp. TSA is independent from Code Signing System and synchronizes its clock with an authoritative time source.

Time stamping protocols

Time Stamping Authorities follow certain protocols for performing time stamping activity to ensure higher protection and security. There are two major protocols usually followed by TSAs for time stamping.

RFC 3161 – RFC 5035
Microsoft Authenticode

RFC 3161 – The time-stamping protocol defined in RFC 3161 requires that the Cryptographic Message Syntax (CMS) SignedData [RFC5652], used to apply a digital signature on the time-stamp token, include a signed attribute that identifies the signer’s certificate.
Authenticode applies digital signature technology to guarantee the authorship and integrity of binary data such as installable software. A client web browser, or other system components, can use the Authenticode signatures to verify the integrity of the data when the software is downloaded or installed. Authenticode signatures can be used with many software formats, including .cab, .exe, .ocx, and .dll.

To know more about the Microsoft Authenticode, please read through the page mentioned below:

https://docs.microsoft.com/en-us/windows/win32/seccrypto/time-stamping-authenticode-signatures

How does Time stamping authority perform time stamping process?

Public Key Infrastructures (PKIs) play a crucial role in Time Stamping Authority (TSA) performing time stamping process. Let us understand the high level steps that are involved in the time stamping process.

Step 1:

The client application connects with the Time Stamping Authority (TSA) service. Now, hash is created for the code or software program which needs to be code signed.

Step 2:

Hash created for the code is sent to Time Stamping Authority (TSA) for time stamping. Once the hash is sent to TSA, any changes made to code or software program hashed has to be communicated with TSA server.

Step 3:

Time stamping authority combines the hash of the original file received from client along with the trusted time stamp. The result is digitally signed with a secure private key. This signing process creates a “Time stamp token” which is sent back to the client.

Step 4:

The client receives the timestamp token created by Time Stamping Authority which is recorded along within the document or code signature.

Who can use Time stamping?

Trusted time stamping process can be add additional security control to the documents which are either digitally signed or electronically signed. Documents which are signed using electronic signature can be time stamped. Recipients can verify the integrity of the document post time stamp. For digitally signed documents, there are two main reasons for including a trusted timestamp when you digitally sign a document – ensuring Long-Term Validation (LTV) of the signature and adding non-repudiation or confidence around when the signature was actually applied.

Encryption Consulting provides CodeSign Secure platform for digitally code signing your most important and highly sensitive code and/or software programs to ensure security and integrity. Post performing code signing process through CodeSign Secure we would guide you in performing trusted time stamping process through a Time Stamping Authority (TSA).

Below is the brief provided on Encryption Consulting’s (EC) CodeSign Secure platform and its benefits.

Encryption consulting’s (EC) CodeSign Secure platform:

Encryption consulting (EC) CodeSign secure platform provides you with the facility to sign your software code and programs digitally. Hardware security modules (HSMs) store all the private keys used for code signing and other digital signatures of your organization. Organizations leveraging CodeSign Secure platform by EC can enjoy the following benefits:

Easy integration with leading Hardware Security Module (HSM) vendors.
Authorized users only access to the platform.
Key management service to avoid any unsafe storage of keys.
Enhanced performance by eliminating any bottlenecks caused.

Why to use EC’s CodeSign Secure platform?

There are several benefits of using Encryption consulting’s CodeSign Secure for performing your code sign operations. CodeSign Secure helps customers stay ahead of the curve by providing a secure Code Signing solution with tamper proof storage for the keys and complete visibility and control of Code Signing activities. The private keys of the code-signing certificate can be stored in an HSM to eliminate the risks associated with stolen, corrupted, or misused keys. Client-side hashing ensures build performance and avoids unnecessary movement of files to provide a greater level of security. Client-side hashing ensures build performance and avoids unnecessary movement of files to provide a greater level of security. Client-side hashing ensures build performance and avoids unnecessary movement of files to provide a greater level of security. Seamless authentication is provided to code signing clients via CodeSign Secure platform to make use of state-of-the-art security features including client-side hashing, multi-factor authentication, device authentication, and as well as multi-tier approvers workflows, and more. Support for InfoSec policies to improve adoption of the solution and enable different business teams to have their own workflow for Code Signing. CodeSign Secure is embedded with a state-of-the-art client-side hash signing mechanism resulting in less data travelling over the network, making it a highly efficient Code Signing system for the complex cryptographic operations occurring in the HSM.

Encryption Consulting’s Managed PKI / CodeSign Secure

Encryption Consulting LLC (EC) will completely offload the Public Key Infrastructure environment, which means EC will take care of building the PKI infrastructure to lead and manage the PKI environment (on-premises, PKI in the cloud, cloud-based hybrid PKI infrastructure) of your organization. Also, along with PKI, Encryption Consulting also assists you in performing code signing process for your important and highly sensitive documents, codes and software programs.

Conclusion

Encryption Consulting’s PKI-as-a-Service, or managed PKI, allows you to get all the benefits of a well-run PKI without the operational complexity and cost of operating the software and hardware required to run the show. Your teams still maintain the control they need over day-to-day operations while offloading back-end tasks to a trusted team of PKI experts.

Top Methods to Protect Your Company from Ransomware

Another major ransomware supply chain attack has occurred over the holiday weekend. On July 2nd, the IT Solutions Provider Kaseya issued a statement saying they had suffered a ransomware attack. This attack only affected 0.1% of Kaseya’s customers, but their customers are Managed Service Providers (MSPs), which means hundreds of smaller businesses were also affected by this ransomware attack. This attack follows in the wake of several other large ransomware attacks in the past few months, including the Colonial Gas Pipeline attack and the attack on the meat supplier JBS. Before we get the specifics on this attack, let’s first learn about who Kaseya are and what a ransomware attack is.

What is Kaseya?

Kaseya is an IT solutions provider who offers different software to Managed Service Providers and enterprises. These MSPs in turn offer their own services to other small customers, such as Software as a Service, PKI as a Service, and other similar services. This is one of the reasons that this attack was so effective, as each of these MSPs have several hundred small companies of their own that they accidentally affected with this ransomware. An example of the software that Kaseya provides is VSA, which is used to monitor and manage networks and endpoints.

What is ransomware?

Ransomware is a type of malware which encrypts all the files in a victim’s system. Once the files are encrypted, the threat actors normally leave a ransom note, telling the victim how much and where to send the ransom, while they in turn send the decryption key back to the victim. It is recommended to never pay the ransom to a threat actor who has encrypted your data, as they can either not give you the encryption key, they can download the information anyways and blackmail you in the future, or they may not even know how to decrypt it.

What happened in this attack?

On July 2nd, 2021, Kaseya announced that an attack had hit their tool, the VSA, and affected “a small number of on-premise customers.” Even though only a small number of customers were affected, that is still a significant number of victims. As we previously mentioned, many of the tools created by Kaseya are utilized by MSPs, and thus their clients were affected as well. Victims were recommended by Kaseya to shut off admin access to the hijacked tool, and they also pulled their SaaS servers and data centers offline.

The attack itself manipulated a vulnerability within Kaseya’s VSA tool where the attackers used an authentication bypass vulnerability within the tool’s web interface to distribute their malware. This let the threat actors get around security controls, upload their payload, and use SQL injection to execute their code within the VSA tool. To do this, the attackers utilized a rogue certificate. Once the endpoint of the MSP or user was infected, the endpoint would write a file into its working directory. From there, the machine would then run a number of PowerShell commands which work to stop and turn off a number of malware services on a Windows computer. The file in the working directory is then turned into an executable file, thus releasing the ransomware.

However, to use the executable file, a legitimate signature was still needed, which is where the rogue certificate comes in. The certificate was found to belong to an organization called PB03transport, which is a legitimate organization. This indicates that the threat actors had access to the private key of this organization, most likely obtained via phishing or a Man in the Middle attack. Once the ransomware infected an MSP, the malware was then given to other customers through an automated update containing the ransomware. The ransomware in question is called REvil ransomware and was uploaded to the VSA tool by the creators, the threat actors known as REvil or Sodinikibi. It is unknown at this time if the victims have all paid the attackers.

Stopping this Type of Attack

The sad truth of this attack is that it could have been prevented. Utilizing a rogue certificate, these threat actors crippled thousands of companies, when proper certificate management could have stopped this. Using a managed certificate management system or PKI-as-a-Service, like the kind Encryption Consulting offers, this rogue certificate would not have been created in the first place. With proper certificate monitoring and key inventorying, the stolen key could have been detected and subsequently deactivated. Instead, many companies may have to pay a ransom just to get their data back.