Reading time: 3 minutes, 27 seconds

LDAPS is one of the most crucial functionalities to properly protect and secure credentials in your PKI environment. By default, LDAP communications between client and server applications are not encrypted. This means that it would be possible to use a network monitoring device or software and view the communications traveling between LDAP client and server computers. This is especially problematic when an LDAP simple bind is used because credentials (username and password) are passed over the network unencrypted. This could quickly lead to the compromise of credentials.

Prerequisites

A functional Microsoft PKI should be available and configured. While viewing PKIView.msc, no errors should appear

If you need help in deploying your own PKI, you can refer to this article to build your own Two Tier PKI

Installing AD LDS

This step should be carried out on LDAP Server or on Domain Controllers which would be responsible for hosting LDAPS service.

  • Open Server Manager
  • From manage, open Add Roles and Features
  • On Before you Begin, click Next
  • On Installation type, ensure Role based or feature based installation, and click Next
  • On Server Selection, click Next.
  • On Server Roles, click Active Directory Lightweight Directory Services, and click Add Features, and then click Next
  • On Features, click Next
  • On AD LDS, click Next
  • On Confirmation, click Install
  • Post Installation, AD LDS needs to be configured

Configuring AD LDS

  • Run AD LDS setup wizard. Click Next on first page.
  • Ensure unique instance is selected, and click Next
  • Provide Instance name and Description, and click Next
  • Leave default ports and click Next

If AD LDS is installed on domain controller, then LDAP port would be 50000 and SSL port would be 50001

  • On Application Directory Partition, click Next
  • On File locations, click Next
  • On Service Account Selection, you may leave it on the Network service account, or choose a preferred account that can control LDAPS service
  • On AD LDS administrators, leave the current admin, or choose another account from the domain
  • Choose all LDF Files to be imported, and click Next
  • On Ready to Install, click Next
  • After Installation, click Finish

Publishing a certificate that supports Server Authentication

  • Login to the Issuing CA as enterprise admin
  • Ensure you are in Server Manager
  • From the Tools menu, open Certificate Authority

Expand the console tree, and right click on Certificate Templates

  • Select Kerberos Authentication (as it provides Server Authentication). Right click and select Duplicate Template. We can now customize the template.
  • Change Template Display Name and Template Name on General tab. Check Publish Certificate in Active Directory. This will ensure that the certificate appears when we enrol domain controllers using that template
  • On Request Handling, check Allow private key to be exported.
  • On the Security tab, provide Enroll permissions to appropriate users
  • Click Apply

Issue the Certificate on Issuing CA

  • Login to the Issuing CA as enterprise admin
  • Ensure you are in Server Manager
  • From the Tools menu, open Certificate Authority

Expand the console tree, and click on Certificate Templates

On the menu bar, click Action > New > Certificate Template to Issue

  • Choose the LDAPS certificate
  • Click OK and it should now appear in Certificate Templates

Requesting a certificate for Server Authentication

  • Log into LDAP server or domain controller.
  • Type win+R and run mmc
  • Click File and click Add/Remove Snap-in
  • Choose Certificates and click Add
  • Choose Computer account
  • If the steps are followed on LDAPServer where AD LDS is installed, click Local computer, or choose Another computer and choose where it would need to be installed
  • Expand the console tree, and inside Personal, click Certificates
  • Right click on Certificates and click All Tasks and select Request New Certificate
  • Follow the instructions, choose LDAPS template that we issued earlier and Install.}
  • Once Installed click Finish
  • Open the certificate, and in Details tab, navigate to Enhanced Key Usage to ensure Server Authentication is present.

Validating LDAPS connection

  • Login to LDAP Server as Enterprise admin
  • Type win+R and run ldp.exe
  • On the top menu, click on Connections, and then click Connect
  • In server, provide domain name, ensure SSL is checked and proper port is provided and click OK
  • No errors should appear. If connection was unsuccessful, the following output may appear

Conclusion

This should enable LDAPS which can be used to properly protect credentials used in your PKI environment as well as enable other applications to use LDAPS.

If you need help with your PKI environment, feel free to email us at info@encryptionconsulting.com.

About the Author

Anish Bhattacharya is a Consultant at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Reading time: 5 minutes

Setting up Audit is one of the key aspects of any security architecture. For ADCS, logging is important as well. You may enable and set up Active Directory Certificate Services auditing using the instructions given in this article.

First thing First!

The first step is to ensure that auditing is enabled on your ADCS servers.

For this, Run the auditpol command and make sure “Registry” and “Certificate Services” advanced auditing are turned on.

Wait, but what is auditpol?

Windows captures logs of all kinds which may not be useful to us and cause a lot of confusion and loss of focus. To address this, Microsoft has introduced auditpol. Auditpol is used to categorize granually these logs at user level.

Remember to refresh the group policy after you have enabled it!

Some more examples to use auditpol are shown below :

Example 1:

Example 2 :

In our ADCS use case we will use:

auditpol /get /category:*

The next step is to enable monitoring using the ADCS snap-in.

To do this, perform the following steps on the ADCS server.

  • Open Server Manager
  • Select Tools -> Certificate Authority
  • Right-click the CA name and select Properties.
  • Select monitor
  • Enable required monitoring settings
  • Backing up and restoring the CA database
  • Change CA configuration
  • Change CA security settings
  • Issuing and managing certificate requests
  • Revoke certificates and publish CRLs
  • Storing and retrieving archived keys
  • Starting and stopping the ADCS

The next step is to enable the certificate template changes using the certutil command.

certutil –setreg policy\EditFlags +EDITF_AUDITCERTTEMPLATELOAD

Some changes can be made directly through the registry, so registry auditing should be enabled. For this you need to:

  • Open regedit on the ADCS server
  • Find below Registry Key
  • HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\
  • Right click on Configuration and select Permissions
  • Click Details
  • Select Monitoring and click Add
  • Set the principal to Authenticated Users and configure the following permissions:
  • set value
  • create subkey
  • fire extinguishing
  • write DAC
  • write owner
  • read control

Restart the server and see your changes. After rebooting, you will see various event IDs in the security log.

Reboot your server and verify the changes. After the reboot, you should see different event IDs in your Security logs.

Now we have the ADCS auditing up and running.

You can also sieve the audit logs via Azure Arc and Azure Sentinel as well using “Data Collector Rules” in MS Azure.

About the Author

Gopal is a data protection senior consultant at Encryption Consulting LLC working with PKI and other services.

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Read time: 3 minutes, 54 seconds

Cryptographic Service Providers (CSPs) store, access and create cryptographic keys– the building blocks of PKI. In the case of certificates, what type of cryptographic service depends on the provider, different types of keys and key lengths are available with different providers. Different examples include RSA, Elliptical Key or a host of others such as DES, 3DES, etc.

For hardware solutions such as Smart Cards and Hardware Security Modules (HSMs), third party software is sometimes needed for optimal performance. Newer Next Gen KSPs and more standard Microsoft CSPs are listed below for a comparison.

Since there are so many different providers, it’s best to divide into groups based on all around capabilities in every use case. The below tables show different cryptographic methods from modern to legacy. In reviewing this list, the primary things being evaluated are what types of keys can be used, their size, protections, and compatibility.

Modern Microsoft cryptography providers

Provider Name & TypeDescriptionPurposesCryptoDefault Microsoft Templates
Microsoft Software Key Storage Provider (CNG)Standard windows software-based RSA and ECC provider.Key Exchange
Digital Signature
Data Encryption
RSA
ECC SHA1
SHA2
OCSP Response Signing (KSP Required, Provider not specific)
Microsoft Smart Card Key Storage Provider (CNG)Supports smart card key creation and useKey Exchange
Digital Signature
Data Encryption
RSA
ECC SHA1
SHA2
None

Legacy Microsoft cryptography providers

Provider Name & TypeDescriptionPurposesCryptoDefault Microsoft Templates
Microsoft RSA SChannel Cryptographic Prodvider (CAPI)Supports hashing, data signing, and signature verification. The algorithm identifier CALG_SSL3_SHAMD5 is used for SSL 3.0 and TLS 1.0 client authentication. This CSP supports key derivation for the SSL2, PCT1, SSL3 and TLS1 protocols.Key ExchangeRSA SHA1CEP Encryption
Computer
Directory Email Replication
Domain Controller
Domain Controller Authentication
IPSec
IPSec (Offline)
Kerberos Authentication
RAS and IAS Server
Router (Offline request)
Web Server
Workstation Authentication
Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider (CAPI)Supports Diffie-Hellman key exchange (a 40-bit DES derivative), SHA hashing, DSS data signing, and DSS signature verification. Derived from Base DSS and Diffie-Hellman Cryptographic Provider. Adds support for RC2/4, DES and 3DES encryptionDigital SignatureRSA SHA1Authenticated Session
Basic EFS
CA Exchange
Code Signing
EFS Recovery Agent
Enrollment Agent
Enrollment Agent (Computer)
Exchange Enrollment Agent (Offline request)
Exchange Signature Only
Exchange User
Key Recovery Agent
Trust List Signing
User
User Signature Only
Microsoft DSS and Diffie-Hellman/Schannel Cryptographic Provider (CAPI)Supports hashing, data signing with DSS, generating Diffie-Hellman (D-H) keys, exchanging D-H keys, and exporting a D-H key. This CSP supports key derivation for the SSL3 and TLS1 protocols. This CSP supports key derivation for the SSL3 and TLS1 protocols.Key ExchangeRSA SHA1Web Server
Microsoft Base Cryptographic Provider (CAPI)A broad set of basic cryptographic functionality that can be exported to other countries or regions. No 3DES support. RC2/4 limited to 40bits.Digital Signatures
Data Encryption
RSA SHA1Administrator
Authenticated Session
Basic EFS
Code Signing
EFS Recovery Agent
Enrollment Agent
Enrollment Agent (Computer)
Exchange Enrollment Agent (Offline request)
Exchange Signature Only
Exchange User
Trust List Signing
User
User Signature Only
Microsoft DSS Cryptographic Provider (CAPI)Provides hashing, data signing, and signature verification capability using the Secure Hash Algorithm (SHA) and Digital Signature Standard (DSS) algorithms.Digital SignaturesRSA SHA1Authenticated Session
Code Signing
Enrollment Agent
Enrollment Agent (Computer)
Exchange Enrollment Agent (Offline request)
Exchange Signature Only
Trust List Signing
User Signature Only

Deprecated Microsoft cryptography providers

Provider Name & TypeDescriptionPurposesCryptoDefault Microsoft Templates
Microsoft Base Smart Card Crypto Provider (CAPI)Derived from Microsoft Strong Cryptographic Provider. Communicates with Smart Card Modules (minidriver).Digital Signatures
Data Encryption
RSA SHA1None
Microsoft Strong Cryptographic Provider (CAPI)An extension of the Microsoft Base Cryptographic Provider available with Windows XP and later. Default RSA CSP. Cryptographic Provider. Supports all the same key lengths, but lacks configurable Salt length for RC encryption algorithms.Digital Signatures
Data Encryption
RSA SHA1None
Microsoft Enhanced Cryptographic Provider (CAPI)Derived from Base Cryptographic Provider. The Enhanced Provider supports stronger security through longer keys and additional algorithms. Can only generate 128bit RC2/4 keys, can import smallerDigital Signatures
Data Encryption
RSA SHA1None
Microsoft RSA and AES Cryptographic Provider (CAPI) Microsoft Enhanced Cryptographic Provider with support for AES encryption algorithms.Digital Signatures
Data Encryption
RSA SHA1None
Microsoft Base DSS and Diffie-Hellman Cryptographic Provider (CAPI)A superset of the DSS Cryptographic Provider that also supports Diffie-Hellman key exchange, hashing, data signing, and signature verification using the Secure Hash Algorithm (SHA) and Digital Signature Standard (DSS) algorithms.Diffie Hellman (Key Exchange)
Digital Signatures
RSA SHA1None

Conclusion

In conclusion, Microsoft has a wide range of available cryptographic services, suitable for any application. With these tools, Encryption Consulting has worked with Top 500 companies to secure and update PKI solutions to ensure reliability and availability for cryptographic services.

About the Author

Caedon is a Consultant at Encryption Consulting, working with PKIs, and HSMs, and working as a consultant with high-profile clients.

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Read time: 6 minutes, 25 sec

What is Data Loss Prevention?

Data Loss Prevention (DLP) is a solution for exposing sensitive data.  DLP is used by organisations to safeguard and protect data as well as to adhere to legislation. Through their network, businesses transmit sensitive data to partners, clients, remote workers, and other authorised users, but occasionally an unauthorised user may be able to intercept it.

Organizations need to protect sensitive data due to multiple industry and government regulations such as HIPAA and PCI-DSS.

Why your organization needs data loss prevention?

A “borderless” network perimeter with numerous attack vectors has been produced by today’s digital transformation, which started with mobile devices and continued with embedded systems, social media applications, hypervisors, and the proliferation of connected devices.

Organizations need to make sure that their most sensitive data and assets are secured in order to adapt to this technological transformation. When implemented correctly, DLP offers visibility, granular control, and data security coverage to defend against human error-related data loss and external threats. The creation of a thorough data loss prevention strategy shouldn’t be put off; it may assist your business in safeguarding its “crown jewels,” ensuring compliance with the changing regulatory environment, and preventing the publication of the next data breach story.

You don’t know where the private information of your business is kept, where it is sent, or who is accessing it.

DLP technology gives IT and security employees a complete picture of where data is located, how it moves through the organisation, and how it is being used. It lets you to protect and maintain control over sensitive data, such as customer information, personally identifiable information (PII), financial information, and intellectual property. It does this by comparing network actions to your organization’s security regulations. Your firm will be able to develop the right rules to safeguard this data and decide which assets need to be protected and at what cost after having a complete grasp of this data.

Although your business has a plan in place to guard against external intrusion, it does not cover employee theft or the unintentional disclosure of sensitive data by partners and employees.

Data loss may not always occur as a result of outside, hostile attacks. One important factor is internal employees accidentally disclosing or improperly handling confidential information. In 28 percent of the attacks, insiders were involved, according to Verizon’s 2018 Data Breach Investigations Report. It can be particularly challenging to protect against insider threats because it’s difficult to tell when someone is abusing their rightful access to data. DLP has the ability to identify confidential information-containing files and stop them from leaving the network. It has the ability to implement policies that protect data on an as-needed basis and can stop sensitive data transfers to USB devices and other removable media.

For instance, access to a particular endpoint may be immediately barred in the event that a security event is discovered. In response to occurrences, policies may also quarantine or encrypt data

The responsibility, adverse exposure, penalties, and lost revenue linked to data breaches worry you.

Alarmingly frequently, data breaches have been in the news. Through fines, negative publicity, the loss of important clients, and legal action, they can wreak financial havoc on an organisation. The mean time to identify (MTTI) breaches have reportedly reached an average of 191 days, which equates to nearly six months of dwell time for attackers, according to the Ponemon Institute’s 2017 Cost of Data Breach Study. Lateral movement is made possible by dwell time, which is essential for boosting hackers’ chances of success.

You’re worried about your next audit and wish to continue adhering to the intricate laws.

Regulations like the GDPR and New York Cybersecurity Every regulated firm that collects, stores, and utilises sensitive customer data must raise the bar to meet new standards as a result of requirements, which are ushering in a new era of accountability. Failure to comply with regulations may result in fines of up to 4% of annual global turnover and orders to stop processing. Controls over technology are becoming important in some instances to achieve compliance. These controls are offered by DLP, together with policy templates and maps that cover certain requirements, streamline compliance, and permit the gathering and reporting of metrics.

Data must be safeguarded from security risks brought on by BYOD and IoT.

DLP assists in preventing the unintentional disclosure of sensitive data across all devices when used in conjunction with complementing safeguards. DLP can monitor data and dramatically lower the risk of data loss wherever it resides, whether it is in use, at rest in storage, or in transit over the network.

Types of DLP Solutions

An company might lose data in a number of ways. The numerous methods that sensitive data may be removed from an organisation should be able to be recognised by the DLP solution. The various DLP solution types include:

Endpoint DLP

Data on the network’s devices is monitored by an endpoint DLP solution. To monitor and safeguard the data stored on endpoints such as laptops, servers, smartphones, printers, etc., this solution is installed. Even when the endpoint is online or linked to a public network, endpoint DLP safeguards the data on such endpoints. Additionally, this method stops sensitive data from being transferred to USBs

Network DLP

This DLP system is put into place on the network and keeps track of data transfer. Any device linked to the network may monitor, safeguard, and prevent all incoming and outgoing data. All of the network-connected devices can be subject to the DLP policies. Data on offline devices cannot be protected by this solution; it can only secure data on devices that are connected to the network.

Email DLP

The email DLP system keeps track of emails and filters them based on particular keywords. This remedy can lessen email-based data leaks.

Cloud DLP

A cloud DLP solution keeps an eye on and safeguards the data kept in the cloud. Emails, documents, and other forms of files may all be protected and monitored with the service.

Techniques needed for your data loss prevention

  • Determine the primary data protection objective in order to determine the appropriate DLP solution for the organization.
  • Implement a centralised DLP programme and collaborate with various departments and business units to define standard DLP rules that control data for the organisation. Data visibility will rise as a result throughout the organisation.
  • Make an evaluation of the different forms of data and their importance to the company. Determine the type of data, whether it is sensitive, and where it is stored. Consider the data exit points. Then assess the danger of each type of data being compromised to the organisation.
  • Make a method for classifying data that includes both structured and unstructured information. Internal, private, public, personally identifiable information (PII), intellectual property, and other types of data may exist.
  • Create policies for data processing and correction for various sorts of data. DLP software comes with pre-configured rules based on laws like GDPR and HIPAA. These guidelines can be altered to suit the requirements of the company. Create controls to lower the danger to the data. To lessen the unique data risks, organisations should build granular, fine-tuned controls.
  • Employee education can lower the possibility of insiders accidentally leaking data. A good data loss prevention programme depends heavily on employee knowledge and comprehension of security standards. Employee understanding and adherence to data security policies and best practises can be improved with the support of awareness campaigns and trainings such as posters, emails, online trainings, and seminars.
  • Utilize indicators like the number of events, the mean time to incident response, and the proportion of false positives to gauge how effective your DLP system is.

Conclusion

A company’s security depends heavily on having the right cyber security platforms and solutions in place. Any firm can utilise DLP to stay ahead of threat actors, whether they are internal or external. Any business, especially banks and healthcare companies, must prioritise protecting sensitive consumer and corporate data. At Encryption Consulting, we place the utmost importance on cyber security. We work with organizations to create the most secure environment possible using methods such as DLP, Public Key Infrastructure (PKI), and encryption assessments. We provide assessment, implementation, and development services for PKI, encryption, and Hardware Security Modules (HSMs). If you have any questions, visit our website at www.encryptionconsulting.com.

About the Author

Kirtan Dua is a Cyber Security Consultant, working on PKI, security in the cloud, and key management.

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Read time 3 minutes, 47 sec

Microsoft had given its digital imprimatur to a rootkit that has decrypted all the encrypted communications and sent them to the attacker-controlled servers. This malicious driver has been spread within gaming environments. This driver is known as “Netfilter,” whose primary purpose or critical role is as a rootkit that communicates with the Chinese command-and-control (C2) IPs. 

Discovery

Karsten Hahn, who is a researcher at security firm G Data, discovered this driver using his company’s malware detection system. The initial observation was declared a false alarm as Microsoft had digitally signed Netfilter under the company’s Windows Hardware Compatibility Program. After further testing and research, Karsten concluded that this was not a false warning or positive. He and his fellow researchers discovered that “The core functionality seems to be eavesdropping on SSL connections. In addition to the IP redirecting component, it also installs and protects a root certificate to the registry” [1] (by reverse engineer Johann Aydinbas on Twitter)

What is a Rootkit?

A rootkit is a type of malware written to prevent or stop itself from being shown in file directories, other standard OS functions, and task monitors. A root certificate is usually used to authenticate traffic sent through connections protected by the Transport Layer Security protocol; this helps encrypt the data in transit and ensures the server whether a user connected is genuine or an imposter.

Typically, these TLS certificates are issued by a Windows-trusted Certificate Authority (or CA), and by installing these root certificates in Windows, hackers can bypass the CA requirement.

Origin story

The driver Netfiler was seen communicating with China-based C&C IPs providing no legitimate functionality, which further led to suspicions. Around this time, G Data’s malware analyst Karsten Hahn shared the signature info publicly on Twitter and contacted Microsoft.

Figure 1: Malicious binary signed by Microsoft

According to Hahn, any code that runs in kernel mode must be tested and signed before being released publicly to ensure stability for the Operating System. At this time, BleepingComputer also began observing the behavior of C2 URLs and contacted Microsoft for a valid reason or explanation.

 The first few C2 URL returns a set of more routed separated by the pipe (“|”) symbol:

Figure 2 Navigating to the C2 URL

Each of these serves a purpose:

  • The URL which is ending in “/p” means it’s associated with proxy settings
  • “/s” denotes encoded redirection IP addresses.
  • “/h?” is for representing CPU-ID.
  • “/c” gave a root certificate
  • “/v?” denotes the malware’s self-update functionality.

According to BleepingComputer, the “/v?” path provided the URL to the malicious Netfilter driver in the question itself (at “/d3”):

Figure 3 Path to malicious Netfiler driver

The G Data researcher, Hahn spent quite some time sufficiently analyzing the driver, result concluded that this driver has self-update functionality. According to him, the sample has a self-update routine that sends its MD5 hash to the server through “hxxp://110.42.4.180:2081/v?v=6&m=”.

The server then replies with the URL for the latest sample with “OK” if the model is up-to-date and the malware replaces its file accordingly. 

Figure 4 Malware self-update functionality analyzed

Security Lapse

Microsoft said they investigate a malicious actor who distributed these negative drivers (Netfilter) within gaming environments. This actor submitted drivers for certification through the Windows Hardware Compatibility Program. These drivers were built by a third party, so Microsoft has suspended their account and reviewed their submissions for additional signs of malware. The company (Microsoft) could not find evidence of either the Windows Hardware Compatibility Program signing certificate or its WHCP signing infrastructure being compromised. So, they have since added Netfilter detections to the Windows Defender AV engine built into Windows and provided this detection to other AV providers. 

Update regarding the Malware [2]

  • Jun 26th, 12:26 PM ET: Clarified that BleepingComputer did not see the DoD list explicitly mentioning the alleged Chinese company, contrary to the details in the researcher’s report. Also reached out to Hahn for clarification.
  • Jun 27th, 04:58 AM ET: A previous version of the blog post mentioned another researcher, @cowonaut alleging that the company mentioned above was previously marked by the U.S. Department of Defense (DoD) as a “Communist Chinese military” company. The claim has since been retracted from the original blog post, and we have updated our article to reflect the same. However, BleepingComputer did not see Ningbo Zhuo Zhi Innovation Network Technology Co., Ltd. present on any of the DoD lists available.

Conclusion

Despite the limitations, this security lapse was a serious one. Microsoft’s certification program was designed to block precisely the kind of attack which G Data first discovered. Microsoft has yet to say how they came to sign the malware digitally; company representatives also declined to explain.

Reference

microsoft-digitally-signs-malicious-rootkit-driver

microsoft-admits-to-signing-rootkit-malware-in-supply-chain-fiasco

About the Author

Subhayu Roy is a Cyber Intern at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

What is Code Signing?

Code signing is the process of authenticating software code/application/program/scripts to confirm the source of origin of the publisher and assure that the code has not been tampered or altered since it was signed.

Certificate Authorities (CA) confirm code signing source identity and bind their public key to a code signing certificate. This certificate enables validation of code sign with an authentic root certificate. Performing code sign will cater below three functions:

  • Provides authentication of code
  • Provides cryptographic protection
  • Software/code author validation

Top 5 benefits of “Code Signing”:

Let us take a look into the top 5 benefits users can enjoy by using “Code signing”:

  1. Validates code integrity: Code signing provides integrity check of the code using hash function. Hash function is used at the source to sign the code and the same hash has to be matched at the destination. This provides proof of code integrity. If the hash is not matched, users would either receive a security warning or code will fail to download.

    Verification can be performed using timestamp as well. Code signing certificates might include optional time stamp. Time stamp data strip is included along with signature during the time of signature. This process ensures the validity of certificate at the time of signature.

  2. Issuing company reputation and authenticity:Using code signing process for authentication and validation of software, code and/or programs eliminates the risk of program corruption and tampering. This will safeguard the company’s reputation as well as intellectual property.

    Enhancing trust on both sides of the transaction, companies can be more benefitted with customers trusting their software programs, files etc. for download. With increase in reputation one can expect considerable increase in customer loyalty.

  3. Increase in revenue:Now a days, software publishers and network platform provides are increasingly mandating code signing process from a trusted source/certificate authority (CA) for distribution of software among users.

    This is even more beneficial for small companies or individual developers to gain trust among customers through authenticity and increase their brand presence as well as revenue.

  4. Safe and secure user experience:As already discussed in one of the points mentioned above, Code signing process builds mutual trust amongst both the parties i.e. vendor as well as consumer. On top of it, customers who use code signed software or files can be sure of security as the code is properly authenticated and validated which prevents code tampering.

    Also, using code signing provides smooth user experience as there will be minimized security warnings and installation failures when code is signed by trusted certificate authority.

  5. Seamless integration with multiple platforms:Code signing process is now available on multiple platforms such as Apple iOS, Windows, Linux, Android, JAVA, Adobe AIR etc. Many of these platforms highly recommend code signing process for code distribution.

    Many browsers would require code signed using certificate from trusted certificate authority and reject any action commands provided through untrusted sources. One interesting fact is, Microsoft office macros and Firefox browser extensions also require code signing.

If your organization is looking for implementation of Code signing, please consult info@encryptionconsulting.com for further information

About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Read time: 5 mins

Encryption is a process that takes plaintext as input and transforms it into an output (ciphertext) that reveals no information about the plaintext. Encryption adds a layer of defense for protecting data and ensures that if the data accidentally falls into an attacker’s hands, they cannot access the data without having access to the encryption keys. Even if an attacker obtains the storage devices containing your data, they will not be able to understand or decrypt it.

Data Encryption Options

Cloud storage encrypts data on the server-side before it is written to disk, at no additional charge. Besides this standard, there are additional ways to encrypt the data while using Cloud Storage.

Below are the available encryption options for Google Cloud:

Server-side encryption

Google Cloud Storage performs server-side encryption by default on all uploaded objects. All data is broken into chunks which can be up to several GB in size. Using envelope encryption, each chunk of data is encrypted with a unique Data Encryption Key (DEK) that is also encrypted with a Key Encryption Key (KEK). The encrypted version of the DEK is then stored alongside the encrypted data, and the encrypted chunks of data are distributed across Google’s storage systems

Google Cloud Storage supports server-side encryption with two key options:
Customer-supplied encryption keys

With the customer-supplied encryption key (CSEK) option, users must generate their own AES 256
symmetric key and provide it to google cloud storage for encryption/decryption operations. The CSEK is only stored in storage system memory and never persisted on any Google Cloud device

Cloud storage does not permanently store user’s key on Google’s servers or otherwise manage user’s key. Instead, the user provide key for each cloud storage operation, and the key is purged from Google’s server after completion of the operation. The customer-supplied encryption key is hashed and then purged from the storage system. The cryptographic hash is used to validate (future requests) but cannot be used to decrypt data or to reconstruct a key When the customer supplies the encryption key, cloud storage uses the key while encrypting

  • the object data
  • the object’s checksum
  • the object’s hash

Cloud Storage uses standard server-side keys to encrypt the remaining metadata for the object, including the object’s name.Encryption and Decryption workflow mentioned below:

  1. The CSEK is provided to Google Cloud Storage along with the data upload
  2. Data is broken into sub-file chunks
  3. A Google Cloud Storage system calls a common cryptographic library that Google maintains, called CrunchyCrypt, to generate a unique, one-time key called DEK
  4. Each data chunk is encrypted using a DEK
  5. The storage system then uses the CSEK as the KEK and encrypts the DEK
  6. The encrypted DEK is stored alongside the ciphertext chunk it encrypted in Google Cloud Storage while the plaintext version of the DEK is deleted from memory
  7. The customer-supplied encryption key is hashed and then purged from the storage system. The cryptographic hash is used to validate future requests but cannot be used to decrypt data or reconstruct the key
  8. The client or application requests data from Google Cloud Storage while supplying the CSEK
  9. Google Cloud Storage identifies the chunks in which the data is stored and where the chunks reside and retrieves the chunks
  10. For each data chunk, the storage system retrieves the encrypted DEK and decrypts it using the CSEK
  11. Once the decryption is done using DEK, the storage system discards the DEK and sends the decrypted data to the client or application that requested the data
Customer-managed encryption keys:

Customer-managed encryption keys are keys generated for users by Cloud Key Management Service (KMS), that the user manages themselves. These keys act as an additional encryption layer on top of the standard Cloud Storage encryption.The encryption and decryption workflow:

  1. Data is broken into sub-file chunks after being uploaded to Google Cloud
  2. A Google Cloud Storage system calls a common cryptographic library that Google maintains, called CrunchyCrypt, to generate a unique one-time use DEK
  3. Each data chunk is encrypted using a DEK
  4. The storage system then sends the DEK to Google’s Key Management Service (KMS) to be encrypted using that storage system’s associated Key Encryption Key (KEK)
  5. The encrypted DEK is stored alongside the ciphertext chunk it encrypted in Google Cloud Storage while the plaintext version of the DEK is deleted from memory
  6. When data is requested, Google Cloud Storage identifies the chunks in which the data is stored and where the chunks reside and retrieves the chunks
  7. For each data chunk, the storage system retrieves the encrypted DEK and sends it to Google’s KMS for decryption
  8. KMS sends the decrypted DEK to the storage system where it is used to decrypt the data
  9. The storage system discards the DEK and sends the decrypted data to the client that requested the data

Client-side encryption:

With this option, Users create and manages its own encryption keys. Users must encrypt the data before sending it to cloud storage. The encrypted data on the client side arrives at cloud storage in an encrypted state. When cloud storage receives the data, one more time the data will be encrypted. This second encryption is called server-side encryption, which Cloud Storage manages. While retrieving the data, cloud storage removes the server-side layer of encryption, but user must decrypt the client-side layer by themselves.

Benefits

Customer-managed keys provide the following benefits:

  • More Control over Data Access:
    • Customer-managed keys provide an extra level of security for customers with sensitive data.
    • When the customer decides to disable access, data can no longer be decrypted
  • Stop Data Breaches:
    • In this case, disabling customer-managed keys will allows customers to stop ongoing exfiltration of their data
  • More Control over Data Lifecycle:
    • Using customer-managed keys, sensitive data is encrypted with the customer’s key. Without customer’s/users consent no one can decrypt the data
    • The customer has full control over the data’s lifecycle
  • Secure
    • Compute assets are encrypted using the industry-leading AES-256 standard, and Google never retains users’ keys, meaning Google cannot decrypt user’s data at rest.
  • Comprehensive
    • Customer-Supplied Encryption Keys cover all forms of data at rest for Compute Engine, including boot and data persistent disks.
  • Fast
    • Google Compute Engine is already encrypting user’s data at rest, and Customer-Supplied Encryption Keys gives user greater control, without additional overhead.

About the Author

Parnashree Saha is a data protection senior consultant at Encryption Consulting LLC working with PKI, AWS cryptographic services, GCP cryptographic services, and other data protection solutions such as Vormetric, Voltage etc.

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

  • Master Key Types: Microsoft Azure offers 2048, 3072, and 4096 bit RSA asymmetric master keys, but it does not support any symmetric master keys.
  • Encryption Modes: Microsoft Azure does not offer symmetric encryption methods, but does offer two asymmetric encryption methods: RSA OAEP and RSA PKCS#1v1.5.
  • Plaintext Size Limits: Microsoft Azure offers a plaintext size limit of 0.25KB.
  • Bring Your Own Key (BYOK) Options: To utilize BYOK, the key being used on the cloud must first be imported the Cloud Service Provider, and to import the key, it must first be wrapped. Microsoft Azure takes an RSA key that is wrapped by AES and RSA-OAEP. 
  • Signature Modes: To ensure the integrity of data-in-transit, signatures are used. Microsoft Azure offers RSA-PSS, RSA PKCS#1V1.5, ECDSA with P-256, ECDSA with P-512, ECDSA with SECP-256k1. and ECDSA with P-384 signature methods.
  • Cloud HSM Compliance: Each Cloud Service allows users to store keys in a cloud HSM, but the cloud HSM for each service has different compliancy certificates. Microsoft Azure’s regular Vault HSM is FIPS 140-2 level 2 compliant and its Managed HSM is FIPS 140-2 level 3 compliant.
  • Azure Key Vault Features: Azure Key Vault protects keys and secrets with HSMs or software appliances. Both Azure Services and the customer can access the keys and secrets that are stored. Azure Key Vault is FIPS 140-2 Level 2 compliant and only supports asymmetric keys. It also supports RSA keys of sizes 2048, 3072 and 4096and Elliptic Curve key types P-256, P-384, P-521, and P-256K (SECP256K1). Azure Key Vault supports customer managed keys and manages tokens, passwords, certificates, API keys, and other secrets.
  • Azure Dedicated HSM Features: Azure Dedicated HSM stores keys on an on-premises Luna HSM. This key storage is only accessible by the customer, allowing users to manage keys and not have to worry about the CSP having access to the keys. Azure Dedicated HSM is FIPS 140-2 Level 3 compliant and supports symmetric and asymmetric keys. It also supports RSA, DSA, Diffie-Hellman, Elliptic Curve Cryptography (ECDSA, ECDH, Ed25519, ECIES) with named, user-defined, and Brainpool curves, and KCDSA for asymmetric keys. Symmetric keys created with AES-GCM, Triple DES, DES, ARIA, SEED, RC2, RC4, RC5, and CAST are accepted by Azure Dedicated HSM. For Hash/Message Digest/HMAC, SHA-1, SHA-2, and SM3 are accepted, for key derivation SP800-108 Counter Mode is accepted, and for key wrapping SP800-38F is accepted. Azure Dedicated HSM is capable of offline key backup, and single device provisioning, but customer managed keys are not supported.

About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

  • Master Key Types: Amazon Web Services (AWS) offers 2048, 3072, and 4096 bit RSA asymmetric master keys.  It is also one of the only Cloud Service Providers (CSPs) to offer 256 bit symmetric master keys.
  • Encryption Modes: AWS offers symmetric AES GCM and asymmetric RSA OAEP encryption methods.
  • Plaintext Size Limits: Amazon Web Services offers a plaintext size limit of 4KB.
  • Bring Your Own Key (BYOK) Options: To utilize BYOK, the key being used on the cloud must first be imported the Cloud Service Provider, and to import the key, it must first be wrapped. Amazon Web Services takes an AES-256 key that is wrapped by RSA 2048. 
  • Signature Modes: To ensure the integrity of data-in-transit, signatures are used. AWS offers RSA-PSS, RSA PKCS#1V1.5, ECDSA with P-256, ECDSA with P-512, ECDSA with SECP-256k1. and ECDSA with P-384 signature methods.
  • Cloud HSM Compliance: Each Cloud Service allows users to store keys in a cloud HSM, but the cloud HSM for each service has different compliancy certificates. Amazon Web Services regular KMS HSM is FIPS 140-2 level 2 compliant and the AWS Custom Keystore CloudHSM is FIPS 140-2 level 3 compliant.
  • Amazon KMS Features: AWS KMS has a managed service in AWS cloud for key storage. Both customers and AWS services can access keys stored in this way. AWS KMS is FIPS 140-2 Level 2 compliant and supports symmetric and asymmetric keys. It also supports RSAES_OAEP_SHA_1 and RSAES_OAEP_SHA_256 encryption algorithms with RSA 2048, RSA 3072, and RSA 4096 key types. Encryption algorithms cannot be used with the elliptic curve key types (ECC NIST P-256, ECC NIST P-384, ECC NIST-521, and ECC SECG P-256k1). When using elliptic curve key types, AWS KMS supports the ECDSA_SHA_256, ECDSA_SHA_384, and ECDSA_SHA_512 signing algorithms. AWS KMS is capable of limited key management, storage and auditing, and encryption.
  • Amazon CloudHSM Features: AWS CloudHSM has a dedicated hardware appliance in AWS cloud for key storage. This key storage is only accessible by the customer, allowing users to manage keys and not have to worry about the CSP having access to the keys.
    AWS CloudHSM is FIPS 140-2 Level 3 compliant and supports symmetric and asymmetric keys. It also supports 2048-bit to 4096-bit RSA keys, in increments of 256 bits, 128, 192, and 256-bit AES keys, 3DES 192-bit keys, and keys with the P-224, P-256, P-384, P-521, and secp256k1 curves. Only the P-256, P-384, and secp256k1 curves are supported for sign and verify.
    AWS CloudHSM is capable of key management, key storage and auditing, and being provided as the root of trust for PKIs.

About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

  • Master Key Types: Google Cloud Platform (GCP) offers 2048, 3072, and 4096 bit RSA asymmetric master keys.  It is also one of the only Cloud Service Providers (CSPs) to offer 256 bit symmetric master keys.
  • Encryption Modes: GCP offers symmetric AES GCM and asymmetric RSA OAEP encryption methods.
  • Plaintext Size Limits: Google Cloud Platform offers a plaintext size limit of 64KB.
  • Bring Your Own Key (BYOK) Options: To utilize BYOK, the key being used on the cloud must first be imported the Cloud Service Provider, and to import the key, it must first be wrapped. Google Cloud Platform takes an AES-256 key that is wrapped by RSA 3072. 
  • Signature Modes: To ensure the integrity of data-in-transit, signatures are used. GCP offers RSA-PSS, RSA PKCS#1V1.5, ECDSA with P-256, and ECDSA with P-384 signature methods.
  • Cloud HSM Compliance: Each Cloud Service allows users to store keys in a cloud HSM, but the cloud HSM for each service has different compliancy certificates. All HSM keys on Google Cloud Platform are FIPS 140-2 level 3 compliant.
  • Google Cloud KMS Features: Google Cloud KMS can store keys in either an HSM or a software application. This key storage can be accessed by both the customer and the CSP. Google Cloud KMS is FIPS 140-2 Level 3 compliant if an HSM is used, and FIPS 140-2 Level 1 compliant if software keys are used. Google Cloud KMS supports symmetric and asymmetric keys. It also supports 256-bit Advanced Encryption Standard (AES-256) keys in Galois Counter Mode (GCM), padded with Cloud KMS-internal metadata and RSA keys of sizes 2048, 3072 and 4096.Google Cloud KMS is capable of key management, storage, auditing, encryption, encryption for Kubernetes, and both HSM and software key management.

About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Let's talk