Global Encryption Trends 2023: Insights into data protection strategies Download Report

Tag: Encryption

Code Signing

What are the basic elements required for code signing?

by Kirtan Dua
Posted on Last updated on

Reading time: 10 minutes, 53 seconds

Trust is crucial in the software-driven society we live in. But how can we tell which software to rely on and which to avoid? We can thank code signing for that.

Developers use code signing to demonstrate a piece of software’s legitimacy and ensure that it originates from a reliable source and hasn’t been tampered with. Cryptography, more especially a certificate known as a code signing certificate, is necessary for code signing.

Customers should constantly be on the lookout for third parties posing as software providers while downloading software from the Internet. Software may be ensured that it is coming from the right source with the use of a tool like code signing. To ensure that consumers are receiving software that accomplishes what its creator claims it will, code signing is a process where a software developer or distributor digitally signs the file being sent out. The signature indicates that the code has not been altered from its original state.

Benefits of Code Signing

Code signing is a technique for adding a digital signature to a program, file, software update, or executable so that, upon installation and execution, its validity and integrity can be checked. It ensures to the receiver who the author is and that it hasn’t been opened and tampered with, much like a wax seal. To demonstrate, for instance, that your Windows 10 update genuinely came from Microsoft and not a hacker attempting to breach your machine, Microsoft developers, programmers, and software engineers utilize code signing.

You can be confident that you are downloading a file from a legitimate author or publisher and not from an attacker trying to steal your personal information and data thanks to code signing. In essence, it informs you that a bad guy hasn’t changed the code so you know it’s safe to install and run on your machine.

If you’ve ever seen the small window that appears when you attempt to launch a software you’ve downloaded, the one that asks, “Are you sure you want to run this? ” and identifies the publisher, then you know what I’m talking about. then you have experienced code signing. That dialogue box informs you that the patch for your Mac OS X is authentic and still in the same state as when it was signed by Apple Inc.

What Does Code Signing Do?

As a user, code signing serves a few distinct purposes that might assist you in determining if you should trust software downloads and other online interactions. Code signing is mostly used to verify the authorship of files, downloads, and software. For instance, you are more likely to install a download file supplied to you from Microsoft than one from any other source since it will seem to be much more reliable.

There will inevitably be updates for the software you install on your computer in the future. You may be sure that subsequent updates have come from the same source and are secure to run on your computer when they are code signed with the same key that was used to “seal” your initial downloads.

How Does Code Signing Work?

From the perspective of a developer, code signing has three main parts: unsigned software files; code-signing certificates; and code-signing apps. Applications for code signing are typically included with operating systems like Microsoft Windows, Mac OS X, etc. Certificate Authorities are frequently the source of the code signing certificates (CAs).

Public Key Encryption

When you encode a message to shield it from unauthorized viewers, you are using encryption. Decoding the message depends on knowing the key that puts the values back to their original state, enabling the message to be read. Typically, this is done by running it through a mathematical function (referred to as a “key”) to alter values. The key that encrypts the message and the key that decrypts it is distinct in public key encryption (also known as asymmetric encryption) (hence asymmetrical). It is known as a “public key” system because only one key—the “public key”—is used to secure the communication, while the other—the “private key”—is kept secret.

Private keys must be kept secure, confidential, and out of the hands of anybody who would try to intercept or tamper with messages in order for this type of encryption to work. The kind of transmission determines whether the public key is used to encode or decode the message. Encrypt using the private key and decode with the public key if you want everyone to be able to read the message but don’t want anyone to tamper with it. You encrypt using the public key but decode with the private key if you want everyone to be able to send messages but don’t want them intercepted by the incorrect person.

Hash Function

A form of encryption called hash functions is intended to be irreversible. Hash functions are designed to be one-way, utilizing a mathematical function that modifies the data in a way that can’t be undone, as opposed to encoding with a key and using a key to decode. The most typical comparison is like mixing paint. As an illustration, mixing blue (the original values) and yellow (the hash function) will always result in green, but there is no way to separate the two colors and get back the blue.

When you require a set value and don’t need to read the data again, hash functions are utilized. The most prevalent example is login passwords, which are frequently hashed by websites for storage. If there is ever a breach, all the hacker has obtained is a collection of random numbers. The website hashes your password once again and compares it to the previously saved hash value when you log in. They let you in if the information you provided matches what is in their records. They only need to know the value; they don’t need to read the password itself.

Code Signing Certificates

Before the developers can sign their work, they need to generate a public/private key pair. This is often done locally through software tools such as ‘OpenSSL’. Developers then give the public key and the organization’s identity information to a trustworthy CA. The CA verifies the authenticity of identity information and then issues the certificate to the developer. This is the code signing certificate which was signed by CA’s private key and contains the developer organization’s identity and the developer’s public key.

Developers take all the code they produced and hash it when they’re ready to “sign” it to prove authorship. The output value is then encoded using the previously stated private key, which is often created by the author, as well as the code signing certificate, which contains the public key and the author’s identity (proving the authorship). The result of this procedure is then included in the program that will be distributed.

This is an instance of code signing. The majority of browsers and operating systems come with the public key of the CA pre-installed. When a user downloads the program, they first authenticate the legitimacy of the code signing certificate incorporated in the signed software to ensure it’s from a reliable CA using the CA’s public key. The encrypted hash is then decrypted using the developer’s public key, which is subsequently taken out of the certificate.

The program is then hashed once more, and the result is contrasted with the decrypted value. The program has not been tampered with or damaged during transmission if the hash values generated by the user and the developer coincide. The user is then informed that the program is in the same condition as when the developer last left it and that it is safe to install and execute if the developer can be believed.

Root Certificates

Code signing can provide you, the end user, confidence in the reliability and validity of the downloaded program. However, you should also be mindful that malicious actors may produce a code signing certificate and a public-private key pair to give the impression that they were authorized by a legitimate CA. How do you determine whether certificates are reliable if anybody can create a code signing certificate?

Root certificates have a role in this. Code signing certificates can be compared to a family tree. You may trace certificates back to discover which signing certificate—your root certificate—is at the root of the tree in order to confirm where they originated. Because you can follow the “chain of trust” back to the initial signing authority with the root certificate, you can tell whether the other code signing certificates are reliable.

A business like Apple or Microsoft might be considered the root authority. The system will warn you not to trust the certificate that was used to sign the program you are attempting to download if your software’s signing certificate is unable to locate a reliable root certificate. Even a trusted authority may occasionally fail to be recognized if it is not installed on a browser or in the trust store of an operating system. For the browser or operating system to accept the root certificate as reliable and valid in these situations, you will need to manually put it on your trust store.

What Are the Types of Digital Certificates?

Different systems require different types of authentication. What works on a desktop is likely unsuitable for mobile systems and vice versa. Here are a few examples of the different certificates for both desktop and mobile software.

Desktop Certificates:

  • Microsoft
  • Java
  • Microsoft Office and VBA
  • Adobe AI

Mobile Certificates:

  • Windows Phone
  • Windows Phone Private Enterprise
  • Java Verified
  • Android

If you’re looking to sign and secure your software, you should first know what kind of software or system you are starting with and work from there.

What is the Use of a Digital Certificate?

A digital certificate is meant to provide the software or code you’re distributing to your users with an identity. Users can verify the program publisher using a digital certificate. Because these digital certificates are issued by certificate authorities, users have more faith in the publishers. The ability to track their product and the number of downloads gives digital certificates to software providers a lot of additional value.

How Long is a Digital Certificate Valid?

How long a certificate is valid is another typical query from those trying to obtain their own digital code signing certificate. Digital certificates normally only have a year or two of validity, however, the actual duration might vary depending on the issuer.

This validity is brief for the following two reasons:

Private keys and security certificates may and do become hacked. Any prior certifications, even those that have been stolen, become invalid upon renewal and change every year or two.

Technology is evolving at an even quicker rate than the rest of the globe. Five years ago, what was secure is no longer nearly as secure. Code signing certificates can be updated and changed to keep the certificate security current.

Where is Code Signing Used?

Code signing is used any place a developer wants a user to be sure of the source of a piece of software. This includes:

1. Windows applications and software patches

2. Apple software

3. Microsoft Office VBA objects and macros

4. .jar files

5. .air or .airi files

6. Essentially any executable

Be aware that, because of the distributed nature of Linux development, code signing is often not used for Linux-based software, so that software may come unsigned. If that happens, your computer will (if it gives any notice) will tell you it’s from an “unknown developer,” or something along those lines. Here are a few other applications and software that utilize code signing to increase their security.

  • iOS: Code signing in iOS for the App Store is done using Xcode. The purpose of signing your app is simply to let iOS know who signed the app originally and to make sure it hasn’t been altered since it was originally signed by the developer. If you need to revoke your iOS certificate, you will need to use your developer account or Xcode to complete the process.
  • Xcode: Xcode is used by iOS to code sign apps and ensure their security. Before any device can be uploaded and approved for the iTunes store it must have a valid Apple Developer ID with a valid certificate or profile. To successfully integrate your app, you will need to use a development certificate. In order to run the app on any device, you must use a distribution certificate to send out the app and test it.
  • C#: Visual C# uses strong name signing to get a unique sign code that is not available to anyone else in the world and cannot be spoofed. When using Visual C#, you can simply sign your deployment using the sn.exe tool. This functions as your signature by using sig check tool printing “Strong Name: Signed.”
  • Windows Certificate: Nearly any executable can be signed with a digital signature to verify the security and integrity of the file. For the file to be considered secure in Windows, it must be signed by a recognized certificate authority. Anyone who distributes malware under a valid certificate is held legally accountable for the software they distribute.
  • Visual Studio: Visual Studio is particularly helpful when it comes to strong name signing for assemblies—a notoriously difficult task. Strong name signing through Visual Studio allows other computers to trust the software developer.

Tags:

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download
Encryption Services

About the Author

Kirtan Dua is a Cyber Security Consultant, working on PKI, security in the cloud, and key management.

You might also be interested in

Why your code signing certificate will not work for Play App Signing?
Why your code signing certificate will not work for Play App Signing?
Understanding Docker Image Signing
Understanding Docker Image Signing
How useful are Client-Side Hashing in Code Signing for you?
How useful are Client-Side Hashing in Code Signing for you?

Explore More Topics

PKI

Microsoft PKI Cryptographic Service Providers That Every Organization Should Know About

by Caedon
Posted on Last updated on

Read time: 3 minutes, 54 seconds

Cryptographic Service Providers (CSPs) store, access and create cryptographic keys– the building blocks of PKI. In the case of certificates, what type of cryptographic service depends on the provider, different types of keys and key lengths are available with different providers. Different examples include RSA, Elliptical Key or a host of others such as DES, 3DES, etc.

For hardware solutions such as Smart Cards and Hardware Security Modules (HSMs), third party software is sometimes needed for optimal performance. Newer Next Gen KSPs and more standard Microsoft CSPs are listed below for a comparison.

Since there are so many different providers, it’s best to divide into groups based on all around capabilities in every use case. The below tables show different cryptographic methods from modern to legacy. In reviewing this list, the primary things being evaluated are what types of keys can be used, their size, protections, and compatibility.

Modern Microsoft cryptography providers

Provider Name & TypeDescriptionPurposesCryptoDefault Microsoft Templates
Microsoft Software Key Storage Provider (CNG)Standard windows software-based RSA and ECC provider.Key Exchange
Digital Signature
Data Encryption		RSA
ECC SHA1
SHA2		OCSP Response Signing (KSP Required, Provider not specific)
Microsoft Smart Card Key Storage Provider (CNG)Supports smart card key creation and useKey Exchange
Digital Signature
Data Encryption		RSA
ECC SHA1
SHA2		None

Legacy Microsoft cryptography providers

Provider Name & TypeDescriptionPurposesCryptoDefault Microsoft Templates
Microsoft RSA SChannel Cryptographic Prodvider (CAPI)Supports hashing, data signing, and signature verification. The algorithm identifier CALG_SSL3_SHAMD5 is used for SSL 3.0 and TLS 1.0 client authentication. This CSP supports key derivation for the SSL2, PCT1, SSL3 and TLS1 protocols.Key ExchangeRSA SHA1CEP Encryption
Computer
Directory Email Replication
Domain Controller
Domain Controller Authentication
IPSec
IPSec (Offline)
Kerberos Authentication
RAS and IAS Server
Router (Offline request)
Web Server
Workstation Authentication
Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider (CAPI)Supports Diffie-Hellman key exchange (a 40-bit DES derivative), SHA hashing, DSS data signing, and DSS signature verification. Derived from Base DSS and Diffie-Hellman Cryptographic Provider. Adds support for RC2/4, DES and 3DES encryptionDigital SignatureRSA SHA1Authenticated Session
Basic EFS
CA Exchange
Code Signing
EFS Recovery Agent
Enrollment Agent
Enrollment Agent (Computer)
Exchange Enrollment Agent (Offline request)
Exchange Signature Only
Exchange User
Key Recovery Agent
Trust List Signing
User
User Signature Only
Microsoft DSS and Diffie-Hellman/Schannel Cryptographic Provider (CAPI)Supports hashing, data signing with DSS, generating Diffie-Hellman (D-H) keys, exchanging D-H keys, and exporting a D-H key. This CSP supports key derivation for the SSL3 and TLS1 protocols. This CSP supports key derivation for the SSL3 and TLS1 protocols.Key ExchangeRSA SHA1Web Server
Microsoft Base Cryptographic Provider (CAPI)A broad set of basic cryptographic functionality that can be exported to other countries or regions. No 3DES support. RC2/4 limited to 40bits.Digital Signatures
Data Encryption		RSA SHA1Administrator
Authenticated Session
Basic EFS
Code Signing
EFS Recovery Agent
Enrollment Agent
Enrollment Agent (Computer)
Exchange Enrollment Agent (Offline request)
Exchange Signature Only
Exchange User
Trust List Signing
User
User Signature Only
Microsoft DSS Cryptographic Provider (CAPI)Provides hashing, data signing, and signature verification capability using the Secure Hash Algorithm (SHA) and Digital Signature Standard (DSS) algorithms.Digital SignaturesRSA SHA1Authenticated Session
Code Signing
Enrollment Agent
Enrollment Agent (Computer)
Exchange Enrollment Agent (Offline request)
Exchange Signature Only
Trust List Signing
User Signature Only

Deprecated Microsoft cryptography providers

Provider Name & TypeDescriptionPurposesCryptoDefault Microsoft Templates
Microsoft Base Smart Card Crypto Provider (CAPI)Derived from Microsoft Strong Cryptographic Provider. Communicates with Smart Card Modules (minidriver).Digital Signatures
Data Encryption		RSA SHA1None
Microsoft Strong Cryptographic Provider (CAPI)An extension of the Microsoft Base Cryptographic Provider available with Windows XP and later. Default RSA CSP. Cryptographic Provider. Supports all the same key lengths, but lacks configurable Salt length for RC encryption algorithms.Digital Signatures
Data Encryption		RSA SHA1None
Microsoft Enhanced Cryptographic Provider (CAPI)Derived from Base Cryptographic Provider. The Enhanced Provider supports stronger security through longer keys and additional algorithms. Can only generate 128bit RC2/4 keys, can import smallerDigital Signatures
Data Encryption		RSA SHA1None
Microsoft RSA and AES Cryptographic Provider (CAPI) Microsoft Enhanced Cryptographic Provider with support for AES encryption algorithms.Digital Signatures
Data Encryption		RSA SHA1None
Microsoft Base DSS and Diffie-Hellman Cryptographic Provider (CAPI)A superset of the DSS Cryptographic Provider that also supports Diffie-Hellman key exchange, hashing, data signing, and signature verification using the Secure Hash Algorithm (SHA) and Digital Signature Standard (DSS) algorithms.Diffie Hellman (Key Exchange)
Digital Signatures		RSA SHA1None

Conclusion

In conclusion, Microsoft has a wide range of available cryptographic services, suitable for any application. With these tools, Encryption Consulting has worked with Top 500 companies to secure and update PKI solutions to ensure reliability and availability for cryptographic services.

Tags:

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download
Encryption Services

About the Author

Caedon is a Consultant at Encryption Consulting, working with PKIs, and HSMs, and working as a consultant with high-profile clients.

You might also be interested in

Everything you need to know about Microsoft PKI
Everything you need to know about Microsoft PKI
SafeNet KSP: Provider DLL failed
SafeNet KSP: Provider DLL failed
How to extend certificate enrollment to another forest
How to extend certificate enrollment to another forest

Explore More Topics

Data Loss Prevention, Data Protection

Top 7 techniques that can prevent data loss prevention

by Kirtan Dua
Posted on Last updated on

Read time: 6 minutes, 25 sec

What is Data Loss Prevention?

Data Loss Prevention (DLP) is a solution for exposing sensitive data.  DLP is used by organisations to safeguard and protect data as well as to adhere to legislation. Through their network, businesses transmit sensitive data to partners, clients, remote workers, and other authorised users, but occasionally an unauthorised user may be able to intercept it.

Organizations need to protect sensitive data due to multiple industry and government regulations such as HIPAA and PCI-DSS.

Why your organization needs data loss prevention?

A “borderless” network perimeter with numerous attack vectors has been produced by today’s digital transformation, which started with mobile devices and continued with embedded systems, social media applications, hypervisors, and the proliferation of connected devices.

Organizations need to make sure that their most sensitive data and assets are secured in order to adapt to this technological transformation. When implemented correctly, DLP offers visibility, granular control, and data security coverage to defend against human error-related data loss and external threats. The creation of a thorough data loss prevention strategy shouldn’t be put off; it may assist your business in safeguarding its “crown jewels,” ensuring compliance with the changing regulatory environment, and preventing the publication of the next data breach story.

You don’t know where the private information of your business is kept, where it is sent, or who is accessing it.

DLP technology gives IT and security employees a complete picture of where data is located, how it moves through the organisation, and how it is being used. It lets you to protect and maintain control over sensitive data, such as customer information, personally identifiable information (PII), financial information, and intellectual property. It does this by comparing network actions to your organization’s security regulations. Your firm will be able to develop the right rules to safeguard this data and decide which assets need to be protected and at what cost after having a complete grasp of this data.

Although your business has a plan in place to guard against external intrusion, it does not cover employee theft or the unintentional disclosure of sensitive data by partners and employees.

Data loss may not always occur as a result of outside, hostile attacks. One important factor is internal employees accidentally disclosing or improperly handling confidential information. In 28 percent of the attacks, insiders were involved, according to Verizon’s 2018 Data Breach Investigations Report. It can be particularly challenging to protect against insider threats because it’s difficult to tell when someone is abusing their rightful access to data. DLP has the ability to identify confidential information-containing files and stop them from leaving the network. It has the ability to implement policies that protect data on an as-needed basis and can stop sensitive data transfers to USB devices and other removable media.

For instance, access to a particular endpoint may be immediately barred in the event that a security event is discovered. In response to occurrences, policies may also quarantine or encrypt data

The responsibility, adverse exposure, penalties, and lost revenue linked to data breaches worry you.

Alarmingly frequently, data breaches have been in the news. Through fines, negative publicity, the loss of important clients, and legal action, they can wreak financial havoc on an organisation. The mean time to identify (MTTI) breaches have reportedly reached an average of 191 days, which equates to nearly six months of dwell time for attackers, according to the Ponemon Institute’s 2017 Cost of Data Breach Study. Lateral movement is made possible by dwell time, which is essential for boosting hackers’ chances of success.

You’re worried about your next audit and wish to continue adhering to the intricate laws.

Regulations like the GDPR and New York Cybersecurity Every regulated firm that collects, stores, and utilises sensitive customer data must raise the bar to meet new standards as a result of requirements, which are ushering in a new era of accountability. Failure to comply with regulations may result in fines of up to 4% of annual global turnover and orders to stop processing. Controls over technology are becoming important in some instances to achieve compliance. These controls are offered by DLP, together with policy templates and maps that cover certain requirements, streamline compliance, and permit the gathering and reporting of metrics.

Data must be safeguarded from security risks brought on by BYOD and IoT.

DLP assists in preventing the unintentional disclosure of sensitive data across all devices when used in conjunction with complementing safeguards. DLP can monitor data and dramatically lower the risk of data loss wherever it resides, whether it is in use, at rest in storage, or in transit over the network.

Types of DLP Solutions

An company might lose data in a number of ways. The numerous methods that sensitive data may be removed from an organisation should be able to be recognised by the DLP solution. The various DLP solution types include:

Endpoint DLP

Data on the network’s devices is monitored by an endpoint DLP solution. To monitor and safeguard the data stored on endpoints such as laptops, servers, smartphones, printers, etc., this solution is installed. Even when the endpoint is online or linked to a public network, endpoint DLP safeguards the data on such endpoints. Additionally, this method stops sensitive data from being transferred to USBs

Network DLP

This DLP system is put into place on the network and keeps track of data transfer. Any device linked to the network may monitor, safeguard, and prevent all incoming and outgoing data. All of the network-connected devices can be subject to the DLP policies. Data on offline devices cannot be protected by this solution; it can only secure data on devices that are connected to the network.

Email DLP

The email DLP system keeps track of emails and filters them based on particular keywords. This remedy can lessen email-based data leaks.

Cloud DLP

A cloud DLP solution keeps an eye on and safeguards the data kept in the cloud. Emails, documents, and other forms of files may all be protected and monitored with the service.

Techniques needed for your data loss prevention

  • Determine the primary data protection objective in order to determine the appropriate DLP solution for the organization.
  • Implement a centralised DLP programme and collaborate with various departments and business units to define standard DLP rules that control data for the organisation. Data visibility will rise as a result throughout the organisation.
  • Make an evaluation of the different forms of data and their importance to the company. Determine the type of data, whether it is sensitive, and where it is stored. Consider the data exit points. Then assess the danger of each type of data being compromised to the organisation.
  • Make a method for classifying data that includes both structured and unstructured information. Internal, private, public, personally identifiable information (PII), intellectual property, and other types of data may exist.
  • Create policies for data processing and correction for various sorts of data. DLP software comes with pre-configured rules based on laws like GDPR and HIPAA. These guidelines can be altered to suit the requirements of the company. Create controls to lower the danger to the data. To lessen the unique data risks, organisations should build granular, fine-tuned controls.
  • Employee education can lower the possibility of insiders accidentally leaking data. A good data loss prevention programme depends heavily on employee knowledge and comprehension of security standards. Employee understanding and adherence to data security policies and best practises can be improved with the support of awareness campaigns and trainings such as posters, emails, online trainings, and seminars.
  • Utilize indicators like the number of events, the mean time to incident response, and the proportion of false positives to gauge how effective your DLP system is.

Conclusion

A company’s security depends heavily on having the right cyber security platforms and solutions in place. Any firm can utilise DLP to stay ahead of threat actors, whether they are internal or external. Any business, especially banks and healthcare companies, must prioritise protecting sensitive consumer and corporate data. At Encryption Consulting, we place the utmost importance on cyber security. We work with organizations to create the most secure environment possible using methods such as DLP, Public Key Infrastructure (PKI), and encryption assessments. We provide assessment, implementation, and development services for PKI, encryption, and Hardware Security Modules (HSMs). If you have any questions, visit our website at www.encryptionconsulting.com.

Tags:

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download
Encryption Services

About the Author

Kirtan Dua is a Cyber Security Consultant, working on PKI, security in the cloud, and key management.

You might also be interested in

Your DLP Solution For Data Leaks
Your DLP Solution For Data Leaks
Non-Fungible Token (NFTs) Vs Tokenization
Non-Fungible Token (NFTs) Vs Tokenization
What is session hijacking?
What is session hijacking?

Explore More Topics

Encryption, Security News, Security Operations

The Microsoft Signed Rootkit Malware That Can Decrypt All Encrypted Communications

by Subhayu
Posted on Last updated on

Read time 3 minutes, 47 sec

Microsoft had given its digital imprimatur to a rootkit that has decrypted all the encrypted communications and sent them to the attacker-controlled servers. This malicious driver has been spread within gaming environments. This driver is known as “Netfilter,” whose primary purpose or critical role is as a rootkit that communicates with the Chinese command-and-control (C2) IPs. 

Discovery

Karsten Hahn, who is a researcher at security firm G Data, discovered this driver using his company’s malware detection system. The initial observation was declared a false alarm as Microsoft had digitally signed Netfilter under the company’s Windows Hardware Compatibility Program. After further testing and research, Karsten concluded that this was not a false warning or positive. He and his fellow researchers discovered that “The core functionality seems to be eavesdropping on SSL connections. In addition to the IP redirecting component, it also installs and protects a root certificate to the registry” [1] (by reverse engineer Johann Aydinbas on Twitter)

What is a Rootkit?

A rootkit is a type of malware written to prevent or stop itself from being shown in file directories, other standard OS functions, and task monitors. A root certificate is usually used to authenticate traffic sent through connections protected by the Transport Layer Security protocol; this helps encrypt the data in transit and ensures the server whether a user connected is genuine or an imposter.

Typically, these TLS certificates are issued by a Windows-trusted Certificate Authority (or CA), and by installing these root certificates in Windows, hackers can bypass the CA requirement.

Origin story

The driver Netfiler was seen communicating with China-based C&C IPs providing no legitimate functionality, which further led to suspicions. Around this time, G Data’s malware analyst Karsten Hahn shared the signature info publicly on Twitter and contacted Microsoft.

Figure 1: Malicious binary signed by Microsoft

According to Hahn, any code that runs in kernel mode must be tested and signed before being released publicly to ensure stability for the Operating System. At this time, BleepingComputer also began observing the behavior of C2 URLs and contacted Microsoft for a valid reason or explanation.

 The first few C2 URL returns a set of more routed separated by the pipe (“|”) symbol:

Figure 2 Navigating to the C2 URL

Each of these serves a purpose:

  • The URL which is ending in “/p” means it’s associated with proxy settings
  • “/s” denotes encoded redirection IP addresses.
  • “/h?” is for representing CPU-ID.
  • “/c” gave a root certificate
  • “/v?” denotes the malware’s self-update functionality.

According to BleepingComputer, the “/v?” path provided the URL to the malicious Netfilter driver in the question itself (at “/d3”):

Figure 3 Path to malicious Netfiler driver

The G Data researcher, Hahn spent quite some time sufficiently analyzing the driver, result concluded that this driver has self-update functionality. According to him, the sample has a self-update routine that sends its MD5 hash to the server through “hxxp://110.42.4.180:2081/v?v=6&m=”.

The server then replies with the URL for the latest sample with “OK” if the model is up-to-date and the malware replaces its file accordingly. 

Figure 4 Malware self-update functionality analyzed

Security Lapse

Microsoft said they investigate a malicious actor who distributed these negative drivers (Netfilter) within gaming environments. This actor submitted drivers for certification through the Windows Hardware Compatibility Program. These drivers were built by a third party, so Microsoft has suspended their account and reviewed their submissions for additional signs of malware. The company (Microsoft) could not find evidence of either the Windows Hardware Compatibility Program signing certificate or its WHCP signing infrastructure being compromised. So, they have since added Netfilter detections to the Windows Defender AV engine built into Windows and provided this detection to other AV providers. 

Update regarding the Malware [2]

  • Jun 26th, 12:26 PM ET: Clarified that BleepingComputer did not see the DoD list explicitly mentioning the alleged Chinese company, contrary to the details in the researcher’s report. Also reached out to Hahn for clarification.
  • Jun 27th, 04:58 AM ET: A previous version of the blog post mentioned another researcher, @cowonaut alleging that the company mentioned above was previously marked by the U.S. Department of Defense (DoD) as a “Communist Chinese military” company. The claim has since been retracted from the original blog post, and we have updated our article to reflect the same. However, BleepingComputer did not see Ningbo Zhuo Zhi Innovation Network Technology Co., Ltd. present on any of the DoD lists available.

Conclusion

Despite the limitations, this security lapse was a serious one. Microsoft’s certification program was designed to block precisely the kind of attack which G Data first discovered. Microsoft has yet to say how they came to sign the malware digitally; company representatives also declined to explain.

Reference

microsoft-digitally-signs-malicious-rootkit-driver

microsoft-admits-to-signing-rootkit-malware-in-supply-chain-fiasco

Tags:

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download
Encryption Services

About the Author

Subhayu Roy is a Cyber Intern at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.

You might also be interested in

The Best Way To Generate PGP Key Pair
The Best Way To Generate PGP Key Pair
What goes into Developing an Enterprise Encryption Policy?
What goes into Developing an Enterprise Encryption Policy?
Build Your Defences Against DNS Cache Poisoning Attacks
Build Your Defences Against DNS Cache Poisoning Attacks

Explore More Topics

Encryption

Symmetric Vs. Asymmetric Encryption which is more Secure

by Anish Bhattacharya
Posted on Last updated on

Read time: 9 minutes

Asymmetric and symmetric encryptions are the types of encryptions used in cryptography. There is only one key involved in symmetric encryption, which is used for both encryption and decryption. The key has to be shared among the parties involved who wish to encrypt and decrypt data. In comparison, asymmetric encryption uses two separate keys which are related to each other mathematically. The keys are called Private keys and public keys. Generally, a certificate is associated with a public key, which holds the information about the public key owner. The certificate contains information such as name, organization name, algorithms used, etc. Even though symmetric and asymmetric encryption seems similar, symmetric encryption is comparably faster than asymmetric encryption; thus, performance-wise, asymmetric encryption is slower, which is why symmetric encryption is often used in conjunction with asymmetric encryption. We will explore more about this on the use cases discussed below.  

Symmetric Encryption

As discussed above, symmetric encryption uses the same key for encryption and decryption, so the sender would somehow send the key to the receiver to decrypt the encrypted data. The key involved has to be protected and transferred securely. If the key is lost, then the data cannot be decrypted, and if the key gets compromised, that will compromise the encryption. 

Thus, symmetric keys are transferred among parties using asymmetric encryption, ensuring that the symmetric key remains encrypted. Two different keys are now involved in encrypting and decrypting the data.  

Symmetric encryption is comparably much faster than asymmetric encryption, which is why it is still used massively today.  

Asymmetric Encryption

Asymmetric encryption uses two separate keys which are mathematically involved with each other. The first key is called the private key. The private key is the one that is heavily protected. Often this key remains in an HSM or an air-gapped computer to ensure the protection of the private key. The public key is derived from the private key and can be distributed. A certificate is often created with a public key containing information about the key’s owner and a few details about the key itself.  

The key pair relies on prime numbers of extended length. The public and private keys are computed simultaneously, using the same mathematical operation, namely trapdoor functions. The most characteristic of trapdoor functions is that they’re simple to calculate in one direction, nevertheless troublesome calculating in the reverse order. Using a private key, we can find the public key, but the private key cannot be obtained using the public key.  

Even though asymmetric encryption provides more protection to the keys, they are comparatively slower than symmetric encryption. For this reason, asymmetric encryption is often used to exchange the secret key, which can be used to establish symmetric encryption for faster data transfer and make encryption and decryption of the data faster. 

Use Cases

Symmetric Encryption
Symmetric Encryption uses one key for encryption and decryption, which is why it is best used to encrypt and decrypt local data. Some of the use cases involving symmetric encryption can be: 

  •  Data at rest: Data at rest refers to data stored in a physical drive and is not transferred among devices. This data can be stored in hard drives, SSD, flash drives, etc. Data at rest often involves data that can be valuable to attackers as it usually contains customer information, employee information, trade secrets, Intellectual Properties, etc. To be able to protect this data adequately, organizations use symmetric encryption.
    One effective way to encrypt all the data in a physical drive is to encrypt the drive itself. This is called whole disk or full disk encryption, which has fewer benefits than partial or folder encryption. Many files (such as Word files) create a temporary file while it is opened. This temporary file can remain unencrypted. Many Linux distribution does provide full disk encryption while installing the operating system, and Microsoft delivers BitLocker Drive Encryption for Windows. Full drive encryption does leave the boot volume unencrypted for the operating system to boot, but every other volume, including swap space and temporary files, remains encrypted.
  • Banking and Payment Industry: The banking and Payment Industry is one of the most secure industries, and there are many compliances involved in keeping it safe. Nevertheless, it is also one of the busiest industries, which requires them to be fast. Symmetric encryption provides fast encryption and decryption of a large amount of data, which includes the transaction. It can often contain Personal Identifiable Information (PII), which needs to be protected for being compliant with PCI DSS and preventing Identity Theft. They also need to ensure the identity of the user and the authenticity of the transactions fast. This is one of the reasons why the banking industry uses symmetric encryption.

Asymmetric Encryption 
Asymmetric Encryption is slower than symmetric encryption, so it is used for small amounts of data, such as exchanging secret keys or providing digital identities.

As organizations move to the digital age, digital signatures become crucial to identifying authentic data and ensuring someone’s identity. Digital signatures provide that the data involved has not been modified and if the data (which can include PDF, applications, etc.) is authentic.  The recipient of signed data will use a digital signature to demonstrate to a 3rd party that the claimed individual generated the signature. This is often called non-repudiation since the individual cannot simply repudiate the signature at a later time.

The following steps explain how a digital signature is used to exchange information between a sender and a receiver:

  1. First, the data that would be transferred is hashed using some hashing algorithms such as SHA-256. Hashing is a one-way function and produces a unique value for unique input. The original data cannot be obtained using the hash value. This ensures data integrity, as if the data is modified, the corresponding hash value will also change.
  2. The hash is then encrypted using the sender’s private key. This creates a digital signature.
  3. The digital signature would now be attached and sent to the sender.
  4. After receiving the data and the digital signature, the signature is decrypted using the sender’s public key, which provides the hash value generated on the first step.
  5. The receiver then hashes the obtained data.
  6. If the hash obtained on step 5 is equal to the hash receiver got on step 4, it ensured data integrity. If, however, the hashes do not match, then the data has been modified.

Digital signatures are meant to be used in emails, transferring data, distributing software, and other applications, requiring data integrity and ensuring the authenticity of the data origin.

Use case of Asymmetric and Symmetric Encryption

Asymmetric and symmetric encryption is often used in combination with each other to maintain a balance of performance, secure transfer, identification, etc. A single one may not be able to achieve alone. 

Use case 1: Messaging Applications

Many messaging applications such as WhatsApp, telegram, Signal provide end-to-end encryption to provide confidentiality of the users involved and authenticate users to communicate with each other securely. 

In end-to-end encryption, the messages and calls are encrypted so anyone apart from the users would not obtain plaintext information. Only the data is encrypted, but the headers, trailers, and routing information of the messages remain unencrypted.

One of the best features is that even if the key is somehow compromised from the user’s physical device, that key cannot be used to decrypt any previously encrypted text.

To be able to achieve this, both symmetric and asymmetric encryptions are used. Asymmetric encryption is used to initiate the conversation among the users, which involves exchanging secret keys for symmetric encryption. After the communication is established and a secret key is exchanged, symmetric encryption is used for the whole duration of the communication.

First, when the application is installed on the user’s end, the key pair is created. The user’s public key is registered and stored in the application server, but the private key remains in the user’s device. The user who wants to initiate the conversation obtains the receiver’s public key from the application server. Using the public key, the sender sends an encrypted message to the receiver. The encrypted message contains parameters to establish a symmetric session among the parties involved. The receiver would use their private key to decrypt the message and develop symmetric encryption between the sender and the receiver. Once the session has been established, clients exchange messages protected with a Message Key using AES256 in CBC mode for encryption and HMAC-SHA256 for authentication. The encrypted session would be recreated only when the application is re-installed, or the device is changed.  

Use case 2: HTTPS

HTTPS (Hypertext Transfer Protocol Secure) is a secure version of the HTTP protocol that uses the SSL/TLS protocol for encryption and authentication.  HTTPS is specified by RFC 2818 (May 2000) and uses port 443 by default instead of HTTP’s port 80. 

The HTTPS protocol makes it possible for website users to transmit sensitive data such as credit card numbers, banking information, and login credentials securely over the internet. For this reason, HTTPS is essential for securing online activities such as shopping, banking, and remote work. HTTPS is now the standard protocol for all websites, whether they exchange sensitive data with users. 

An HTTPS connection between a client and a server uses both symmetric and asymmetric encryption. Like the previous one, asymmetric encryption is first used to establish communication and exchange secrets, and then symmetric encryption is used for the rest of the communication. The key used for symmetric encryption is called session keys. Session keys are randomly generated when a session is created and are used for that particular session only.  The steps involved in HTTPS are: 

  1. When the client tried to connect to the server, the server first sends a TLS certificate. The respective CA would verify the certificate to ensure the authenticity of the certificate and the server involved.
  2. The certificate also contains cipher suits and the maximum TLS version supported.
  3. After the certificate is verified and the algorithms and TLS versions are set to be the maximum among the client and the server, the client generates a session key. The session key is encrypted using the server’s public key and is sent to the server.
  4. The server decrypts the session key using its private key.
  5. The session key is then used for symmetric encryption, and data is exchanged among the server and the client using the session key.
  6. The session continues with only symmetric encryption.

Conclusion

Symmetric encryption is indeed one of the fastest encryption techniques, but the secret key needs to be exchanged securely to be effective. Asymmetric encryption is thus used to exchange the key involved for symmetric encryption. In both use cases, asymmetric encryption is used briefly to exchange parameters and establish symmetric encryption used for the rest of the communication.  Being slow and resource exhaustive, asymmetric encryption is only used to cover the shortcomings of symmetric encryption. Thus, both of them are used together to achieve ideal secure communication, maintain privacy, achieve authenticity, data integrity, and proper authentication. 

Tags:

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download
Encryption Services

About the Author

Anish Bhattacharya is a Consultant at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.

You might also be interested in

Decrypt The Importance Of Key Management In Cryptography For Your Organization
Decrypt The Importance Of Key Management In Cryptography For Your Organization
Does your organization have an Encryption Backdoor?
Does your organization have an Encryption Backdoor?
The Microsoft Signed Rootkit Malware That Can Decrypt All Encrypted Communications
The Microsoft Signed Rootkit Malware That Can Decrypt All Encrypted Communications

Explore More Topics

Encryption

Homomorphic Encryption – Basics

by Anish Bhattacharya
Posted on Last updated on

Read time: 5 minutes 2 seconds

Organizations nowadays are storing and performing computation of the data on the cloud instead of handling themselves. Cloud Service Providers (CSPs) provide these services at an affordable cost and low maintenance. But to ensure compliance and retain privacy, organizations need to transfer the data in an encrypted format, which does ensure the confidentiality of the data. However, once the data reaches the cloud, the CSP has to decrypt the data to perform operation or computation.

Decrypting the data to the CSP loses the data’s confidentiality, which may concern the organization for not being compliant to data privacy regulations such as GDPR, FIPS, PCI DSS,  CCPA, etc.

What is Homomorphic Encryption?

Homomorphic Encryption makes it possible to do computation while the data remains encrypted. This will ensure the data remains confidential while it is under process, which provides CSPs and other untrusted environments to accomplish their goals. At the same time, we retain the confidentiality of the data.

Like other asymmetric encryptions, homomorphic encryption is encrypted using a public key and can only be decrypted by the respective private key. But while the data is encrypted, operations can be performed on the data, which retains confidentiality, and helps organizations achieve compliance even when using untrusted environments.

Why do we need Homomorphic Encryption?

Data creation has been increased tremendously in recent times, sent/stored in multiple environments belonging to other parties such as CSPs or other third-party organizations. From startups to big organizations, everyone uses CSPs to store or process data, where tools such as Big Query are used for data processing.

CSPs do provide some control over the data customers store in their environments, but those controls depend on CSPs. While users can encrypt and store data on CSPs, conducting computation on the data would be limited. Thus, standard encryption is only limited to data storage alone and does not provide any meaningful analysis that can be used.

To be able to process data while ensuring data privacy, researchers are focusing on privacy-enabled computation. Homomorphic Encryption (HE) is one of the promising approaches in this direction.

Types of Homomorphic Encryption

Homomorphic Encryption allows computation on encrypted data without decrypting. Mathematical operations that can be performed on the ciphertext differentiates the types of Homomorphic Encryptions.
They are mainly of two types:

  1. Partial Homomorphic Encryption (PHE) (supports either addition/multiplication, but not both)
  2. Fully Homomorphic Encryption (FHE) (supports both addition and multiplication)

Partial Homomorphic Encryption such as RSA and Paillier cryptosystems does support additive and multiplicative homomorphism. In 2009, Craig Gentry proposed an FHE scheme based on lattices for the first time. An FHE scheme usually supports addition and multiplication ciphertexts as follows:

HE(a+b) = HE(a) + HE(b) and HE(a*b) = HE(a) * HE(b)

Addition/Multiplication of plaintext is equal to the addition/multiplication of two ciphertexts.

Applications

HE makes it possible to achieve privacy-preserving computation in almost every scenario. Some of those include:

  1. Private Search

    Search Engines rely on ads to generate revenue. While serving searches to their users, search engines get a better view of the user’s preferences. This does help them provide customized ads for the user they serve. Homomorphic encryption does solve the problem. Search Engines can crawl the encrypted data, serve them as the algorithm is designed to, and serve the user with encrypted data. The user would get the desired result, while the search engines remain unaware of the data requested, which keeps preferences private and more challenging to serve ads.

  2. Encrypted Databases

    In any cyber-attacks, databases are often the most crucial infrastructure to protect. It may cost an organization a considerable fine in compliance and have a bad reputation to go along. Several security measures are kept in place, which includes Encrypting a database. In case of a breach, the database would remain encrypted and decrypted by a specific key, preventing unauthorized access to the database.
    If we employ the standard encryption, the encrypted database will not allow any operations on the records. We can use deterministic encryption, order-preserving encryption, and order-revealing encryption to support the encrypted database. But these would lead to leakages, such as memory access patterns and search patterns.
    With Homomorphic Encryption, it is possible to encrypt data in the database to obtain confidentiality, while we can also perform operations and computation on the data. Only authorized users with the key to decrypt the database can access the data in the database.

  3. Computation on Cloud

    Cloud Computing saves money and reduces maintenance that an organization needs to maintain its infrastructure for the services offered. Organizations can lease cloud infrastructure on a need basis to run their applications. CSPs also provides the ability to scale up according to the load on the infrastructure. Since the service providers typically manage clouds, organizations require the CSP to be compliant and get better privacy and security for their organization.
    If we choose to keep the data encrypted on the cloud and perform operations on those encrypted data, it will make CSP’s compliance and security measures less relevant. CSPs can maintain the infrastructure that store and process the encrypted data, while never accessing the plaintext.

Limitations and Drawbacks

Homomorphic Encryption computations are slow, and only a finite number of operations can be performed on the encrypted data. FHE based computation is at least 106 times slower than computation on the plaintext.

Homomorphic Encryption is also not feasible for multiple users. If we have a database, which we would need multiple users to access, we would need to create a separate database for every user, which is encrypted using the user’s public key. This would become impractical if the number of users increases or the size of the database increases.

Conclusion

Homomorphic Encryption in the current state is computationally expensive and practically inefficient. It can certainly be used to encrypt data, while we can perform different computations on the data. HE enables privacy-preserving computation, which helps us work with untrusted environments while maintaining the data’s confidentiality. Check out Format Preserving Encryption if interested in privacy-preserving computations.

Tags:

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download
Encryption Services

About the Author

Anish Bhattacharya is a Consultant at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.

You might also be interested in

Big Data – Data Encryption in Big Data
Big Data – Data Encryption in Big Data
How to fix the SSL Handshake Failed error?
How to fix the SSL Handshake Failed error?
PQC Standardization Project To Determine The Most Quantum-Safe Algorithms
PQC Standardization Project To Determine The Most Quantum-Safe Algorithms

Explore More Topics

Cloud Key Management

Cloud-based vs On-premises HSMs

by Dipanshu Bhatnagar
Posted on Last updated on

Read Time: 08 min.

Encryption is one of the basic building blocks for any organization containing sensitive data/information. Sensitive data compliant with data privacy regulations creates a brand value for your organization as your organization becomes less prone to data breaches. As we all know the strength of the encryption depends upon two critical factors

  1. Key length
  2. Security of the Keys

Key length is quantifiable and could be determined using the various encryption algorithms such as AES-128 or AES-256. On the other hand, the Security of the key is a subjective matter. As we all know, the more secure the keys are, private keys in asymmetric and shared keys in symmetric encryption, the more powerful the encryption landscape is.

When it comes to the Security of Keys, the best bet is to use HSMs (Hardware Security Module) which are NIST compliant i.e. FIPS-140-2-Level3.

Cloud-based HSM vs. On-Premises HSM

In today’s article, we will compare Cloud-based HSM and On-prem HSM and try to

Find an answer for what criteria a customer should choose as the appropriate option for their organization’s crypto security.

As organizations step up their cloud journey as fast as possible to utilize the advantages of the cloud e.g. scalability, flexibility, cost-effectiveness, they have to parallelly think about data security in their IT landscape. This makes encryption, and subsequently HSMs, an inevitable component of an organization’s Cybersecurity strategy.Based on the use cases, we can classify HSMs into two categories: Cloud-based HSMs and On-Prem HSMsIn regards to the classification of HSMs (On-prem vs Cloud-based HSM), kindly be clear that the cryptographic technology is the same, but delivered via different methods.

On-prem HSMs are specifically useful for storing encryption keys when the organization wants complete control over their keys and policies without having any dependency on the Cloud Service Provider (CSPs). However, this comes at substantial upfront investment in terms of hardware, skilled resources, management software licenses managing the HSM cluster etc.

On-prem HSMs also make sense when an organization uses a secure application which is extremely sensitive to latency. The secure application uses an On-prem HSM only, thus avoiding the latency. Another important use case is where an application with intensive cryptographic operations is in use due to security best practices, technological designs, and/or performance requirements. On-prem HSM is also beneficial to organizations which operate in countries with strict regulatory/compliance requirements on data localization, and where Cloud Service Providers (CSP) may not have a local datacenter in that geographic location. It also benefits organizations with foreseeable workloads, where it is highly unlikely that the business requirements and transaction volumes will exceed the capacity of the HSM in the near future.

On the other hand, Cloud-based HSMs offer out-and-out advantages of the cloud in addition to conventional features of HSMs. To dig deeper, we can further classify the Cloud-based HSM into two categories: Public Cloud HSM Services and Third- Party HSM Services. Some Public Cloud HSM Services offer Single-tenant/dedicated or Multi-tenant services (e.g. AWS, Azure) whereas others offer only Multi-tenant services (e.g. GCP KMS, Oracle Key Vault) thus, these HSM Services are best suited for organizations which are dependent upon single Cloud Service Provider (CSP). In Third Party HSM Services, you can leverage multi-cloud platforms managed through the central management portal (e.g. DPoD) thus, these HSM Services are best suited for organizations with multi-cloud strategies. These HSM Services also offer use-case-based modular services to lessen data protection cost. Some examples of these services are Key Vault, Oracle TDE (Transparent Data Encryption), Code/Digital Signing etc.

Cloud-based HSMs are extremely helpful in the case of SMB (small and medium business) organizations which already have some other IT service dependencies, and substantial upfront investments for On-prem HSMs may not be feasible in terms of cost- effectiveness. Another classic Cloud-based HSM use case is where enterprises want to test or pilot multiple vendor HSM services with minimal upfront investments before committing to a vendor. Also, it is useful in organizations where the workloads are less in the organization/department and application performance and latency requirements are not stringent enough to require a dedicated, On-prem HSM. This model is suitable for smaller organizations which prefer a foreseeable and PAYG (pay-as-you-go) based financial model offered by the Cloud Service Provider (CSP) rather than high initial capital investments required by an On-prem HSM. Organizations/departments with highly variable workloads which might require elasticity (i.e. scaling up and scaling down of the HSM infrastructure) do come under the umbrella of Cloud-based HSMs as well.

Move your IT infrastructure to Cloud.

Comparison at a Glance

 Cloud-based HSMOn-Premises HSM
HardwareNo hardware required# of hardware required including for resiliency, HA, Management Platform etc.
Payment ModelPAYG (pay-as-you-go)Upfront Cost
SetupEasyComplex
SoftwareIncluded in the costLicenses may be required for each partition and Client Software
Client DeploymentEasy with CSP documentationComplex and skill dependent
ComplianceResponsibility of CSPResponsibility of the organization
Operational OverheadLow as it’s a managed service from CSPHigh as its managed by organization
SLA (Service Level Agreements)Responsibility of CSPResponsibility of organization
Operational Technical KnowledgeMedium with CSP’s documentation & vendor supportHigh as its managed by organization
Total Cost of OwnershipLowHigh specifically for low # of partitions

*CSP: Cloud Service Provider

Conclusion

The HSM service is certainly a critical component while designing and deciding the data privacy measures for your organization’s PKI infrastructure. The decision between Cloud- based HSM or On-prem HSM is a function of TCO (total cost of ownership), number and complexity of the use cases, business, regulatory, legal compliances, foreseeable growth in the volume of the sensitive data, divergent data sources, and choice of business applications to name a few. Although Cloud-based HSM Services are becoming more popular considering the fact that more and more organizations are jumping to the cloud for its numerous benefits. However, On-prem HSMs become critical in the case when Cloud Service Provider (CSPs) hit some limitations, although they are very few in the count. To conclude, one thing remains consistently clear: the benefits offered by Public Key Infrastructure (PKI) can be completely undermined if private keys are compromised. Protecting and managing those keys is, therefore, a critical requirement to ensure enterprise data security. HSMs, whether On-prem or Cloud-based, are the best options today to fulfil that requirement.

Tags:

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download
Encryption Services

About the Author

Dipanshu Bhatnagar is a Principal Consultant Cloud Security Specialty at Encryption Consulting working with PKIs, AWS Cloud Cryptographic services and tools, Google Cloud Cryptographic Services, and helping high profile clients towards their cloud journey with complete data privacy assurance.

You might also be interested in

How Secure Are Key Management Service of Amazon (AWS KMS)?
How Secure Are Key Management Service of Amazon (AWS KMS)?
AWS Certificate Manager (ACM) – Best Practices
AWS Certificate Manager (ACM) – Best Practices
Microsoft Azure Services – Azure Key Vault
Microsoft Azure Services – Azure Key Vault

Explore More Topics

Cloud Key Management Service Options, Education Center

What is Secret Management?

by Puneet
Posted on Last updated on

Secret Management refers to tools or methods that are used to manage authentication credentials (or secrets). These may include passwords, access keys, API keys, and tokens that can be used in applications, services, privileged accounts or other sensitive areas of the IT ecosystem.

Advantages

  • By this approach, service accounts — generic administrative accounts which may be assumed by one or more users — can access these secrets, but no one else

Disadvantages

  • Not compliant with regulatory requirements which specify FIPS-certified hardware

Why is Secret Management important?

Passwords and access keys are some of the most used tools to authenticate users or automated applications onto the network or give access to specific services, systems, or information that might be otherwise classified. Since these secrets need to be transferred securely, secret management would need to account for and mitigate the risk portrayed on the secrets while in transit as well as on rest.

Some of the secrets include:

  • Passwords
  • API keys or other application keys/credentials
  • SSH Keys
  • Database and other system passwords
  • Certificates for secure communication (TLS/SSL and more).
  • Private encryption keys such as PGP
  • RSA and other one-time password devices

Challenges in Secret Management

As IT infrastructure grows and develops, it increases the complexity and the diversity of the secrets involved that needs to be properly protected. Those secrets should be securely stored, transmitted and audited securely.

Some of the common risk and considerations are:

  • Incomplete visibility and awareness:
    All privileged accounts, applications, tools, containers, or microservices deployed across the environment, and the associated passwords, keys, and other secrets. SSH keys alone may number in the millions at some organizations, which should provide an inkling of a scale of the secrets management challenge. This becomes a particular shortcoming of decentralized approaches where admins, developers, and other team members all manage their secrets separately, if they’re managed at all. Without oversight that stretches across all IT layers, there are sure to be security gaps, as well as auditing challenges.
  • Hardcoded/embedded credentials
    Privileged passwords and other secrets are needed to facilitate authentication for app-to-app (A2A) and application-to-database (A2D) communications and access. Often, applications and IoT devices are shipped and deployed with hardcoded, default credentials, which are easy to crack by hackers using scanning tools and applying simple guessing or dictionary-style attacks. DevOps tools frequently have secrets hardcoded in scripts or files, which jeopardizes security for the entire automation process.
  • Privileged credentials and the cloud
    Cloud and virtualization administrator consoles (as with AWS, Office 365, etc.) provide broad superuser privileges that enable users to rapidly spin up and spin down virtual machines and applications at massive scale. Each of these VM instances comes with its own set of privileges and secrets that need to be managed
  • DevOps tools
    While secrets need to be managed across the entire IT ecosystem, DevOps environments are where the challenges of managing secrets seem to be particularly amplified at the moment. DevOps teams typically leverage dozens of orchestration, configuration management, and other tools and technologies (Chef, Puppet, Ansible, Salt, Docker containers, etc.) relying on automation and other scripts that require secrets to work. Again, these secrets should all be managed according to best security practices, including credential rotation, time/activity-limited access, auditing, and more.
  • Third-party vendor accounts/remote access solutions
    How do you ensure that the authorization provided via remote access or to a third-party is appropriately used? How do you ensure that the third-party organization is adequately managing secrets?
  • Manual secrets management processes
    Leaving password security in the hands of humans is a recipe for mismanagement. Poor secrets hygiene, such as lack of password rotation, default passwords, embedded secrets, password sharing, and using easy-to-remember passwords, mean secrets are not likely to remain secret, opening up the opportunity for breaches. Generally, more manual secrets management processes equate to a higher likelihood of security gaps and malpractices.

Tags:

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download
Encryption Services

About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

You might also be interested in

What is Public Key Cryptography?
What is Public Key Cryptography?
What is SSH Key Management? What are SSH Key Management best practices?
What is SSH Key Management? What are SSH Key Management best practices?
What is a Wildcard Domain Certificate?
What is a Wildcard Domain Certificate?

Explore More Topics

Cloud Key Management Service Options, Education Center

What is Hybrid Key Management System (KMS)?

by Puneet
Posted on Last updated on

Hybrid KMS is a centralized management of accounts across all leading CSP’s with custom API‘s for integration and the ability to manage all encryption key lifecycle management activities from the central console.

Many organizations simply prefer to own and physically oversee their own HSMs, but they also seek the accessibility and convenience of the cloud. A hybrid model would contain a combination of on-premises HSMs and cloud HSMs to account for:

  • Scalability
  • Backup
  • Failover

This model is often used by organizations that have large on-premises HSM estates, but want to limit further investments in on-premises and want to tap into the scalability of the cloud. With a hybrid infrastructure, if an organization sees an unexpectedly high volume, cloud-based HSMs can seamlessly provide additional capacity, preventing slowdowns or outages. 

A few years ago, on-premises were the only option for key management. That has changed and organizations now have the option to move fully to the cloud or adopt a hybrid model. As organizations are considering these options, they can evaluate based on these parameters: 

  • FIPS 140-2 Level 3 compliance and PCI DSS standards.
  • Scalability
  • Compliance
  • High Availability
  • Integration
  • Resources
  • Cost

If an organization is facing scalability issues, interruptions, access failure, it might be time to extend their critical infrastructure beyond physical premises. Organizations have several options: moving to the cloud, renting rack space, or looking for hybrid options.

Tags:

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download
Encryption Services

About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

You might also be interested in

What is FIPS? How do you become compliant with FIPS?
What is FIPS? How do you become compliant with FIPS?
What are the stages in a certificate’s lifecycle? How do you protect the certificate lifecycle?
What are the stages in a certificate’s lifecycle? How do you protect the certificate lifecycle?
What is Encryption?
What is Encryption?

Explore More Topics

Cloud Key Management Service Options, Education Center

What are the services provided by Microsoft Azure?

by Puneet
Posted on Last updated on

  • Master Key Types: Microsoft Azure offers 2048, 3072, and 4096 bit RSA asymmetric master keys, but it does not support any symmetric master keys.
  • Encryption Modes: Microsoft Azure does not offer symmetric encryption methods, but does offer two asymmetric encryption methods: RSA OAEP and RSA PKCS#1v1.5.
  • Plaintext Size Limits: Microsoft Azure offers a plaintext size limit of 0.25KB.
  • Bring Your Own Key (BYOK) Options: To utilize BYOK, the key being used on the cloud must first be imported the Cloud Service Provider, and to import the key, it must first be wrapped. Microsoft Azure takes an RSA key that is wrapped by AES and RSA-OAEP. 
  • Signature Modes: To ensure the integrity of data-in-transit, signatures are used. Microsoft Azure offers RSA-PSS, RSA PKCS#1V1.5, ECDSA with P-256, ECDSA with P-512, ECDSA with SECP-256k1. and ECDSA with P-384 signature methods.
  • Cloud HSM Compliance: Each Cloud Service allows users to store keys in a cloud HSM, but the cloud HSM for each service has different compliancy certificates. Microsoft Azure’s regular Vault HSM is FIPS 140-2 level 2 compliant and its Managed HSM is FIPS 140-2 level 3 compliant.
  • Azure Key Vault Features: Azure Key Vault protects keys and secrets with HSMs or software appliances. Both Azure Services and the customer can access the keys and secrets that are stored. Azure Key Vault is FIPS 140-2 Level 2 compliant and only supports asymmetric keys. It also supports RSA keys of sizes 2048, 3072 and 4096and Elliptic Curve key types P-256, P-384, P-521, and P-256K (SECP256K1). Azure Key Vault supports customer managed keys and manages tokens, passwords, certificates, API keys, and other secrets.
  • Azure Dedicated HSM Features: Azure Dedicated HSM stores keys on an on-premises Luna HSM. This key storage is only accessible by the customer, allowing users to manage keys and not have to worry about the CSP having access to the keys. Azure Dedicated HSM is FIPS 140-2 Level 3 compliant and supports symmetric and asymmetric keys. It also supports RSA, DSA, Diffie-Hellman, Elliptic Curve Cryptography (ECDSA, ECDH, Ed25519, ECIES) with named, user-defined, and Brainpool curves, and KCDSA for asymmetric keys. Symmetric keys created with AES-GCM, Triple DES, DES, ARIA, SEED, RC2, RC4, RC5, and CAST are accepted by Azure Dedicated HSM. For Hash/Message Digest/HMAC, SHA-1, SHA-2, and SM3 are accepted, for key derivation SP800-108 Counter Mode is accepted, and for key wrapping SP800-38F is accepted. Azure Dedicated HSM is capable of offline key backup, and single device provisioning, but customer managed keys are not supported.

Tags:

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download
Encryption Services

About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

You might also be interested in

Zero Trust Security
Zero Trust Security
How is Encryption and Decryption done in an SQL Server?
How is Encryption and Decryption done in an SQL Server?
What is HIPAA? How do you become compliant with HIPAA?
What is HIPAA? How do you become compliant with HIPAA?

Explore More Topics

Let's talk