Reading time: 3 minutes, 27 seconds

LDAPS is one of the most crucial functionalities to properly protect and secure credentials in your PKI environment. By default, LDAP communications between client and server applications are not encrypted. This means that it would be possible to use a network monitoring device or software and view the communications traveling between LDAP client and server computers. This is especially problematic when an LDAP simple bind is used because credentials (username and password) are passed over the network unencrypted. This could quickly lead to the compromise of credentials.
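To make the exposure concrete, here is an added example (not part of the original article) that builds a constructed LDAP BindRequest in the BER layout of RFC 4511 and runs an audit check that flags simple binds sent without TLS. The DN, password, constants and function names are illustrative assumptions.

```python
"""Audit helper: flag LDAP simple binds that cross the network without TLS.

BER layout follows the BindRequest definition in RFC 4511. All sample
values are constructed for illustration.
"""

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
AUTH_SIMPLE = 0x80    # [0] simple: the password as raw bytes
AUTH_SASL = 0xA3      # [3] SASL: mechanism plus opaque credentials


def ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    """Encode one tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def read_tlv(buf, pos):
    """Decode the element at pos and return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length


def build_bind(message_id, dn, auth_choice):
    """Build an LDAPMessage carrying a version 3 BindRequest."""
    op = tlv(INTEGER, b"\x03") + tlv(OCTET_STRING, dn.encode()) + auth_choice
    return tlv(SEQUENCE, tlv(INTEGER, bytes([message_id])) + tlv(BIND_REQUEST, op))


def inspect_bind(message, over_tls):
    """Summarise a BindRequest, or return None for anything else.

    The password itself is never returned, only whether it was exposed.
    SASL credentials are mechanism-specific and are not judged here.
    """
    try:
        tag, body, _ = read_tlv(message, 0)
        if tag != SEQUENCE:
            return None
        _, _, pos = read_tlv(body, 0)            # messageID
        tag, op, _ = read_tlv(body, pos)
        if tag != BIND_REQUEST:
            return None
        _, _, pos = read_tlv(op, 0)              # version
        _, dn, pos = read_tlv(op, pos)           # bind DN
        auth_tag, secret, _ = read_tlv(op, pos)  # authentication choice
    except (IndexError, ValueError):
        return None
    method = {AUTH_SIMPLE: "simple", AUTH_SASL: "sasl"}.get(auth_tag, "unknown")
    return {
        "dn": dn.decode("utf-8", "replace"),
        "method": method,
        "password_exposed": method == "simple" and bool(secret) and not over_tls,
    }


# Constructed samples: a service account doing a simple bind, and a SASL bind.
SAMPLE_DN = "CN=svc-app,OU=Service,DC=example,DC=com"
SAMPLE_PASSWORD = b"Constructed-Passw0rd!"
SIMPLE_BIND = build_bind(1, SAMPLE_DN, tlv(AUTH_SIMPLE, SAMPLE_PASSWORD))
SASL_BIND = build_bind(
    2, "", tlv(AUTH_SASL, tlv(OCTET_STRING, b"GSSAPI") + tlv(OCTET_STRING, b"\x00" * 16))
)

if __name__ == "__main__":
    print("password bytes visible in message:", SAMPLE_PASSWORD in SIMPLE_BIND)
    print("port 389:", inspect_bind(SIMPLE_BIND, over_tls=False))
    print("port 636:", inspect_bind(SIMPLE_BIND, over_tls=True))
    print("SASL:    ", inspect_bind(SASL_BIND, over_tls=False))
```

The same BindRequest bytes are produced with or without LDAPS; the difference is that on the SSL port they travel inside the TLS session instead of directly on the wire.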

Prerequisites

A functional Microsoft PKI should be available and configured. PKIView.msc should show no errors.

If you need help in deploying your own PKI, you can refer to this article to build your own Two Tier PKI

Installing AD LDS

Carry out this step on the LDAP server or on the domain controllers that will host the LDAPS service.

  • Open Server Manager
  • From the Manage menu, open Add Roles and Features
  • On Before you Begin, click Next
  • On Installation type, ensure Role-based or feature-based installation is selected, and click Next
  • On Server Selection, click Next.
  • On Server Roles, click Active Directory Lightweight Directory Services, and click Add Features, and then click Next
  • On Features, click Next
  • On AD LDS, click Next
  • On Confirmation, click Install
  • Post Installation, AD LDS needs to be configured

Configuring AD LDS

  • Run AD LDS setup wizard. Click Next on first page.
  • Ensure unique instance is selected, and click Next
  • Provide Instance name and Description, and click Next
  • Leave default ports and click Next

If AD LDS is installed on a domain controller, the LDAP port will be 50000 and the SSL port will be 50001.

  • On Application Directory Partition, click Next
  • On File locations, click Next
  • On Service Account Selection, you may leave it on the Network service account, or choose a preferred account that can control LDAPS service
  • On AD LDS administrators, leave the current admin, or choose another account from the domain
  • Choose all LDF Files to be imported, and click Next
  • On Ready to Install, click Next
  • After Installation, click Finish

Publishing a certificate that supports Server Authentication

  • Login to the Issuing CA as enterprise admin
  • Ensure you are in Server Manager
  • From the Tools menu, open Certificate Authority
  • Expand the console tree, and right click on Certificate Templates
  • Select Kerberos Authentication (as it provides Server Authentication). Right click and select Duplicate Template. We can now customize the template.
  • Change Template Display Name and Template Name on General tab. Check Publish Certificate in Active Directory. This will ensure that the certificate appears when we enrol domain controllers using that template
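  • On Request Handling, check Allow private key to be exported. An exportable key can be copied off the server together with the certificate, so limit who can administer the host and treat any exported file as a secret.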
  • On the Security tab, provide Enroll permissions to appropriate users
  • Click Apply

Issue the Certificate on Issuing CA

  • Login to the Issuing CA as enterprise admin
  • Ensure you are in Server Manager
  • From the Tools menu, open Certificate Authority
  • Expand the console tree, and click on Certificate Templates
  • On the menu bar, click Action > New > Certificate Template to Issue
  • Choose the LDAPS certificate
  • Click OK and it should now appear in Certificate Templates

Requesting a certificate for Server Authentication

  • Log into LDAP server or domain controller.
  • Press Win+R and run mmc
  • Click File and click Add/Remove Snap-in
  • Choose Certificates and click Add
  • Choose Computer account
  • If these steps are performed on the LDAP server where AD LDS is installed, click Local computer; otherwise choose Another computer and select the computer where the certificate needs to be installed
  • Expand the console tree, and inside Personal, click Certificates
  • Right click on Certificates and click All Tasks and select Request New Certificate
  • Follow the instructions, choose the LDAPS template that we issued earlier, and click Install.
  • Once Installed click Finish
  • Open the certificate, and in Details tab, navigate to Enhanced Key Usage to ensure Server Authentication is present.

Validating LDAPS connection

  • Login to LDAP Server as Enterprise admin
  • Press Win+R and run ldp.exe
  • On the top menu, click on Connections, and then click Connect
  • In Server, provide the domain name, ensure SSL is checked and the proper port is provided, and click OK
  • No errors should appear. If connection was unsuccessful, the following output may appear

Conclusion

This should enable LDAPS which can be used to properly protect credentials used in your PKI environment as well as enable other applications to use LDAPS.

About the Author

Anish Bhattacharya is a Consultant at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.

Search any posts

A collection of Encryption related products and resources that every organization should have!

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

Reading time: 10 minutes, 53 seconds

Trust is crucial in the software-driven society we live in. But how can we tell which software to rely on and which to avoid? We can thank code signing for that.

Developers use code signing to demonstrate a piece of software’s legitimacy and ensure that it originates from a reliable source and hasn’t been tampered with. Code signing relies on cryptography, more specifically on a certificate known as a code signing certificate.

Customers should constantly be on the lookout for third parties posing as software providers while downloading software from the Internet. A tool like code signing lets them confirm that software is coming from the right source. Code signing is a process where a software developer or distributor digitally signs the file being sent out, so that consumers receive software that does what its creator claims it will. The signature indicates that the code has not been altered from its original state.

Benefits of Code Signing

Code signing is a technique for adding a digital signature to a program, file, software update, or executable so that, upon installation and execution, its validity and integrity can be checked. Much like a wax seal, it assures the receiver of who the author is and that the item hasn’t been opened and tampered with. For instance, Microsoft developers, programmers, and software engineers use code signing to demonstrate that your Windows 10 update genuinely came from Microsoft and not from a hacker attempting to breach your machine.

You can be confident that you are downloading a file from a legitimate author or publisher and not from an attacker trying to steal your personal information and data thanks to code signing. In essence, it informs you that a bad guy hasn’t changed the code so you know it’s safe to install and run on your machine.

If you’ve ever seen the small window that appears when you attempt to launch software you’ve downloaded, the one that asks, “Are you sure you want to run this?” and identifies the publisher, then you have experienced code signing. That dialogue box informs you, for example, that the patch for your Mac OS X is authentic and still in the same state as when it was signed by Apple Inc.

What Does Code Signing Do?

As a user, code signing serves a few distinct purposes that might assist you in determining if you should trust software downloads and other online interactions. Code signing is mostly used to verify the authorship of files, downloads, and software. For instance, you are more likely to install a download file supplied to you from Microsoft than one from any other source since it will seem to be much more reliable.

There will inevitably be updates for the software you install on your computer in the future. You may be sure that subsequent updates have come from the same source and are secure to run on your computer when they are code signed with the same key that was used to “seal” your initial downloads.

How Does Code Signing Work?

From the perspective of a developer, code signing has three main parts: unsigned software files, code signing certificates, and code signing applications. Applications for code signing are typically included with operating systems like Microsoft Windows, Mac OS X, etc. Code signing certificates are usually obtained from Certificate Authorities (CAs).

Public Key Encryption

When you encode a message to shield it from unauthorized viewers, you are using encryption. Typically, this is done by running the message through a mathematical function with a value (referred to as a “key”) that alters its values. Decoding the message depends on knowing the key that puts the values back to their original state, enabling the message to be read. In public key encryption (also known as asymmetric encryption), the key that encrypts the message and the key that decrypts it are distinct, hence “asymmetric”. It is known as a “public key” system because one key, the “public key”, is made public and used to secure the communication, while the other, the “private key”, is kept secret.

Private keys must be kept secure, confidential, and out of the hands of anybody who would try to intercept or tamper with messages in order for this type of encryption to work. The kind of transmission determines whether the public key is used to encode or decode the message. Encrypt using the private key and decode with the public key if you want everyone to be able to read the message but don’t want anyone to tamper with it. You encrypt using the public key but decode with the private key if you want everyone to be able to send messages but don’t want them intercepted by the incorrect person.

Hash Function

A form of encryption called hash functions is intended to be irreversible. Hash functions are designed to be one-way, utilizing a mathematical function that modifies the data in a way that can’t be undone, as opposed to encoding with a key and using a key to decode. The most typical comparison is like mixing paint. As an illustration, mixing blue (the original values) and yellow (the hash function) will always result in green, but there is no way to separate the two colors and get back the blue.

When you require a set value and don’t need to read the data again, hash functions are utilized. The most prevalent example is login passwords, which are frequently hashed by websites for storage. If there is ever a breach, all the hacker has obtained is a collection of random numbers. The website hashes your password once again and compares it to the previously saved hash value when you log in. They let you in if the information you provided matches what is in their records. They only need to know the value; they don’t need to read the password itself.

Code Signing Certificates

Before the developers can sign their work, they need to generate a public/private key pair. This is often done locally through software tools such as ‘OpenSSL’. Developers then give the public key and the organization’s identity information to a trustworthy CA. The CA verifies the authenticity of identity information and then issues the certificate to the developer. This is the code signing certificate which was signed by CA’s private key and contains the developer organization’s identity and the developer’s public key.

When developers are ready to “sign” their code to prove authorship, they take all the code they produced and hash it. The output value is then encoded using the private key described above, which is often created by the author. The code signing certificate, which contains the public key and the author’s identity (proving the authorship), is added alongside it. The result of this procedure is then included in the program that will be distributed.

This is an instance of code signing. The majority of browsers and operating systems come with the public key of the CA pre-installed. When a user downloads the program, the system first uses the CA’s public key to check that the code signing certificate incorporated in the signed software is legitimate and comes from a reliable CA. The developer’s public key is then taken out of the certificate and used to decrypt the encrypted hash.

The program is then hashed once more, and the result is compared with the decrypted value. If the hash values generated by the user and the developer match, the program has not been tampered with or damaged during transmission. The user is then informed that the program is in the same condition as when the developer signed it and that it is safe to install and execute, provided the developer can be trusted.

Root Certificates

Code signing can provide you, the end user, confidence in the reliability and validity of the downloaded program. However, you should also be mindful that malicious actors may produce a code signing certificate and a public-private key pair to give the impression that they were authorized by a legitimate CA. How do you determine whether certificates are reliable if anybody can create a code signing certificate?

Root certificates have a role in this. Code signing certificates can be compared to a family tree. You may trace certificates back to discover which signing certificate—your root certificate—is at the root of the tree in order to confirm where they originated. Because you can follow the “chain of trust” back to the initial signing authority with the root certificate, you can tell whether the other code signing certificates are reliable.

A business like Apple or Microsoft might be considered the root authority. If the certificate used to sign the program you are attempting to download cannot be traced back to a trusted root certificate, the system will warn you not to trust it. Even a trusted authority may occasionally fail to be recognized if its root certificate is not installed in a browser or in the trust store of an operating system. For the browser or operating system to accept the root certificate as reliable and valid in these situations, you will need to manually add it to your trust store.
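The checks described under “Code Signing Certificates” and “Root Certificates” above, as an added example that is not part of the original article: a toy signer and verifier that hashes the code, signs the hash, and walks the certificate back to a trust store. It assumes textbook RSA without padding on constructed keys built from Mersenne primes, and every name in it (CA, publisher, functions) is hypothetical.

```python
"""Toy walk-through of code signing: hash, sign, then chain to a trusted root.

Uses textbook RSA without padding on constructed keys so the arithmetic
stays visible. Real signing uses padded schemes and vetted libraries.
"""
import hashlib
import json

E = 65537  # public exponent shared by every toy key


def make_key(p_bits, q_bits):
    """Build a toy RSA key from two Mersenne primes 2**k - 1 (constructed)."""
    p, q = 2 ** p_bits - 1, 2 ** q_bits - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}


def digest_int(data):
    """SHA-256 of the data as an integer: the value that gets signed."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data):
    """Hash the data, then apply the private-key operation to the hash."""
    return pow(digest_int(data), private_key["d"], private_key["n"])


def verify(public_n, data, signature):
    """Undo the signature with the public key and compare with a fresh hash."""
    return pow(signature, E, public_n) == digest_int(data)


def cert_bytes(body):
    """Canonical encoding of the certificate fields that the CA signs."""
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(ca_name, ca_key, subject, subject_n):
    """The CA binds an identity to a public key by signing both."""
    body = {"subject": subject, "issuer": ca_name, "public_n": subject_n}
    return {"body": body, "signature": sign(ca_key, cert_bytes(body))}


def verify_signed_code(code, code_signature, cert, trust_store):
    """Return (ok, reason), running the checks in the order the text gives."""
    root_n = trust_store.get(cert["body"]["issuer"])
    if root_n is None:
        return False, "issuer not in trust store"
    if not verify(root_n, cert_bytes(cert["body"]), cert["signature"]):
        return False, "certificate not signed by trusted root"
    if not verify(cert["body"]["public_n"], code, code_signature):
        return False, "code hash mismatch"
    return True, "signed by " + cert["body"]["subject"]


# Constructed keys. Only the root's public modulus is pre-installed.
ROOT_KEY = make_key(521, 607)
DEV_KEY = make_key(1279, 2203)
ROGUE_KEY = make_key(2281, 3217)   # a key pair anybody could generate
TRUST_STORE = {"Example Root CA": ROOT_KEY["n"]}


def run_scenarios():
    """Verify a genuine release, a tampered one, and two self-made certificates."""
    code = b"installer v1.0"               # stand-in for a binary
    other = b"installer v1.0 (unofficial)"
    publisher = "Example Software Ltd"
    dev_cert = issue_certificate("Example Root CA", ROOT_KEY, publisher, DEV_KEY["n"])
    code_sig = sign(DEV_KEY, code)
    # Certificates minted with the rogue key: one names the trusted CA as
    # issuer without holding its private key, one names its own CA.
    forged = issue_certificate("Example Root CA", ROGUE_KEY, publisher, ROGUE_KEY["n"])
    self_made = issue_certificate("Rogue CA", ROGUE_KEY, publisher, ROGUE_KEY["n"])
    other_sig = sign(ROGUE_KEY, other)
    return {
        "genuine": verify_signed_code(code, code_sig, dev_cert, TRUST_STORE),
        "tampered": verify_signed_code(code + b"!", code_sig, dev_cert, TRUST_STORE),
        "forged_issuer": verify_signed_code(other, other_sig, forged, TRUST_STORE),
        "unknown_root": verify_signed_code(other, other_sig, self_made, TRUST_STORE),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```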

What Are the Types of Digital Certificates?

Different systems require different types of authentication. What works on a desktop is likely unsuitable for mobile systems and vice versa. Here are a few examples of the different certificates for both desktop and mobile software.

Desktop Certificates:

  • Microsoft
  • Java
  • Microsoft Office and VBA
  • Adobe AIR

Mobile Certificates:

  • Windows Phone
  • Windows Phone Private Enterprise
  • Java Verified
  • Android

If you’re looking to sign and secure your software, you should first know what kind of software or system you are starting with and work from there.

What is the Use of a Digital Certificate?

A digital certificate is meant to give the software or code you distribute to your users an identity. Users can verify the program publisher using a digital certificate. Because these digital certificates are issued by certificate authorities, users have more faith in the publishers. Digital certificates also give software providers additional value through the ability to track their product and the number of downloads.

How Long is a Digital Certificate Valid?

How long a certificate is valid is another typical query from those trying to obtain their own digital code signing certificate. Digital certificates normally only have a year or two of validity, however, the actual duration might vary depending on the issuer.

This validity is brief for the following two reasons:

Private keys and security certificates can be, and are, compromised. Because certificates are renewed and changed every year or two, any prior certificates, even those that have been stolen, become invalid.

Technology is evolving quickly. What was secure five years ago is no longer nearly as secure. Code signing certificates can be updated and changed to keep the certificate security current.

Where is Code Signing Used?

Code signing is used any place a developer wants a user to be sure of the source of a piece of software. This includes:

1. Windows applications and software patches

2. Apple software

3. Microsoft Office VBA objects and macros

4. .jar files

5. .air or .airi files

6. Essentially any executable

Be aware that, because of the distributed nature of Linux development, code signing is often not used for Linux-based software, so that software may come unsigned. If that happens, your computer (if it gives any notice) will tell you it’s from an “unknown developer,” or something along those lines. Here are a few other applications and software that utilize code signing to increase their security.

  • iOS: Code signing in iOS for the App Store is done using Xcode. The purpose of signing your app is simply to let iOS know who signed the app originally and to make sure it hasn’t been altered since it was originally signed by the developer. If you need to revoke your iOS certificate, you will need to use your developer account or Xcode to complete the process.
  • Xcode: Xcode is used to code sign iOS apps and ensure their security. Before any app can be uploaded and approved for the iTunes store it must have a valid Apple Developer ID with a valid certificate or profile. To successfully integrate your app, you will need to use a development certificate. In order to run the app on any device, you must use a distribution certificate to send out the app and test it.
  • C#: Visual C# uses strong name signing to produce a unique signature that is not available to anyone else in the world and cannot be spoofed. When using Visual C#, you can simply sign your deployment using the sn.exe tool. This functions as your signature, which the sigcheck tool reports by printing “Strong Name: Signed.”
  • Windows Certificate: Nearly any executable can be signed with a digital signature to verify the security and integrity of the file. For the file to be considered secure in Windows, it must be signed by a recognized certificate authority. Anyone who distributes malware under a valid certificate is held legally accountable for the software they distribute.
  • Visual Studio: Visual Studio is particularly helpful when it comes to strong name signing for assemblies—a notoriously difficult task. Strong name signing through Visual Studio allows other computers to trust the software developer.

About the Author

Kirtan Dua is a Cyber Security Consultant, working on PKI, security in the cloud, and key management.


Read time: 3 minutes, 54 seconds

Cryptographic Service Providers (CSPs) store, access and create cryptographic keys, the building blocks of PKI. In the case of certificates, the cryptographic services available depend on the provider: different providers offer different types of keys and key lengths. Examples include RSA, elliptic curve (ECC), and a host of others such as DES, 3DES, etc.

For hardware solutions such as Smart Cards and Hardware Security Modules (HSMs), third party software is sometimes needed for optimal performance. Newer Next Gen KSPs and more standard Microsoft CSPs are listed below for a comparison.

Since there are so many different providers, it’s best to divide into groups based on all around capabilities in every use case. The below tables show different cryptographic methods from modern to legacy. In reviewing this list, the primary things being evaluated are what types of keys can be used, their size, protections, and compatibility.

Modern Microsoft cryptography providers

Microsoft Software Key Storage Provider (CNG)

  • Description: Standard Windows software-based RSA and ECC provider.
  • Purposes: Key Exchange, Digital Signature, Data Encryption
  • Crypto: RSA, ECC; SHA1, SHA2
  • Default Microsoft Templates: OCSP Response Signing (KSP Required, Provider not specific)

Microsoft Smart Card Key Storage Provider (CNG)

  • Description: Supports smart card key creation and use.
  • Purposes: Key Exchange, Digital Signature, Data Encryption
  • Crypto: RSA, ECC; SHA1, SHA2
  • Default Microsoft Templates: None

Legacy Microsoft cryptography providers

Microsoft RSA SChannel Cryptographic Provider (CAPI)

  • Description: Supports hashing, data signing, and signature verification. The algorithm identifier CALG_SSL3_SHAMD5 is used for SSL 3.0 and TLS 1.0 client authentication. This CSP supports key derivation for the SSL2, PCT1, SSL3 and TLS1 protocols.
  • Purposes: Key Exchange
  • Crypto: RSA; SHA1
  • Default Microsoft Templates: CEP Encryption, Computer, Directory Email Replication, Domain Controller, Domain Controller Authentication, IPSec, IPSec (Offline), Kerberos Authentication, RAS and IAS Server, Router (Offline request), Web Server, Workstation Authentication

Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider (CAPI)

  • Description: Supports Diffie-Hellman key exchange (a 40-bit DES derivative), SHA hashing, DSS data signing, and DSS signature verification. Derived from Base DSS and Diffie-Hellman Cryptographic Provider. Adds support for RC2/4, DES and 3DES encryption.
  • Purposes: Digital Signature
  • Crypto: RSA; SHA1
  • Default Microsoft Templates: Authenticated Session, Basic EFS, CA Exchange, Code Signing, EFS Recovery Agent, Enrollment Agent, Enrollment Agent (Computer), Exchange Enrollment Agent (Offline request), Exchange Signature Only, Exchange User, Key Recovery Agent, Trust List Signing, User, User Signature Only

Microsoft DSS and Diffie-Hellman/Schannel Cryptographic Provider (CAPI)

  • Description: Supports hashing, data signing with DSS, generating Diffie-Hellman (D-H) keys, exchanging D-H keys, and exporting a D-H key. This CSP supports key derivation for the SSL3 and TLS1 protocols.
  • Purposes: Key Exchange
  • Crypto: RSA; SHA1
  • Default Microsoft Templates: Web Server

Microsoft Base Cryptographic Provider (CAPI)

  • Description: A broad set of basic cryptographic functionality that can be exported to other countries or regions. No 3DES support. RC2/4 limited to 40 bits.
  • Purposes: Digital Signatures, Data Encryption
  • Crypto: RSA; SHA1
  • Default Microsoft Templates: Administrator, Authenticated Session, Basic EFS, Code Signing, EFS Recovery Agent, Enrollment Agent, Enrollment Agent (Computer), Exchange Enrollment Agent (Offline request), Exchange Signature Only, Exchange User, Trust List Signing, User, User Signature Only

Microsoft DSS Cryptographic Provider (CAPI)

  • Description: Provides hashing, data signing, and signature verification capability using the Secure Hash Algorithm (SHA) and Digital Signature Standard (DSS) algorithms.
  • Purposes: Digital Signatures
  • Crypto: RSA; SHA1
  • Default Microsoft Templates: Authenticated Session, Code Signing, Enrollment Agent, Enrollment Agent (Computer), Exchange Enrollment Agent (Offline request), Exchange Signature Only, Trust List Signing, User Signature Only

Deprecated Microsoft cryptography providers

Microsoft Base Smart Card Crypto Provider (CAPI)

  • Description: Derived from Microsoft Strong Cryptographic Provider. Communicates with Smart Card Modules (minidriver).
  • Purposes: Digital Signatures, Data Encryption
  • Crypto: RSA; SHA1
  • Default Microsoft Templates: None

Microsoft Strong Cryptographic Provider (CAPI)

  • Description: An extension of the Microsoft Base Cryptographic Provider available with Windows XP and later. Default RSA CSP. Supports all the same key lengths, but lacks configurable Salt length for RC encryption algorithms.
  • Purposes: Digital Signatures, Data Encryption
  • Crypto: RSA; SHA1
  • Default Microsoft Templates: None

Microsoft Enhanced Cryptographic Provider (CAPI)

  • Description: Derived from Base Cryptographic Provider. The Enhanced Provider supports stronger security through longer keys and additional algorithms. Can only generate 128bit RC2/4 keys, can import smaller
  • Purposes: Digital Signatures, Data Encryption
  • Crypto: RSA; SHA1
  • Default Microsoft Templates: None

Microsoft RSA and AES Cryptographic Provider (CAPI)

  • Description: Microsoft Enhanced Cryptographic Provider with support for AES encryption algorithms.
  • Purposes: Digital Signatures, Data Encryption
  • Crypto: RSA; SHA1
  • Default Microsoft Templates: None

Microsoft Base DSS and Diffie-Hellman Cryptographic Provider (CAPI)

  • Description: A superset of the DSS Cryptographic Provider that also supports Diffie-Hellman key exchange, hashing, data signing, and signature verification using the Secure Hash Algorithm (SHA) and Digital Signature Standard (DSS) algorithms.
  • Purposes: Diffie Hellman (Key Exchange), Digital Signatures
  • Crypto: RSA; SHA1
  • Default Microsoft Templates: None

Conclusion

In conclusion, Microsoft has a wide range of available cryptographic services, suitable for any application. With these tools, Encryption Consulting has worked with Top 500 companies to secure and update PKI solutions to ensure reliability and availability for cryptographic services.

About the Author

Caedon is a Consultant at Encryption Consulting, working with PKIs, and HSMs, and working as a consultant with high-profile clients.


Read time: 6 minutes, 25 sec

What is Data Loss Prevention?

Data Loss Prevention (DLP) is a solution for detecting the exposure of sensitive data. DLP is used by organisations to safeguard and protect data as well as to adhere to legislation. Through their network, businesses transmit sensitive data to partners, clients, remote workers, and other authorised users, but occasionally an unauthorised user may be able to intercept it.

Organizations need to protect sensitive data due to multiple industry and government regulations such as HIPAA and PCI-DSS.

Why does your organization need data loss prevention?

A “borderless” network perimeter with numerous attack vectors has been produced by today’s digital transformation, which started with mobile devices and continued with embedded systems, social media applications, hypervisors, and the proliferation of connected devices.

Organizations need to make sure that their most sensitive data and assets are secured in order to adapt to this technological transformation. When implemented correctly, DLP offers visibility, granular control, and data security coverage to defend against human error-related data loss and external threats. The creation of a thorough data loss prevention strategy shouldn’t be put off; it may assist your business in safeguarding its “crown jewels,” ensuring compliance with the changing regulatory environment, and preventing the publication of the next data breach story.

You don’t know where the private information of your business is kept, where it is sent, or who is accessing it.

DLP technology gives IT and security employees a complete picture of where data is located, how it moves through the organisation, and how it is being used. It lets you protect and maintain control over sensitive data, such as customer information, personally identifiable information (PII), financial information, and intellectual property. It does this by comparing network actions to your organization’s security regulations. With a complete grasp of this data, your firm will be able to develop the right rules to safeguard it and decide which assets need to be protected and at what cost.

Although your business has a plan in place to guard against external intrusion, it does not cover employee theft or the unintentional disclosure of sensitive data by partners and employees.

Data loss may not always occur as a result of outside, hostile attacks. One important factor is internal employees accidentally disclosing or improperly handling confidential information. In 28 percent of the attacks, insiders were involved, according to Verizon’s 2018 Data Breach Investigations Report. It can be particularly challenging to protect against insider threats because it’s difficult to tell when someone is abusing their rightful access to data. DLP has the ability to identify confidential information-containing files and stop them from leaving the network. It has the ability to implement policies that protect data on an as-needed basis and can stop sensitive data transfers to USB devices and other removable media.

For instance, access to a particular endpoint may be immediately barred in the event that a security event is discovered. In response to occurrences, policies may also quarantine or encrypt data.

The responsibility, adverse exposure, penalties, and lost revenue linked to data breaches worry you.

Data breaches have been in the news alarmingly often. Through fines, negative publicity, the loss of important clients, and legal action, they can wreak financial havoc on an organisation. According to the Ponemon Institute’s 2017 Cost of Data Breach Study, the mean time to identify (MTTI) a breach has reportedly reached an average of 191 days, which equates to nearly six months of dwell time for attackers. Lateral movement is made possible by dwell time, which is essential for boosting hackers’ chances of success.

You’re worried about your next audit and wish to continue adhering to the intricate laws.

Regulations like the GDPR and New York Cybersecurity requirements are ushering in a new era of accountability, and as a result every regulated firm that collects, stores, and utilises sensitive customer data must raise the bar to meet new standards. Failure to comply with regulations may result in fines of up to 4% of annual global turnover and orders to stop processing. Controls over technology are becoming important in some instances to achieve compliance. These controls are offered by DLP, together with policy templates and maps that cover certain requirements, streamline compliance, and permit the gathering and reporting of metrics.

Data must be safeguarded from security risks brought on by BYOD and IoT.

DLP assists in preventing the unintentional disclosure of sensitive data across all devices when used in conjunction with complementing safeguards. DLP can monitor data and dramatically lower the risk of data loss wherever it resides, whether it is in use, at rest in storage, or in transit over the network.

Types of DLP Solutions

A company might lose data in a number of ways. A DLP solution should be able to recognise the numerous ways in which sensitive data may be removed from an organisation. The various DLP solution types include:

Endpoint DLP

An endpoint DLP solution monitors data on the network’s devices. It is installed to monitor and safeguard the data stored on endpoints such as laptops, servers, smartphones, printers, etc. Endpoint DLP safeguards the data on such endpoints even when the endpoint is online or linked to a public network. Additionally, this method stops sensitive data from being transferred to USBs.

Network DLP

This DLP system is put into place on the network and keeps track of data transfer. It can monitor, safeguard, and block all incoming and outgoing data for any device linked to the network. All of the network-connected devices can be subject to the DLP policies. Data on offline devices cannot be protected by this solution; it can only secure data on devices that are connected to the network.

Email DLP

The email DLP system keeps track of emails and filters them based on particular keywords. This solution can reduce email-based data leaks.

Cloud DLP

A cloud DLP solution keeps an eye on and safeguards the data kept in the cloud. Emails, documents, and other forms of files may all be protected and monitored with the service.

Techniques needed for your data loss prevention

  • Determine the primary data protection objective in order to determine the appropriate DLP solution for the organization.
  • Implement a centralised DLP programme and collaborate with various departments and business units to define standard DLP rules that control data for the organisation. Data visibility will rise as a result throughout the organisation.
  • Make an evaluation of the different forms of data and their importance to the company. Determine the type of data, whether it is sensitive, and where it is stored. Consider the data exit points. Then assess the danger of each type of data being compromised to the organisation.
  • Make a method for classifying data that includes both structured and unstructured information. Internal, private, public, personally identifiable information (PII), intellectual property, and other types of data may exist.
  • Create policies for data processing and correction for various sorts of data. DLP software comes with pre-configured rules based on laws like GDPR and HIPAA. These guidelines can be altered to suit the requirements of the company. Create controls to lower the danger to the data. To lessen the unique data risks, organisations should build granular, fine-tuned controls.
  • Employee education can lower the possibility of insiders accidentally leaking data. A good data loss prevention programme depends heavily on employee knowledge and comprehension of security standards. Employee understanding and adherence to data security policies and best practises can be improved with the support of awareness campaigns and trainings such as posters, emails, online trainings, and seminars.
  • Utilize indicators like the number of events, the mean time to incident response, and the proportion of false positives to gauge how effective your DLP system is.

Conclusion

A company’s security depends heavily on having the right cyber security platforms and solutions in place. Any firm can utilise DLP to stay ahead of threat actors, whether they are internal or external. Any business, especially banks and healthcare companies, must prioritise protecting sensitive consumer and corporate data. At Encryption Consulting, we place the utmost importance on cyber security. We work with organizations to create the most secure environment possible using methods such as DLP, Public Key Infrastructure (PKI), and encryption assessments. We provide assessment, implementation, and development services for PKI, encryption, and Hardware Security Modules (HSMs). If you have any questions, visit our website at www.encryptionconsulting.com.

About the Author

Kirtan Dua is a Cyber Security Consultant, working on PKI, security in the cloud, and key management.


Read time 3 minutes, 47 sec

Microsoft gave its digital imprimatur to a rootkit that decrypted encrypted communications and sent them to attacker-controlled servers. This malicious driver, known as “Netfilter,” has been spread within gaming environments. Its primary purpose is to act as a rootkit that communicates with Chinese command-and-control (C2) IPs.

Discovery

Karsten Hahn, a researcher at security firm G Data, discovered this driver using his company’s malware detection system. The initial detection was declared a false alarm because Microsoft had digitally signed Netfilter under the company’s Windows Hardware Compatibility Program. After further testing and research, Hahn concluded that this was not a false positive. He and his fellow researchers discovered that “The core functionality seems to be eavesdropping on SSL connections. In addition to the IP redirecting component, it also installs and protects a root certificate to the registry” [1] (by reverse engineer Johann Aydinbas on Twitter).

What is a Rootkit?

A rootkit is a type of malware written to hide itself from file directories, task monitors, and other standard OS functions. A root certificate is usually used to authenticate traffic sent through connections protected by the Transport Layer Security protocol; this helps encrypt the data in transit and ensures that the server a user is connected to is genuine and not an imposter.

Typically, these TLS certificates are issued by a Windows-trusted Certificate Authority (or CA), and by installing these root certificates in Windows, hackers can bypass the CA requirement.

Origin story

The Netfilter driver was seen communicating with China-based C&C IPs while providing no legitimate functionality, which led to further suspicion. Around this time, G Data’s malware analyst Karsten Hahn shared the signature info publicly on Twitter and contacted Microsoft.

Figure 1: Malicious binary signed by Microsoft

According to Hahn, any code that runs in kernel mode must be tested and signed before being released publicly to ensure stability for the operating system. At this time, BleepingComputer also began observing the behavior of the C2 URLs and contacted Microsoft for an explanation.

The first C2 URL returns a set of further routes separated by the pipe (“|”) symbol:

Figure 2 Navigating to the C2 URL

Each of these serves a purpose:

  • The URL ending in “/p” is associated with proxy settings.
  • “/s” denotes encoded redirection IP addresses.
  • “/h?” represents the CPU-ID.
  • “/c” returns a root certificate.
  • “/v?” denotes the malware’s self-update functionality.

According to BleepingComputer, the “/v?” path provided the URL to the malicious Netfilter driver in question (at “/d3”):

Figure 3 Path to malicious Netfilter driver

The G Data researcher Hahn spent considerable time analyzing the driver and concluded that it has self-update functionality. According to him, the sample has a self-update routine that sends its MD5 hash to the server through “hxxp://110.42.4.180:2081/v?v=6&m=”.

The server then replies with the URL for the latest sample, or with “OK” if the sample is up-to-date, and the malware replaces its file accordingly.

Figure 4 Malware self-update functionality analyzed
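The routes and the self-update request described above can be turned into a proxy-log heuristic. The following Go program is an added example, not code from G Data, BleepingComputer or Microsoft: the log format, the route labels and the thresholds are assumptions, and the log lines are constructed (only the destination and the “/v?v=6&m=” prefix come from the article).

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// Constructed proxy log, one request per line: "<client> <method> <url>".
// Clients, the hash value and the example.com hosts are made up.
const sampleLog = `10.0.0.21 GET http://110.42.4.180:2081/v?v=6&m=9e107d9d372bb6826bd81d3542a419d6
10.0.0.21 GET http://110.42.4.180:2081/p
10.0.0.21 GET http://110.42.4.180:2081/c
10.0.0.34 GET http://updates.example.com/v?v=6&m=stable
10.0.0.34 GET http://intranet.example.com/p
10.0.0.50 GET http://203.0.113.9:8080/h?0F8BFBFF000906EA
`

// Finding is one client/destination pair that matched the heuristic.
type Finding struct {
	Client, Dest string
	Routes       []string
	Reason       string
}

var (
	md5Hex = regexp.MustCompile(`^[0-9a-fA-F]{32}$`)
	digits = regexp.MustCompile(`^[0-9]+$`)
)

// classify maps a URL onto one of the five routes the article lists
// (labels are this example's own) or returns "" if the shape differs.
func classify(u *url.URL) string {
	q := u.Query()
	switch {
	case u.Path == "/v" && digits.MatchString(q.Get("v")) && md5Hex.MatchString(q.Get("m")):
		return "self-update"
	case u.Path == "/h" && u.RawQuery != "":
		return "cpu-id"
	case u.Path == "/p" && u.RawQuery == "":
		return "proxy"
	case u.Path == "/s" && u.RawQuery == "":
		return "redirect-ips"
	case u.Path == "/c" && u.RawQuery == "":
		return "root-cert"
	}
	return ""
}

// Detect groups requests per client and destination, then flags a pair that
// sent an MD5-shaped update check or touched three or more of the routes.
func Detect(log string) []Finding {
	seen := map[string]map[string]bool{} // "client dest" -> set of routes
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			continue
		}
		u, err := url.Parse(f[2])
		if err != nil || u.Host == "" {
			continue
		}
		if route := classify(u); route != "" {
			key := f[0] + " " + u.Host
			if seen[key] == nil {
				seen[key] = map[string]bool{}
			}
			seen[key][route] = true
		}
	}
	var out []Finding
	for key, set := range seen {
		routes := make([]string, 0, len(set))
		for r := range set {
			routes = append(routes, r)
		}
		sort.Strings(routes)
		reason := "three or more C2-style routes on one destination"
		if set["self-update"] {
			reason = "update check carrying an MD5-shaped hash"
		} else if len(routes) < 3 {
			continue // one or two short paths alone are too common to flag
		}
		parts := strings.SplitN(key, " ", 2)
		out = append(out, Finding{parts[0], parts[1], routes, reason})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Client+out[i].Dest < out[j].Client+out[j].Dest })
	return out
}

func main() {
	for _, f := range Detect(sampleLog) {
		fmt.Printf("%s -> %s %v: %s\n", f.Client, f.Dest, f.Routes, f.Reason)
	}
}
```

Matching on the request shape rather than on the address alone keeps the rule useful if the destination changes, while the lone “/p” and the non-hash “m=stable” request stay unflagged.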

Security Lapse

Microsoft said it is investigating a malicious actor who distributed these malicious drivers (Netfilter) within gaming environments. This actor submitted drivers for certification through the Windows Hardware Compatibility Program. These drivers were built by a third party, so Microsoft has suspended the account and reviewed its submissions for additional signs of malware. Microsoft could not find evidence that either the Windows Hardware Compatibility Program signing certificate or its WHCP signing infrastructure had been compromised. It has since added Netfilter detections to the Windows Defender AV engine built into Windows and provided this detection to other AV providers.

Update regarding the Malware [2]

  • Jun 26th, 12:26 PM ET: Clarified that BleepingComputer did not see the DoD list explicitly mentioning the alleged Chinese company, contrary to the details in the researcher’s report. Also reached out to Hahn for clarification.
  • Jun 27th, 04:58 AM ET: A previous version of the blog post mentioned another researcher, @cowonaut alleging that the company mentioned above was previously marked by the U.S. Department of Defense (DoD) as a “Communist Chinese military” company. The claim has since been retracted from the original blog post, and we have updated our article to reflect the same. However, BleepingComputer did not see Ningbo Zhuo Zhi Innovation Network Technology Co., Ltd. present on any of the DoD lists available.

Conclusion

Despite the limitations, this security lapse was a serious one. Microsoft’s certification program was designed to block precisely the kind of attack which G Data first discovered. Microsoft has yet to say how they came to sign the malware digitally; company representatives also declined to explain.

Reference

microsoft-digitally-signs-malicious-rootkit-driver

microsoft-admits-to-signing-rootkit-malware-in-supply-chain-fiasco

About the Author

Subhayu Roy is a Cyber Intern at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.


Read Time: 3 minutes

Crypto-shredding is the technique to discard the encryption keys for the encrypted data without zeroizing/deleting the encrypted data, hence making the data undecipherable.

Over the past many years, the topic of data protection has been hitting the headlines. The unstoppable movement of data from various sources is susceptible to various risks and threats that have impacted millions of users in a short time. In the present technological era, data encryption has become the de facto standard within various industries; however, the management of encrypted data has become an uphill task for the stakeholders.

While discussing the management of encrypted data, there are two types of encrypted data to be looked into: Active encrypted data & Passive encrypted data.

Active encrypted data is used by various crypto-systems and handled appropriately within the security ecosystem, whereas passive encrypted data is not actively used and is ready to be destroyed.

Challenges in data destruction

Data destruction is a challenging task when it is exercised as an individual’s right to erasure, specifically under data protection regulations such as GDPR. To honour the right to erasure, the organization has to look up all references to the data concerned within its databases, logs, backups, etc., find the relevant data, and delete it from its systems; however, this is not a straightforward task and has pros & cons of its own.

Next comes the solution to this problem, i.e., crypto-shredding.

Crypto-shredding: Solution to data destruction

As we know, in crypto-shredding the encryption key is discarded/destroyed, and since the key is destroyed, the data encrypted by that key automatically becomes unusable because it can’t be decrypted without the key. However, we need to make sure there are no other copies of the key that bad actors could use to decrypt the data, as the data is still available in encrypted form.

The other possibility, breaking the encryption algorithm itself, can be safely discounted: if the algorithm were breakable, it would be considered and marked as vulnerable by the relevant authorities, and no organization would be using it to encrypt data in the first place.

Considering the above pointers, we can safely assume that the crypto-shredding is equivalent to deleting/zeroizing the data itself.

Crypto-shredding tackles the problem of searching/indexing specific data references across the entire infrastructure in a different way, by focusing on only one crucial aspect, i.e., the management of encryption keys. For example, when new data is created and is supposed to be stored, backed up, or replicated, it is encrypted first and only then processed further. When the data is supposed to be deleted, rather than searching for the data references in your infrastructure, you simply delete the encryption keys to make the data undecipherable.
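The flow described above, together with the earlier caveat about leftover key copies, can be run end to end. This Go program is an added example rather than code from the article: the per-subject key store, the function names and the record contents are assumptions, and AES-256-GCM from the Go standard library is the cipher chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyShredded means the subject's key was destroyed (or never existed).
var ErrKeyShredded = errors.New("no key for subject: data is undecipherable")

// KeyStore holds one AES-256 key per data subject. It stands in for a real
// key management system; the per-subject layout is this example's assumption.
type KeyStore map[string][]byte

// Shred zeroizes the key bytes in place and then drops the entry.
func (ks KeyStore) Shred(subject string) {
	for i := range ks[subject] {
		ks[subject][i] = 0
	}
	delete(ks, subject)
}

// Export returns a copy of the key, as a key backup or escrow would hold it.
func (ks KeyStore) Export(subject string) []byte {
	return append([]byte(nil), ks[subject]...)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals data under the subject's key and returns nonce||ciphertext.
// The subject name is bound in as associated data.
func Encrypt(ks KeyStore, subject string, data []byte) ([]byte, error) {
	if _, ok := ks[subject]; !ok { // first record for this subject: new key
		k := make([]byte, 32)
		if _, err := rand.Read(k); err != nil {
			return nil, err
		}
		ks[subject] = k
	}
	g, err := newGCM(ks[subject])
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, data, []byte(subject)), nil
}

// OpenWithKey decrypts a blob with an explicitly supplied key.
func OpenWithKey(key []byte, subject string, blob []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:n], blob[n:], []byte(subject))
}

// Decrypt looks the key up in the store; after Shred it can only fail.
func Decrypt(ks KeyStore, subject string, blob []byte) ([]byte, error) {
	key, ok := ks[subject]
	if !ok {
		return nil, ErrKeyShredded
	}
	return OpenWithKey(key, subject, blob)
}

func main() {
	ks := KeyStore{}
	blob, _ := Encrypt(ks, "alice", []byte("alice@example.com"))
	escrow := ks.Export("alice") // a key copy someone forgot about
	ks.Shred("alice")
	// The same ciphertext sits in every location; none has to be hunted down.
	for _, where := range []string{"primary", "backup", "replica"} {
		_, err := Decrypt(ks, "alice", blob)
		fmt.Printf("%-8s after shred: %v\n", where, err)
	}
	pt, err := OpenWithKey(escrow, "alice", blob)
	fmt.Printf("forgotten key copy: %q, err=%v\n", pt, err)
}
```

The last line of output is the failure mode to design against: the shred only counts once every exported or backed-up copy of the key is destroyed as well.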

Till now, we have understood the strengths of crypto-shredding. Let’s look at the weaknesses as well:

  1. If the encryption applied to the data is not strong enough, the data breach could still occur, and in this case, the process of crypto-shredding won’t be useful.
  2. Since the crypto-shredding deletes the keys only, the encrypted data still exists, and that would require the management of storage in your environment.
  3. As the whole concept of crypto-shredding revolves around the key deletion, the organizations must have an efficient key management system that involves secure key deletion.

Conclusion

Currently, there are no standards in place for crypto-shredding as such. However, certain compliance standards require something called “the right to be forgotten” where the customer has the right to ask that all their personal data be completely deleted without undue delay. Crypto-shredding is an efficient technique to manage the passive encrypted data, but with its own limitations. Many organizations still do not use crypto-shredding as it’s not prescribed by authorities such as NIST, GDPR, etc. Instead of crypto-shredding, customers can take a look at NIST Special Publication 800-88 revision 1, which is a NIST document discussing the sanitization of data. 

Resources

NIST.SP.800-88r1

About the Author

Dipanshu Bhatnagar is a Principal Consultant Cloud Security Specialty at Encryption Consulting working with PKIs, AWS Cloud Cryptographic services and tools, Google Cloud Cryptographic Services, and helping high profile clients towards their cloud journey with complete data privacy assurance.


Read Time: 10 min

Let’s define NIST Cyber Security Framework in brief. 

The NIST Cyber Security Framework known as NIST CSF is a cybersecurity assessment-type framework developed by the NIST (National Institute of Standards and Technology). The core purpose of the NIST CSF is to protect the nation’s critical infrastructure using a set of cybersecurity best practices and recommendations. It’s a voluntary, risk-based, and outcome-oriented cybersecurity framework to help your organization to categorize its security activities around five key functions 1) Identify 2) Protect, 3) Detect, 4) Respond, and 5) Recover.

 Let’s look at each function briefly:

Identify – The Identify function assists you in evolving an overall cybersecurity risk management approach to systems, people, assets, data, and capabilities in the organization. It helps you to identify the critical assets, overall business environment, governance model, and supply chain.

Protect – The Protect function helps you to set up defensive controls based on the inputs from the Identify function, such as critical assets and risk tolerance/acceptance levels. It also emphasizes the importance of access control & identity management, protecting data, and training & awareness for users.

Detect – The Detect function helps you to detect anomalies, malicious activities, and other events effectively through continuous security monitoring and with the help of other detection processes & procedures.

Respond – Complementing the Detect function, Respond helps you to take the right action immediately through incident response planning, mitigation actions for events, accurate analysis, communication to the designated stakeholders, and continuous improvement with each event.

Recover – The Recover function assists you in getting back to the pre-attack condition with the help of recovery planning, continuous improvement, and communication to the designated stakeholders.

NIST Cyber Security Framework Overview: Core, Tiers, and Profile

The NIST CSF consists of three sections:

The core section represents cybersecurity practices, technical, operational, process security controls, and outcomes that support the five risk management functions such as Identify, Protect, Detect, Respond, and Recover.

The tiers section emphasizes the organization’s processes of managing risks while remaining aligned with NIST CSF.

The profiles characterize how effectively an organization’s cybersecurity program is managing its risk. It also expresses the state of an organization’s “as is” and “to be” cybersecurity postures.


NIST Cyber Security Framework and AWS Cloud

Earlier, the AWS team published a guide on how to implement the NIST CSF in an AWS cloud environment. AWS recommends using NIST CSF as a mechanism to have baseline security in place that can improve the cloud security objectives of an organization. NIST CSF contains a comprehensive controls catalogue derived from the ISO/IEC 27001 (1), NIST SP 800-53 (2), COBIT (3), ANSI/ISA-62443 (4), and the Top 20 Critical Security Controls (CSC) (5).

There is a listing on the AWS portal that specifies the alignment of NIST CSF to various AWS services that are known as “AWS Services and Customer Responsibility matrix for Alignment to the CSF” (6). This is a comprehensive list that customers can use to align their needs with the CSF in the AWS cloud for their security requirements. Also, this enables the customer to design their baseline security requirements to meet their security goals.

AWS Cloud Adoption Framework

Before setting up a baseline, it is important for a customer to have a clear understanding of their business use cases and the customer-owned responsibilities for “security in the AWS cloud”. The customer should review the “AWS Cloud Adoption Framework” (7) to evaluate the governance model that will be required while implementing the NIST CSF into the AWS cloud services. The AWS CAF (Cloud Adoption Framework) lists pointers known as “CAF Perspectives” to identify gaps in security skills, capabilities, and cybersecurity processes.

NIST CSF Functions and Responsibilities (Customer-owned & AWS-owned)

The AWS team has mapped the NIST CSF functions, categories, and sub-categories into 108 outcome-based security activities. Every function shows the customer-owned and AWS-owned responsibilities, that is, security of the cloud, owned by AWS, and security in the cloud, owned by the customer. Business owners/stakeholders can use the AWS link of “AWS Services and Customer Responsibility matrix for Alignment to the CSF” to tailor their needs as per the organization’s tiers and profile level in the CSF.

The below figure represents the CSF core functions (Identify, Protect, Detect, Respond, and Recover) with categories defined and those that have been converted to 108-outcome based security activities (8) by AWS.

Till now we have discussed the NIST CSF alignment with the AWS Cloud Services and how the customer can use CAF (Cloud Adoption Framework) to evaluate the skill gap, capability, and cybersecurity processes using the CAF Perspectives.    

Let’s discuss how appropriate AWS services can be leveraged to set up effective Security Architecture using NIST Cyber Security Framework.

The table below provides a summarized view of AWS Cloud Services categorized into the NIST CSF Core Functions based on the nature of the service:

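| #  | Identify        | Protect             | Detect       | Respond         | Recover                      |
|----|-----------------|---------------------|--------------|-----------------|------------------------------|
| 1  | Organizations   | Shield              | GuardDuty    | CloudWatch      | OpsWorks                     |
| 2  | Security Hub    | Certificate Manager | Macie        | Lambda          | CloudFormation               |
| 3  | Config          | KMS                 | Inspector    | Detective       | S3 Glacier                   |
| 4  | Trusted Advisor | Network Firewall    | Security Hub | CloudTrail      | Snapshot                     |
| 5  | Systems Manager | WAF                 |              | Systems Manager | Archive                      |
| 6  | Control Tower   | Firewall Manager    |              | Step Functions  | CloudEndure Disaster Recovery |
| 7  |                 | CloudHSM            |              |                 |                              |
| 8  |                 | IAM                 |              |                 |                              |
| 9  |                 | Direct Connect      |              |                 |                              |
| 10 | VPC             |                     |              |                 |                              |
| 11 |                 | Single-Sign-On      |              |                 |                              |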

Conclusion:

Having the AWS Cloud Services aligned with the NIST CSF enables the customer to improve their cloud security posture with appropriate risk management and industry-compliant cloud services. Encryption Consulting, a leading cyber-security firm, offers various AWS and NIST related cybersecurity consulting Services catering to its customers a risk and security control maturity assessment based on the outlined standards. Encryption Consulting helps customers to get them familiarized with NIST CSF and AWS security tools & documentation and assist them in conducting a meaningful and quantifiable cybersecurity assessment while keeping the organization’s business goals intact.

Resources:
  1. ISO/IEC 27001:2013, Information Technology – Security techniques – Information Security management systems – Requirements. ISO. Retrieved February 18, 2021, from: https://www.iso.org/standard/54534.html
  2. NIST Special Publication (SP) 800-53, Rev. 5, Security and Privacy Controls for Information Systems and Organizations. National Institute for Standards and Technology. Retrieved February 18, 2021, from: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
  3. Control Objectives for Information and Related Technology (COBIT), an ISACA Framework. Information Systems Audit and Control Association (ISACA). Retrieved February 18, 2021 from: https://www.isaca.org/resources/cobit
  4. ANSI/ISA-62443-2-4-2018 / IEC 62443-2-4:2015+AMD1:2017 CSV, Security for industrial automation and control systems. International Society of Automation (ISA).
  5. The 20 CIS Controls & Resources. Center for Internet Security (CIS). Retrieved February 18, 2021, from: https://www.cisecurity.org/controls/cis-controls-list/
  6. AWS Services and Customer Responsibility Matrix for Alignment to the CSF can be downloaded from here: https://aws.amazon.com/compliance/nist/
  7. An overview of the AWS Cloud Adoption Framework (CAF), Ver. 2. Amazon Web Services, Inc.
  8. An overview of AWS capabilities that can be leveraged with NIST CSF: https://d1.awsstatic.com/whitepapers/compliance/NIST_Cybersecurity_Framework_CSF.pdf

About the Author

Dipanshu Bhatnagar is a Principal Consultant Cloud Security Specialty at Encryption Consulting working with PKIs, AWS Cloud Cryptographic services and tools, Google Cloud Cryptographic Services, and helping high profile clients towards their cloud journey with complete data privacy assurance.


Read Time: 7 min

In today’s world, protecting your data is the most critical job at hand for any security expert. Once the data is protected with the help of a data protection tool and passphrases or passwords, the next challenge is how to protect the passphrases, passwords, or secrets themselves. That’s when you need a software or hardware tool that can help you manage the secrets effectively and efficiently. AWS Secrets Manager is one such tool that can manage, retrieve, and rotate passwords, database credentials, API keys, and other secrets throughout their lifecycle. It provides central credential management with strong security, which avoids hard-coding credentials in the code.

Today, we will discuss the AWS Secrets Manager and its role in credential management facilitating some of the critical security use cases.

Characteristics of AWS Secrets Manager

AWS Secrets Manager provides various characteristics with respect to credentials management, such as:

  1. Integration with AWS KMS: AWS Secrets Manager is fully integrated with AWS KMS service and encrypts secrets as data-at-rest encryption with the Customer managed KMS keys. While retrieving the secrets, it decrypts the secrets using the same CMK KMS keys used earlier for encryption and transmits the secrets to your local environment securely.
  2. Secret Rotation: AWS Secrets Manager enables you to meet security and compliance requirements as per your organization’s goal. It provides you the secret rotation functionality on-demand or on a scheduled basis through the AWS management console, AWS SDK, or AWS CLI.
  3. Integrating with AWS Database services: AWS Secrets Manager supports native AWS database services such as Amazon RDS, Amazon DocumentDB, and Amazon Redshift. It also provides you the capability to rotate other types of secrets such as API Keys, OAuth tokens, and other credentials with the help of customized lambda functions.
  4. Contains multiple versions of secrets: AWS Secrets Manager can contain multiple versions of secrets with the help of staging labels attached with the version while rotating the secrets. Each secrets’ version contains a copy of the encrypted secret value.
  5. Manage access with fine-grained policies: AWS Secrets Manager provides you flexible access management using IAM policies and resource-based policies. For example, you can retrieve secrets from your custom application running on EC2 to connect to a specific database instance (on-prem or cloud).
  6. Secure and audit secrets centrally: AWS Secrets Manager is fully integrated with the AWS CloudTrail service for logging and audit purposes. For example, AWS CloudTrail will show the API calls related to creating the secret, retrieving the secret, deleting the secret, etc.

We have discussed some of the characteristics of the Secrets Manager. Now, below are the key points to be kept in mind while working with Secrets Manager:

  1. You can manage secrets for databases, resources in On-prem & AWS cloud, SaaS applications, third-party API keys, and SSH keys, etc.
  2. AWS Secrets Manager provides compliance with all the major industry standards such as HIPAA, PCI-DSS, ISO, FedRAMP, SOC, etc.
  3. Secrets Manager doesn’t store the secrets in plaintext in persistent storage.
  4. Since the Secrets Manager provides the secrets over the secure channel, it doesn’t allow any request from any host in an unsecure fashion.
  5. Secrets Manager supports the AWS tags feature, so you can implement tag-based access control on secrets managed by the secrets manager.
  6. To keep the traffic secured and without passing through the open internet, you can configure a private endpoint within your VPC to allow communication between your VPC and Secrets Manager.
  7. Secrets Manager doesn’t delete the secrets immediately; rather, it schedules the deletion for a minimum period of 7 days. Within those 7 days, you may recover the secrets depending upon your requirements; after the scheduled period, the secrets are deleted permanently. However, through the AWS CLI, you may delete any secrets on an immediate basis.
  8. The AWS Secrets Manager offers a cost-effective pricing model where it charges $0.40 per secret per month or $0.05 per 10K API calls.

Use cases for AWS Secrets Manager

  1.  Secrets Manager avoids the need for hard-coding the credentials or sensitive information in your application code. It serves the purpose of having an API call to the secrets manager to retrieve the secret programmatically. Having this mechanism in place restricts anyone from compromising sensitive information or credentials as secret information doesn’t exist in the plaintext in the code.
  2. Secrets Manager provides centralized credential management, which reduces the operational burden resulting in the active rotation of credentials at regular intervals to improve the security posture of the organization.

Resources: https://aws.amazon.com/secrets-manager/pricing/

Conclusion:

Secret management plays a critical role in data protection for any organization in any environment (On-prem or Cloud). AWS Secrets Manager provides a rich feature set when it comes to secret management solutions. It supports a wide variety of secrets such as database credentials, credentials for On-prem resources, SaaS application credentials, API keys, and SSH keys, etc. In today’s security world, there are a number of secret management solutions available; however, considering the fact that AWS Secrets Manager works seamlessly in the AWS environment, it also provides great compatibility with other environments (On-prem) as well.

About the Author

Dipanshu Bhatnagar is a Principal Consultant Cloud Security Specialty at Encryption Consulting working with PKIs, AWS Cloud Cryptographic services and tools, Google Cloud Cryptographic Services, and helping high profile clients towards their cloud journey with complete data privacy assurance.


Read time: 7 min

In today’s Internet world, the image of a green padlock in the browser is unanimously thought to be a synonym for trust. This green padlock is used to represent an active and valid SSL certificate, indicating the trustworthiness of your website in terms of security and proper authentication. Protecting your website is crucial for your organization’s reputation and for gaining customers’ trust.

SSL (Secure Socket Layer) provides end-to-end security between the client and server, by establishing a secure channel with the help of encryption. SSL exchanges the cryptographic information on behalf of the client and server and forms a trust relationship between them to ensure the information exchanged is private and secure.

One of the most important aspects of the SSL certificate lifecycle is its expiry. The dates associated with the expiry of the certificate play a very critical role in providing assurance about the server’s security landscape. A valid server certificate presents the unique identity of the server to the browser, so that the browser can establish which server it is talking to.
Fixing expired certificates without prolonged delay is vital for any organization to avoid data theft or damage. Websites with no certificate or an expired certificate are prone to attacks, which can lead to serious consequences.

Why do certificates expire?

There have been long debates about why long-lasting certificates don’t exist.
The answer is very simple: security. Let me explain why and how.
A certificate provides two attributes: authentication and encryption.
The authentication attribute of a certificate validates and verifies the true identity of the end entity, i.e., the domain, by various means during the validation process. Based on the outcome of the validation process, a certificate is issued for the end entity to owner A.

Now, let’s assume the ownership of the end entity changes from owner A to owner B while the certificate issued to the end entity is still valid. What if the new owner B misuses the certificate or domain in the name of owner A, as the certificate still contains the information proprietary to owner A? Thus, it’s important for Certificate Authorities that issue trusted certificates to ensure that the information they use to authenticate domains and organizations is as up-to-date and accurate as possible; hence it is mandatory to associate an expiry date with the certificate.

Significance of expired SSL certificates

As mentioned earlier, every SSL certificate has a validity period associated with it. Once this period is over, the SSL certificate becomes invalid and the browser starts displaying a warning message on the webpage.
In general, the validity period of SSL certificates is 3 years or less. During this period, the certificate signifies that the information contained therein is accurate and up-to-date. This also manifests trustworthiness, legitimate ownership of the domain, security, and privacy on the platform.

It is important for your organization to monitor its certificates regularly and renew them before they expire. In practice, Certificate Authority vendors send out notifications at regular intervals about certificates that are due to expire in the near future; otherwise, an expired certificate might result in an outage for business users and mission-critical applications. In addition, there are vendors that provide certificate lifecycle management solutions through their proprietary software. These software solutions automate the overall certificate lifecycle management process, including renewal of the certificates.
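The monitoring step can be sketched as a check over a PEM bundle that sorts each certificate into ok, renew-now, or expired. This Go program is an added example, not a vendor tool: the 30-day renewal window, the fixed clock, the status labels and the three self-signed certificates (constructed in memory for hypothetical example.com names) are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Fixed clock and renewal window so that every run gives the same result.
var demoNow = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)

const day = 24 * time.Hour
const demoWindow = 30 * day

// makeCertPEM returns a throwaway self-signed certificate in PEM form
// (constructed test input, not any real site's certificate).
func makeCertPEM(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// SampleBundle concatenates three constructed certificates into one bundle.
func SampleBundle(now time.Time) ([]byte, error) {
	names := []string{"shop.example.com", "api.example.com", "legacy.example.com"}
	left := []time.Duration{200 * day, 10 * day, -2 * day}
	var bundle []byte
	for i, cn := range names {
		p, err := makeCertPEM(cn, now.Add(-400*day), now.Add(left[i]))
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, p...)
	}
	return bundle, nil
}

// Report is the monitoring result for one certificate.
type Report struct {
	Name, Status string
	DaysLeft     int
}

// CheckBundle parses every CERTIFICATE block in a PEM bundle and classifies
// it against the clock and the renewal window.
func CheckBundle(bundle []byte, now time.Time, window time.Duration) ([]Report, error) {
	var out []Report
	for {
		var block *pem.Block
		block, bundle = pem.Decode(bundle)
		if block == nil {
			return out, nil
		}
		if block.Type != "CERTIFICATE" {
			continue // bundles often carry keys or parameters as well
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		r := Report{Name: cert.Subject.CommonName, DaysLeft: int(cert.NotAfter.Sub(now) / day)}
		switch {
		case now.Before(cert.NotBefore):
			r.Status = "not-yet-valid"
		case now.After(cert.NotAfter):
			r.Status = "expired"
		case cert.NotAfter.Sub(now) <= window:
			r.Status = "renew-now"
		default:
			r.Status = "ok"
		}
		out = append(out, r)
	}
}

func main() {
	bundle, _ := SampleBundle(demoNow)
	reports, _ := CheckBundle(bundle, demoNow, demoWindow)
	for _, r := range reports {
		fmt.Printf("%-20s %-10s %4d days\n", r.Name, r.Status, r.DaysLeft)
	}
}
```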

Fixing expired SSL certificate

Organizations should always be alerted before a certificate expires; however, that is not always the case. The steps to renew an expired certificate are as follows:
Renew the expired certificate

  1. Generating a New CSR (Certificate Signing Request)

    This can be generated on the platform of your SSL service provider or by contacting your SSL service provider.

  2. Selecting the appropriate SSL Certificate

    You need to select the appropriate SSL certificate as per your requirements. There are various certificates that carry different validation levels.

  3. Domain Validation

    Domain validation is needed in order to prove ownership of the domain by your organization. In general, there are three methods for domain validation:

    • Email validation
    • HTTP validation
    • DNS-based validation

  4. Installing the SSL Certificate

    Once the domain validation is completed, a new certificate is issued for your domain. Once the new certificate is received via email, you can go ahead and install the certificate on the server or appliance.

Note: In general, the SSL certificate can be renewed before the certificate is expired. If the certificate is already expired, then you might need to raise a new request to issue a new certificate.

Implications of an expired SSL certificate

When an expired SSL certificate is in use, there is a continuous risk to the encryption and mutual authentication of the website. Websites with expired certificates are prone to attacks by hackers. Unsecured websites could be hacked and critical information might be leaked.
Browsers show a warning message for websites with expired certificates. This might result in the loss of business for your organization, as some prospective customers might choose not to initiate business communication with a site that is not secure.
In the Internet age, a secure online presence presents many business opportunities with respect to prospective customers; however, this requires your SSL certificate to be up-to-date to maintain a trust relationship.

Conclusion

Keeping SSL certificates active is crucial to maintaining the authenticity and trustworthiness of your website. In addition to safeguarding information, SSL certificates help to make a positive impression on customers. Understanding certificate expiration and why expired certificates must be fixed is important in enhancing the reputation of your brand and business.

About the Author

Dipanshu Bhatnagar is a Principal Consultant Cloud Security Specialty at Encryption Consulting working with PKIs, AWS Cloud Cryptographic services and tools, Google Cloud Cryptographic Services, and helping high profile clients towards their cloud journey with complete data privacy assurance.

When a message is sent across a connection, normally a TLS/SSL connection is used to encrypt the data in the message. To create this connection, a TLS Handshake occurs. Inside of that Handshake, the client and server exchange available cipher suites to ensure they use the same ciphers during the TLS Handshake.

A cipher suite provides instructions on how to secure the TLS/SSL connection by providing information on which ciphers are used by the client or server to create keys, authenticate users, etc. Cipher suites must be traded between the client and server to ensure the ciphers used in the TLS Handshake match and the client and server can understand each other.

How does a TLS handshake work?


A TLS Handshake is the process undertaken between a client and server to create a secure connection and encrypt the data sent through that connection. A TLS Handshake contains the following steps:

  1. Client Hello

    The client hello stage involves the client sending a request to the server to communicate. The TLS version, cipher suites supported, and a string of random bytes known as the “client random” are included in the hello.

  2. Server Hello

    In the server hello, the server acknowledges the client hello and ensures it is using a TLS version that is compatible with the client TLS version. The server also selects a compatible cipher suite from the ones offered by the client, and sends its certificate, the server random (similar to the client random), and the public key to the client.

  3. Certificate Validation

    The validity of the server’s certificate is then checked by the client through the certificate authority. The certificate authority, or CA, is a highly trusted entity given the responsibility of signing and generating digital certificates.

  4. Pre-Master String

    In this stage, the client encrypts a random string of bytes, called the “Pre-Master String”, with the server’s public key and sends it back to the server. This ensures that only the server can decrypt the string with its own private key, which adds an extra layer of security to the process.

  5. Session Key Creation

    The server then decrypts the pre-master string, and both the client and server create session keys from the client random, the server random, and the pre-master string.

  6. Finished Messaging

    Finally, the client and server send each other messages saying they have finished creating their keys, and they compare keys with each other. If the session keys match, the TLS Handshake is completed, and the session keys are used to encrypt and decrypt any data sent between the server and client.
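Steps 5 and 6 can be made concrete with the TLS 1.2 pseudo-random function from RFC 5246. This is an added example, not code from the original article: the randoms, pre-master string and transcript are constructed values, the RSA transport of the pre-master string in step 4 is omitted, and the Finished check is modelled as the RFC's `verify_data` comparison.

```python
import hashlib
import hmac

def prf(secret, label, seed, length):
    """TLS 1.2 PRF (RFC 5246, section 5): P_SHA256(secret, label + seed)."""
    seed = label + seed
    out, a = b"", seed                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()       # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def derive_session_keys(pre_master, client_random, server_random):
    """Step 5: master secret first, then the per-direction keys."""
    master = prf(pre_master, b"master secret",
                 client_random + server_random, 48)
    # Sized for AES-256-CBC with HMAC-SHA256: four 32-byte keys.
    block = prf(master, b"key expansion",
                server_random + client_random, 128)
    names = ("client_mac", "server_mac", "client_enc", "server_enc")
    keys = {n: block[i * 32:(i + 1) * 32] for i, n in enumerate(names)}
    return master, keys

def finished(master, label, transcript):
    """Step 6: 12-byte verify_data over the hash of the handshake so far."""
    digest = hashlib.sha256(transcript).digest()
    return prf(master, label, digest, 12)

# Constructed values standing in for one handshake (not a real capture).
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
PRE_MASTER = b"\x03\x03" + bytes(46)   # version bytes + 46 placeholder bytes
TRANSCRIPT = b"ClientHello|ServerHello|Certificate|ClientKeyExchange"

def run_handshake(server_sees_transcript=TRANSCRIPT):
    """Each side derives on its own; the server checks the client's Finished."""
    c_master, c_keys = derive_session_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    s_master, s_keys = derive_session_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    sent = finished(c_master, b"client finished", TRANSCRIPT)
    expected = finished(s_master, b"client finished", server_sees_transcript)
    return c_keys == s_keys and hmac.compare_digest(sent, expected)
```

If the server's view of the handshake messages differs from the client's by even one byte, the Finished values no longer match and the handshake fails.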

Now that we understand how a TLS Handshake works, we can focus on cipher suites in a TLS Handshake specifically.

Cipher Suites

Cipher suites contain four different components:

  1. Key Exchange Algorithm

    The information exchange process requires either a secure connection over which to send unencrypted data, or a key shared between the client and server. This key is used by the client to encrypt data and by the server to decrypt it. Since one key is used for both encryption and decryption, this is symmetric encryption. To share that key, an algorithm called the key exchange algorithm was created to encrypt the symmetric encryption key in transit. This ensures the integrity of the data as well as the security of the symmetric encryption key. The key exchange algorithm is an encryption algorithm shared between client and server so that each side of the connection can decrypt and use the symmetric encryption key. RSA, DH, ECDH and ECDHE are all examples of key exchange algorithms.

  2. Authentication Algorithm

    This algorithm is a way of ensuring the identity of the sender. Usually a password and username are used in the process of authenticating the client. The most common authentication algorithms are RSA, DSA and ECDSA.

  3. Bulk Data Encryption Algorithm

    The bulk data encryption algorithm is the algorithm used to encrypt the central data of the message. As the main part of the message is what attackers are attempting to steal or modify, the algorithm used here should be extremely secure. AES, 3DES and Camellia are the most common bulk data encryption algorithms used by cipher suites.

  4. Message Authentication Code (MAC) Algorithm

    The MAC is a section of information sent along to authenticate the client. The MAC algorithm is the algorithm used to encrypt the MAC. The server compares the MAC received and the MAC they calculate to ensure they match. Normally a Cyclic Redundancy Check algorithm, or CRC, is used with a MAC to check for damaged portions of the message, but a CRC cannot protect against intentional changes to the MAC. If an attacker obtains the message, changes the MAC, and calculates a new checksum, then the server will never know that the MAC was changed. SHA and MD5 are the most commonly used MAC algorithms.

An example of version 1.2 cipher suite naming is TLS_DHE_RSA_AES256_SHA256. The first portion, TLS, specifies what the cipher suite is used for. TLS is the most common use for cipher suites. The second algorithm name, DHE, is the key exchange algorithm used. RSA is the authentication algorithm, AES256 is the bulk data encryption algorithm, and SHA256 is the MAC algorithm. Version 1.2 cipher suite names are short, but other cipher suite versions support different algorithms and are even shorter.

The most widely used cipher suite version is version 1.2, even though version 1.3 already exists. The reason for using an older version over a newer one is the number of options offered by each version. Version 1.2 cipher suites offer 37 ciphers, and each name contains 4 algorithms, not including the prefix stating what the cipher suite is used for. Version 1.3, on the other hand, offers only 5 ciphers and includes 2 algorithms in its naming. Version 1.2 also offers more secure algorithms compared to 1.3. However, the naming of the cipher suite and the number of ciphers offered in version 1.3 shorten the TLS Handshake significantly. Version 1.3 naming looks like this: TLS_AES_256_GCM_SHA384. The fewer ciphers used, and the shorter the name, the faster the TLS Handshake.
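The naming scheme above can be checked mechanically. This added example (not from the original article) splits a suite name into the four components the text lists; it goes beyond the two names shown by also accepting the IANA registry spelling, which places `_WITH_` between the key exchange/authentication part and the cipher/MAC part. The function and field names are assumptions of this sketch.

```python
AEAD_MARKERS = ("GCM", "CCM", "POLY1305")
TLS13_CIPHERS = ("AES", "CHACHA20")  # first token of every TLS 1.3 suite name

def parse_suite(name):
    """Split a TLS cipher suite name into the components the text describes."""
    tokens = name.strip().split("_")
    if len(tokens) < 4 or tokens[0] != "TLS":
        raise ValueError(f"not a TLS cipher suite name: {name!r}")
    body = tokens[1:]
    if "WITH" in body:                       # IANA TLS 1.2 spelling
        split = body.index("WITH")
        left, right = body[:split], body[split + 1:]
        if not left or len(right) < 2:
            raise ValueError(f"malformed suite name: {name!r}")
        kx, auth = left[0], left[-1]         # TLS_RSA_WITH_...: RSA does both
        version = "1.2"
    elif body[0] in TLS13_CIPHERS:           # TLS 1.3: cipher and hash only
        kx = auth = None                     # negotiated outside the suite
        right, version = body, "1.3"
    else:                                    # short form used in the text
        if len(body) != 4:
            raise ValueError(f"malformed suite name: {name!r}")
        kx, auth, right, version = body[0], body[1], body[2:], "1.2"
    cipher = "_".join(right[:-1])
    return {
        "version": version, "key_exchange": kx, "authentication": auth,
        "cipher": cipher, "mac_or_hash": right[-1],
        # AEAD ciphers authenticate records themselves; the trailing hash
        # then feeds key derivation instead of a separate record MAC.
        "aead": any(marker in cipher for marker in AEAD_MARKERS),
    }

SAMPLES = [  # the article's two names plus IANA-registered ones
    "TLS_DHE_RSA_AES256_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    for suite in SAMPLES:
        print(suite, parse_suite(suite))
```
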

Conclusion

Cipher suites are an integral part of the TLS Handshake, telling the client and server how to encrypt their information for the other to understand. The TLS Handshake, which connects a client and server in a secure connection, is used every day to connect to websites, so ensuring it is as secure as it can be is extremely important. Cipher suites are just one way to ensure safe and trusted connections. Code signing, proper certificate management, and secure SSH keys are other secure connection methods that must also be implemented properly to ensure the most secure connection to servers.

About the Author

Riley Dickens is a Consultant at Encryption Consulting, working with PKIs, creating Google Cloud applications, and working as a consultant with high-profile clients.
