practical mtls
play

PRACTICAL MTLS Ying Li @cyli PROBLEM TYPICAL MICROSERVICE - PowerPoint PPT Presentation

Mar 09, 2023 •113 likes •736 views

MINIMIZING THE WINDOW OF COMPROMISE PRACTICAL MTLS Ying Li @cyli PROBLEM TYPICAL MICROSERVICE ARCHITECTURE VPC S1 DB S2 S1 S3 PROBLEM VLAN-TASTIC MICROSERVICE ARCHITECTURE S1 DB S2 S1 S3 PROBLEM CORRECT MICROSERVICE ARCHITECTURE

  1. MINIMIZING THE WINDOW OF COMPROMISE PRACTICAL MTLS Ying Li @cyli

  2. PROBLEM TYPICAL MICROSERVICE ARCHITECTURE VPC S1 DB S2 S1 S3

  3. PROBLEM VLAN-TASTIC MICROSERVICE ARCHITECTURE S1 DB S2 S1 S3

  4. PROBLEM CORRECT MICROSERVICE ARCHITECTURE S1 DB S2 S1 S3

  5. PROBLEM APPLICATION TLS LIFECYCLE Bootstrap Revoke Renew

  6. PROBLEM BOOTSTRAP • CSR ➡ CA • Configuration

  7. PROBLEM RENEW • Schedule

  8. PROBLEM RENEW • Schedule • CSR ➡ CA • Configuration

  9. PROBLEM RENEW • Schedule • CSR ➡ CA • Configuration • Restart

  10. PROBLEM REVOKE • CRL • OCSP [Stapling]

  11. PRINCIPLE AUTOMATE, AUTOMATE, AUTOMATE • Promotes adoption of mTLS

  12. PRINCIPLE AUTOMATE, AUTOMATE, AUTOMATE • Promotes adoption of mTLS • Single location for private key

  13. PRINCIPLE AUTOMATE, AUTOMATE, AUTOMATE • Promotes adoption of mTLS • Single location for private key • Shorter certificate expiry

  14. SWARMKIT OVERVIEW https://github.com/docker/swarmkit

  15. SWARMKIT OVERVIEW CLUSTER Worker Worker Manager Manager Manager Worker Worker Worker Worker

  16. SWARMKIT OVERVIEW Node Node CLUSTER Worker Worker Manager Node Node Manager Manager Worker Worker Node Node Worker Worker

  17. SWARMKIT OVERVIEW CLUSTER Worker Worker Manager raft store Manager Manager Worker Worker Worker Worker

  18. SWARMKIT OVERVIEW CLUSTER Node Node CA raft store CA CA Node Node Node Node

  19. SWARMKIT’S IMPLEMENTATION

  20. SWARMKIT’S IMPLEMENTATION BOOTSTRAP Token Random Version Secret SWMTKN-1-mx8suomaom825bet6-cm6zts22rl4hly2 Known Hash Prefix of Root CA

  21. SWARMKIT’S IMPLEMENTATION BOOTSTRAP CA 1. Retrieve, validate Root CA certificate. 1 Node

  22. SWARMKIT’S IMPLEMENTATION BOOTSTRAP CA 1. Retrieve, validate Root CA certificate. 2 2. CSR + secret token ➡ CA. (TLS) 1 Node

  23. SWARMKIT’S IMPLEMENTATION BOOTSTRAP CA 1. Retrieve and validate Root CA Public key material. 2 2. CSR + secret token ➡ CA. (TLS) 1 3 3. Get certificate. (TLS) Node

  24. SWARMKIT’S IMPLEMENTATION RENEW 50% 80% Valid Valid From Until

  25. SWARMKIT’S IMPLEMENTATION RENEW CA 1. CSR + ➡ CA. (mTLS) 2.Get certificate. (mTLS) 1 2 Node

  26. SWARMKIT’S IMPLEMENTATION RENEW 1. Trigger extra leader election 2. Workers all need to reconnect Restart to managers 3. Reschedule work

  27. SWARMKIT’S IMPLEMENTATION RENEW

  28. SWARMKIT’S IMPLEMENTATION RENEW

  29. SWARMKIT’S IMPLEMENTATION RENEW Server Existing connections New connections

  30. SWARMKIT’S IMPLEMENTATION RENEW Client Existing connections New connections

  31. SWARMKIT’S IMPLEMENTATION REVOKE

  32. SWARMKIT’S IMPLEMENTATION REVOKE REMOVE CRLS, OCSP [Stapling]

  33. SWARMKIT’S IMPLEMENTATION REMOVE NODE BLACKLIST Node ID Certificate Expiry a8h1vsk3k9o5nwea858ty9kma 2017-08-26 01:02:52 UTC k80l2au3yq9f7x6r2oca13vwt 2017-07-15 11:35:23 UTC n970d5be9ccgnreg4iti4jho3 2017-08-01 22:59:05 UTC

  34. SWARMKIT’S IMPLEMENTATION REMOVE Worker/Manager Manager Request Validate node ID against blacklist Authorize role Perform work Response Worker/Manager Manager

  35. SWARMKIT’S IMPLEMENTATION REMOVE BLACKLIST VS WHITELIST

  36. SWARMKIT’S IMPLEMENTATION REMOVE Manager delayed join Manager Manager

  37. SWARMKIT’S IMPLEMENTATION REMOVE Manager Manager Manager

  38. PROBLEM Rotate CA

  39. PROBLEM CA ROTATION • (conf.) All nodes: trust old and new CA 1 • (wait.) Verify all nodes

  40. PROBLEM CA ROTATION • (conf.) All nodes: trust old and new CA 1 • (wait.) Verify all nodes • (conf.) All nodes: renew certificates 2 • (wait.) Verify all nodes

  41. PROBLEM CA ROTATION • (conf.) All nodes: trust old and new CA 1 • (wait.) Verify all nodes • (conf.) All nodes: renew certificates 2 • (wait.) Verify all nodes • (conf.) All nodes: trust new CA only 3 • (wait.) Verify all nodes

  42. PRINCIPLE CROSS-SIGNED INTERMEDIATE Root A Root Root B B Key Info: A Key Info: B X Signed by: A Signed by: B Leaf cert: X Signed by: B Root: B

  43. PRINCIPLE CROSS-SIGNED INTERMEDIATE Root A Root Root B A Key Info: A Key Info: B X Signed by: A Signed by: B Leaf cert: X Signed by: B Root: A

  44. PRINCIPLE CROSS-SIGNED INTERMEDIATE Root A Root A Key Info: A Root A Intermediate Root B’ B DN: A Signed by: A Key Info: B Key Info: B DN: B DN: B Signed by: A Signed by: B

  45. PRINCIPLE CROSS-SIGNED INTERMEDIATE Root A Leaf cert: X Signed by: B’ Root A Intermediate B’ Root: A X

  46. PRINCIPLE CROSS-SIGNED INTERMEDIATE Root A Leaf cert: X Signed by: B Root A Root B Intermediate B’ Root: B X

  47. SWARMKIT’S IMPLEMENTATION CA ROTATION • (conf.) All nodes: trust old and new CA • (wait.) Verify all nodes • Generate cross-signed intermediate

  48. SWARMKIT’S IMPLEMENTATION CA ROTATION • Generate cross-signed intermediate • (conf.) All nodes: renew certificates 1 • (wait.) Verify all nodes

  49. SWARMKIT’S IMPLEMENTATION CA ROTATION • Generate cross-signed intermediate • (conf.) All nodes: renew certificates 1 • (wait.) Verify all nodes • (conf.) All nodes: trust new CA 2 • (wait.) Verify all nodes • Throw away cross-signed intermediate

  50. SWARMKIT’S IMPLEMENTATION CA ROTATION: BEFORE ROTATION Node Trust Cluster Root A Root A Root: Trust Root: Root A Node TLS Cluster Root A Certificate: Cert Issuer: Root A Z

  51. SWARMKIT’S IMPLEMENTATION CA ROTATION: START ROTATION Node Trust Cluster Root A Root A Root: Trust Root: Root A Root A Node TLS Cluster Certificate: Cert Issuer: Root A Root A Intermediate Z B’

  52. SWARMKIT’S IMPLEMENTATION CA ROTATION: NODE CERT RENEWAL Node Trust Cluster Root A Root A Root: Trust Root: Root Root A Node TLS Cluster A Certificate: Cert Issuer: Root A Intermediate Root A B Intermediate B’ X

  53. SWARMKIT’S IMPLEMENTATION CA ROTATION: NODE CERT RENEWAL Node1 Node2 Node3 Node4 Node5 Root A Root A Root A Root A Root A Trust Root Root Root Root Root Root A A A TLS A A Ro A Ro A Ro A Certificate Intermediate Intermediate Intermediate B B B Z Z X X X

  54. SWARMKIT’S IMPLEMENTATION CA ROTATION: ROTATE TRUST ROOT Node Trust Cluster Root B Root B Root: Trust Root: Root A Root A Node TLS Cluster Certificate: Cert Issuer: Root A Intermediate Root B B Root A Intermediate B’ X

  55. SWARMKIT’S IMPLEMENTATION CA ROTATION: ROTATE TRUST ROOT Node1 Node2 Node3 Node4 Node5 Root B Root B Root A Root A Root B Trust Root Root Root Root Root Root A A A A A TLS Ro A Ro A Ro A Ro A Ro A Certificate Intermediate Intermediate Intermediate Intermediate Intermediate B B B B B X X X X X

  56. SWARMKIT’S IMPLEMENTATION CA ROTATION: FINISH ROOT ROTATION Node Trust Cluster Root B Root B Root: Trust Root: Root A Node TLS Cluster Root B Certificate: Cert Issuer: Root A Intermediate Root B B X

  57. DEMO

  58. SUMMARY MINIMIZING THE WINDOW OF COMPROMISE

  59. SUMMARY MINIMIZING THE WINDOW OF COMPROMISE • automatic bootstrap, renewal • short certificate expiry

  60. SUMMARY MINIMIZING THE WINDOW OF COMPROMISE • automatic bootstrap, renewal • short certificate expiry • certificate revocation • CA rotation

  61. SUMMARY MORE INFORMATION https://github.com/docker/swarmkit https://diogomonica.com/2017/01/11/hitless-tls-certificate-rotation-in-go/ https://github.com/cloudflare/cfssl (@cyli)

Recommend

Practical Experience with Practical Experience with Practical Experience with Practical

Practical Experience with Practical Experience with Practical Experience with Practical

Practical Experience with Practical Experience with Practical Experience with Practical Experience with performance monitoring performance monitoring performance monitoring performance monitoring Ryszard Jurga CERN openlab March 29, 2006

577 views • 24 slides
ARDUINO & ELECTRONICS PRACTICAL PRACTICAL SESSION 1 Part of SmartProducts ARDUINO &

ARDUINO & ELECTRONICS PRACTICAL PRACTICAL SESSION 1 Part of SmartProducts ARDUINO &

ARDUINO & ELECTRONICS PRACTICAL PRACTICAL SESSION 1 Part of SmartProducts ARDUINO & ELECTRONICS PRACTICAL Fjodor van Slooten PRACTICAL SESSION 1 W241 (Horst-wing West) f.vanslooten@utwente.nl Goal: Become familiar with Electronics

437 views • 18 slides
Practical Neuropsychology for the NZ setting; from Assessment Planning to Formulation of

Practical Neuropsychology for the NZ setting; from Assessment Planning to Formulation of

Practical Neuropsychology for the NZ setting; from Assessment Planning to Formulation of Practical Recommendations. Dr Susan Shaw Outline This workshop is based upon practical experience Includes what neuropsychologists in NZ do well,

747 views • 36 slides
Practical Bioinformatics Mark Voorhies 5/15/2015 Mark Voorhies Practical Bioinformatics

Practical Bioinformatics Mark Voorhies 5/15/2015 Mark Voorhies Practical Bioinformatics

Practical Bioinformatics Mark Voorhies 5/15/2015 Mark Voorhies Practical Bioinformatics Gotchas Indentation matters Mark Voorhies Practical Bioinformatics Clustering exercises Visualizing the distance matrix Mark Voorhies Practical

705 views • 46 slides
Practical Bioinformatics Mark Voorhies 5/ 24/ 2013 Mark Voorhies Practical Bioinformatics

Practical Bioinformatics Mark Voorhies 5/ 24/ 2013 Mark Voorhies Practical Bioinformatics

Practical Bioinformatics Mark Voorhies 5/ 24/ 2013 Mark Voorhies Practical Bioinformatics Clustering exercises { Visualizing the distance matrix Mark Voorhies Practical Bioinformatics Scripting Cluster Running Cluster3 from the command line

401 views • 7 slides
Practical Analog Filters Overview Types of practical filters Filter specifications

Practical Analog Filters Overview Types of practical filters Filter specifications

Practical Analog Filters Overview Types of practical filters Filter specifications Tradeoffs Many examples J. McNames Portland State University ECE 222 Practical Analog Filters Ver. 1.04 1 Ideal Filters Lowpass Highpass

643 views • 48 slides
Practical Bioinformatics Mark Voorhies 5/26/2015 Mark Voorhies Practical Bioinformatics Habits

Practical Bioinformatics Mark Voorhies 5/26/2015 Mark Voorhies Practical Bioinformatics Habits

Practical Bioinformatics Mark Voorhies 5/26/2015 Mark Voorhies Practical Bioinformatics Habits are things you get for free, without requiring any special work. Cory Doctorow Advice to Writers, 4/5/2012 Mark Voorhies Practical

521 views • 27 slides
Practical Bioinformatics Mark Voorhies 5/22/2015 Mark Voorhies Practical Bioinformatics PAM

Practical Bioinformatics Mark Voorhies 5/22/2015 Mark Voorhies Practical Bioinformatics PAM

Practical Bioinformatics Mark Voorhies 5/22/2015 Mark Voorhies Practical Bioinformatics PAM (Dayhoff) and BLOSUM matrices PAM1 matrix originally calculated from manual alignments of highly conserved sequences (myoglobin, cytochrome C, etc.)

979 views • 71 slides
Curricular Practical Training (CPT) International Students Curricular Practical Training (CPT)

Curricular Practical Training (CPT) International Students Curricular Practical Training (CPT)

Curricular Practical Training (CPT) International Students Curricular Practical Training (CPT) Defined as employment which is an integral or important part of the students curriculum Today we will discuss: Rules and Regulations

82 views • 7 slides
Office of International Engagement Optional Practical Training (OPT) Optional Practical

Office of International Engagement Optional Practical Training (OPT) Optional Practical

Office of International Engagement Optional Practical Training (OPT) Optional Practical Training A period in which undergraduate and graduate students with an F-1 or F-3 status who have completed or have been pursuing a degree for one full

479 views • 14 slides
Practical Bioinformatics Mark Voorhies 4/16/2018 Mark Voorhies Practical Bioinformatics

Practical Bioinformatics Mark Voorhies 4/16/2018 Mark Voorhies Practical Bioinformatics

Practical Bioinformatics Mark Voorhies 4/16/2018 Mark Voorhies Practical Bioinformatics JavaTreeView link-out for ENSEMBL Mouse http://www.ensembl.org/Mus musculus/Gene/Summary?g=HEADER Mark Voorhies Practical Bioinformatics Science! Mark

767 views • 20 slides
Practical Bioinformatics Mark Voorhies 5/23/2019 Mark Voorhies Practical Bioinformatics

Practical Bioinformatics Mark Voorhies 5/23/2019 Mark Voorhies Practical Bioinformatics

Practical Bioinformatics Mark Voorhies 5/23/2019 Mark Voorhies Practical Bioinformatics JavaTreeView link-out for ENSEMBL Mouse http://www.ensembl.org/Mus musculus/Gene/Summary?g=HEADER Mark Voorhies Practical Bioinformatics Science! Mark

330 views • 13 slides
Practical examples using Adlib API Bert Degenhart Drenth Rui Mendes Practical examples using

Practical examples using Adlib API Bert Degenhart Drenth Rui Mendes Practical examples using

Practical examples using Adlib API Bert Degenhart Drenth Rui Mendes Practical examples using Adlib API Commands categories Search Write Select Lock Utilities Choosing the correct implementation jQuery plugin

670 views • 51 slides
Practical Use of XML XML Practical Use of Rostislav Titov IT-AIS-EB (e-Business) Section CERN

Practical Use of XML XML Practical Use of Rostislav Titov IT-AIS-EB (e-Business) Section CERN

CERN European Organization for Nuclear Research IT Department e Business Section Practical Use of XML XML Practical Use of Rostislav Titov IT-AIS-EB (e-Business) Section CERN Geneva, Switzerland XML XML eXtensible Markup

474 views • 36 slides
AngkorVR Advanced Practical Richard Schnpflug and Philipp Rettig Advanced Practical Tasks

AngkorVR Advanced Practical Richard Schnpflug and Philipp Rettig Advanced Practical Tasks

AngkorVR Advanced Practical Richard Schnpflug and Philipp Rettig Advanced Practical Tasks - Virtual exploration of the Angkor Wat temple complex - Based on Pheakdey Nguonphan 's Thesis called " Computer Modeling, Analysis and

309 views • 30 slides
Practical Bioinformatics Mark Voorhies 5/21/2019 Mark Voorhies Practical Bioinformatics Change

Practical Bioinformatics Mark Voorhies 5/21/2019 Mark Voorhies Practical Bioinformatics Change

Practical Bioinformatics Mark Voorhies 5/21/2019 Mark Voorhies Practical Bioinformatics Change of Coordinates http://xkcd.com/123/ Mark Voorhies Practical Bioinformatics Principal Components Analysis (PCA) Is there a point of view that

264 views • 11 slides
Trusting Trusting the Cloud with the Cloud with Practical Interact Practical Interactive ive

Trusting Trusting the Cloud with the Cloud with Practical Interact Practical Interactive ive

Trusting Trusting the Cloud with the Cloud with Practical Interact Practical Interactive ive Proofs Proofs Graham Cormode G.Cormode@warwick.ac.uk Amit Chakrabarti (Dartmouth) Andrew McGregor (U Mass Amherst) Justin Thaler (Harvard/Yahoo!)

257 views • 14 slides
Practical Software Design & Style Practical Software Design & Style | 15 Sep 2017 | 1/25

Practical Software Design & Style Practical Software Design & Style | 15 Sep 2017 | 1/25

Practical Software Design & Style Practical Software Design & Style | 15 Sep 2017 | 1/25 Practical Software Design & Style Computational science has to develop the same professional integrity as theoretical and experimental

361 views • 25 slides
Basic Topics in PROLOG Practical matters Practical Matters Two Prologs are installed on the

Basic Topics in PROLOG Practical matters Practical Matters Two Prologs are installed on the

Basic Topics in PROLOG Practical matters Practical Matters Two Prologs are installed on the OSU Ling. Dept. UNIX machines: A Brief Reminder Sicstus: Cases and Structural Induction starting: Inputs and Outputs at UNIX

290 views • 14 slides
Module 7 Practical Exercise Module 7 - Practical Exercise Background You and your team are a

Module 7 Practical Exercise Module 7 - Practical Exercise Background You and your team are a

Module 7 Practical Exercise Module 7 - Practical Exercise Background You and your team are a part of the CAA Safety Oversight Department for EDTO Airways, an established WP-911 EDTO operator with 180 Minute EDTO approval for a fleet of 4 WP-911

596 views • 13 slides
Practical Bioinformatics Mark Voorhies 5/11/2015 Mark Voorhies Practical Bioinformatics

Practical Bioinformatics Mark Voorhies 5/11/2015 Mark Voorhies Practical Bioinformatics

Introduction to Python Practical Bioinformatics Mark Voorhies 5/11/2015 Mark Voorhies Practical Bioinformatics Introduction to Python Good ideas shamelessly lifted from David Erle and Josh Pollack Mark Voorhies Practical Bioinformatics

718 views • 46 slides
Public key cryptography: a practical Public key cryptography: a practical approach approach

Public key cryptography: a practical Public key cryptography: a practical approach approach

Public key cryptography: a practical Public key cryptography: a practical approach approach Israel Herraiz <isra@herraiz.org> <israel.herraiz@upm.es> KeyID FE0A7AF3 Fingerprint D0DA E915 BFDD E5CD 8BA0 B159 7E97 2ACB FE0A 7AF3

996 views • 43 slides
Practical Bioinformatics Mark Voorhies 4/9/2018 Mark Voorhies Practical Bioinformatics

Practical Bioinformatics Mark Voorhies 4/9/2018 Mark Voorhies Practical Bioinformatics

Practical Bioinformatics Mark Voorhies 4/9/2018 Mark Voorhies Practical Bioinformatics Clustering exercises Visualizing the distance matrix Mark Voorhies Practical Bioinformatics Dictionaries d i c t i o n a r y = { A : T ,

77 views • 5 slides
Genetic simplex model: practical Sanja Franic, Conor Dolan Practical: estimate the genetic and

Genetic simplex model: practical Sanja Franic, Conor Dolan Practical: estimate the genetic and

Genetic simplex model: practical Sanja Franic, Conor Dolan Practical: estimate the genetic and environmental contributions to temporal stability and change in full-scale IQ measured at four time points (mean ages 5.5, 6.8, 9.7, 12.2, SDs .3,

282 views • 24 slides

More recommend