practical mtls
play

PRACTICAL MTLS Ying Li @cyli PROBLEM TYPICAL MICROSERVICE - PowerPoint PPT Presentation

Mar 09, 2023 •113 likes •736 views

MINIMIZING THE WINDOW OF COMPROMISE PRACTICAL MTLS Ying Li @cyli PROBLEM TYPICAL MICROSERVICE ARCHITECTURE VPC S1 DB S2 S1 S3 PROBLEM VLAN-TASTIC MICROSERVICE ARCHITECTURE S1 DB S2 S1 S3 PROBLEM CORRECT MICROSERVICE ARCHITECTURE

  1. MINIMIZING THE WINDOW OF COMPROMISE PRACTICAL MTLS Ying Li @cyli

  2. PROBLEM TYPICAL MICROSERVICE ARCHITECTURE VPC S1 DB S2 S1 S3

  3. PROBLEM VLAN-TASTIC MICROSERVICE ARCHITECTURE S1 DB S2 S1 S3

  4. PROBLEM CORRECT MICROSERVICE ARCHITECTURE S1 DB S2 S1 S3

  5. PROBLEM APPLICATION TLS LIFECYCLE Bootstrap Revoke Renew

  6. PROBLEM BOOTSTRAP • CSR ➡ CA • Configuration

  7. PROBLEM RENEW • Schedule

  8. PROBLEM RENEW • Schedule • CSR ➡ CA • Configuration

  9. PROBLEM RENEW • Schedule • CSR ➡ CA • Configuration • Restart

  10. PROBLEM REVOKE • CRL • OCSP [Stapling]

  11. PRINCIPLE AUTOMATE, AUTOMATE, AUTOMATE • Promotes adoption of mTLS

  12. PRINCIPLE AUTOMATE, AUTOMATE, AUTOMATE • Promotes adoption of mTLS • Single location for private key

  13. PRINCIPLE AUTOMATE, AUTOMATE, AUTOMATE • Promotes adoption of mTLS • Single location for private key • Shorter certificate expiry

  14. SWARMKIT OVERVIEW https://github.com/docker/swarmkit

  15. SWARMKIT OVERVIEW CLUSTER Worker Worker Manager Manager Manager Worker Worker Worker Worker

  16. SWARMKIT OVERVIEW Node Node CLUSTER Worker Worker Manager Node Node Manager Manager Worker Worker Node Node Worker Worker

  17. SWARMKIT OVERVIEW CLUSTER Worker Worker Manager raft store Manager Manager Worker Worker Worker Worker

  18. SWARMKIT OVERVIEW CLUSTER Node Node CA raft store CA CA Node Node Node Node

  19. SWARMKIT’S IMPLEMENTATION

  20. SWARMKIT’S IMPLEMENTATION BOOTSTRAP Token Random Version Secret SWMTKN-1-mx8suomaom825bet6-cm6zts22rl4hly2 Known Hash Prefix of Root CA

  21. SWARMKIT’S IMPLEMENTATION BOOTSTRAP CA 1. Retrieve, validate Root CA certificate. 1 Node

  22. SWARMKIT’S IMPLEMENTATION BOOTSTRAP CA 1. Retrieve, validate Root CA certificate. 2 2. CSR + secret token ➡ CA. (TLS) 1 Node

  23. SWARMKIT’S IMPLEMENTATION BOOTSTRAP CA 1. Retrieve and validate Root CA Public key material. 2 2. CSR + secret token ➡ CA. (TLS) 1 3 3. Get certificate. (TLS) Node

  24. SWARMKIT’S IMPLEMENTATION RENEW 50% 80% Valid Valid From Until

  25. SWARMKIT’S IMPLEMENTATION RENEW CA 1. CSR + ➡ CA. (mTLS) 2.Get certificate. (mTLS) 1 2 Node

  26. SWARMKIT’S IMPLEMENTATION RENEW 1. Trigger extra leader election 2. Workers all need to reconnect Restart to managers 3. Reschedule work

  27. SWARMKIT’S IMPLEMENTATION RENEW

  28. SWARMKIT’S IMPLEMENTATION RENEW

  29. SWARMKIT’S IMPLEMENTATION RENEW Server Existing connections New connections

  30. SWARMKIT’S IMPLEMENTATION RENEW Client Existing connections New connections

  31. SWARMKIT’S IMPLEMENTATION REVOKE

  32. SWARMKIT’S IMPLEMENTATION REVOKE REMOVE CRLS, OCSP [Stapling]

  33. SWARMKIT’S IMPLEMENTATION REMOVE NODE BLACKLIST Node ID Certificate Expiry a8h1vsk3k9o5nwea858ty9kma 2017-08-26 01:02:52 UTC k80l2au3yq9f7x6r2oca13vwt 2017-07-15 11:35:23 UTC n970d5be9ccgnreg4iti4jho3 2017-08-01 22:59:05 UTC

  34. SWARMKIT’S IMPLEMENTATION REMOVE Worker/Manager Manager Request Validate node ID against blacklist Authorize role Perform work Response Worker/Manager Manager

  35. SWARMKIT’S IMPLEMENTATION REMOVE BLACKLIST VS WHITELIST

  36. SWARMKIT’S IMPLEMENTATION REMOVE Manager delayed join Manager Manager

  37. SWARMKIT’S IMPLEMENTATION REMOVE Manager Manager Manager

  38. PROBLEM Rotate CA

  39. PROBLEM CA ROTATION • (conf.) All nodes: trust old and new CA 1 • (wait.) Verify all nodes

  40. PROBLEM CA ROTATION • (conf.) All nodes: trust old and new CA 1 • (wait.) Verify all nodes • (conf.) All nodes: renew certificates 2 • (wait.) Verify all nodes

  41. PROBLEM CA ROTATION • (conf.) All nodes: trust old and new CA 1 • (wait.) Verify all nodes • (conf.) All nodes: renew certificates 2 • (wait.) Verify all nodes • (conf.) All nodes: trust new CA only 3 • (wait.) Verify all nodes

  42. PRINCIPLE CROSS-SIGNED INTERMEDIATE Root A Root Root B B Key Info: A Key Info: B X Signed by: A Signed by: B Leaf cert: X Signed by: B Root: B

  43. PRINCIPLE CROSS-SIGNED INTERMEDIATE Root A Root Root B A Key Info: A Key Info: B X Signed by: A Signed by: B Leaf cert: X Signed by: B Root: A

  44. PRINCIPLE CROSS-SIGNED INTERMEDIATE Root A Root A Key Info: A Root A Intermediate Root B’ B DN: A Signed by: A Key Info: B Key Info: B DN: B DN: B Signed by: A Signed by: B

  45. PRINCIPLE CROSS-SIGNED INTERMEDIATE Root A Leaf cert: X Signed by: B’ Root A Intermediate B’ Root: A X

  46. PRINCIPLE CROSS-SIGNED INTERMEDIATE Root A Leaf cert: X Signed by: B Root A Root B Intermediate B’ Root: B X

  47. SWARMKIT’S IMPLEMENTATION CA ROTATION • (conf.) All nodes: trust old and new CA • (wait.) Verify all nodes • Generate cross-signed intermediate

  48. SWARMKIT’S IMPLEMENTATION CA ROTATION • Generate cross-signed intermediate • (conf.) All nodes: renew certificates 1 • (wait.) Verify all nodes

  49. SWARMKIT’S IMPLEMENTATION CA ROTATION • Generate cross-signed intermediate • (conf.) All nodes: renew certificates 1 • (wait.) Verify all nodes • (conf.) All nodes: trust new CA 2 • (wait.) Verify all nodes • Throw away cross-signed intermediate

  50. SWARMKIT’S IMPLEMENTATION CA ROTATION: BEFORE ROTATION Node Trust Cluster Root A Root A Root: Trust Root: Root A Node TLS Cluster Root A Certificate: Cert Issuer: Root A Z

  51. SWARMKIT’S IMPLEMENTATION CA ROTATION: START ROTATION Node Trust Cluster Root A Root A Root: Trust Root: Root A Root A Node TLS Cluster Certificate: Cert Issuer: Root A Root A Intermediate Z B’

  52. SWARMKIT’S IMPLEMENTATION CA ROTATION: NODE CERT RENEWAL Node Trust Cluster Root A Root A Root: Trust Root: Root Root A Node TLS Cluster A Certificate: Cert Issuer: Root A Intermediate Root A B Intermediate B’ X

  53. SWARMKIT’S IMPLEMENTATION CA ROTATION: NODE CERT RENEWAL Node1 Node2 Node3 Node4 Node5 Root A Root A Root A Root A Root A Trust Root Root Root Root Root Root A A A TLS A A Ro A Ro A Ro A Certificate Intermediate Intermediate Intermediate B B B Z Z X X X

  54. SWARMKIT’S IMPLEMENTATION CA ROTATION: ROTATE TRUST ROOT Node Trust Cluster Root B Root B Root: Trust Root: Root A Root A Node TLS Cluster Certificate: Cert Issuer: Root A Intermediate Root B B Root A Intermediate B’ X

  55. SWARMKIT’S IMPLEMENTATION CA ROTATION: ROTATE TRUST ROOT Node1 Node2 Node3 Node4 Node5 Root B Root B Root A Root A Root B Trust Root Root Root Root Root Root A A A A A TLS Ro A Ro A Ro A Ro A Ro A Certificate Intermediate Intermediate Intermediate Intermediate Intermediate B B B B B X X X X X

  56. SWARMKIT’S IMPLEMENTATION CA ROTATION: FINISH ROOT ROTATION Node Trust Cluster Root B Root B Root: Trust Root: Root A Node TLS Cluster Root B Certificate: Cert Issuer: Root A Intermediate Root B B X

  57. DEMO

  58. SUMMARY MINIMIZING THE WINDOW OF COMPROMISE

  59. SUMMARY MINIMIZING THE WINDOW OF COMPROMISE • automatic bootstrap, renewal • short certificate expiry

  60. SUMMARY MINIMIZING THE WINDOW OF COMPROMISE • automatic bootstrap, renewal • short certificate expiry • certificate revocation • CA rotation

  61. SUMMARY MORE INFORMATION https://github.com/docker/swarmkit https://diogomonica.com/2017/01/11/hitless-tls-certificate-rotation-in-go/ https://github.com/cloudflare/cfssl (@cyli)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Practical Experience with Practical Experience with Practical Experience with Practical

Practical Experience with Practical Experience with Practical Experience with Practical

Practical Experience with Practical Experience with Practical Experience with Practical Experience with performance monitoring performance monitoring performance monitoring performance monitoring Ryszard Jurga CERN openlab March 29, 2006

577 views • 24 slides
ARDUINO & ELECTRONICS PRACTICAL PRACTICAL SESSION 1 Part of SmartProducts ARDUINO &

ARDUINO & ELECTRONICS PRACTICAL PRACTICAL SESSION 1 Part of SmartProducts ARDUINO &

ARDUINO & ELECTRONICS PRACTICAL PRACTICAL SESSION 1 Part of SmartProducts ARDUINO & ELECTRONICS PRACTICAL Fjodor van Slooten PRACTICAL SESSION 1 W241 (Horst-wing West) f.vanslooten@utwente.nl Goal: Become familiar with Electronics

437 views • 18 slides
Practical Neuropsychology for the NZ setting; from Assessment Planning to Formulation of

Practical Neuropsychology for the NZ setting; from Assessment Planning to Formulation of

Practical Neuropsychology for the NZ setting; from Assessment Planning to Formulation of Practical Recommendations. Dr Susan Shaw Outline This workshop is based upon practical experience Includes what neuropsychologists in NZ do well,

747 views • 36 slides
Practical Bioinformatics Mark Voorhies 5/15/2015 Mark Voorhies Practical Bioinformatics

Practical Bioinformatics Mark Voorhies 5/15/2015 Mark Voorhies Practical Bioinformatics

Practical Bioinformatics Mark Voorhies 5/15/2015 Mark Voorhies Practical Bioinformatics Gotchas Indentation matters Mark Voorhies Practical Bioinformatics Clustering exercises Visualizing the distance matrix Mark Voorhies Practical

705 views • 46 slides
Practical Bioinformatics Mark Voorhies 5/ 24/ 2013 Mark Voorhies Practical Bioinformatics

Practical Bioinformatics Mark Voorhies 5/ 24/ 2013 Mark Voorhies Practical Bioinformatics

Practical Bioinformatics Mark Voorhies 5/ 24/ 2013 Mark Voorhies Practical Bioinformatics Clustering exercises { Visualizing the distance matrix Mark Voorhies Practical Bioinformatics Scripting Cluster Running Cluster3 from the command line

401 views • 7 slides
Practical Analog Filters Overview Types of practical filters Filter specifications

Practical Analog Filters Overview Types of practical filters Filter specifications

Practical Analog Filters Overview Types of practical filters Filter specifications Tradeoffs Many examples J. McNames Portland State University ECE 222 Practical Analog Filters Ver. 1.04 1 Ideal Filters Lowpass Highpass

643 views • 48 slides
Practical Bioinformatics Mark Voorhies 5/26/2015 Mark Voorhies Practical Bioinformatics Habits

Practical Bioinformatics Mark Voorhies 5/26/2015 Mark Voorhies Practical Bioinformatics Habits

Practical Bioinformatics Mark Voorhies 5/26/2015 Mark Voorhies Practical Bioinformatics Habits are things you get for free, without requiring any special work. Cory Doctorow Advice to Writers, 4/5/2012 Mark Voorhies Practical

521 views • 27 slides
Practical Bioinformatics Mark Voorhies 5/22/2015 Mark Voorhies Practical Bioinformatics PAM

Practical Bioinformatics Mark Voorhies 5/22/2015 Mark Voorhies Practical Bioinformatics PAM

Practical Bioinformatics Mark Voorhies 5/22/2015 Mark Voorhies Practical Bioinformatics PAM (Dayhoff) and BLOSUM matrices PAM1 matrix originally calculated from manual alignments of highly conserved sequences (myoglobin, cytochrome C, etc.)

979 views • 71 slides
Curricular Practical Training (CPT) International Students Curricular Practical Training (CPT)

Curricular Practical Training (CPT) International Students Curricular Practical Training (CPT)

Curricular Practical Training (CPT) International Students Curricular Practical Training (CPT) Defined as employment which is an integral or important part of the students curriculum Today we will discuss: Rules and Regulations

82 views • 7 slides
Office of International Engagement Optional Practical Training (OPT) Optional Practical

Office of International Engagement Optional Practical Training (OPT) Optional Practical

Office of International Engagement Optional Practical Training (OPT) Optional Practical Training A period in which undergraduate and graduate students with an F-1 or F-3 status who have completed or have been pursuing a degree for one full

479 views • 14 slides
Practical Bioinformatics Mark Voorhies 4/16/2018 Mark Voorhies Practical Bioinformatics

Practical Bioinformatics Mark Voorhies 4/16/2018 Mark Voorhies Practical Bioinformatics

Practical Bioinformatics Mark Voorhies 4/16/2018 Mark Voorhies Practical Bioinformatics JavaTreeView link-out for ENSEMBL Mouse http://www.ensembl.org/Mus musculus/Gene/Summary?g=HEADER Mark Voorhies Practical Bioinformatics Science! Mark

767 views • 20 slides
Practical Bioinformatics Mark Voorhies 5/23/2019 Mark Voorhies Practical Bioinformatics

Practical Bioinformatics Mark Voorhies 5/23/2019 Mark Voorhies Practical Bioinformatics

Practical Bioinformatics Mark Voorhies 5/23/2019 Mark Voorhies Practical Bioinformatics JavaTreeView link-out for ENSEMBL Mouse http://www.ensembl.org/Mus musculus/Gene/Summary?g=HEADER Mark Voorhies Practical Bioinformatics Science! Mark

330 views • 13 slides
Practical examples using Adlib API Bert Degenhart Drenth Rui Mendes Practical examples using

Practical examples using Adlib API Bert Degenhart Drenth Rui Mendes Practical examples using

Practical examples using Adlib API Bert Degenhart Drenth Rui Mendes Practical examples using Adlib API Commands categories Search Write Select Lock Utilities Choosing the correct implementation jQuery plugin

670 views • 51 slides
Practical Use of XML XML Practical Use of Rostislav Titov IT-AIS-EB (e-Business) Section CERN

Practical Use of XML XML Practical Use of Rostislav Titov IT-AIS-EB (e-Business) Section CERN

CERN European Organization for Nuclear Research IT Department e Business Section Practical Use of XML XML Practical Use of Rostislav Titov IT-AIS-EB (e-Business) Section CERN Geneva, Switzerland XML XML eXtensible Markup

474 views • 36 slides
AngkorVR Advanced Practical Richard Schnpflug and Philipp Rettig Advanced Practical Tasks

AngkorVR Advanced Practical Richard Schnpflug and Philipp Rettig Advanced Practical Tasks

AngkorVR Advanced Practical Richard Schnpflug and Philipp Rettig Advanced Practical Tasks - Virtual exploration of the Angkor Wat temple complex - Based on Pheakdey Nguonphan 's Thesis called " Computer Modeling, Analysis and

309 views • 30 slides
Practical Bioinformatics Mark Voorhies 5/21/2019 Mark Voorhies Practical Bioinformatics Change

Practical Bioinformatics Mark Voorhies 5/21/2019 Mark Voorhies Practical Bioinformatics Change

Practical Bioinformatics Mark Voorhies 5/21/2019 Mark Voorhies Practical Bioinformatics Change of Coordinates http://xkcd.com/123/ Mark Voorhies Practical Bioinformatics Principal Components Analysis (PCA) Is there a point of view that

264 views • 11 slides
FIGHT AGAINST CORRUPTION IN TURKISH PUBLIC PROCUREMENT SYSTEM Mustafa aatay Tayrek Head

FIGHT AGAINST CORRUPTION IN TURKISH PUBLIC PROCUREMENT SYSTEM Mustafa aatay Tayrek Head

FIGHT AGAINST CORRUPTION IN TURKISH PUBLIC PROCUREMENT SYSTEM Mustafa aatay Tayrek Head of International Relations Department Public Procurement Authority Content Introduction Turkish Public Procurement System Legislative

1.18k views • 22 slides
Cairo, Egypt on 5-6 April 2017. THE WEST AFRICA REGIONAL SYSTEM TO COMBAT WEST AFRICA REGIONAL

Cairo, Egypt on 5-6 April 2017. THE WEST AFRICA REGIONAL SYSTEM TO COMBAT WEST AFRICA REGIONAL

Counterfeit ICT Devices, Conformance and Interoperability Testing Challenges in Africa Cairo, Egypt on 5-6 April 2017. THE WEST AFRICA REGIONAL SYSTEM TO COMBAT WEST AFRICA REGIONAL SYSTEM TO COMBAT COUNTERFEIT DEVICES WEST AFRICA REGIOTO

474 views • 26 slides
Tax Havens ns Blacklists klists and similar lar regimes es in Iberoameric oamerica Chairman:

Tax Havens ns Blacklists klists and similar lar regimes es in Iberoameric oamerica Chairman:

Tax Havens ns Blacklists klists and similar lar regimes es in Iberoameric oamerica Chairman: Prof. Dr. Martin Wenz General Reporter: Andrs Bez Blacklisting Aim Protection of national tax base and tax revenue against Distortions

439 views • 14 slides
Smart Vis isitor Tracking System VISITOR Visitor Tracking Features: Quick and seamless visitor

Smart Vis isitor Tracking System VISITOR Visitor Tracking Features: Quick and seamless visitor

Smart Vis isitor Tracking System VISITOR Visitor Tracking Features: Quick and seamless visitor entrance & exit. Real-time indoor & outdoor tracking of visitors. SMS, screen pop up & email alerts. Alerts if a visitor strays from

382 views • 12 slides
EU SAFA Programme - IACAs perspective ir. Erik MOYSON Director Safety & Technical

EU SAFA Programme - IACAs perspective ir. Erik MOYSON Director Safety & Technical

2 nd SAFA Regulators and Industry Forum, 25 October 2012, Cologne, Germany EU SAFA Programme - IACAs perspective ir. Erik MOYSON Director Safety & Technical erik.moyson@iaca.be SAFA Programme 2 nd SAFA Regulators and Industry Forum :

523 views • 36 slides
Smart Digital Homes Developers Credibility Headed by Qualified Engineers with rich domain

Smart Digital Homes Developers Credibility Headed by Qualified Engineers with rich domain

Presents Smart Digital Homes Developers Credibility Headed by Qualified Engineers with rich domain knowledge & expertise Seasoned ownership in Real Estate with rich experience of 15 years Known as market leaders for introducing

382 views • 24 slides
ASX PRESS RELEASE 1 September 2016 Australian Investor Roadshow Presentation BrainChip Holdings

ASX PRESS RELEASE 1 September 2016 Australian Investor Roadshow Presentation BrainChip Holdings

ASX PRESS RELEASE 1 September 2016 Australian Investor Roadshow Presentation BrainChip Holdings Ltd (ASX: BRN) ( BrainChip or the Company ), is pleased to release the attached Investor Roadshow Presentation to be made to Australian

707 views • 29 slides
3CX V16 Presentation New Features and Improvements One Small Step for 3CX...One Big Step for

3CX V16 Presentation New Features and Improvements One Small Step for 3CX...One Big Step for

3CX V16 Presentation New Features and Improvements One Small Step for 3CX...One Big Step for Communications Improve customer service Boost employee productivity Easier system admin Lower license costs V16 - Deliver Better

534 views • 40 slides

More recommend