SLIDE 1
PRACTICAL MTLS
MINIMIZING THE WINDOW OF COMPROMISE
Ying Li @cyli
TYPICAL MICROSERVICE ARCHITECTURE
PROBLEM
S1 S1 S2 S3 DB
VPC
PRACTICAL MTLS Ying Li @cyli PROBLEM TYPICAL MICROSERVICE - - PowerPoint PPT Presentation
PRACTICAL MTLS Ying Li @cyli PROBLEM TYPICAL MICROSERVICE - - PowerPoint PPT Presentation
MINIMIZING THE WINDOW OF COMPROMISE PRACTICAL MTLS Ying Li @cyli PROBLEM TYPICAL MICROSERVICE ARCHITECTURE VPC S1 DB S2 S1 S3 PROBLEM VLAN-TASTIC MICROSERVICE ARCHITECTURE S1 DB S2 S1 S3 PROBLEM CORRECT MICROSERVICE ARCHITECTURE
SLIDE 2
SLIDE 3
VLAN-TASTIC MICROSERVICE ARCHITECTURE
PROBLEM
S1 S1 S2 S3 DB
SLIDE 4
CORRECT MICROSERVICE ARCHITECTURE
PROBLEM
S1 S1 S2 S3 DB
SLIDE 5
APPLICATION TLS LIFECYCLE
Bootstrap Revoke Renew
PROBLEM
SLIDE 6
- CSR ➡ CA
- Configuration
BOOTSTRAP
PROBLEM
SLIDE 7
- Schedule
RENEW
PROBLEM
SLIDE 8
- Schedule
- CSR ➡ CA
- Configuration
RENEW
PROBLEM
SLIDE 9
- Schedule
- CSR ➡ CA
- Configuration
- Restart
PROBLEM
RENEW
SLIDE 10
- CRL
- OCSP [Stapling]
REVOKE
PROBLEM
SLIDE 11
AUTOMATE, AUTOMATE, AUTOMATE
- Promotes adoption of mTLS
PRINCIPLE
SLIDE 12
AUTOMATE, AUTOMATE, AUTOMATE
- Promotes adoption of mTLS
- Single location for private key
PRINCIPLE
SLIDE 13
AUTOMATE, AUTOMATE, AUTOMATE
- Promotes adoption of mTLS
- Single location for private key
- Shorter certificate expiry
PRINCIPLE
SLIDE 14
SWARMKIT OVERVIEW
https://github.com/docker/swarmkit
SLIDE 15
SWARMKIT OVERVIEW
Worker Manager Manager Manager Worker Worker Worker Worker Worker
CLUSTER
SLIDE 16
SWARMKIT OVERVIEW
Worker Manager Manager Manager Worker Worker Worker Worker Worker
CLUSTER
Node Node Node Node Node Node
SLIDE 17
SWARMKIT OVERVIEW
Worker Manager Manager Manager Worker Worker Worker Worker Worker raft store
CLUSTER
SLIDE 18
SWARMKIT OVERVIEW
Node CA CA CA Node Node Node Node Node raft store
CLUSTER
SLIDE 19
SWARMKIT’S IMPLEMENTATION
SLIDE 20
BOOTSTRAP
SWMTKN-1-mx8suomaom825bet6-cm6zts22rl4hly2 Known Prefix Token Version Hash
- f Root CA
Random Secret
SWARMKIT’S IMPLEMENTATION
SLIDE 21
- 1. Retrieve, validate Root CA
certificate.
BOOTSTRAP
1
CA
Node
SWARMKIT’S IMPLEMENTATION
SLIDE 22
- 1. Retrieve, validate Root CA
certificate.
- 2. CSR + secret token ➡ CA. (TLS)
BOOTSTRAP
1 2
CA
Node
SWARMKIT’S IMPLEMENTATION
SLIDE 23
- 1. Retrieve and validate Root CA
Public key material.
- 2. CSR + secret token ➡ CA. (TLS)
- 3. Get certificate. (TLS)
BOOTSTRAP
1 2 3
CA
Node
SWARMKIT’S IMPLEMENTATION
SLIDE 24
RENEW
Valid From Valid Until 50% 80%
SWARMKIT’S IMPLEMENTATION
SLIDE 25
- 1. CSR + ➡ CA. (mTLS)
2.Get certificate. (mTLS)
RENEW
1 2
CA
Node
SWARMKIT’S IMPLEMENTATION
SLIDE 26
RENEW
Restart
- 1. Trigger extra leader election
- 2. Workers all need to reconnect
to managers
- 3. Reschedule work
SWARMKIT’S IMPLEMENTATION
SLIDE 27
RENEW
SWARMKIT’S IMPLEMENTATION
SLIDE 28
RENEW
SWARMKIT’S IMPLEMENTATION
SLIDE 29
RENEW
Server
Existing connections New connections
SWARMKIT’S IMPLEMENTATION
SLIDE 30
RENEW
Client
Existing connections New connections
SWARMKIT’S IMPLEMENTATION
SLIDE 31
REVOKE
SWARMKIT’S IMPLEMENTATION
SLIDE 32
REVOKE
SWARMKIT’S IMPLEMENTATION
REMOVE
CRLS, OCSP [Stapling]
SLIDE 33
REMOVE
SWARMKIT’S IMPLEMENTATION
NODE BLACKLIST
Node ID Certificate Expiry
a8h1vsk3k9o5nwea858ty9kma 2017-08-26 01:02:52 UTC k80l2au3yq9f7x6r2oca13vwt 2017-07-15 11:35:23 UTC n970d5be9ccgnreg4iti4jho3 2017-08-01 22:59:05 UTC
SLIDE 34
REMOVE
SWARMKIT’S IMPLEMENTATION
Worker/Manager Manager
Request Validate node ID against blacklist Authorize role Perform work Response
Worker/Manager Manager
SLIDE 35
REMOVE
SWARMKIT’S IMPLEMENTATION
BLACKLIST VS WHITELIST
SLIDE 36
REMOVE
SWARMKIT’S IMPLEMENTATION
Manager Manager Manager delayed join
SLIDE 37
REMOVE
SWARMKIT’S IMPLEMENTATION
Manager Manager Manager
SLIDE 38
Rotate CA
PROBLEM
SLIDE 39
CA ROTATION
PROBLEM
- (conf.) All nodes: trust old and new CA
- (wait.) Verify all nodes
1
SLIDE 40
CA ROTATION
PROBLEM
- (conf.) All nodes: trust old and new CA
- (wait.) Verify all nodes
- (conf.) All nodes: renew certificates
- (wait.) Verify all nodes
1 2
SLIDE 41
CA ROTATION
PROBLEM
- (conf.) All nodes: trust old and new CA
- (wait.) Verify all nodes
- (conf.) All nodes: renew certificates
- (wait.) Verify all nodes
- (conf.) All nodes: trust new CA only
- (wait.) Verify all nodes
1 2 3
SLIDE 42
CROSS-SIGNED INTERMEDIATE
Root A
Key Info: A Signed by: A
Root
B Key Info: B Signed by: B
Root
B X Leaf cert: X Signed by: B Root: B
PRINCIPLE
SLIDE 43
CROSS-SIGNED INTERMEDIATE
Root A
Key Info: A Signed by: A
Root
B Key Info: B Signed by: B
Root
A X Leaf cert: X Signed by: B Root: A
PRINCIPLE
SLIDE 44
CROSS-SIGNED INTERMEDIATE
Root A
Key Info: A DN: A Signed by: A
Root
B Key Info: B DN: B Signed by: B Key Info: B DN: B Signed by: A
Root A Root A
Intermediate
B’
PRINCIPLE
SLIDE 45
Leaf cert: X Signed by: B’ Root: A
Root A Root A
Intermediate
B’ X
CROSS-SIGNED INTERMEDIATE
PRINCIPLE
SLIDE 46
Root A Root A
Intermediate
B’
Root B
Leaf cert: X Signed by: B Root: B X
CROSS-SIGNED INTERMEDIATE
PRINCIPLE
SLIDE 47
CA ROTATION
SWARMKIT’S IMPLEMENTATION
- (conf.) All nodes: trust old and new CA
- (wait.) Verify all nodes
- Generate cross-signed intermediate
SLIDE 48
CA ROTATION
SWARMKIT’S IMPLEMENTATION
- Generate cross-signed intermediate
- (conf.) All nodes: renew certificates
- (wait.) Verify all nodes
1
SLIDE 49
CA ROTATION
SWARMKIT’S IMPLEMENTATION
- Generate cross-signed intermediate
- (conf.) All nodes: renew certificates
- (wait.) Verify all nodes
- (conf.) All nodes: trust new CA
- (wait.) Verify all nodes
- Throw away cross-signed intermediate
1 2
SLIDE 50
CA ROTATION: BEFORE ROTATION
SWARMKIT’S IMPLEMENTATION
Node Trust Root: Node TLS Certificate: Cluster Trust Root: Cluster Cert Issuer:
Root A Root A Root A Root A Root A
Z
SLIDE 51
CA ROTATION: START ROTATION
SWARMKIT’S IMPLEMENTATION
Node Trust Root: Node TLS Certificate:
Root A Root A Root A
Intermediate
B’ Cluster Trust Root: Cluster Cert Issuer:
Root A Root A Root A
Z
SLIDE 52
CA ROTATION: NODE CERT RENEWAL
SWARMKIT’S IMPLEMENTATION
Node Trust Root: Node TLS Certificate:
Root A Root A Root A
Intermediate
B’ Cluster Trust Root: Cluster Cert Issuer:
Root A
Root
A
Root A
Intermediate
B X
SLIDE 53
CA ROTATION: NODE CERT RENEWAL
SWARMKIT’S IMPLEMENTATION Node1 Node2 Node3 Node4 Node5 Trust Root TLS Certificate
Root A
Root A Z RootA
Ro A
IntermediateB X
RootA
Ro A
IntermediateB X
RootA
Ro A
IntermediateB X
Root A ZRoot A Root A Root A Root A
SLIDE 54
CA ROTATION: ROTATE TRUST ROOT
SWARMKIT’S IMPLEMENTATION
Node Trust Root: Node TLS Certificate:
Root B
Cluster Trust Root: Cluster Cert Issuer:
Root B
Root A
Root A
Intermediate
B
Root
B X
Root A Root A
Intermediate
B’
SLIDE 55
CA ROTATION: ROTATE TRUST ROOT
SWARMKIT’S IMPLEMENTATION Node1 Node2 Node3 Node4 Node5 Trust Root TLS Certificate
Root B Root B Root B
RootA
Ro A
IntermediateB X
RootA
Ro A
IntermediateB X
RootA
Ro A
IntermediateB X
RootA
Ro A
IntermediateB X
RootA
Ro A
IntermediateB X
Root A Root A
SLIDE 56
CA ROTATION: FINISH ROOT ROTATION
SWARMKIT’S IMPLEMENTATION
Node Trust Root: Node TLS Certificate:
Root B
Cluster Trust Root: Cluster Cert Issuer:
Root B Root B
Root A
Root A
Intermediate
B
Root
B X
SLIDE 57
DEMO
SLIDE 58
SUMMARY
MINIMIZING THE WINDOW OF COMPROMISE
SLIDE 59
SUMMARY
MINIMIZING THE WINDOW OF COMPROMISE
- automatic bootstrap, renewal
- short certificate expiry
SLIDE 60
SUMMARY
MINIMIZING THE WINDOW OF COMPROMISE
- automatic bootstrap, renewal
- short certificate expiry
- certificate revocation
- CA rotation
SLIDE 61
SUMMARY
MORE INFORMATION
https://github.com/docker/swarmkit
https://diogomonica.com/2017/01/11/hitless-tls-certificate-rotation-in-go/
https://github.com/cloudflare/cfssl
(@cyli)