5. MTLS - Securing Service Mesh Architectures
Secure Microservices Architecture on Zero Trust Network
[Diagram: services S1 to S5 deployed on a zero trust network]
6. MTLS - Securing Service Mesh Architectures
[Diagram: External User and Internal User reach Edge Servers across the External Network and Internal Network; a Reverse Proxy, Gateway, Service Servers and Datastore sit inside the Cluster. Most links between components are labelled MTLS; two are labelled TLS.]
9. MTLS - Securing Service Mesh Architectures
[Timeline of certificate standards, spanning 1988-1995, 1997-1999 and 2001-2013]
- X.509 v1 Standard
- X.509 v2 Standard
- X.509 v3 Standard - (extensions)
- X9.31, X9.45, X9.55, X9.57, X9.62, X9.79-4, X9.95 and X9.98 Standards
ASC X9 - Federal Standards (US companies only)
- TSA (Time Stamp Authority) and Time Stamp Entity
- Protection Profiles for Certificate Issuing Systems
PKCS - Public Key Cryptography Standards
10. MTLS - Securing Service Mesh Architectures
X509.v3 Certificate
- Public Key
- Issuer Signature
- Issuer Name/Organisation
- Common Name/Organisation
- Subject Alternative Names
- Dates valid
- Extensions (14)
Encoding: ASN.1, DER/PEM, PKCS[1-15]
11. MTLS - Securing Service Mesh Architectures
x509 Certificate: Diffie-Hellman Key Exchange (Modular Arithmetic)
Legend: g = "Exponent", n = "Modulo"
Alice holds $a, g, n$, computes $A = g^a \bmod n$ and sends $g, n, A$ to Bob.
Bob holds $b$, computes $B = g^b \bmod n$ and sends $B$ to Alice.
Alice: $\text{Key} = B^a \bmod n$; Bob: $\text{Key} = A^b \bmod n$.
Both sides arrive at the same key because $(g^a \bmod n)^b \bmod n = (g^b \bmod n)^a \bmod n$.
12. MTLS - Securing Service Mesh Architectures
DSA - Digital Signature Algorithm (designed by NSA in 1991)
[Diagram: the signer hashes the data with SHA256 and produces a DSA Signature with the Private Key; the verifier hashes the data with SHA256 and runs DSA Verify with the Public Key, comparing (==) the results. Labels a, g, n appear on both sides.]
13. MTLS - Securing Service Mesh Architectures
RSA Data Encryption (Session Key Exchange, 2-Way Auth)
[Diagram: a Data Chunk is encrypted with RSA Encryption under a Public Key and decrypted with the matching Private Key, shown in both directions for 2-way authentication. Labels a, g, n appear on both sides.]
14. MTLS - Securing Service Mesh Architectures
Chain of trust
[Diagram: three parties, Root CA, CA and Service. The Root CA Private key self-signs the Root cert and signs the Intermediate cert; the CA Private key signs the Leaf cert.]
15. MTLS - Securing Service Mesh Architectures
Chain of trust
[Diagram: one Root cert at the top, a layer of Intermediate certs below it, a further layer of Intermediate certs, and Leaf certs at the bottom.]
16. MTLS - Securing Service Mesh Architectures
MTLS Handshake (Client <-> Server)
1. Client -> Server: Client Hello
2. Server -> Client: Server Hello, Server Certificate, Client Cert Request, Server Done
3. Client -> Server: Client Certificate, Client Key Exchange, Certificate Verify, Change Connection State, Finished
4. Server -> Client: Change Connection State, Finished (after its own Certificate Verify of the client certificate)
5. TLS Session
18. MTLS - Securing Service Mesh Architectures
CRL - Certificate Revocation List
[Diagram: the Client sends a GET request to /crl on the CA Server and receives the CRL, a list of revoked certificate serial numbers with revocation timestamps; the client then checks if the certificate serial is on the CRL.]
19. MTLS - Securing Service Mesh Architectures
OCSP - Online Certificate Status Protocol
[Diagram: the Client sends a POST request to /ocsp on the OCSP Server carrying the Cert ID; the response contains Response Status, Responder ID, Cert Status, Cert ID and an OCSP Signature; the client then checks if the certificate status is Revoked.]
25. MTLS - Securing Service Mesh Architectures
MTLS Wrapper
[Diagram: protocol stack IP / TCP / SSL / Application, with MTLS (SSL Wrapper) at the SSL layer and a Certs Supervisor alongside it.]
26. MTLS - Securing Service Mesh Architectures
Keymaker Client Bootstrap (between the Service and the Signing CA)
1. Retrieve and install the Root CA Certificate
2. Retrieve and validate Signing CA Certificate
3. Retrieve the Signed Certificate
27. MTLS - Securing Service Mesh Architectures
Automatic Certificate Rotation (between the Service and the Signing CA)
1. Submit a new CSR using old Key Pair
2. Retrieve the new Signed Certificate
28. MTLS - Securing Service Mesh Architectures
Short Term Certificates (STC) - 90 days
[Diagram: Certificate 1, Certificate 2 and Certificate 3 issued in sequence along a timeline marked Tn, Tn+1, Tn+2, Tn+3.]
29. MTLS - Securing Service Mesh Architectures
MTLS (Service <-> MTLS wrapper <-> MTLS wrapper <-> Service)
1. Set TLS/SSL with Client Certificate Verification on your Application/Service
2. Validate the Client Certificate against the CA Cert
3. TLS Session
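The chain of trust from slides 14 and 15 and the client certificate validation in step 2 above, as an added example that is not from the slides or any project they describe: it assumes an openssl CLI (1.1.1 or later) on PATH, and the CA names and the service name service.internal are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the slides: build the Root CA -> Signing CA -> Leaf chain
# with openssl and validate the leaf the way an mTLS peer does in step 2: trust only the
# Root CA, treat the Signing CA cert as untrusted chain material presented by the peer.
# All names and paths are constructed for this demo.
set -eu
# Generate an EC key and CSR: $1=file basename, $2=common name.
new_csr() {
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

# Issue a cert from a CSR: $1=csr $2=signer cert (or "self") $3=signer key $4=out $5=extensions.
sign_csr() {
  ext=$(mktemp); printf '%b\n' "$5" > "$ext"
  if [ "$2" = self ]; then opts="-signkey $3 -days 3650"; else opts="-CA $2 -CAkey $3 -CAcreateserial -days 90"; fi
  openssl x509 -req -in "$1" $opts -extfile "$ext" -out "$4" 2>/dev/null
  rm -f "$ext"
}

# Create root.pem, intermediate.pem and leaf.pem (with keys) inside directory $1.
build_chain() (
  cd "$1"
  # Root CA: self-signed; in the slides' internal PKI it stays offline on an HSM.
  new_csr root "Demo Root CA"
  sign_csr root.csr self root.key root.pem "basicConstraints=critical,CA:TRUE"
  # Signing CA: signed by the Root CA and marked as a CA that may issue leaves only.
  new_csr intermediate "Demo Signing CA"
  sign_csr intermediate.csr root.pem root.key intermediate.pem "basicConstraints=critical,CA:TRUE,pathlen:0"
  # Leaf: a 90-day short-term cert for one service, usable on both sides of mTLS.
  new_csr leaf service.internal
  sign_csr leaf.csr intermediate.pem intermediate.key leaf.pem \
    "basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:service.internal"
)

# Peer-side check: accept the leaf only if it chains to the trusted Root CA via the Signing CA.
verify_leaf() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediate.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# The same check without the Signing CA cert fails: each peer must present its full chain.
verify_leaf_without_chain() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

DIR=$(mktemp -d)
build_chain "$DIR"
verify_leaf "$DIR" && echo "leaf chains to Root CA via Signing CA: OK"
verify_leaf_without_chain "$DIR" || echo "leaf without Signing CA cert: rejected (expected)"
```

In a deployment the root.pem here is the Root CA Certificate installed in step 1 of the Keymaker bootstrap, and intermediate.pem is what the peer sends alongside its leaf during the handshake.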
31. MTLS - Securing Service Mesh Architectures
Internal PKI
[Diagram: Offline CA (Root CA on an HSM device) above a Signing CA Service, with an OCSP Service and an RA Service alongside; the Signing CA issues certificates to services and devices.]
32. MTLS - Securing Service Mesh Architectures
Attack vectors
[Diagram: the same Internal PKI (Offline CA with Root CA on an HSM device, Signing CA Service, OCSP Service, RA Service, services and devices) with attack vectors marked against its components.]
33. MTLS - Securing Service Mesh Architectures
PKI Monitoring
[Diagram: Monitoring attached to each PKI component: Offline CA (Root CA on an HSM device), Signing CA Service, OCSP Service and RA Service.]
34. MTLS - Securing Service Mesh Architectures
THANK YOU