MTLS - Securing Service Mesh Architectures
MTLS: Securing Microservice Architecture with Mutual TLS Authentication
Larry Meirosu
Twitter: @lmeirosu | Email: larry@wixel.co.uk
Diagram labels: MTLS, ATLS, BGPSec, RPKI, DNSSec, IPSec, TLS/SSL, DTLS, WPA3
Unsecure Microservice Architecture on Trusted Networks
Diagram: services S1 to S5 calling each other inside a single VPC
Secure Microservices Architecture on Zero Trust Network
Diagram: the same services S1 to S5, now without the trusted VPC perimeter
Diagram: External User, Internal User, Edge Servers, Reverse Proxy, Services, Servers, Datastore, Clusters and a Gateway spanning the External Network and the Internal Network; two links are labelled TLS, the remaining ten MTLS
PKI Anatomy
TLS/SSL Versions
SSL 1.0, SSL 2.0: Prohibited (RFC 6101)
SSL 3.0, TLS 1.0: Insecure (RFC 2246)
TLS 1.1: Insecure
TLS 1.2: Secure
TLS 1.3: Draft 22, "TLS 2.0"
Timeline markers on the slide: 1994, 1999, 2013
X.509 v1 Standard, X.509 v2 Standard, X.509 v3 Standard (extensions)
Timeline markers on the slide: 1988-1995, 1997-1999, 2001-2013
ASC X9 - Federal Standards (US companies only): X9.31, X9.45, X9.55, X9.57, X9.62, X9.79-4, X9.95, X9.98
- TSA (Time Stamp Authority) and Time Stamp Entity
- Protection Profiles for Certificate Issuing Systems
PKCS - Public Key Cryptography Standards
X509.v3 Certificate
Fields: Public Key, Issuer Signature, Issuer Name/Organisation, Common Name/Organisation, Subject Alternative Names, Dates valid, Extensions (14)
Encoding: ASN.1, DER/PEM, PKCS[1-15]
Diffie-Hellman Key Exchange (Modular Arithmetic)
g = "Exponent", n = "Modulo"; x509 Certificate: a, g, n
Alice holds a, g, n and computes $A = g^a \bmod n$; she sends g, n, A to Bob.
Bob holds b and computes $B = g^b \bmod n$; he sends B to Alice.
Alice: $Key = B^a \bmod n$; Bob: $Key = A^b \bmod n$. Both obtain the same key because
$(g^a \bmod n)^b \bmod n = (g^b \bmod n)^a \bmod n$
DSA - Digital Signature Algorithm (designed by NSA in 1991)
Diagram (both directions): the sender hashes the data with SHA256 and signs the digest with its Private Key, producing a DSA Signature; the receiver hashes the data with SHA256, runs DSA Verify with the sender's Public Key and compares (==) the result with the received DSA Signature. Key material per party: a, g, n.
RSA Data Encryption (Session Key Exchange, 2-Way Auth)
Diagram (both directions): a Data Chunk is encrypted with the peer's Public Key (RSA Encryption) and the peer decrypts it with its own Private Key. Key material per party: a, g, n.
Chain of trust
Root CA (Root CA Private key): Self Sign -> Root cert; Sign -> Intermediate cert
CA Service (CA Private key): Sign -> Leaf cert
Chain of trust
Diagram: a tree with one Root cert at the top, a tier of Intermediate certs, a second tier of Intermediate certs below it and Leaf certs at the bottom
MTLS Handshake (Client <-> Server)
Client -> Server: Client Hello
Server -> Client: Server Hello, Server Certificate, Client Cert Request, Server Done
Client -> Server: Client Certificate, Client Key Exchange, Certificate Verify, Change Connection State, Finished
Server -> Client: Change Connection State, Finished
Each side verifies the peer's certificate (Certificate Verify); the TLS Session is then established.
CSR - Certificate Signing Request
Subject: sends its Public Key in a Certificate Signing Request to the Certificate Authority
Certificate Authority: signs the request with its Private Key and returns the X.509 Certificate
CRL - Certificate Revocation List
Client: GET request /crl -> CA Server returns the CRL, a list of revoked certificate entries (such as 160411233010221Z0 ...)
Client: Check if certificate serial is on the CRL
OCSP - Online Certificate Status Protocol
Client: POST request /ocsp carrying the Cert (Cert ID) -> OCSP Server
OCSP Server response: Response Status, Responder ID, Cert Status, Cert ID, OCSP Signature
Client: Check if certificate status is Revoked on OCSP
Provisioning
Provisioning Services
Diagram: Service A and Service B each send a CSR to the Certificate Authority and receive a CRT back
Provisioning Devices (Trust on First Use)
Diagram: Certificate Authority and Registration Authority
Provisioning Devices
Diagram: on an Isolated Network, a Provisioner/Orchestrator passes the device CSR to the Certificate Authority and delivers the Cert back to the device
Bootstrapping
MTLS Wrapper
Diagram: protocol stack IP / TCP / SSL / Application, with the MTLS (SSL Wrapper) at the SSL layer and a Certs Supervisor alongside it
Bootstrap (Keymaker Client <-> Signing CA Service)
1. Retrieve and install the Root CA Certificate
2. Retrieve and validate Signing CA Certificate
3. Retrieve the Signed Certificate
Automatic Certificate Rotation (Service <-> Signing CA)
1. Submit a new CSR using old Key Pair
2. Retrieve the new Signed Certificate
Short Term Certificates (STC) - 90 days
Diagram: timeline Tn, Tn+1, Tn+2, Tn+3; Certificate 1, Certificate 2 and Certificate 3 are issued one after another along it
MTLS (Service <-> MTLS wrapper <-> MTLS wrapper <-> Service)
1. Set TLS/SSL with Client Certificate Verification on your Application/Service
2. Validate the Client Certificate against the CA Cert
3. TLS Session
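The three steps of this slide carried out with Go's standard library, as an added example that is not part of the deck: a hypothetical internal root CA (names "internal-root-ca", "service-a" and "service-b" are constructed for the demo) issues one certificate to each service, service-b requires and verifies client certificates against the CA certificate, and the handshake is run over a loopback socket once with and once without a client certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a P-256 key pair and an X.509 cert for name signed by parent; parent == nil means a self-signed root CA.
func issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour), // short-lived, rotate often
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // root CA: may sign certificates and signs itself (chain-of-trust slide)
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// MTLSSession provisions a constructed root CA plus a certificate each for service-a (client) and service-b (server),
// runs the slide's three steps over loopback and returns the server's verdict on the client (nil: session up).
func MTLSSession(withClientCert bool) error { // withClientCert=false models a client the CA never issued to
	root := issue("internal-root-ca", nil, nil)
	rootKey := root.PrivateKey.(*ecdsa.PrivateKey)
	trust := x509.NewCertPool() // the CA cert both peers validate against
	trust.AddCert(root.Leaf)
	serverCfg := &tls.Config{ // Step 1: client certificate verification on the service
		Certificates: []tls.Certificate{issue("service-b", root.Leaf, rootKey)},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    trust,
	}
	clientCfg := &tls.Config{RootCAs: trust, ServerName: "service-b"}
	if withClientCert {
		clientCfg.Certificates = []tls.Certificate{issue("service-a", root.Leaf, rootKey)}
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() { // server side; Step 2 happens inside Handshake: the client chain must reach ClientCAs
		c, err := ln.Accept()
		if err == nil {
			err = c.(*tls.Conn).Handshake()
			c.Close()
		}
		verdict <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	srvErr := <-verdict // wait for the server before closing; a client-side abort surfaces here too
	if err == nil {
		conn.Close() // Step 3: an authenticated TLS session existed between the two services
	}
	return srvErr
}

func main() {
	fmt.Println(MTLSSession(true), MTLSSession(false)) // <nil> tls: client didn't provide a certificate
}
```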
PKI Architecture
Internal PKI
Diagram: Offline CA (Root CA on an HSM device) -> Signing CA Service, OCSP Service and RA Service -> services and devices
Attack vectors
Diagram: the same Internal PKI (Offline CA with the Root CA on an HSM device, Signing CA Service, OCSP Service, RA Service, services and devices) with its attack vectors marked
PKI Monitoring
Diagram: Monitoring attached to the Offline CA (Root CA on an HSM device), the Signing CA Service, the OCSP Service and the RA Service
THANK YOU
