How to encrypt everything that moves and keep it usable



Introduction to PKI and encryption

  1. UNCLASSIFIED//COMSEC//CRYPTO nsa. How to Encrypt Everything That Moves and Keep It Usable. Denis Gundarev, Application Solutions Architect, VMware, @fdwl. Delivered From: @FDWL. Dated: 20150722. Page 0
  2. UNCLASSIFIED//COMSEC//CRYPTO nsa. fdwl@E0D23:~# gpg -d message
     -----BEGIN PGP SIGNED MESSAGE-----
     Hash: SHA1
     Hi %username%, my name is Denis Gundarev, I'm a Senior MTS/Architect at VMware. I hope you understand that the opinions expressed here represent my own and not those of my employer. All data and information provided in this presentation is for informational purposes only.
     -----BEGIN PGP SIGNATURE-----
     iD8DBkjNWQIQFFxqRFCkjNWQIMEeCgg7y6IUikeCgg7yjNWQIW6eCgg7y3QE=
     =aAhr
     -----END PGP SIGNATURE-----
  3. FIPS 140-2 Compliant & Common Criteria Certified. Certified Security: worldwide recognition as the industry standard for app and desktop security. XenApp & XenDesktop are Common Criteria Certified. XenApp & XenDesktop are FIPS compliant, simplifying highly regulated compliance. FIPS Compliance Documents; Common Criteria Certificates.
  4. [Horizon 6 Enterprise architecture diagram] Workspace Portal, Horizon Clients, Virtual Desktops, RDS Hosted Desktops, RDS Hosted Applications, Horizon 6 Enterprise, App Volumes, Desktop Pools, App Pools.
  5. Agenda
     - Introduction to PKI
     - TLS for you
     - IPsec is your friend
     - Security regulations in a real world
  6. Introduction to Public Key Infrastructure (PKI)
  7. Certificates
  8. [PKI hierarchy diagram] Public Key Infrastructure: Root Certification Authority → Subordinate Certification Authority → Certificate, Certificate, Certificate, Certificate.
  9. Symmetric Encryption
     - Sender: "Privet! I will send you an encrypted message; use the secret word 'secret' to decrypt it!"
     - Sender: Hello × secret = ЙЦГШЩЗЪФ, and sends "ЙЦГШЩЗЪФ!"
     - Recipient: ЙЦГШЩЗЪФ / secret = Hello
     - Recipient: Nice to meet you × secret = ЮБЬИЧЯЖД, and sends "ЮБЬИЧЯЖД!"
     - Sender: ЮБЬИЧЯЖД / secret = Nice to meet you. "Got it!"
  10. Asymmetric Encryption
     - Sender: "I want to send you a private message but don't want anyone else to read it..."
     - Recipient: "Not a problem, here's my public key: a12f2d8ac"
     - Sender: Hello × a12f2d8ac = ЙЦГШЩЗЪФ, and sends "ЙЦГШЩЗЪФ!"
     - Recipient: ЙЦГШЩЗЪФ / privatesecret = Hello. "Got it!"
  11. SSL/TLS Handshake
     - Client: "Privet! I want to speak privately with Yosemite Sam. I can speak Russian, Chinese, Spanish and English; here's my random: e77dfb41"
     - Server: "Howdy-doo! Hablemos español! (Let's speak Spanish!) Here's my ID, public key and my random: 6bcfae6a"
     - Client: "Hmm, California, USA, ok I trust your ID." Encrypt(convertir en Español(E77dfb41 + 6bcfae6a)). "Here's the pre-master, en español, encrypted with your private"
     - Server: Decrypt(pre-master). "Lo tengo! (Got it!)"
     - Both sides: MAC = (b² − 4ac) / 2a
     - Client: "es tan genial para hablar en privado" (it's so great to talk in private)
     - Server: "sí, es difícil hablar libre en estos días" (yes, it's hard to talk freely these days)
  12. "Just need to see your I.D. please." "Sorry, but we don't sell beer to Russians."
  15. Keep Private Keys Private
     - NTFS ACL
     - Windows private key ACL
     - Use Hardware Security Modules
       - Windows support out of the box
       - Apache support
     - Avoid using shared wildcard certificates
  16. [PKI diagram] Public Key Infrastructure: Root Certification Authority → Subordinate Certification Authority → ESX Hosts, Network equipment, Users, Mobile devices.
  17. TLS recommendations
     - Use TLS or DTLS for everything that moves over the wire
       - RDP
       - XenDesktop (to-vda/)
       - Horizon View (60-scenarios-ssl-certificates.pdf)
       - SQL Server (sql-server-encryption-on-the-wire.aspx)
       - LDAP (certificate.aspx)
     - Use other encryption methods for other protocols
       - SMB Encryption (in-windows-server-2012.aspx)
       - Horizon View (60-security.pdf)
  18. TLS recommendations
     - Disable weak ciphers and SSL 3.0
       - Windows
       - Apache
       - Nginx
       - NetScaler
       - F5
     - Use TLS internally
     - Use an appropriate Certification Authority
     - Switch to SHA256 (authority-to-sha256.aspx)
  19. Know the difference
     - Self-signed vs. preinstalled certificate
       - Check the date/name
       - Intended usage
     - Make sure that you use the correct templates
     - Encryption vs. Obfuscation
       - Unsecured private key = obfuscation
  21. Demo time
  22. FIPS/Common Criteria
     - Remember whom you trust
     - Certified software/hardware doesn't secure you automatically.
     - The security policy "System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" does not affect third-party software and breaks .NET
     - Certification may take years; the release cycle is usually shorter
  23. Compliance
     - A foolproof plan for security
     - Nothing is foolproof to a sufficiently talented fool
     - Standardized environments are easier to hack
     - Additional budget for IT
     - Enforcing documentation
     - Just a checklist to impress the auditor
  24. It's now safe to ask your questions.
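As an added example for slide 18 (disable weak ciphers and SSL 3.0 on Apache and Nginx), not code from the deck: a small Python checker that reads Nginx (`ssl_protocols`, `ssl_ciphers`) and Apache mod_ssl (`SSLProtocol`, `SSLCipherSuite`) directives and reports the weak settings. The directive names are the real ones; the two config fragments embedded in it, one weak and one corrected, are constructed samples.

```python
"""Flag SSL 3.0 and weak ciphers in Nginx / Apache mod_ssl TLS directives.
Added example for slide 18, not code from the deck; directive names are the
real Nginx/Apache ones, the two config fragments below are constructed."""
import re

WEAK_PROTOCOLS = {"sslv2", "sslv3"}                    # never enable these
WEAK_CIPHER_PARTS = {"rc4", "des", "3des", "md5", "null", "anull", "enull",
                     "export", "exp", "low"}           # weak OpenSSL tokens
DIRECTIVES = {"ssl_protocols": "protocols", "sslprotocol": "protocols",
              "ssl_ciphers": "ciphers", "sslciphersuite": "ciphers"}
# Constructed sample: SSLv3 enabled, RC4/3DES/export ciphers allowed.
WEAK_CONFIG = """
ssl_protocols SSLv3 TLSv1 TLSv1.2;
ssl_ciphers "RC4-SHA:DES-CBC3-SHA:HIGH";
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM:!aNULL:EXP-RC4-MD5
"""
# Constructed sample: the same directives after the fix.
HARDENED_CONFIG = """
ssl_protocols TLSv1.2 TLSv1.3;   # SSL 3.0 gone
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384";
SSLProtocol all -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
"""


def find_weak_tls_settings(config_text):
    """Return [(line_no, message)] for every weak setting found."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if len(parts) < 2 or parts[0].lower() not in DIRECTIVES:
            continue
        name, kind = parts[0], DIRECTIVES[parts[0].lower()]
        value = parts[1].strip().rstrip(";").strip("\"'")
        tokens = [t for t in re.split(r"[\s:,]+", value) if t]
        disabled = {t.lstrip("-!").lower() for t in tokens if t[0] in "-!"}
        for tok in tokens:
            if tok[0] in "-!":        # explicit removal such as -SSLv3 or !RC4
                continue
            bare = tok.lstrip("+").lower()
            if kind == "protocols":
                if bare in WEAK_PROTOCOLS:
                    findings.append((no, f"{name} enables {tok}"))
                elif bare == "all" and "sslv3" not in disabled:
                    # older mod_ssl/OpenSSL builds include SSLv3 in 'all'
                    findings.append((no, f"{name} 'all' without -SSLv3"))
            elif any(p in WEAK_CIPHER_PARTS for p in bare.split("-")):
                findings.append((no, f"{name} allows weak cipher {tok}"))
    return findings
```

Running `find_weak_tls_settings(WEAK_CONFIG)` reports five findings on lines 2 to 5 of the weak fragment, while the hardened fragment yields none.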