MTLS - Securing Microservice Architecture with Mutual TLS Authentication

MTLS Authentication and End-to-End Encryption for Data in transit on the Microservice and Service Mesh Architectures.

PKI (Public Key Infrastructure) Anatomy
- PKCS (Public Key Cryptography Standards)
- X.509 v3 Certificates
- Chain of Trust

Provisioning and Securing Services/Devices
- Provisioning Services
- Provisioning Devices TOFU (Trust on First Use)

Bootstrapping Services
- MTLS Wrapper
- Automatic Certificate Rotation
- STC (Short Term Certificates)

Private PKI Architecture
- Attack vectors
- PKI monitoring

Published in: Software

Slide transcript

  1. MTLS - Securing Service Mesh Architectures. MTLS: Securing Microservice Architecture with Mutual TLS Authentication. Larry Meirosu, Twitter: @lmeirosu | Email: larry@wixel.co.uk
  2. MTLS, ATLS, BGPSec, RPKI, DNSSec, IPSec, TLS/SSL, DTLS, WPA3
  3. (image only)
  4. Unsecure Microservice Architecture on Trusted Networks (diagram: services S1 to S5 calling each other inside one VPC)
  5. Secure Microservices Architecture on Zero Trust Network (diagram: the same services S1 to S5, with no trusted-network boundary around them)
  6. Reference topology (diagram): External User and Internal User, two Edge Servers, Reverse Proxy, Gateway, Service, Servers, Datastore and Cluster, split between an External Network and an Internal Network. The two user-facing links are labelled TLS; every link between internal components is labelled MTLS.
  7. PKI Anatomy
  8. TLS/SSL Versions (the slide's timeline runs from 1994 to 2013)
     - SSL 1.0: never released
     - SSL 2.0: prohibited (RFC 6176)
     - SSL 3.0 (RFC 6101): insecure, deprecated by RFC 7568
     - TLS 1.0 (1999, RFC 2246): insecure
     - TLS 1.1 (RFC 4346): insecure
     - TLS 1.2 (RFC 5246): secure
     - TLS 1.3: Draft 22 when the deck was written, nicknamed "TLS 2.0" on the slide; published in 2018 as RFC 8446
  9. Standards: X.509 v1, X.509 v2, X.509 v3 (v3 adds extensions); the ASC X9 series X9.31, X9.45, X9.55, X9.57, X9.62, X9.79-4, X9.95, X9.98 (date ranges on the slide: 1988-1995, 1997-1999, 2001-2013). ASC X9 are US federal standards (US companies only) and cover the TSA (Time Stamp Authority) and Time Stamp Entity, and Protection Profiles for Certificate Issuing Systems. PKCS - Public Key Cryptography Standards.
  10. X.509 v3 Certificate: Public Key, Issuer Signature, Issuer Name/Organisation, Common Name/Organisation, Subject Alternative Names, Dates valid; X.509 v3 extensions (14); encoding ASN.1, DER/PEM; PKCS #1-15.
  11. Diffie-Hellman Key Exchange (Modular Arithmetic). Public parameters: base $g$ and modulus $n$ (the slide labels $g$ "Exponent" and $n$ "Modulo"; strictly $g$ is the base and the secrets $a$, $b$ are the exponents). Alice holds $a$ and publishes $A = g^a \bmod n$; Bob holds $b$ and publishes $B = g^b \bmod n$; $g, n, A$ go to Bob and $B$ comes back to Alice. Alice computes $\mathrm{Key} = B^a \bmod n$, Bob computes $\mathrm{Key} = A^b \bmod n$, and the two agree because $(g^a \bmod n)^b \bmod n = (g^b \bmod n)^a \bmod n = g^{ab} \bmod n$. (The slide writes the last two lines modulo $p$; it is the same modulus $n$.)
  12. DSA - Digital Signature Algorithm (designed by the NSA, proposed by NIST in 1991). Signing: hash the data with SHA256 and sign the digest with the private key. Verifying: hash the received data with SHA256, check the DSA signature with the public key, and compare (==). The slide reuses the DH labels a, g, n for the key pair.
  13. RSA Data Encryption (Session Key Exchange, 2-Way Auth): a data chunk encrypted with the recipient's public key can only be decrypted with the matching private key; with the roles reversed (sign with the private key, verify with the public key) the same pair gives two-way authentication. The slide again carries the DH labels a, g, n; an RSA key pair is (n, e) and the private exponent d. Note that static RSA session-key exchange is gone from TLS 1.3, which only negotiates ephemeral (EC)DH.
  14. Chain of trust: the Root CA private key self-signs the root cert and signs the CA Service's intermediate cert; the CA Service private key signs the leaf certs.
  15. Chain of trust (tree): one root cert, several intermediates (some issued by other intermediates), and leaves under the intermediates.
  16. MTLS Handshake (client <-> server; TLS 1.2 message names as on the slide): Client Hello -> Server Hello, Server Certificate, Client Cert Request, Server Done -> Client Certificate, Client Key Exchange, Certificate Verify -> Change Connection State and Finished from each side -> TLS Session. Certificate Verify appears on both sides of the slide: each side validates the certificate it received against its trust store, and the client's CertificateVerify message additionally proves it holds the private key for the certificate it sent.
  17. CSR - Certificate Signing Request: the Subject generates a key pair and sends a Certificate Signing Request containing its Public Key to the Certificate Authority, which signs it with the Certificate Authority Private Key and returns an X.509 Certificate.
  18. CRL - Certificate Revocation List: the Client sends a GET request for /crl to the CA Server and checks whether the certificate serial is on the CRL (the slide shows the list as a column of revocation entries).
  19. OCSP - Online Certificate Status Protocol: the Client sends a POST request to /ocsp on the OCSP Server; the response carries Response Status, Responder ID, Cert ID, Cert Status, the OCSP Signature and the responder Cert. Check whether the certificate status is Revoked.
  20. Provisioning
  21. Provisioning Services: Service A and Service B each send a CSR to the Certificate Authority and receive a CRT.
  22. Provisioning Devices (Trust on First Use): Certificate Authority and Registration Authority.
  23. Provisioning Devices: a Provisioner/Orchestrator on an Isolated Network carries the CSR to the Certificate Authority and the Cert back to the device.
  24. Bootstrapping
  25. MTLS Wrapper: stack IP / TCP / SSL / Application; MTLS (SSL Wrapper) in front of the application, with a Certs Supervisor managing its certificates.
  26. Keymaker Client Bootstrap (client <-> Signing CA Service):
     1. Retrieve and install the Root CA Certificate
     2. Retrieve and validate the Signing CA Certificate
     3. Retrieve the Signed Certificate
  27. Automatic Certificate Rotation (client <-> Signing CA Service):
     1. Submit a new CSR using the old key pair
     2. Retrieve the new Signed Certificate
     Submitting the new CSR with the old key pair rotates the certificate only; a compromised key stays usable until the key pair itself is replaced.
  28. Short Term Certificates (STC) - 90 days: Certificate 1 at Tn, Certificate 2 at Tn+1, Certificate 3 at Tn+2, ...; each rotation issues the next certificate before the previous one expires.
  29. MTLS (Service -> MTLS wrapper -> MTLS wrapper -> Service):
     1. Set TLS/SSL with Client Certificate Verification on your Application/Service
     2. Validate the Client Certificate against the CA Cert
     3. TLS Session
  30. PKI Architecture
  31. Internal PKI: Offline CA (Root CA on an HSM device), Signing CA Service, OCSP Service, RA Service, serving services and devices.
  32. Attack vectors (same components as slide 31: Offline CA / Root CA on an HSM device, Signing CA Service, OCSP Service, RA Service, services, devices).
  33. PKI Monitoring: Monitoring attached to the Signing CA Service, the OCSP Service and the RA Service; the Offline CA / Root CA on the HSM device stays outside the monitored online path.
  34. THANK YOU
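The Diffie-Hellman arithmetic of slide 11, carried through in code. This is an added example written for this page, not the deck's own material: it runs the exchange with textbook-sized numbers (g = 5, n = 23, a = 6, b = 15) so every value can be checked by hand, and then with random secrets modulo the 255-bit prime 2^255 - 19, an assumption chosen only for size; real TLS uses the RFC 7919 finite-field groups or ECDHE.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// DHParty is one side of the exchange: a secret exponent and the public value derived from it.
type DHParty struct {
	secret, public *big.Int
}

// NewDHParty picks a random secret in [2, n-2] and computes g^secret mod n.
func NewDHParty(g, n *big.Int) *DHParty {
	upper := new(big.Int).Sub(n, big.NewInt(3))
	s, err := rand.Int(rand.Reader, upper) // uniform in [0, n-4]
	if err != nil {
		panic(err)
	}
	s.Add(s, big.NewInt(2)) // shift into [2, n-2]
	return &DHParty{secret: s, public: new(big.Int).Exp(g, s, n)}
}

// Public is the value sent over the wire (A for Alice, B for Bob on the slide).
func (p *DHParty) Public() *big.Int { return p.public }

// SharedKey raises the peer's public value to this side's secret: Key = B^a mod n (or A^b mod n).
func (p *DHParty) SharedKey(peerPublic, n *big.Int) *big.Int {
	return new(big.Int).Exp(peerPublic, p.secret, n)
}

// Exchange runs the slide's protocol with fixed secrets a and b and returns
// A, B and the key each side derives, so the equality can be checked by hand.
func Exchange(g, n, a, b *big.Int) (A, B, keyAlice, keyBob *big.Int) {
	alice := &DHParty{secret: a, public: new(big.Int).Exp(g, a, n)}
	bob := &DHParty{secret: b, public: new(big.Int).Exp(g, b, n)}
	return alice.Public(), bob.Public(), alice.SharedKey(bob.Public(), n), bob.SharedKey(alice.Public(), n)
}

func main() {
	// Textbook parameters (assumed for illustration): g = 5, n = 23, a = 6, b = 15.
	A, B, ka, kb := Exchange(big.NewInt(5), big.NewInt(23), big.NewInt(6), big.NewInt(15))
	fmt.Println(A, B, ka, kb) // 8 19 2 2

	// A realistically sized modulus (2^255 - 19, prime) with random secrets.
	n := new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 255), big.NewInt(19))
	g := big.NewInt(2)
	alice, bob := NewDHParty(g, n), NewDHParty(g, n)
	fmt.Println(alice.SharedKey(bob.Public(), n).Cmp(bob.SharedKey(alice.Public(), n)) == 0) // true
}
```

Only A and B cross the wire; an observer who sees g, n, A and B still needs a or b to reach g^ab mod n, which is the discrete-logarithm problem the exchange rests on.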
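The pieces of slides 14-17 (chain of trust, CSR), 21 (provisioning services), 26-28 (bootstrap, short-term certificates) and 29 (the MTLS wrapper with client certificate verification on) put together end to end, as an added example written for this page with the Go standard library; it is not the deck's or the speaker's code. Everything named here is an assumption: the Mesh type, the "Example Root CA" and "Example Signing CA" names, the service names service-a and service-b, the 90-day STC lifetime, and the loopback TCP port the handshake runs over.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Mesh is the hypothetical private PKI of this example: an offline root, one signing CA
// (intermediate), and short-term leaf certificates issued from CSRs.
type Mesh struct {
	Roots      *x509.CertPool    // the only trust anchor a service holds
	Signing    *x509.Certificate // intermediate; travels with every leaf
	signingKey *ecdsa.PrivateKey
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// issue signs tmpl with parentKey; pass tmpl as its own parent to self-sign a root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	check(err)
	tmpl.SerialNumber, tmpl.NotBefore = serial, time.Now().Add(-time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// NewMesh builds the chain of trust: self-signed root -> signing CA.
func NewMesh() *Mesh {
	rootKey, signingKey := newKey(), newKey()
	ca := x509.Certificate{IsCA: true, BasicConstraintsValid: true, NotAfter: time.Now().AddDate(10, 0, 0),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	rootTmpl, signTmpl := ca, ca
	rootTmpl.Subject, signTmpl.Subject = pkix.Name{CommonName: "Example Root CA"}, pkix.Name{CommonName: "Example Signing CA"}
	root := issue(&rootTmpl, &rootTmpl, &rootKey.PublicKey, rootKey)
	signing := issue(&signTmpl, root, &signingKey.PublicKey, rootKey) // signed with the root's key
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return &Mesh{Roots: roots, Signing: signing, signingKey: signingKey} // rootKey is dropped here: the root stays offline
}

// Provision is the CSR flow: the service keeps its private key, the signing CA checks the CSR
// signature (proof of possession) and issues a leaf valid until notAfter. The chain handed
// back is leaf + signing CA; the root itself is never sent.
func (m *Mesh) Provision(name string, notAfter time.Time) tls.Certificate {
	key := newKey()
	csrDER, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: name}, DNSNames: []string{name}}, key)
	check(err)
	csr, err := x509.ParseCertificateRequest(csrDER) // what the CA receives over the wire
	check(err)
	check(csr.CheckSignature())
	leaf := issue(&x509.Certificate{Subject: csr.Subject, DNSNames: csr.DNSNames, NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}, m.Signing, csr.PublicKey.(*ecdsa.PublicKey), m.signingKey)
	return tls.Certificate{Certificate: [][]byte{leaf.Raw, m.Signing.Raw}, PrivateKey: key, Leaf: leaf}
}

// Handshake runs one mutual-TLS handshake over loopback TCP and returns the client identity the
// server accepted, or the server's reason for rejecting it.
func (m *Mesh) Handshake(server, client tls.Certificate) (string, error) {
	serverCfg := &tls.Config{Certificates: []tls.Certificate{server}, MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: m.Roots} // client cert verification on, anchored at the root
	clientCfg := &tls.Config{Certificates: []tls.Certificate{client}, RootCAs: m.Roots, ServerName: server.Leaf.DNSNames[0]}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	var peer string
	done := make(chan error, 1)
	go func() { // server side: the MTLS wrapper in front of the service
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			conn := tls.Server(raw, serverCfg)
			if err = conn.Handshake(); err == nil {
				peer = conn.ConnectionState().PeerCertificates[0].Subject.CommonName
			}
		}
		done <- err
	}()
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	err = <-done // under TLS 1.3 the client's handshake completes before the server has judged its certificate
	return peer, err
}

func main() {
	m, in90Days := NewMesh(), time.Now().AddDate(0, 0, 90) // the slides' 90-day STC
	a, b := m.Provision("service-a", in90Days), m.Provision("service-b", in90Days)
	fmt.Println(m.Handshake(a, b))                                                      // service-b <nil>
	fmt.Println(m.Handshake(a, m.Provision("service-b", time.Now().Add(-time.Minute)))) // expired STC: rejected
}
```

Two details matter in practice. The server holds only the root, so a service whose chain omits the signing CA, or whose certificate comes from another PKI, fails verification even though the leaf is well formed. And because TLS 1.3 lets the client finish its handshake before the server has checked the client certificate, a rejected caller does not see the failure until its first read; the verdict here is therefore read from the server side rather than from the client's Dial.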
