Protecting Keys/Secrets in Network Automation Solutions. Dhananjay Pavgi, Tech Mahindra Ltd Srinivasa Addepalli, Intel

Similar documents
ONAP Security using trusted solutions. Intel & Tech Mahindra

Service Mesh and Related Microservice Technologies in ONAP

Adding value to your MS customers

TPM v.s. Embedded Board. James Y

Qualys Cloud Platform (VM, PC) v8.x Release Notes

Intel Software Guard Extensions

Software Vulnerability Assessment & Secure Storage

Unicorn: Two- Factor Attestation for Data Security

Securing ArcGIS Services

Tableau Server Security in Depth

CIS 4360 Secure Computer Systems SGX

Unbound and Oasis KMIP Interoperability

PKI Credentialing Handbook

Creating the Complete Trusted Computing Ecosystem:

Demonstration Lecture: Cyber Security (MIT Department) Trusted cloud hardware and advanced cryptographic solutions. Andrei Costin

Trusted Platform Module explained

Dyadic Security Enterprise Key Management

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

Security Fundamentals

Dyadic Enterprise. Unbound Key Control For Azure Marketplace. The Secure-As-Hardware Software With a Mathematical Proof

RISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas

Delivering High-mix, High-volume Secure Manufacturing in the Distribution Channel

Sicherheitsaspekte für Flashing Over The Air in Fahrzeugen. Axel Freiwald 1/2017

Trusted Computing Group

TransKrypt Security Server

Thales e-security. Security Solutions. PosAm, 06th of May 2015 Robert Rüttgen

Terra: A Virtual Machine-Based Platform for Trusted Computing by Garfinkel et al. (Some slides taken from Jason Franklin s 712 lecture, Fall 2006)

U.S. E-Authentication Interoperability Lab Engineer

Securing Cloud Computing

Who s Protecting Your Keys? August 2018


PrecisionAccess Trusted Access Control

Stop sweating the password and learn to love public key cryptography. Chris Streeks Solutions Engineer, Yubico

Securing ArcGIS Server Services An Introduction

Atmel Trusted Platform Module June, 2014

BUILDING SECURE (CLOUD) APPLICATIONS USING INTEL S SGX

ARM European Technical Symposium The security challenges that IoT and Mobile Computing Devices are facing. Pierre Garnier, COO

On Demand Cryptographic Resources for Your Virtual Data Center and the Cloud: Introducing SafeNet s Crypto Hypervisor

SSH Product Overview

Advanced Systems Security: Cloud Computing Security

CyberArk Privileged Threat Analytics

Evolution Of Cyber Threats & Defense Approaches

Connecting Securely to the Cloud

SafeNet HSM solutions for secure virtual amd physical environments. Marko Bobinac SafeNet PreSales Engineer

How WebSafe Can Protect Customers from Web-Based Attacks. Mark DiMinico Sr. Mgr., Systems Engineering Security

Boot Attestation Service 3.0.0

Massively Parallel Hardware Security Platform

How-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Are You Sure Your AWS Cloud Is Secure? Alan Williamson Solution Architect at TriNimbus

Windows IoT Security. Jackie Chang Sr. Program Manager

Pass, No Record: An Android Password Manager

Security and Privacy in Cloud Computing

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

C1: Define Security Requirements

Systems View -- Current. Trustworthy Computing. TC Advantages. Systems View -- Target. Bootstrapping a typical PC. Boot Guarantees

GSE/Belux Enterprise Systems Security Meeting

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Getting Into Mobile Without Getting Into Trouble

Old, New, Borrowed, Blue: A Perspective on the Evolution of Mobile Platform Security Architectures

ONAP Micro-service Design Improvement. Manoj Nair, NetCracker Technologies

Auto-Scaling Capability Support in ONAP

AUTHENTICATION. Do You Know Who You're Dealing With? How Authentication Affects Prevention, Detection, and Response

Applications of Attestation:

Why AWS CloudHSM Can Revolutionize AWS

Security Policy Document Version 3.3. Tropos Networks

Simple Security for Startups. Mark Bate, AWS Solutions Architect

PHYSICAL NETWORK FUNCTION (PNF)

Top Nine Kubernetes Settings You Should Check Right Now to Maximize Security

Facebook API Breach. Jake Williams Rendition Infosec

Laura Arribas Vodafone WAC 6th ETSI Security Workshop January ETSI, Sophia Antipolis, France

CSWAE Certified Secure Web Application Engineer

How-to Guide: Tenable.io for Microsoft Azure. Last Updated: November 16, 2018

Venafi Server Agent Agent Overview

New Approaches to Connected Device Security

DevOps CICD for VNF a NetOps Approach

TRESCCA Trustworthy Embedded Systems for Secure Cloud Computing

Service Orchestration- Need for Users

Cisco Desktop Collaboration Experience DX650 Security Overview

AKAMAI WHITE PAPER. Security and Mutual SSL Identity Authentication for IoT. Author: Sonia Burney Solutions Architect, Akamai Technologies

NFV SEC TUTORIAL. Igor Faynberg, CableLabs Chairman, NFV Security WG

M2M / IoT Security. Eurotech`s Everyware IoT Security Elements Overview. Robert Andres

Introduction to SGX (Software Guard Extensions) and SGX Virtualization. Kai Huang, Jun Nakajima (Speaker) July 12, 2017

Murray Goldschmidt. Chief Operating Officer Sense of Security Pty Ltd. Micro Services, Containers and Serverless PaaS Web Apps? How safe are you?

Microsoft UEFI Certification Authority

Container-Native Applications

Building Trust in the Internet of Things

Service Mesh and Microservices Networking

Yubico with Centrify for Mac - Deployment Guide

Intel s s Security Vision for Xen

IoT It s All About Security

CIS Controls Measures and Metrics for Version 7

Whose Cloud Is It Anyway? Exploring Data Security, Ownership and Control

Securing Microservice Interactions in Openstack and Kubernetes

Enhance your Cloud Security with AMD EPYC Hardware Memory Encryption

Topics. Ensuring Security on Mobile Devices

Zumobi Brand Integration(Zbi) Platform Architecture Whitepaper Table of Contents

Technical Brief Distributed Trusted Computing

Exposing The Misuse of The Foundation of Online Security

Transcription:

Protecting Keys/Secrets in Network Automation Solutions Dhananjay Pavgi, Tech Mahindra Ltd Srinivasa Addepalli, Intel

Agenda Introduction Private Key Security Secret Management Tamper Detection Summary

Protecting Credentials : Private Keys, Security Certificates aren t enough (Trojans via Vulnerabilities and Phishing, Malicious VMM administrators) Heart bleed attack Vulnerability in OpenSSL, that expose private keys. How widespread is this? The most notable software using OpenSSL are the open source web servers like Apache and nginx. The combined market share of just those two out of the active sites on the Internet was over 66% https://www.symantec.com/connect/blogs/how-attackerssteal-private-keys-digital-certificates https://blog.netspi.com/stealing-unencrypted-ssh-agentkeys-from-memory/ - tools to extract keys from memory. https://wiki.xenproject.org/wiki/virtual_machin e_introspection - Libvmi that enable VMM Software to look into the VM memory Can be used to extract VM secrets. Implications : Financial loss and brand loss from web site spoofing, account misuse, money withdrawals and huge fines.

Attack Surfaces & Threats In case of Network Automation projects ONAP SDC SO OOF SDNC APPC MSB DCAE MC VFC POLICY DB Untrusted Network MUSIC AAF CA Major threats - Credential (Private keys & Passwords) Stealing - Files & DB - Memory - Images with default passwords - Captured traffic - Tampering - OS/VMM - Container/VM image - Data Stealing - From files, Databases, Disks VIM Edge Cloud Edge Cloud Edge Cloud VIM VIM VNFs VNFs VNFs NFVI NFVI NFVI Edge deployments increase attack surface significantly Micro Service architectures Key at every container. Edge Clouds Keys at every NFVI, VNF, VIM

Adversaries Different type of adversaries Unprivileged Software Adversary System Software Adversary Network Adversary Software Side-Channel Adversary Hardware Adversary Comments Adversary who has user space privileges Adversary who gets root privileges Adversary who exploits vulnerabilities in software Adversary who can get hold of information due to shared resources. Adversary who is hardware expert and gets access to hardware

Observations Observations Many services still use password based authentication Various database servers, Publish/Subscribe brokers, Log Service, VIM and many more Passwords are stored in files in many services. Passwords and Certificate private keys are sent to services via environment variables or files (mostly in clear) There are no checks on whether the server is tampered, before sending sensitive information Security project intention is to make it hard for adversaries to get hold of credentials (keys & Passwords), secrets and blacklist compute nodes if tampered.

Digging Deeper : Private keys Security - Need VM S Container Hypervisor/CRI 05 65 73 95 % $@ ^ & VM/Container 05 65 73 95 Hypervisor VM Container Hypervisor/CRI VM/Container Key handle Hypervisor Concern : Snapshot cloud & memory swap features puts the keys in storage in clear Key exposure to cloud provider administrators, attackers Need: Keys shall not be in clear in storage memory. Concern : Keys are in clear in application memory. Exploits to application can result into Keys being stolen by attackers. 65% of vulnerabilities can be used to gather information, including keys. Examples: Heartbleed attack 17% of all servers in 2014 are vulnerable -> It provides that majority of servers store the keys in clear. Need: Keys shall not be in clear in application memory.

Private Key Security Challenges in Micro Services world Micro Service Architecture External Services Internal Services (Due to decomposition) Many Micro Services and Scale-out Each Service requires Certificate & private key (for Mutual TLS) Usage of Internal CA (Less expensive, On-demand) Polyglot - Micro Services implemented in different languages in a project Every language has their own Crypto library Service Mesh technologies (eg. ISTIO) does not reduce attack surface Side car As many side cars as number of services Service meshes have their own CA. Cloud world use technologies PKCS11 based Network HSMs (e.g CloudHSM) to protect keys and perform security cryptography. Keys are never in clear in memory or storage.

Good news - Many Crypto libraries support PKCS11 for Private Key Security C/C++ APP Go APP Java APP Python OpenSSL GoCrypto Java Crypto PyOpenSSL libp11 Crypto11 Sun PKCS11 Libp11 PKCS11 Interface HSM HSM HSM HSM ONAP and other open source projects are polyglot. PKCS11 seems to be the right interface We selected PKCS11 to protect keys.

ONAP Security Project Architecture blocks for CA Service Language specific Crypto SoftHSMv2 External HSM SGX Plugin ONAP Java CA / ISTIO CA PKCS11 Enablement TPM Plugin CA Private key Security is very important. Should be able to use External HSM. Current plan: - Upgrade ONAP Java CA with PKCS11 - Integrate SoftHSM - Upgrade SoftHSM to take advantage of HW security (start with TPM plugin and use SGX later) - Future: Update ISTIO CA with PKCS11. TPM, SGX and TZ all have following properties: - Ability to upload private key securely or generate keys securely. - Never exposes private keys out of HW boundary. - Perform RSA/ECDSA/DSA private key operations (Sign) and Decrypt in case of RSA

ONAP Security Project Architecture blocks for Micro Services Service Existing ONAP Service logic Language specific Crypto SoftHSMv2 SGX Plugin PKCS11 Enablement TPM Plugin SW store Service pod Existing ONAP Service container Side car Proxy (e.g envoy) PKCS11 Enablement Openssl SoftHSM SGX/TPM Each Service requires secure storage & secure crypto execution on private keys Some highlights: PKCS11 enablement - Ensures that each service uses PKCS11 key label instead of private key Usage of local HW facilities (such as TPM and SGX). Usage of SoftHSMv2 as HSM with hardware support

Secret Management Service - Need ONAP SDC SO OOF SDNC APPC MSB MUSIC AAF CA Need Avoid passwors sprawl in files. DCAE MC VFC POLICY DB Avoid passing passwords via environment variables to services VIM Untrusted Network Edge Cloud Edge Cloud Edge Cloud VIM VIM VNFs VNFs VNFs NFVI NFVI NFVI Avoid clear passwords in storage. Should support not only secret protection not only at Micro Services, but also at remote edges (VIM, VNFs, NFVI) Not only containers, but VMs, bare-metal SW etc

Secret Server In ONAP 3 1 Secret Management Service 5 2 Auth Service (AAF) Create secrets at central place. Secure secrets using HW Security Get Secrets on demand basis. Zeroization secret upon usage by Service. 1 S1 S1 Service 4 6 Creating Secret Domain 1. Admin user creates authentication session by passing username/password OR grant token given by Auth Service. 2. SMS validates the Admin user credentials using Auth Service 3. Admin user instructs SMS to create secret domain (Policies, CA-Cert, Set of Subject name prefix to allow vs permissions) Service instance bring up (Assumes that service already got the certificate provisioned) 4. Service makes Secret service request via TLS. (Create Secret/Read Secret) 5. SMS validates the certificate credentials, if valid and if policy allows it, perform the operation. Also, create and return SMS-token for future operations. 6. SMS returns the results Service uses secrets for service specific processing

Secret Service: Architecture Blocks Service Secret Client agent Sercret Service Secret Management Service Vault Plugin HashiCorp Vault TPM/SGX plugin ONAP R2 will have Secret Management functionality. Being done in generic fashion (can be adopted by other projects) Master key is protected using HW security (TPM to start with and SGX in future). Future: Keep the secret secure at the service level (Caching the keys) for performance reasons)

Tamper Detection Need VIM ONAP SDC SO OOF SDNC APPC MSB DCAE MC VFC POLICY DB MUSIC AAF CA Edge Cloud Edge Cloud Edge Cloud VNFs NFVI Untrusted Network VIM VNFs NFVI DB of trusted nodes VIM VNFs NFVI Need Software tampering can result in stealing data and monitoring sensitive data. Discovering of any tampering (Tampering proof itself should not tampered) Tampering detection BIOS, OS/VMM, User space libraries/services Secure VNF images at edges (IP protection as well as for tampering) Bring up VNFs on trusted compute nodes

Tamper Detection Marinating DB of trusted/untrusted Servers Server Measurement agent Linux IMA Measure VNF images Measure User space Libs/executables Measure OS/VMM Measure BIOS TPM PCRs Integrity Service Measurement Service Verification Service Trust DB Service Query Service Privacy CA Status: We feel that there is a need for this in ONAP and planning to propose it as a project. Integrity Service : Gets the measurements and verifies using white listed values to check for any tampering. Maintains the DB of trusted and untrusted servers. Provides query services for others to get information on trust of servers. Server agents: Measures the SW component integrity at boot up. Measures any new installed software Usage of TPM: measured values are stored in TPM

Summary (What we have learned so far) Micro Service architecture increases attack surface. Edge-Clouds can be attack mounting points. New HW Servers have built-in HW security (TCG TPM, SGX etc..) Combining learnings from Cloud addressing new attack surfaces and leveraging HW technologies - Private key security using HSMs with security rooted in HW. - Secret protection rooted in HW. - Tamper detection using TCG TPM. Please join us and contribute.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback