Encrypting Imposter Syndrome

This blog will serve as a note-taking medium for my cramming/learning/studying for an encryption role. I’ll be using TryHackMe’s Public Key Infrastructure room (link). GL HF!

  • Cryptographic keys are the foundation of encrypting sensitive data, authenticating users and devices, and ensuring the integrity of communication channels.

  • Integrating key management processes early in DevOps leads to a more secure and efficient pipeline

  • Key management is not just a security measure but a compliance mandate for PCI DSS, GDPR, and/or HIPAA

  • The Key Management Lifecycle (KML) comprises several stages that help manage crypto keys effectively

  • KML is a.k.a. cryptoperiod


Key Life Cycle

  1. Key Generation

    • Creating secure and compliant keys means guaranteeing their strength and their randomness

  2. Key Distribution

    • This stage involves securely transmitting keys, ensuring they are not intercepted or compromised, to the intended users and systems

  3. Key Storage

    • Secure storage employs encrypted databases or specialized hardware security modules (HSMs)

    • Effective storage also includes access controls and audit logs to ensure only authorized entities can access the keys

  4. Key Usage

    • This phase monitors and controls how, when, and by whom keys are used

    • Prevents unauthorized usage

  5. Key Backup & Recovery

    • Creating secure copies of crypto keys to avoid losing access to keys in case of deletion or corruption

  6. Key Rotation

    • Replaces old keys with new ones at regular intervals or in response to specific events

  7. Key Revocation

    • Process of invalidating a key before its scheduled expiration

    • Necessary when keys are compromised, the user is no longer authorized, or the key is suspected to be exposed to unauthorized access

  8. Key Destruction

    • When a key is no longer needed or its lifecycle has ended, it is destroyed to ensure it cannot be recovered or used

    • Destruction means safely deleting the key at the expiration/end of its assigned cryptoperiod

    • Sometimes archiving is necessary over destruction

    • Purge periods are set so that when you delete a key you can still retrieve it for x days before it is fully deleted
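The eight stages above as a small state machine, written for this post as an added example (not the room's or any vendor's code): generation from the OS CSPRNG, a status check before use, rotation, revocation before scheduled expiry, and destruction with an assumed 7-day purge window during which the key can still be recovered. The cryptoperiod default of 90 days is also an assumption.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

class State(Enum):
    ACTIVE = "active"          # may be used
    EXPIRED = "expired"        # cryptoperiod has ended
    REVOKED = "revoked"        # invalidated before its scheduled expiry
    PENDING_PURGE = "pending"  # deleted but recoverable during the purge period
    DESTROYED = "destroyed"    # purged; material is gone for good

@dataclass
class ManagedKey:
    key_id: str
    material: bytes
    created: datetime
    cryptoperiod: timedelta    # how long the key is authorised for use
    state: State = State.ACTIVE
    prior: State = State.ACTIVE  # restored if the key is recovered before purge
    purge_at: "datetime | None" = None

class KeyStore:
    PURGE_PERIOD = timedelta(days=7)  # assumed soft-delete window (the "x days" above)
    def __init__(self):
        self.keys = {}
    def generate(self, key_id, now, cryptoperiod=timedelta(days=90), bits=256):
        # secrets.token_bytes draws from the OS CSPRNG; random.random is not a key source
        self.keys[key_id] = ManagedKey(key_id, secrets.token_bytes(bits // 8), now, cryptoperiod)
        return self.keys[key_id]
    def status(self, key_id, now):
        # Check before every use: expiry and the final purge are applied lazily on the clock
        k = self.keys[key_id]
        if k.state is State.ACTIVE and now >= k.created + k.cryptoperiod:
            k.state = State.EXPIRED
        if k.state is State.PENDING_PURGE and now >= k.purge_at:
            k.material, k.state = b"", State.DESTROYED
        return k.state
    def rotate(self, key_id, now):  # fresh material of the same strength, new cryptoperiod
        old = self.keys[key_id]
        return self.generate(key_id, now, old.cryptoperiod, len(old.material) * 8)
    def revoke(self, key_id):  # e.g. suspected compromise or user no longer authorised
        self.keys[key_id].state = State.REVOKED
    def destroy(self, key_id, now):  # soft delete: recoverable until purge_at
        k = self.keys[key_id]
        k.prior, k.state, k.purge_at = k.state, State.PENDING_PURGE, now + self.PURGE_PERIOD
    def recover(self, key_id, now):
        k = self.keys[key_id]
        if self.status(key_id, now) is not State.PENDING_PURGE:
            raise PermissionError("recovery window closed")
        k.state, k.purge_at = k.prior, None
```

Callers only hand out `material` when `status()` returns `ACTIVE`; a revoked key that is recovered from the purge window comes back revoked, not active.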


Best Practices

  1. For key generation…

    • Use strong Random Number Generators (RNGs) in Key Generation

    • Use industry standards for generation algorithms and key lengths

      • Check NIST for key algorithms

    • Ensure key generation environment is secure

      • Use HSMs to provide tamper-proof environments for generation, storage and management

    • Validate all parameters of key generation

      • Verify the randomness source, algorithm configurations, and key length are appropriate for the intended use

    • Option 1: Bastion Host in the Cloud

      • Isolated jump servers that have no internet access

      • Only accessible through SSH keys and MFA

      • Security hardened box

    • Option 2: Generate Directly in Secure Storage Solutions

      • Directly generated in the vault

      • Azure Key Vault and HashiCorp Vault comply with security standards and regulations already

      • Built with KML in mind to have key rotation, revocation, or destruction features available

  2. For key distribution…

    • Use secure protocols

      • Protocols like TLS (Transport Layer Security) and mTLS (mutual TLS) can secure the transmission of keys over networks

    • Employ PKI

      • Public Key Infrastructure

      • Utilizing public and private keys to distribute keys

    • Use trusted delivery methods

      • Encrypted emails, encrypted file exchanges, SFTP

    • Implement trust but verify

      • Before transmitting, verify the identity of the receiving party

    • Provide secure storage solutions

      • Educate and equip the recipients with the tools and knowledge to store keys

    • Option 1: symmetric key distributions

    • Option 2: asymmetric key distributions

    • Option 3: key distribution centers

      • secure and centralized system that distributes keys to communicating parties

    • Option 4: pre-shared keys

      • used in scenarios where a restricted number of parties require secure communications

  3. For key storage…

    • HSMs are physical devices that are designed to generate, store, and manage cryptographic keys securely

      • Offer tamper-resistant hardware that securely handles key generation, encryption, decryption, and signing operations

    • Cloud-based key management services

      • AWS KMS, Azure Key Vault, Google Cloud KMS

        • Scalable, high availability, and built-in compliance

    • RBAC (role-based access control) restricts access to cryptographic keys by segregating responsibility with roles for individual users

      • Ensures users are granted only the permissions to access keys that their operational requirements need

    • ABAC (attribute-based access control) groups permissions based on user attributes

    • Use MFA for those with access

    • Ensure logging is enabled

  4. Key rotation and revocation strategies

    • Rotation policies

      • Define cryptoperiods - shorter for frequently used keys or highly sensitive keys

      • Automate rotation using tools like Azure Key Vault or HashiCorp Vault

      • Set up alerts for events that will warrant rotation

    • Revocation policies

      • Use CRLs (Certificate Revocation Lists) or OCSP (Online Certificate Status Protocol) - allows entities to verify whether a certificate associated with a key is still valid

      • For non-PKI systems, have mechanisms in place to check the status of keys before use

      • Notify stakeholders when rotations or revocations occur

      • Update/verify access controls of the new key
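The "validate all parameters of key generation" practice from item 1 above, worked through as an added example (my own code, not TryHackMe's): an assumed policy table of approved algorithms and key lengths modelled on NIST SP 800-57 symmetric sizes, an allowlist of randomness sources that read the OS CSPRNG, and an RNG health check using the NIST SP 800-90B repetition count test before any key is issued.

```python
import math
import os
import secrets

# Assumed policy table (modelled on NIST SP 800-57 symmetric sizes): algorithm -> approved key bits
APPROVED_KEY_BITS = {
    "AES": {128, 192, 256},
    "ChaCha20": {256},
    "HMAC-SHA256": {256},
}
# Only sources that read the OS CSPRNG are accepted (secrets wraps os.urandom)
APPROVED_RNGS = (secrets.token_bytes, os.urandom)

class KeyGenerationError(ValueError):
    pass

def repetition_count_cutoff(min_entropy_per_byte=8.0, alpha=2 ** -20):
    # NIST SP 800-90B repetition count test: C = 1 + ceil(-log2(alpha) / H)
    return 1 + math.ceil(-math.log2(alpha) / min_entropy_per_byte)

def passes_repetition_count_test(data, cutoff):
    # Fail if any byte value repeats `cutoff` or more times in a row (a stuck RNG symptom)
    run = 1
    for prev, cur in zip(data, data[1:]):
        run = run + 1 if cur == prev else 1
        if run >= cutoff:
            return False
    return True

def validate_parameters(algorithm, bits, rng):
    if algorithm not in APPROVED_KEY_BITS:
        raise KeyGenerationError(f"{algorithm!r} is not an approved algorithm")
    if bits not in APPROVED_KEY_BITS[algorithm]:
        raise KeyGenerationError(f"{bits}-bit keys are not approved for {algorithm}")
    if rng not in APPROVED_RNGS:
        raise KeyGenerationError("randomness source is not the OS CSPRNG")

def generate_key(algorithm, bits, rng=secrets.token_bytes):
    validate_parameters(algorithm, bits, rng)
    key = rng(bits // 8)
    if not passes_repetition_count_test(key, repetition_count_cutoff()):
        raise KeyGenerationError("RNG health check failed; refusing to issue key")
    return key
```

With 8 bits of min-entropy per byte and alpha = 2^-20 the cutoff is 4, so a key is refused only if four identical bytes appear consecutively, which a healthy CSPRNG produces with probability around 2^-20 per key.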


PKI Basics

  1. Public Key Infrastructure

    • Builds trust between users and websites

  2. Public Key Cryptography

    • AKA asymmetric crypto

      • Uses 2 keys: a public key and a private key

        • Public key is shared openly with users

        • Private key is kept secured by its owner

        • Anything encrypted with the public key can only be decrypted by the private key

  3. Certificate Components

    • Think of it as an ID card that confirms a person, device or website’s identity

    • A certificate confirms that a specific key belongs to its owner

    • CN (Common Name)

      • name of the entity the certificate is issued to

    • O (Organization)

      • name of the org the cert is issued to, which may or may not be the website owner

    • Validity Period

      • AKA cryptoperiod

      • shows how long the cert is valid for

    • SHA-256 Fingerprints

      • unique identifier for the cert

      • public key fingerprint represents the unique ID for the public key in the cert


Best Practices for PKI Security

It is common for certificates to expire after 1-2 years and to rotate every 60-90 days.


Sectigo

Sectigo is a root CA

I’ve purchased certificates from Sectigo for a client to build an API.

I’ve revoked certificates from Sectigo during security incidents for clients.

