Security Certs, HSMs, RSA
Certificate management(Industrywide problem managing certs):
- Managed certs inventory with spreadsheets, tools like Venafi, OpenSSL, CertBot, MS AD CS, AWS ACM, Keycloak IAM, Sectigo
- cert generation, expiration, renewal, revocation, distribution (need to manage certs lifecycle as finite state machine(FSM)
- used for encryption, digital signature, authentication(including mutual auth)
- Cert lifecycle:
- cert trust map/diagram:?CA Root, intermediate, endpoint(infra[system,LB], app)
- X.509 digital certs signing, assymmetric PKI, TLS/SSL?
- Some credit/debit cards also use non-X.509 format certs, vendor specific, Apple has certs under proprietary NDA, global payments certs under binary format, EMVco certs also use binary format.
Hands on Experience on HSM is?
- Utimaco HSMs in Kohls DC https://www.utimaco.com
?= compromised keys, fallen out of PCI compliance?
?= ID and eliminate SPoFs
?= payment app config table file with HSMs, pay partners
?= 3am daily update KEK with payment partners, registers and stores
?= legacy HSM format Variant, now AKB (Atalla Key Block/Bundle)
?= access HSM using SCA
?= key store for symmetric keys using AES, 3DES to encrypt/decrypt data
?= MFK(Variant legacy format, current Atalla Key Block), BDK, AEK(AES master key), KEK(Key Encryption/Exchange Keys)
?= KEK keystore for keys at rest
?= KWK key wrapping keys for encrypt/decrypt keys in flight or rest
?= key store for asymmetric keys RSA, ECC for secure communication, digital signature, key exchange
?= Hashing key store for SHA, MD5 for data integrity and passwords storage
?= Cert private key store, X.509 PKI certs used in digital signing or decrypt encrypted data
?= tamper indication, be gentle with your HSMs
?= key ceremony to create and install new uncompromised keys
?= SCA for key ceremony, firmware upgrades, legacy Variant format, new?
?= no monitoring agents, health monitoring thru SNMP, SyslogNG==>splunk
??
- Thales HSMs and Utimaco HSMs in certain DC
?= access HSM using special interface device
?= key store for symmetric encryption keys using AES, 3DES to encrypt/decrypt data
?= MFK, BDK, AEK, KEK(Key Encryption/Exchange Keys)
?= KEK keystore for keys at rest
?= KWK key wrapping keys for encrypt/decrypt keys in flight or rest
?= key store for asymmetric keys RSA, ECC for secure communication, digital signature, key exchange
?= Hashing key store for SHA, MD5 for data integrity and passwords storage
?= Cert private key store, X.509 PKI certs used in digital signing or decrypt encrypted data?
?= tamper indication
?= key ceremony to create and install new uncompromised keys
?= no monitoring agents, health monitoring thru SNMP
Good knowledge on RSA encryption methodologies .?
- RSA uses asymmetric encryption methods, public(encrypt) and private(decrypt) keys
- RSA-PSS for digital signatures
- RSA-KEM for key exchange
- RSAES-OAEP key padding
- RSA-DEM/AES