We’re ready. Are you?
February 15 - 19, 2016 • Berlin, Germany
Targeted Threat (APT) Defense for Applications
Featuring pxGrid
David Jones, Computer Relations Specialist
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Why are we here?
5% of SysAdmin accounts or their laptops may be compromised at any moment
Top 10 varieties of threat actions over time. Source: 2014 Verizon Data Breach Investigations Report
By the numbers. Source: Verizon 2015 DBIR
99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published. Source: Verizon 2015 DBIR
“The only comment I have is that it’s sad we live in this country and have to look outside of the united states for affordable medicine.”
Excerpt from: Krebs, Brian. “Spam Nation.” Sourcebooks, Inc., 2014.
From the recent news:
“Juniper said that someone managed to get into its systems and write "unauthorized code" that "could allow a knowledgeable attacker to gain administrative access."”
“LANDESK has found remnants of text files with lists of source code and build servers that the attackers compiled,” John said. “They know for a fact that the attackers have been slowly [archiving] data from the build and source code servers, uploading it to LANDESK’s web servers, and downloading it.”
Nation State Run Book
Infestation & Lateral Movement (data center)
1. User desktop infected; WCE or Mimikatz is started
2. Privileged user or Application logs in; WCE hijacks credentials
3. Rootkit remotely installed on server in datacenter
4. Super user performs task on datacenter server; malware hijacks credentials
5. Malware spreads throughout datacenter
Malware details
• Targeting out of date plugins (Flash, Word, Acrobat Reader, Java)
• Malware customized to avoid AV signatures
• The higher they get, the more unique the malware
Infestation - Remediation (data center)
1. Super user logs in with SmartCard and has scoped access to other hosts
2. Malware not propagated throughout data center
3. Prevent privileged user or Application from logging into desktop
4. Privileged user instead logs into administrator station
5. Malware is not spread to data center
6. Upgrade Applications and Operating System baseline and Train Users
7. Initial attack fails
Infestation Abuses Applied: Software Publishing Infrastructure
1. Engineer desktop infected. Access to source code and Build server available
2. SysAdmin targeted for access to systems and/or their Distribution Credentials
3. SysAdmin laptop infected
4. Either way Customers are infected
Diagram components: Software Developer, Code Repository, Build Cluster, Distribution (update.company.com), Manufacturing, Customers
Infestation Abuses Applied - Remediation: Software Publishing Infrastructure
1. Image signing deployed
2. Customer devices validate images
3. Distribution servers validate images and use their own multi factor instead of passwords
4. Engineer & SysAdmin use smartcard instead of password
5. Developer and SysAdmin endpoints secured
Diagram components: Software Developer, Code Repository, Build Cluster, Distribution (update.company.com), Manufacturing, Customers
Software Publishing remediation
• Need to remove the ability for developers to run a build from code that has not been checked into the repository
• Repository must log and report on differences between previous versions
• Reviewers must review those change logs for production releases
• Multi factor must be required to check code into the repository and also to run a build. Builds should require two people
• Builds must be cryptographically signed and timestamped with the build time
• Each stage of the distribution should validate the image signature
That way, the only way to inject a back door is for the developer to miss the change to their own code and for the reviewers of changes to also miss it.
That said, it would be easy to skip these steps after a while, or during a customer crisis that requires an emergency build. Hence the rule above: full GA production releases must be reviewed.
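The signing, two-person and validate-at-every-stage rules above, worked through in Go as an added example. This is not Cisco's code and not the deck's own sample code (which is Java and C); Go is used because its standard library carries Ed25519 and SHA-256. The manifest layout (image digest plus build time), the signer names and the placeholder image bytes are assumptions made for the example; Verify is the check a build cluster, distribution server or customer device would run before accepting an image.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Manifest is what gets signed: the image digest and the build time, so a
// signature binds one exact image to one build and cannot be replayed.
type Manifest struct {
	ImageSHA256 [32]byte
	BuildTime   time.Time
}

func (m Manifest) encode() []byte {
	var b [40]byte
	copy(b[:32], m.ImageSHA256[:])
	binary.BigEndian.PutUint64(b[32:], uint64(m.BuildTime.Unix()))
	return b[:]
}

// Signature is one release engineer's (or build host's) endorsement of a manifest.
type Signature struct {
	Signer string
	Sig    []byte
}

// SignedImage is what travels from the build cluster through distribution to customers.
type SignedImage struct {
	Image      []byte
	Manifest   Manifest
	Signatures []Signature
}

func NewSignedImage(image []byte, built time.Time) *SignedImage {
	return &SignedImage{Image: image, Manifest: Manifest{sha256.Sum256(image), built}}
}

// Sign appends name's signature over the manifest (not over the raw image).
func (img *SignedImage) Sign(name string, key ed25519.PrivateKey) {
	img.Signatures = append(img.Signatures, Signature{name, ed25519.Sign(key, img.Manifest.encode())})
}

// Verify is the check every stage runs before accepting an image: the bytes must
// match the signed digest and at least quorum distinct trusted signers must have
// signed the manifest (quorum = 2 is the two-person rule). Unknown signers and a
// second signature from the same person do not count.
func Verify(img *SignedImage, trusted map[string]ed25519.PublicKey, quorum int) error {
	if sha256.Sum256(img.Image) != img.Manifest.ImageSHA256 {
		return fmt.Errorf("image bytes do not match the signed manifest digest")
	}
	msg, seen := img.Manifest.encode(), map[string]bool{}
	for _, s := range img.Signatures {
		if pub, ok := trusted[s.Signer]; ok && !seen[s.Signer] && ed25519.Verify(pub, msg, s.Sig) {
			seen[s.Signer] = true
		}
	}
	if len(seen) < quorum {
		return fmt.Errorf("%d valid signature(s) from distinct trusted signers, need %d", len(seen), quorum)
	}
	return nil
}

// Scenario pushes one image through three cases and returns each verdict (nil = accepted).
func Scenario() (map[string]error, error) {
	keys, trusted := map[string]ed25519.PrivateKey{}, map[string]ed25519.PublicKey{}
	for _, name := range []string{"alice", "bob"} {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[name], trusted[name] = priv, pub
	}
	image := []byte("constructed placeholder for a firmware image")
	verdicts := map[string]error{}
	good := NewSignedImage(image, time.Now())
	good.Sign("alice", keys["alice"])
	good.Sign("bob", keys["bob"])
	verdicts["two signers"] = Verify(good, trusted, 2)
	solo := NewSignedImage(image, time.Now())
	solo.Sign("alice", keys["alice"])
	solo.Sign("alice", keys["alice"]) // one person signing twice is not two people
	verdicts["one signer twice"] = Verify(solo, trusted, 2)
	tampered := *good // valid signatures, but bytes altered after signing (e.g. on a distribution server)
	tampered.Image = append([]byte{}, image...)
	tampered.Image[0] ^= 0xff
	verdicts["tampered image"] = Verify(&tampered, trusted, 2)
	return verdicts, nil
}

func main() {
	verdicts, _ := Scenario() // key generation only fails if the CSPRNG does
	for name, v := range verdicts {
		fmt.Printf("%-18s -> %v\n", name, v)
	}
}
```

Only the manifest is signed, so the digest check is what ties a signature to the bytes actually delivered; skipping it on a distribution server is exactly the gap the LANDESK and Juniper incidents quoted earlier exploit.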
Controls
Secure Administration Controls (diagram): the Administration end point reaches Production Resources only through the SCP (Security Control Point)
Security Control Points (diagram): OTP, Windows SCP (RDP), Linux SCP, Perimeter Defense
Monitoring and Detection
• Sandbox Detonation
• pDNS
• NetFlow
• Host-based IPS/IDS on low value computers
• Windows Event Logs
• Log all of these to the same place so they can be correlated
Security Configuration Management: proactively maintain security controls
• Windows: GPOs/AppLocker
• Linux: Puppet/Perl
• Both:
  • Change the default passwords
  • Full reconciliation of configuration settings
  • Log of executables executed on critical systems; location of binary can be a giveaway
  • Verify binary signatures
  • Accounts trying to log into hosts that they are not authorized to log into
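The last two items, a binary running from a telling location on a critical system and an account logging into a host it is not scoped to, as an added detection example in Go (not code from the deck or from Cisco). The record format and the sample events are constructed for this example and only loosely modelled on the fields of Windows security events 4624 (logon) and 4688 (process creation); the account, host and path names in the policy are assumptions. It replays the lateral-movement scenario from the data center slides: the admin account is fine on its administration station, then turns up interactively on a user laptop.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Alert is one finding: the offending record and why it fired.
type Alert struct{ Line, Reason string }

// Policy is the scoped-access model from the remediation slides: every privileged
// account is confined to a short list of hosts, and on critical systems a binary
// launched from a user-writable location is treated as a giveaway.
type Policy struct {
	ScopedHosts   map[string][]string // lower-cased account -> hosts it may log on to
	CriticalHosts map[string]bool     // lower-cased hosts whose process starts are checked
	RiskyPrefixes []string            // image path prefixes that should never run there
}

// scopeViolation is true when account is scoped and host is not on its list;
// unscoped (ordinary) accounts are not this check's business.
func (p Policy) scopeViolation(account, host string) bool {
	hosts, scoped := p.ScopedHosts[strings.ToLower(account)]
	if !scoped {
		return false
	}
	for _, h := range hosts {
		if strings.EqualFold(h, host) {
			return false
		}
	}
	return true
}

// Scan reads records in a constructed, simplified format (loosely modelled on the
// fields of Windows security events 4624 logon and 4688 process creation):
//   LOGON <timestamp> <account> <host> <logon_type>
//   PROC  <timestamp> <host> <image_path>
// and returns an alert for every scope violation and risky binary location.
func Scan(p Policy, log string) []Alert {
	var alerts []Alert
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case f[0] == "LOGON" && len(f) == 5:
			account, host, ltype := f[2], f[3], f[4]
			if p.scopeViolation(account, host) {
				why := fmt.Sprintf("scoped account %s logged on to %s, outside its allowed hosts", account, host)
				// Logon types 2 (Interactive), 10 (RemoteInteractive) and 11 (CachedInteractive)
				// leave reusable credentials on the host, which is what WCE/Mimikatz harvest.
				if ltype == "2" || ltype == "10" || ltype == "11" {
					why += " (logon type " + ltype + ": its credentials are now cached on that host)"
				}
				alerts = append(alerts, Alert{line, why})
			}
		case f[0] == "PROC" && len(f) >= 4:
			host, image := f[2], strings.ToLower(strings.Join(f[3:], " "))
			if !p.CriticalHosts[strings.ToLower(host)] {
				continue
			}
			for _, prefix := range p.RiskyPrefixes {
				if strings.HasPrefix(image, strings.ToLower(prefix)) {
					alerts = append(alerts, Alert{line, fmt.Sprintf("binary on critical host %s launched from %s", host, prefix)})
					break
				}
			}
		default:
			alerts = append(alerts, Alert{line, "malformed record"})
		}
	}
	return alerts
}

// SampleAlerts runs Scan over a constructed log (not real telemetry): the admin account
// appears on a user laptop, a service account reaches a desktop, and a tool runs from a
// profile directory on a domain controller.
func SampleAlerts() []Alert {
	p := Policy{
		ScopedHosts:   map[string][]string{`corp\dave-adm`: {"adminstation01", "scp-win01"}, `corp\svc-backup`: {"dc01", "sql01"}},
		CriticalHosts: map[string]bool{"dc01": true, "sql01": true},
		RiskyPrefixes: []string{`C:\Users\`, `C:\Windows\Temp\`},
	}
	log := `
LOGON 2016-02-15T09:01:02 CORP\svc-backup dc01 3
LOGON 2016-02-15T09:05:10 CORP\dave-adm adminstation01 10
LOGON 2016-02-15T09:07:44 CORP\dave-adm ws-dave-laptop 2
LOGON 2016-02-15T09:09:12 CORP\svc-backup ws-jdoe 3
PROC  2016-02-15T09:09:30 dc01 C:\Windows\System32\svchost.exe
PROC  2016-02-15T09:10:12 dc01 C:\Users\dave-adm\AppData\Local\Temp\wce.exe
`
	return Scan(p, log)
}

func main() {
	for _, a := range SampleAlerts() {
		fmt.Printf("ALERT %s\n      %s\n", a.Reason, a.Line)
	}
}
```

The scope list is the same data the GPO-based scoped access on the next slides enforces; feeding it to the detector means a logon the GPO should have blocked but did not (a new host, a stale policy) still surfaces.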
Control Use Cases
Blocking Lateral Movement: Scoped Access with GPOs
Network device product management
• Only allow SSH from SCP
• Programmatic interface only from specific host servers
MDM product management suite: client and management traffic over HTTPS (diagram: Client App, Admin UI, App Replication)
Mail Server product management (diagram: BSDi Mail Appliance, Mail Server)
• Only allow SSH from SCP to the BSDi Mail Appliance
• Only allow PowerShell from the provisioning box to the Mail Server
Database
Virtual Machine hosting product(s) management (diagram)
• Platform: UCS running VMware or OpenStack/KVM, hosting Tenant1, Tenant2, Tenant3 … TenantX
• Authentication mechanisms: CSG Common Identity or DSX, commodity dual-factor, Internal Admin Token
• Controls: ACLs blocking admin ports, SCP, web server plugin
• Roles: Infra Admin, Internal Tenant, Partner
Secure Cloud Administration – 3rd Party (diagram): Cisco premise with CSIRT Monitoring and sso.yourcompany.com; Security Control Point aka Jump Box
Application to Application
Simple Application Credential Management (diagram): Application 1 talks to Application B; logged sudo access to the credential
Remove the Credential From the Application (diagram labels: Application 1, Get Creds, Application B)
App to App - Target: OAuth Token request flow (diagram)
• Application 1 and Application B each hold a Machine Certificate
• TLS Encrypted Tunnel between them
• User JanDoe; Delegated JanDoe
• Encrypted Storage
Certificate Storage
• ACT-2 Lite
• HSM
• TPM
• USB
• Files…
Application to Application Best Practice - pxGrid
Cisco Platform Exchange Grid – pxGrid: Network-Wide Context Sharing
That Didn’t Work So Well!
pxGrid Context Sharing: Single Framework, Direct, Secured Interfaces
Participants (including SIO) each hold one kind of context and need another:
• I have NBAR info! I need identity…
• I have firewall logs! I need identity…
• I have sec events! I need reputation…
• I have NetFlow! I need entitlement…
• I have reputation info! I need threat data…
• I have MDM info! I need location…
• I have app inventory info! I need posture…
• I have identity & device-type! I need app inventory & vulnerability…
• I have application info! I need location & auth-group…
• I have threat data! I need reputation…
• I have location! I need identity…
BENEFITS of pxGrid, it can…
• Establish that secure TLS tunnel for you
• Be leveraged as your communications bus with XMPP, including discovery of services available
• Verify integrity of each endpoint communicating in the Grid
• Be used without you writing *that* code
ISE Integration (diagram): 1. 802.1X authentication from the endpoint through the Switch to the ISE Server over RADIUS; ISE publishes the User Session (User, SGT, Device, Location), User Meta Data and User Group over pxGrid to the FireSIGHT Management Center and its Sensor (Internet-facing)
pxGrid Certificate Registration
pxGrid Certificate Security (3rd Party Applications)
• Bi-directional certificate authentication is better than one-way authentication with passwords
• The current pxGrid Java API stores certificates in files (JKS)
• If the certificates are not protected they become available to theft
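The bi-directional (mutual) certificate authentication called for here, and the TLS encrypted tunnel with a machine certificate on each side from the App to App - Target slide, as an added Go example. This is not the pxGrid Java SDK and not Cisco's code; both applications get their certificate from an in-memory machine CA built for the example, and the certificate names and loopback address are assumptions. The point it shows is that the server takes the peer's identity from a certificate it verified, so a client with no machine certificate (or one from the wrong CA) never gets a session, and no password exists to steal.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mustIssue returns a P-256 key plus an X.509 certificate for cn signed by parent
// (self-signed when parent is nil: the in-memory machine CA). Real deployments keep
// these keys in an HSM, TPM or ACT-2; generation only fails if the CSPRNG does.
func mustIssue(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)},
		IsCA:        isCA, BasicConstraintsValid: true,
	}
	signerCert, signerKey := tmpl, interface{}(key)
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signerCert, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Exchange runs Application B as a TLS server that requires a client certificate
// chained to ca, then connects Application 1 presenting clientCert (nil models a
// client without a machine certificate). The identity the server returns is read
// from the verified certificate; no username or password travels at all.
func Exchange(ca, serverCert tls.Certificate, clientCert *tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the bi-directional part
		ClientCAs:    pool,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		tc := c.(*tls.Conn)
		if tc.Handshake() != nil {
			return // unauthenticated peer: dropped, nothing served
		}
		fmt.Fprintf(tc, "hello %s", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
	}()
	cfg := &tls.Config{RootCAs: pool}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return "", err // TLS 1.2: a missing client certificate fails the handshake here
	}
	defer conn.Close()
	buf := make([]byte, 64)
	n, err := conn.Read(buf)
	if err != nil {
		return "", err // TLS 1.3: the server's alert (or close) surfaces on the first read instead
	}
	return string(buf[:n]), nil
}

func main() {
	ca := mustIssue("machine-ca", true, nil)
	appB := mustIssue("application-b", false, &ca)
	app1 := mustIssue("application-1", false, &ca)
	reply, err := Exchange(ca, appB, &app1)
	fmt.Println("with machine certificate:   ", reply, err)
	_, err = Exchange(ca, appB, nil)
	fmt.Println("without machine certificate:", err)
}
```

RequireAndVerifyClientCert is the setting that matters: with RequestClientCert or VerifyClientCertIfGiven a client that sends nothing still gets a connection, and the application is back to checking a password.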
pxGrid Certificate Security - Future (3rd Party Applications)
• Ability to use OpenSSL SSLContext directives to specify cert context
• This could be HSM, TPM, USB, other
pxGrid Certificate Security - Current (3rd Party Applications)
• Java API only supports JKS files
• JKS files and the passwords to open them must be protected
pxGrid Certificate Security - Linux (3rd Party Applications)
• Place certificate password in a file
• Run your application with a dedicated account with no password and no default shell – “AppUser”
• Protect the storage of the password and JKS file with file system permissions like: AppUser rw- --- ---
• Require logged sudo to access those files
Getting Started with pxGrid
Getting started with pxGrid
• Install Java
• Download the SDK
• Download the Configuration and testing guide; it will walk you through using certificates, external data sources and tests
• Bourne Shell scripts to test connectivity and basic functions
• Code you can mess with to do the same in Java and C
For Example – Query by IP
./session_query_by_ip.sh -a 10.0.0.37 -u dave -k myKeys.jks -p demoPas$ -t myKeys_root.jks -q demoPas$
------- properties -------
version=1.0.2-30-SNAPSHOT
hostnames=10.0.0.37
username=dave
group=Session
description=null
keystoreFilename=myKeys.jks
keystorePassword=demoPas$
truststoreFilename=myKeys_root.jks
truststorePassword=demoPas$
--------------------------
12:50:33.356 [Thread-1] INFO com.cisco.pxgrid.ReconnectionManager - Started
Connecting...
Connected
12:50:34.961 [Thread-1] INFO com.cisco.pxgrid.ReconnectionManager - Connected
IP address (or <enter> to disconnect): 10.0.0.15
Session=ip=[10.0.0.15], Audit Session Id=0A0000020000000F004BE344, User Name=jeppich, AD User DNS Domain=lab6.com, AD Host DNS Domain=null, AD User NetBIOS Name=LAB6, AD Host NETBIOS Name=null, Calling station id=00:0C:29:79:02:A8, Session state=AUTHENTICATED, ANCstatus=null, Security Group=null, Endpoint Profile=Add_Device, NAS IP=10.0.0.2, NAS Port=GigabitEthernet1/0/43, RADIUSAVPairs=[ Acct-Session-Id=00000009], Posture Status=null, Posture Timestamp=, Session Last Update Time=Thu Jul 23 13:42:25 EDT 2015
Note that the keystore and truststore passwords passed on the command line (-p, -q) are visible to every local user in the process list and end up in the shell history, and the script echoes them back in its properties dump; the Linux hardening slide earlier in this deck moves them into a protected file instead.
Called Source Code
import java.net.InetAddress;
// TLSConfiguration, GridConnection, Group, SessionDirectoryFactory, SessionDirectoryQuery and Session
// come from the pxGrid SDK jar; SampleConnectionListener and SampleUtilities from its sample code.

// set configuration
TLSConfiguration config = new TLSConfiguration();
config.setHosts(hostnames);
config.setUserName(username);
config.setGroup(Group.SESSION.value());
config.setKeystorePath(keystoreFilename);
config.setKeystorePassphrase(keystorePassword);
config.setTruststorePath(truststoreFilename);
config.setTruststorePassphrase(truststorePassword);

// initialize pxGrid connection
GridConnection con = new GridConnection(config);
con.addListener(new SampleConnectionListener());

// use reconnection manager to ensure connection gets re-established …

// create query we'll use to make call
SessionDirectoryQuery query = SessionDirectoryFactory.createSessionDirectoryQuery(con);

// look up the active session for one IP address and print it
Session session = query.getActiveSessionByIPAddress(InetAddress.getByName(ip));
if (session != null) {
    SampleUtilities.print(session);
    System.out.println("");
} else {
    System.out.println("session not found");
}
Example – Download Session Directory
./session_download.sh -a 10.0.0.37 -u dave -k myKeys.jks -p demoPas$ -t myKeys_root.jks -q demoPas$
…Session=ip=[10.0.0.15], Audit Session Id=0A0000020000000F004BE344, User Name=jeppich, AD User DNS Domain=lab6.com, AD Host DNS Domain=null, AD User NetBIOS Name=LAB6, AD Host NETBIOS Name=null, Calling station id=00:0C:29:79:02:A8, Session state=AUTHENTICATED, ANCstatus=null, Security Group=null, Endpoint Profile=Add_Device, NAS IP=10.0.0.2, NAS Port=GigabitEthernet1/0/43, RADIUSAVPairs=[ Acct-Session-Id=00000009], Posture Status=null, Posture Timestamp=, Session Last Update Time=Thu Jul 23 13:42:25 EDT 2015
Session=ip=[10.0.0.37], Audit Session Id=0A0000020000000E004156F4, User Name=00:0C:29:87:8D:1F, AD User DNS Domain=null, AD Host DNS Domain=null, AD User NetBIOS Name=null, AD Host NETBIOS Name=null, Calling station id=00:0C:29:87:8D:1F, Session state=STARTED, ANCstatus=null, Security Group=null, Endpoint Profile=VMWare-Device, NAS IP=10.0.0.2, NAS Port=GigabitEthernet1/0/37, RADIUSAVPairs=[ Acct-Session-Id=00000005], Posture Status=null, Posture Timestamp=, Session Last Update Time=Thu Jul 23 09:41:25 EDT 2015
Session=ip=[10.0.0.3], Audit Session Id=0A0000020000000D00036A42, User Name=18:E7:28:2E:29:CB, AD User DNS Domain=null, AD Host DNS Domain=null, AD User NetBIOS Name=null, AD Host NETBIOS Name=null, Calling station id=18:E7:28:2E:29:CB, Session state=STARTED, ANCstatus=null, Security Group=null, Endpoint Profile=Cisco-Device, NAS IP=10.0.0.2, NAS Port=GigabitEthernet1/0/37, RADIUSAVPairs=[ Acct-Session-Id=00000007], Posture Status=null, Posture Timestamp=,Session Last Update Time=Thu Jul 23 09:43:42 EDT 2015
Called Source Code
import java.util.Date;

// iterate over every session ISE recorded between start and end that matches filter
SessionDirectoryQuery sd = SessionDirectoryFactory.createSessionDirectoryQuery(con);
SessionIterator iterator = sd.getSessionsByTime(start, end, filter);
iterator.open();

Date startedAt = new Date();
System.out.println("starting at " + startedAt.toString() + "...");

int count = 0;
Session s = iterator.next();
while (s != null) {
    // when testing performance, comment out the following line. otherwise
    // excessive console IO will adversely affect results
    SampleUtilities.print(s);
    s = iterator.next();
    count++;
    if (count % 1000 == 0) System.out.println("count: " + count);
}
Quarantine That Machine by IP
// create query we'll use to make call
EPSClientStub stub = new EPSClientStub();
EPSQuery query = stub.createEPSQuery(con);

// quarantine the ip address given by the user
try {
    query.quarantineByIP(ip);
} catch (GCLException e) {
    System.out.println("GCLException msg=" + e.getMessage());
}
Un-Quarantine that Machine by MAC
import java.util.Scanner;

// un-quarantine endpoints by the mac addresses the user types in
Scanner scanner = new Scanner(System.in);
while (true) {
    System.out.print("mac address (or <enter> to disconnect): ");
    String mac = scanner.nextLine();
    if (mac == null || "".equals(mac)) break;
    try {
        query.unquarantineByMAC(mac);
    } catch (GCLException e) {
        System.out.println("GCLException msg=" + e.getMessage());
    }
}
scanner.close();
pxGrid – More Information
• Development SDK and client information: https://developer.cisco.com/site/pxgrid/
Image Verification: Secure Boot and ACT-2 Lite
Secure Boot
Secure Boot Options
• Cisco Secure Boot – FPGA as the hardware anchor
• CPU Based – with CPU as the hardware anchor
• Bootcode Hardening – hardware anchor in boot flash
Cisco Secure Boot Sequence
ACT-2 Lite Overview
"ACT-2 provides the mechanism for the highest possible assurance for identity for our products."
- Bob Bell
ACT-2 Lite Overview
Hardware Anchored Identity – Creating and installing an identity which is immutably and irrevocably linked to a specific hardware instance
What is an ACT-2 Lite Chip?
• ACT-2 Lite is an initial step to solving the Hardware Anchored Identity issue
• ACT-2 Lite is composed of
  • A hardware component – ACT-2 Lite Chip
  • A software component – ACT-2 Lite Support Library
  • A mechanism to link and control device identity – Identity Insertion Process
• Based on a commercially available smart chip and cryptographic library
• Protects the identity credentials with smart chip measures
What is an ACT-2 Lite Chip? (continued)
• Provides identity assurance that hardware and software on a device have not been tampered with or are in other ways counterfeit
• Has its own provisioned identity embedded in hardware (Hardware Anchored Identity)
• A device that can perform cryptographic functions
• Can provide secure storage for license keys and similar data
• Cannot be accessed by the end user
ACT-2 Lite Capabilities
• To provide hardware anchored identity
  • X.509v3 identity certificates
  • RSA asymmetric cryptography
  • ECC asymmetric cryptography
• To provide limited cryptographic operations
  • keys do not leave the chip
  • encrypted data normally stored on chip but may be stored in host FLASH
  • performs HASH, HMAC, symmetric key cryptography, and asymmetric key cryptography
• To provide secure on-chip storage of information
  • access control based on roles
  • data encrypted at rest
• Entropy source
  • Contains a non-deterministic random bit source
  • Contains a FIPS approvable deterministic random bit source
Things ACT-2 Can Do
• Manage its own users and objects stored in it
• Read information from and about the SUDI and the ACT-2 Chip
• Provide User Resource utilization – EEPROM and RAM
• Create deterministic random numbers
• HASH functions
• HMAC functions
• Symmetric Crypto functions
• RSA functions
• ECC functions
Host to ACT-2 Lite Chip relationship diagram: Application Specific Hardware (e.g. switch ports and console interfaces) → Application Specific Host Processor (e.g. Intel Xeon chipset with RAM and FLASH) → ACT-2 Lite Support Library → ACT-2 Lite Chip
ACT-2 Identity Insertion Process
ACT-2 Lite Identity Insertion Process
• Ensures that there is a one-to-one mapping between identities issued and physical hardware instances
• Protects critical credential information from loss of confidentiality
• Provides for a constant tracking of the location of both ACT-2Lite Chips and the associated Identities from the time the chip is manufactured until it is installed into a hardware instance of a product
ACT-2 Identity Insertion Process
Chip Manufacturer
• Generates unique chip serial number
• Delivers eCSKMP to backend
• Delivers chips to CM
Cisco Backend (CBE)
• Generates SUDI Certificate during IIP
• Generates CLIIP offline from eCSKMP
• Handles the reconciliation for issuing new real time CLIIP files or new SUDI certificates
Auto Test
• Authenticate Manufacturing User through token
• Interface with UUT and CBE; pass CLIIP to Diags
• Request SUDI cert from CBE and pass SUDI to Diags
BU
• Receive CLIIP from Autotest and install in ACT-2 chip
• Generate SUDI request and pass to Autotest
• Receive SUDI cert and install in ACT-2 chip
• Authenticate the ACT-2 chip by validating that the SUDI and CLIIP certificates are correctly installed
ACT-2 Lite Examples
ACT-2 Basics
• ACT-2 is accessed through the TAM Library API
• You must first open (connect) the ACT-2 device and authenticate to it to perform operations
• Authenticating to it involves validating the product ID from the SUDI and the SN to complete the anti-counterfeit verification
• ACT-2 has its own users, admin and restricted, which must authenticate to it with PINs in order to access the chip
RSA Key Generation and Private Key Encryption
#include <stdio.h>
/* plus the TAM library header shipped with the ACT-2 SDK */

/* Generate an RSA key pair inside the ACT-2; only an object id comes back, the private key never leaves the chip. */
status = tam_lib_rsa_keypair_gen(tam_handle, session_id, key_length, e_value,
                                 TAM_LIB_ZEROIZE, TAM_LIB_MEM_RAM, &key_object_id);
if (status != TAM_RC_OK) {
    printf("\n%s-%u ERROR sid=0x%x status=0x%0x-%s",
           __FUNCTION__, __LINE__, session_id, status, tam_lib_rc2string(status));
    return (status);
}
/* Private-key operation on orig_object_id (the raw RSA step underlying a signature). */
status = tam_lib_rsa_private_encr(tam_handle, session_id, key_object_id,
                                  orig_object_id, &encr_object_id);
if (status != TAM_RC_OK) {
    printf("\n%s-%u ERROR sid=0x%x status=0x%0x-%s",
           __FUNCTION__, __LINE__, session_id, status, tam_lib_rc2string(status));
    return (status);
}
RSA Public Key Encryption and Private Key Decryption
/* Encrypt orig_object_id with the public half of the key pair generated above... */
status = tam_lib_rsa_public_encr(tam_handle, session_id, key_object_id,
                                 orig_object_id, &encr_object_id);
if (status != TAM_RC_OK) {
    printf("\n%s-%u ERROR sid=0x%x status=0x%0x-%s",
           __FUNCTION__, __LINE__, session_id, status, tam_lib_rc2string(status));
    return (status);
}
/* ...and decrypt it again with the private key, which stays inside the chip. */
status = tam_lib_rsa_private_decr(tam_handle, session_id, key_object_id,
                                  encr_object_id, &decr_object_id);
if (status != TAM_RC_OK) {
    printf("\n%s-%u ERROR sid=0x%x status=0x%0x-%s",
           __FUNCTION__, __LINE__, session_id, status, tam_lib_rc2string(status));
    return (status);
}
ACT-2 Lite Reference
http://wwwin.cisco.com/security-trust/trust_eng/tsi/tat/tam/act2/getting_started.shtml
Code Samples: EDCS-1272160
Protecting JKS file with ACT-2
Assuming that they run on a platform with ACT-2, you could set up one of the restricted users (an ACT-2 user role) as the keeper of the keys for the JKS file. The app would first submit the JKS file to the ACT-2 under that restricted user role to be encrypted with a key maintained within the scope of the role. Later, when the file is to be used, the encrypted file is sent to the chip again under the scope of the restricted user role and the decrypted form of the file is retrieved and kept in memory. It is then submitted through the Java system for use. When it is done, the memory copy is either discarded (if clean) or re-encrypted (if dirty).
If they have a TPM, there are similar operations that can be performed, but they are not as exclusive as the ACT-2 restricted user scenario presented above.
If they have no hardware crypto module, there is a software TAm which is implemented as part of the TAM library which, while not as secure as ACT-2, could be used to provide software protections above the basic OS protections.
Cisco Common Security Modules
Common Security Modules
• CiscoSSL – SSL and TLS support functions based on OpenSSL, enhanced with functions to reach FIPS compliance
• CiscoSafeC and CiscoJ – Provide secure development libraries to reach FIPS compliance
• Cisco RA – Cisco Registration Authority (CiscoRA) is a common security module that provides registration authority services in a public key infrastructure (PKI). CiscoRA has several possible use cases
• Cisco EST – Implementation of Enrollment over Secure Transport (EST), a newly defined certificate enrollment protocol (IETF RFC 7030)
• Cisco TAM – Trust Anchor module (TAm) for accessing ACT-2 Lite chips
• Cisco SSM – The Cisco Secure Storage Module (CiscoSSM) is a lightweight alternative to the Trust Anchor module (TAm) services
CSM Reference Architecture
Cisco RA Reference Architecture
Cisco EST Reference Architecture
Common Security Modules Reference
https://cisco.jiveon.com/groups/common-security-modules/pages/software-documentation-release-info
Thank you