1.How To Build And OperateA Certificate AuthorityCenter of Mediocrity (CACOM)T.Rob WyattManaging Partner, IoPT Consulting704-443-TROB (8762)t.rob@ioptconsulting.comhttps://ioptconsulting.comCapitalware's MQ Technical Conference v2.0.1.4

2. This presentation reflectsMy current opinions regarding WMQ securityThe product itself continues to evolve (even in PTFs)Attacks only get better with timeThis version of the presentation is based onWebSphere MQ v7.1 & v7.5This content will be revised over time so please be sureto check for the latest version at https://t-rob.net/linksYour thoughts and ideas are welcome 3. What is a Certificate Authority?The role of a CA in the security modelWhy run your own CA?Some example CA Best PracticesCA Second-Best (and lesser) PracticesThe CA Maturity ModelWrapping up 4. A disinterested 3rd partyA stable, long-lived entityA pool of specialized and deep security skillsAn implementation of strict physical controlsAn implementation of strict human processesAn investigatory serviceA revocation servicePart of a consortium that provides a consistentset of well-defined services 5. Oh yeahThey sign certificates once in a while. 6. What is a Certificate Authority?The role of a CA in the security modelWhy run your own CA?Some example CA Best PracticesCA Second-Best (and lesser) PracticesThe CA Maturity ModelWrapping up 7. First need to understand the certificate.BoundtoAn identity A key Pair =A certificate 8. First need to understand the certificate.The identity andkey are boundusing acryptographicIdentity Bound to Key Pair = Certificatesignature. 9. First need to understand the certificate.Self-signed meansthat the key inthe certificate isthe same oneused to sign theIdentity Bound to Key Pair = Certificatecertificate. 10. First need to understand the certificate.Special Note: Self-signed does NOTmean signed with our internal CA.Self-signed has a specific technicalmeaning describing the relationshipbetween the identity and the key usedto bind it.Identity Bound to Key Pair = Certificate 11. First need to understand the certificate.When thecertificate issigned by anexternal key, it isIdentity Bound to Key Pair = Certificatesaid to beCA-signed. 12. Signs the certificate.Validates the claimed identity.Enforce policy on the Distinguished Name fields.Ensures unique names within its namespace.Provides revocation services.Maintains key lifecycle for root, intermediateand signed certificates.Disinterested 3rd party provides bilateral trust. 13. Relying parties typically need much less securitythan the CA.Generate the cert signing requests securely.Review and approve requests at the CA.Keep the keystore files private.Most of the heavy lifting is offloaded to the CA. 14. What is a Certificate Authority?The role of a CA in the security modelWhy run your own CA?Some example CA Best PracticesCA Second-Best (and lesser) PracticesThe CA Maturity ModelWrapping up 15. Cost savings.Convenience.The trick is to fully account for all of the serviceand security provided by the CA.Replacing those services internally is expensive.Omitting them is dangerous.How do you find the balance? 16. What is a Certificate Authority?The role of a CA in the security modelWhy run your own CA?Some example CA Best PracticesCA Second-Best (and lesser) PracticesThe CA Maturity ModelWrapping up 17. SAS70 key ceremony used to generate roots.Root certs stored in an offline HSM.Dual-knowledge access controls for roots.Multiple intermediate signers.Secure, robust provisioning process for certsand revocation entries.Highly available and separate provisioning andrevocation infrastructure. 18. ISO 21188:2006 Public key infrastructure forfinancial services Practices and policy frameworkETSI TS 101 456 v1.2.1ETSI TS 102 042 V1.1.1Webtrust Program For Certification Authorities 19. What is a Certificate Authority?The role of a CA in the security modelWhy run your own CA?Some example CA Best PracticesCA Second-Best (and lesser) PracticesThe CA Maturity ModelWrapping up 20. To run a true Center of Mediocrity, one mustfirst determine which CA Best Practices to omit.The quickest way to begin is to omit all of themright off the bat.Then add back in those that give theappearance of security at little or no cost.The CACOM is your BFF. Once you have it, youllnever get the money to build a CACOE. Why?Because what we have seems to work just fine. 21. The stories you are about to hear are true.Only the names have been changedto protect the (not so) innocent.My name is T.Rob. I carry a laptop. 22. All of the items in the following pages wereobserved in Production somewhere.Banking, finance, insurance, healthcare, govt.These are your vendors! 23. Hundreds of thousands of entries explain whichcommands to issue in order to set up a CertificateAuthority.Try to find even one that tells you the commandsand describes some of the physical and proceduralcontrols commercial CAs use and why running aninternal CA without these controls is a bad idea. 24. Hardware Security Modules are so expensive!And vaults? Dont even go there!Most CACOMs today store the root cert on anadministrators workstation or laptop. If you startout this way, eventually moving it to a server in alocked datacenter will appear very secure bycomparison and nobody will ask about an HSM, avault or a key signing ceremony. Booyah! 25. Certificate provisioning and revocation must behighly available to support critical business apps.So if the CA is run off of administratorsworkstations, it stands to reason that eachadministrator must be able to manage certsindependently. Give each admin their own copyof the root cert. Or if a central server is used, givea copy of the root to each admin for emergencies. 26. Intermediate signers provide classes of service,isolation, higher security for the root cert, etc.But someone has to manage those things, and wedo that with Notepad. We plan to evaluate severalPKI products someday and we will start usingintermediate certs then. 27. Certificate extensions can specify policies thatcontrol the ways that a certificate can be used.Understanding and checking certificate policiesrequires deep skill. Certs with no policies set canbe used for many purposes, such as encryption,code signing or signing other certificates. Theseare very versatile. What could go wrong? 28. Security certified administrators who understandX.509 certificates, TLS/SSL and all of the PKCSstandards are expensive! Formally building skillsin house is less expensive, but takes time.Fortunately, your average administrator can pickup all they need to know with a few Googlesearches! Certifications and formal training are SOoverrated, right? 29. A certificate represents an identity.Because the Center of Mediocrity is concernedmainly with cost, it is common to re-use the samepersonal certificate across multiple, evenunrelated, systems. A QMgr is a QMgr is a QMgr,right? Generate a single cert called QMgr and bedone with it. 30. Anyone who can read the configuration files andkeystores can use your personal cert.Fortunately, only authorized admins ever haveaccess to the filesystem in a CACOM so filesystemcontrols are redundant.Whats that you say? Layered defense is good?Not when aspiring to mediocrity! 31. Credentials need to be both provisioned andrevoked. Sometimes they need to be revoked priorto their natural expiry.A primary characteristic of a mediocre CA is that arevocation responder service is planned for later.A revocation service that is not highly available isjust as bad, possibly worse. 32. Ideally, personal certs are generated where theywill be used and not moved. Central managementand key backup is possible but difficult to dosecurely.In a CACOM, centrally generated certs aredistributed over FTP, email, shared drives, etc. 33. Sometimes it isnt your CA that places you at risk,but rather your business partners CA.A CACOM will assume the partners certificatesare trustworthy without question. The next slidesare examples of this. 34. The root cert is the thing that controls who canbind an identity to a key pair. Any trusted root cangenerate a cert claiming any identity.Now that the internal CE Center of Mediocrity hasbecome so popular, you will have occasion to trustthe internal root CA certificates of your businesspartners. Go ahead and drop these right into thetrust store. What could go wrong? 35. If you are using AMS with Privacy (encryption)then you will need to trust the personal cert of theapp, user or business partner. A commercial CAwill have set the IsCA=No and PathLength=0 flagsto ensure that personal certificates cannot alsosign other certificates.The typical CACOM does not know or care aboutsuch things and will place any certificate from anysource into the trust store. What could go wrong? 36. What is a Certificate Authority?The role of a CA in the security modelWhy run your own CA?Some example CA Best PracticesCA Second-Best (and lesser) PracticesThe CA Maturity ModelWrapping up 37. BaselineSecurityLevelSkill LevelBest! 38. BaselineSecurityLevelSkill LevelBest!Worse thandoing nothing 39. Possibly, yes! Because People take more risks when theybelieve it is safe to do so. Poor implementation can make it easierBaselineSecurityLevel You rarely get a second chance toimplement security.Skill LevelBest!to break in.Wore thandoing nothing 40. What is a Certificate Authority?The role of a CA in the security modelWhy run your own CA?Some example CA Best PracticesCA Second-Best (and lesser) PracticesThe CA Maturity ModelWrapping up 41. Running a robust internal CA is expensive.Can be cost justified, given enough certs.Cost savings almost always correspond to someloss of effective security. Know what you areomitting and the offsetting risk.Deep skill is essential! Formal training is highlyrecommended.Beware of other peoples CACOM! 42. Capitalware's MQ Technical Conference v2.0.1.4Questions & Answers 43. Thank you!T.Rob WyattManaging Partner, IoPT Consulting704-443-TROB (8762)t.rob@ioptconsulting.comhttps://ioptconsulting.com