27 September 2023
Transport Layer Security (TLS) and Public Key Infrastructure (PKI) provide the foundational technologies for securing communications and authenticating identities. While many organizations have implemented basic TLS and PKI to protect websites and enable VPNs, fully realizing the potential of these technologies requires more advanced deployments.
This article explores some of the more sophisticated capabilities unlocked through further TLS and PKI training, including private certification authorities, certificate pinning, securing internal systems, monitoring encrypted traffic, and preparing for emerging threats like quantum computing. Expanding skills empowers security teams to build comprehensive, resilient cryptographic architectures.
If you are considering training you should look no further than our TLS & PKI "in Practice" training course the perfect option should you be looking to train your team or as an individual.
Before diving into advanced topics, let's briefly recap core TLS and PKI concepts covered in Securing Business - How Companies Are Leveraging TLS and PKI:
These basics enable security measures like encrypted web applications and remote access. Now let's level up our TLS and PKI expertise.
Public key pinning (or certificate pinning) is an advanced technique that associates a host with their specific TLS certificate or public key. This prevents impersonation even if an attacker obtains a valid certificate for that host from another CA.
For example, a bank could configure their mobile app to only trust their specific bank-issued certificate. Even if an attacker got a valid certificate for
bank.com from another CA, the app would reject it since it's not pinned to the expected certificate.
Browsers support various forms of pinning including HTTP Public Key Pinning (HPKP) and Certificate Transparency. For maximum control, apps can implement pinning at the application layer by comparing the certificate or public key of any server they connect to against an expected value.
Pinning increases security, but requires diligent certificate renewal and key rotation procedures to avoid availability issues. Overall, pinning provides another layer of protection for critical connections.
While public CAs like Let’s Encrypt facilitate simple TLS deployment, private CAs are necessary for full control, customization, and scalability of PKI:Benefits of private CAs include:
Major platforms like Windows Server, OpenSSL, and CloudFlare make deploying your own root and intermediate CAs straightforward:
You can then integrate your private CA with certificate management systems like EJBCA or Dogtag to issue TLS server and client certificates across your organization in a controlled fashion.
TLS is commonly used to secure external connections from clients to servers. However, encryption between internal systems is also critical to reduce lateral attacker movement and contain breaches.
Companies should require mutual TLS for server-to-server connections including application APIs, databases, load balancers, message queues, configuration management servers, and more. Self-signed certificates or a private PKI can authenticate internal services.
For containers and microservices, Kubernetes and service meshes like Istio provide automatic mutual TLS authentication between pods and namespaces while keeping encryption off the host network.
Segmenting internal networks with zero trust principles and requiring TLS everywhere significantly reduces risks and blast radii.
One objection some organizations raise against ubiquitous TLS is the inability to inspect encrypted traffic for threats and policy violations. TLS inspection capabilities address this through selectively decrypting traffic so security devices like firewalls can scan it:
There are two common approaches to TLS inspection:Forward Proxy:
Challenges include handling newer TLS 1.3 encryption and keeping trust stores current as services rotate certificates. Overall, balanced inspection maintains security without ceding visibility.
As complexity increases, occasional TLS issues can arise from misconfigurations, version incompatibilities, expired certificates, and more. Understanding how to debug TLS helps quickly identify and resolve problems:Useful TLS troubleshooting tools include:
openssl- Test connections, analyze certificates, debug handshakes.
Wireshark- Inspect network packet captures containing TLS traffic.
nmap- Probe for supported TLS protocols and ciphers.
keytool- Inspect Java/OpenSSL keystores and certificates.
gnutls-cli- Alternative to openssl for testing TLS issues.
Methodically validating required certificates are in trust stores, handshakes complete each step, and compatible parameters are negotiated between parties aids rapid issue isolation.
Emerging quantum computing threatens current public key cryptography due to its potential to quickly factor large numbers and break encryption schemes like RSA.
Post-quantum (PQ) cryptography is the transition to quantum-resistant algorithms like:
Hybrid certificates with both traditional and PQ keys enable a gradual shift. Prioritizing PQ-ready platforms and crypto agility prepares your organization for the quantum leap.
Manually tracking TLS certificate expirations and renewals does not scale for large environments. Automating certificate lifecycles improves reliability and efficiency.
The ACME protocol allows automatic deployment of free certificates from Let's Encrypt. Many CAs now support generating certificates via API calls.
Configuration management tools like Ansible, Puppet, and Chef can integrate with CAs to automatically orchestrate deployment of certificates across servers and devices.
Monitoring systems can also trigger renewals when a threshold lifetime is reached. This reduces outages from expired certificates.
This overview highlights some of the advanced capabilities unlocked by comprehensive TLS and PKI training tailored to cybersecurity professionals.
Beyond technical skills, training also provides:
Investing in expertise allows your organization to maximize the value of TLS and PKI for defense-in-depth.
Basic TLS and PKI deployments provide a starting point for encryption and authentication. Additional training unlocks more sophisticated capabilities to enhance defenses and address emerging threats.
Private certification authorities, certificate pinning, securing internal systems, decrypting traffic for inspection, troubleshooting issues, and planning for the quantum leap require dedicated expertise development.
Upleveling skills and architectures ensures your organization fully leverages TLS and PKI as foundational cybersecurity technologies now and in the future. There are always new possibilities to explore.
Pinning protects against certificate impersonation and man-in-the-middle attacks by verifying hosts only use expected certificates. This prevents forged certificates from being trusted.What expertise is needed to deploy private CAs?
Successfully deploying private CAs requires knowledge of PKI, cryptography, certificate profiles, revocations, integrations with other systems, and automation through training.Should all internal traffic be encrypted?
Encrypting intra-system communications makes lateral movement much harder for attackers who gain internal access. Require TLS between services.
Go beyond basic TLS and PKI and master advanced capabilities like certificate pinning, deploying private CAs, securing internal systems, decrypting traffic for inspection, and cryptographic agility.
To learn how this is being used please feel free to read Securing Business - How Companies are Leveraging TLS and PKI
And start to train with our TLS & PKI "in Practice" training course