
What's mtLS? @ Docker London


Mutual TLS, or mTLS, is a widely used standard for strengthening authentication. It's an extension of TLS, the protocol behind HTTPS: in addition to the client verifying the server's identity, the server also verifies the client's, by requiring it to present a certificate during the handshake.

mTLS is already widely used and is the cornerstone of the Zero Trust Networking movement, but how does it work? In this talk, we will go over the fundamentals of mTLS and build a simple web app that uses mTLS as its authentication method. We will use technologies like Docker and Nginx to accomplish this, and show the benefits over traditional authentication methods (such as API keys and passwords).

Viktor Petersson

November 27, 2019



1. OUTLINE
    - What's mTLS?
    - Our use case/scenario
    - Demo (all praise thy mighty demo gods)
    - Recap
    @vpetersson wott.io

2. WHAT'S WOTT?
    - Security tool for developers
    - Provides cryptographic identity (x509)
    - Ongoing security audit of fleet
    - A security dashboard
    - Workflow integrations (GitHub, Slack etc.) (DevSecOps)

3. THE SCENARIO
    - We have clients (workstation/server/container) that need to talk to our API securely
    - We don't want to use regular credentials

4. CONCEPTS OVERVIEW
    - TLS vs Mutual TLS
    - Zero Trust Networking vs perimeter-based security
    - Public Key Infrastructure (PKI) and root of trust

5. PERIMETER SECURITY VS ZERO TRUST
    Perimeter-based security
    - Defend the moat with firewall(s)
    - Example: infra from the 90s
    Zero Trust Networking
    - Assume everything is hostile (even internal traffic)
    - Encrypt and verify everything
    - Example: Istio and BeyondCorp
    - Read "Zero Trust Networks" by Doug Barth and Evan Gilman for more details

6. PUBLIC KEY INFRASTRUCTURE (PKI)
    - Where you get your SSL certificates: Let's Encrypt, Comodo, Verisign
    - Browsers trust "public CAs"*
    - The CA is your "root of trust"
    - Roll your own or use an existing CA (like WoTT)
    * This is a bit complicated and out of scope

7. TODAY'S GOAL
    - Use Mutual TLS (mTLS) for the transport layer
    - Rotate the keys periodically in an automated fashion*
    - Access control using cryptographic identity
    - No use of API keys or username+password
    * Performed automatically by the WoTT Agent

8. INFRA SETUP
    Preparation before the talk:
    - Spun up a small VM on GCE
    - Docker Compose for setting up containers
    - Nginx
    - App server (Django app)
    - SSL cert from Let's Encrypt
    - We will use WoTT's PKI, but you can also roll your own
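The Nginx side of this setup, as an added example that is not the talk's own configuration: a server block that serves the Let's Encrypt certificate, requires every client to present a certificate issued by the chosen CA (WoTT's PKI or your own), and forwards the verified identity to the Django container as plain HTTP headers. The file paths, the upstream name `app:8000` and the header names are assumptions; the directives and the `$ssl_client_*` variables are Nginx's own.

```nginx
server {
    listen 443 ssl;
    server_name dockerlon.vpetersson.com;

    # Server identity: the Let's Encrypt certificate from slide 8 (paths assumed).
    ssl_certificate     /etc/letsencrypt/live/dockerlon.vpetersson.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dockerlon.vpetersson.com/privkey.pem;

    # Client identity: the CA that issued the client certificates (path assumed).
    # With ssl_verify_client on, the handshake is rejected unless the client
    # presents a certificate that chains to this CA, so unauthenticated
    # requests never reach the app at all.
    ssl_client_certificate /etc/nginx/certs/client-ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;   # raise if the client CA signs through an intermediate

    location / {
        # Django container on the Compose network (service name assumed).
        proxy_pass http://app:8000;

        # Hand the verified identity to the app. Header names are assumed;
        # $ssl_client_verify is "SUCCESS", "FAILED:<reason>" or "NONE", and
        # $ssl_client_s_dn is the subject DN in RFC 2253 form ("CN=...,O=...").
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
    }
}
```

Two practical points. First, because the identity travels to the app as ordinary headers, the app container must only be reachable through this proxy: do not publish its port on the host, or anyone who can reach port 8000 directly can forge `X-SSL-Client-S-DN`. Second, `ssl_verify_client on` already turns away clients without a valid certificate at the TLS layer; forwarding `$ssl_client_verify` anyway lets the app double-check, which matters if the directive is later relaxed to `optional`.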
9. APP OVERVIEW
    - Python/Django app
    - Uses HTTP headers from Nginx for access control
    - This is a PoC with known attack vectors, so don't blindly use this in production as-is

10. CURL ALL DA THINGZ

    $ sudo curl -s \
        --key /opt/wott/certs/client.key \
        --cert /opt/wott/certs/client.crt \
        https://dockerlon.vpetersson.com/api/ | jq
    {
      "msg": "You shall not pass!"
    }

11. CURL ALL DA THINGZ

    $ sudo curl \
        --key /opt/wott/certs/client.key \
        --cert /opt/wott/certs/client.crt \
        https://dockerlon.vpetersson.com/api/ | jq
    {
      "msg": "Welcome x.d.wott.local. We've been expecting you."
    }
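The access check that the two curl runs above exercise, written out as an added example rather than the talk's Django code: the app reads the identity headers Nginx forwards, parses the subject DN, and answers with the denied or welcome message depending on whether the certificate's CN is on an allow-list. It also closes the most obvious of the "known attack vectors" from the app overview slide: the headers are plain text, so they are trusted only when the request arrives from the TLS-terminating proxy. The header names, HTTP status codes, proxy address and allow-list are assumptions; Nginx's `$ssl_client_verify` and `$ssl_client_s_dn` variables, and the RFC 2253 DN format the latter produces, are real.

```python
"""Added example: app-side access control on the mTLS identity Nginx forwards.

Not the talk's Django app. Header names, status codes and addresses are
assumptions; the Nginx variables the headers carry are real.
"""
from typing import Collection, Dict, Mapping, Optional, Tuple

# Constructed allow-list: certificate CNs permitted to call /api/.
ALLOWED_CNS = {"x.d.wott.local"}
# Constructed: address of the Nginx container that terminates TLS. Only a
# request whose TCP peer is this proxy may be trusted to carry real identity headers.
TRUSTED_PROXIES = {"172.18.0.2"}


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse an RFC 2253 style DN ("CN=x,O=y") as Nginx emits in $ssl_client_s_dn.

    Backslash escapes are honoured, so a CN that itself contains a comma
    (which Nginx escapes as "\\,") cannot smuggle in a second "CN=" component
    the way a naive split(",") would allow.
    """
    attrs: Dict[str, str] = {}
    buf = []
    key: Optional[str] = None
    escaped = False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and key is None:
            key = "".join(buf).strip()
            buf = []
        elif ch == ",":             # end of this RDN
            if key is not None:
                attrs[key] = "".join(buf)
            buf, key = [], None
        else:
            buf.append(ch)
    if key is not None:
        attrs[key] = "".join(buf)
    return attrs


def client_identity(headers: Mapping[str, str]) -> Optional[str]:
    """CN of the client certificate Nginx verified, or None if there was none."""
    if headers.get("X-SSL-Client-Verify") != "SUCCESS":
        return None
    return parse_dn(headers.get("X-SSL-Client-S-DN", "")).get("CN") or None


def authorize(headers: Mapping[str, str], remote_addr: str,
              allowed: Collection[str] = ALLOWED_CNS,
              trusted_proxies: Collection[str] = TRUSTED_PROXIES) -> Tuple[int, dict]:
    """Decide the /api/ response. Returns (HTTP status, JSON body)."""
    # The headers are forgeable by anyone who can reach the app port without
    # passing through Nginx, so refuse to read them from any other peer.
    if remote_addr not in trusted_proxies:
        return 401, {"msg": "Identity headers are only accepted from the TLS proxy."}
    cn = client_identity(headers)
    if cn is None:
        return 401, {"msg": "No verified client certificate."}
    if cn not in allowed:
        return 403, {"msg": "You shall not pass!"}
    return 200, {"msg": f"Welcome {cn}. We've been expecting you."}


# Constructed sample requests: (headers as set by Nginx, TCP peer address).
VIA_NGINX_ALLOWED = ({"X-SSL-Client-Verify": "SUCCESS",
                      "X-SSL-Client-S-DN": "CN=x.d.wott.local,O=WoTT"}, "172.18.0.2")
VIA_NGINX_UNKNOWN = ({"X-SSL-Client-Verify": "SUCCESS",
                      "X-SSL-Client-S-DN": "CN=y.d.wott.local,O=WoTT"}, "172.18.0.2")
# The same headers, forged and sent straight to the app container, bypassing Nginx.
FORGED_DIRECT = (VIA_NGINX_ALLOWED[0], "10.0.0.99")

if __name__ == "__main__":
    for hdrs, addr in (VIA_NGINX_ALLOWED, VIA_NGINX_UNKNOWN, FORGED_DIRECT):
        print(addr, authorize(hdrs, addr))
```

In a Django view the inputs come from `request.META["HTTP_X_SSL_CLIENT_VERIFY"]`, `request.META["HTTP_X_SSL_CLIENT_S_DN"]` and `request.META["REMOTE_ADDR"]`; the first curl run above corresponds to a CN that is not yet on the allow-list, the second to one that is.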
12. CONCLUSION
    - mTLS doesn't have to be scary
    - Easier and more secure than passwords
    - Credential rotation built in
    - The foundation of Zero Trust Networking

13. GET IN TOUCH
    - Check out our agent: mTLS and CVE audit of your nodes
    - Ping us at [email protected] or visit wott.io