Upgrade to Pro — share decks privately, control downloads, hide ads and more …

What's mtLS? @ Docker London

Viktor Petersson
November 27, 2019
Technology
0
480

What's mtLS? @ Docker London

Mutual TLS, or mTLS, is a widely used standard for improving the security for authentication. It's an extension of TLS, which is used for HTTPS, but in addition to the client verifying that the server, the server also verifies that the client.

mTLS is already widely used and is the cornerstone of the Zero Trust Networking movement, but how does it work? In this talk, we will go over the fundamentals of mTLS and create a simple web app that users mTLS as the authentication method. We will use technologies like Docker and Nginx to accomplish this, show the benefits over traditional authentication methods (such as API keys and passwords)

Viktor Petersson

November 27, 2019
Tweet

More Decks by Viktor Petersson

See All by Viktor Petersson
Navigating the SBOM landscape: Formats, relevance, and tooling in 2024 @ BSides Bristol '24
vpetersson
0
27
State of Open Con '24
vpetersson
0
52
From Pets to Cattle
vpetersson
0
120
Beyond Just a Menu Display
vpetersson
0
65
The history of how Screenly OSE became the most popular digital signage project on GitHub
vpetersson
0
140
The DevSecOps Iceberg @ Cloud Native London
vpetersson
0
360
The "S" in "IoT" stands for "Security"
vpetersson
0
210
Living on the Edge @ Kubernetes London
vpetersson
0
110
The 'S' in IoT Stands for Security (a.k.a. Internet of Shit)
vpetersson
0
310

Other Decks in Technology

See All in Technology
開発生産性を上げながらビジネスも30倍成長させてきたチームの姿
kamina_zzz
2
1.7k
AWS Media Services 最新サービスアップデート 2024
eijikominami
0
190
EventHub Startup CTO of the year 2024 ピッチ資料
eventhub
0
110
SREによる隣接領域への越境とその先の信頼性
shonansurvivors
2
510
安心してください、日本語使えますよ―Ubuntu日本語Remix提供休止に寄せて― 2024-11-17
nobutomurata
0
980
OCI Vault 概要
oracle4engineer
PRO
0
9.7k
地理情報データをデータベースに格納しよう~ GPUを活用した爆速データベース PG-Stromの紹介 ~
sakaik
1
150
【令和最新版】AWS Direct Connectと愉快なGWたちのおさらい
minorun365
PRO
5
750
これまでの計測・開発・デプロイ方法全部見せます! / Findy ISUCON 2024-11-14
tohutohu
3
360
個人でもIAM Identity Centerを使おう!(アクセス管理編)
ryder472
3
180
[FOSS4G 2024 Japan LT] LLMを使ってGISデータ解析を自動化したい!
nssv
1
210
社内で最大の技術的負債のリファクタリングに取り組んだお話し
kidooonn
1
550

Featured

See All Featured
Faster Mobile Websites
deanohume
305
30k
The Art of Programming - Codeland 2020
erikaheidi
52
13k
Into the Great Unknown - MozCon
thekraken
32
1.5k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
Docker and Python
trallard
40
3.1k
Documentation Writing (for coders)
carmenintech
65
4.4k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
Building Adaptive Systems
keathley
38
2.3k
Intergalactic Javascript Robots from Outer Space
tanoku
269
27k
Why Our Code Smells
bkeepers
PRO
334
57k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
506
140k

Transcript

  1. WHAT'S MTLS? Oh and wait, how does that relate to

    Docker? wott.io @vpetersson

  2. OUTLINE What's mTLS? Our use case/scenario Demo (all praise thy

    mighty demo gods) Recap @vpetersson wott.io

  3. @vpetersson wott.io

  4. WHAT'S WOTT? @vpetersson wott.io Security tool for developers Provides cryptographic

    identity (x509) Ongoing security audit of fleet A security dashboard Workflow integrations (Github, Slack etc) (DevSecOps)

  5. THE SCENARIO We got clients (workstation/server/container) That needs to talk

    to our API securely We don't want to use regular credentials @vpetersson wott.io

  6. THE SCENARIO Nginx App App Client Client @vpetersson wott.io

  7. CONCEPTS OVERVIEW TLS vs Mutual TLS Zero Trust Networking vs

    Perimeter based security Public Key Infrastructure (PKI) and root of trust @vpetersson wott.io

  8. HOW TLS WORKS @vpetersson wott.io

  9. HOW MUTUAL TLS WORKS @vpetersson wott.io

  10. PERIMETER SECURITY VS ZERO TRUST Perimeter based security Defend the

    moat with firewall(s) Example: Infra from the 90s Zero Trust Networking Assume everything is hostile (even internal traffic) Encrypt and verify everything Example: Istio and BeyondCorp Read "Zero Trust Networks" by Doug Barth and Evan Gilman for more details @vpetersson wott.io

  11. PUBLIC KEY INFRASTRUCTURE (PKI) Where you get your SSL certificates

    Let's Encrypt, Commodo, Verisign Browsers trust "public CAs"* The CA is your "root of trust" Roll your own or use an existing CA (like WoTT) @vpetersson wott.io * This is a bit complicated and out of scope

  12. @vpetersson wott.io

  13. TODAY'S GOAL Use Mutual TLS (mTLS) for transport layer Rotate

    the keys periodically in an automated fashion* Access control using cryptographic identity No use of API keys or username+password @vpetersson wott.io * Performed automatically by the WoTT Agent

  14. INFRA SETUP Preparation before the talk Spun up a small

    VM on GCE Docker Compose for setting up containers Nginx App server (Django App) SSL cert from Let's Encrypt We will use WoTT's PKI, but you can also roll your own @vpetersson wott.io

  15. APP OVERVIEW Python/Django app Uses HTTP headers from Nginx for

    access control This is a PoC with known attack vectors, so don't blindly use this in production as-is @vpetersson wott.io

  16. ACCESS CONTROL OVERVIEW @vpetersson wott.io

  17. DEPLOYING OUR APP @vpetersson wott.io

  18. DEPLOYING OUR APP $ docker-compose up [...] @vpetersson wott.io We're

    going to use dockerlon.vpetersson.com

  19. CURL ALL DA THINGZ $ curl -I https://dockerlon.vpetersson.com/api/ HTTP/2 403

    [...] @vpetersson wott.io

  20. @vpetersson wott.io

  21. ACCESS CONTROL OVERVIEW @vpetersson wott.io

  22. NGINX MAGIC @vpetersson wott.io

  23. ONTO THE CLIENT (DEMO) @vpetersson wott.io

  24. @vpetersson wott.io DEMO GOD

  25. @vpetersson wott.io

  26. CURL ALL DA THINGZ $ sudo curl -s \ --key

    /opt/wott/certs/client.key \ --cert /opt/wott/certs/client.crt \ https://dockerlon.vpetersson.com/api/ | jq { "msg": "You shall not pass!" } @vpetersson wott.io

  27. @vpetersson wott.io

  28. ACCESS CONTROL OVERVIEW @vpetersson wott.io

  29. APP MAGIC @vpetersson wott.io THIS IS A PROOF OF CONCEPT.

    DON'T USE IN PRODUCTION.

  30. WHITELIST THE DEVICE @vpetersson wott.io

  31. WHO AM I? $ sudo wott-agent whoami x.d.wott.local @vpetersson wott.io

  32. @vpetersson wott.io

  33. CURL ALL DA THINGZ $ sudo curl \ --key /opt/wott/certs/client.key

    \ --cert /opt/wott/certs/client.crt \ https://dockerlon.vpetersson.com/api/ | jq { "msg": "Welcome x.d.wott.local. We've been expecting you." } @vpetersson wott.io

  34. ACCESS CONTROL OVERVIEW @vpetersson wott.io

  35. @vpetersson wott.io

  36. CONCLUSION mTLS doesn't have to be scary Easier and more

    secure than passwords Credential rotation built-in The foundation of Zero Trust Networking @vpetersson wott.io

  37. GET IN TOUCH Check out our agent mTLS and CVE

    audit of your nodes Ping us at [email protected] or visit wott.io @vpetersson wott.io

  38. REFERENCES https://github.com/vpetersson/django-mtls https://wott.io/blog/tutorials/2019/07/15/mtls-with-nginx https://tools.ietf.org/html/draft-ietf-oauth-mtls-17 @vpetersson wott.io

  39. @vpetersson wott.io Where's the bar?