We have all been taught the Best Practices for Password Management. There is no shortage of publications providing guidance on password management.
- Don't use Personally Identifiable Information (PII) in your password
- Don't use any word that can be found in the dictionary
- Create passwords at with at least eight characters
- Change your critical passwords on a regular basis (although this theory is being challenged)
So why do we not have these same discussions around Certificate or Key Pair Management?
(This is not a trainer on cryptography, but rather a discussion on proper management)
- An SSLCertificate (x.509) is used to secure your webite or service from tampering.
- SSH keypairs are used to secure your authentication to a server or service.
- pgp keypairs are typically used for signing or encrypting files or mail.
- RSA tokens are used typically to provide a more secure second factor of authentication
These provide similar functionality as a username/password. They provide authority as to who you are, to the system you are communicating with. They also provide the user with a sense of security/confidentiality.
However, keypairs and certificates, like passwords, can be compromised! Even the mighty RSA SecureID is not impervious to attack.
Typically, ssh keys are used to automate authentication to a host. That said, according to ssh.com
"About 10 percent of all SSH user keys provide root access, creating a major security and compliance issue"
Many administrators use the same keys across multiple hosts. Similar to using the same password, this could be an issue when that key is compromised. These very people are also the ones who have sudo access to privileged resources. A compromised machine could be silently used for a man in the middle attack.
I suggest that we need to start managing keypairs and certificates in a similar fashion to passwords.
Keypair best practices:
- Create a corporate policy for Keypairs and Certificates!
- Treat your passphrase as you would a regular password (rules above)
- When creating a keypair, do not use a blank passphrase
- Don't use Personally Identifiable Information (PII) in your passphrase
- Use different keypairs for critical systems, privileged access, and regular access
- Do not share your private key with anyone.... ANYONE
- Change your keypairs on a regular basis (maybe not as frequent as passwords, but...)
Beyond simply managing your current keypairs and certificates, you should do a discovery to see how many stagnant or unused keypairs are in your environment. Both Venafi and SSH.Com have discovery tools that will assist in identifying how prevalent keys and certificates are within your environment. They will scan your network, and catalog existing SSL certificates and assymetric keys, providing pertinent information regarding expiry, ownership, strength, etc...
There are many companies in the marketplace that provide x.509 / SSL Certificate discovery and management, but few have stepped up yet for managing those critical ssh/and pgp keypairs.
Ok, I've started the discussion... let's talk...
This document presents current recommended practice for managing SSH
user keys for automated access. It provides guidelines for
discovering, remediating, and continuously managing SSH user keys and
other authentication credentials.
Resources:
Verisign Certificate Management
SSH Auditing - New Detected Vulnerabilities and New Features for Nessus
SSH Auditing - New Detected Vulnerabilities and New Features for Nessus
No comments:
Post a Comment