In the digital society, security is one of the fundamental building blocks. And it needs transparency and cooperation. Earlier this year, we launched the Keyfactor Community, to collaborate even closer with the developer community, by enabling users to easily download, test, use, and contribute to our software, as well as share ideas through a secure setting.
Last week, it was finally time for us to host the first live Community Tech Meetup in Stockholm. It turned out to be great day packed with new learnings, interesting topics, and insightful discussions. I had an amazing time meeting many of you in person again after many months of covid isolation and online meetings.
Around 40 highly skilled security professionals joined us for workshops and networking at Berns, a beautiful and historic establishment in the heart of Stockholm. The day kicked off with an excellent keynote by Hasain Alshakarti, Principal Cybersecurity Advisor at Truesec providing insights gained from his team’s experience in responding to security incidents and conducting forensic investigations after cyberattacks.
For the workshops, post-quantum readiness was one of the main themes throughout the day. While few have tried it yet, post-quantum cryptography is now ready to be tested and played with. Additional topics included Helm charts for deploying PKI, container signing with Cosign and Connaisseur, and IoT identity management with a Keyfactor Control Test from Azure marketplace.
Post-Quantum Hybrid Cryptography in Practice
Even though the Round 3 finalists from the NIST (National Institute of Standards and Technology) Post-Quantum Competition have been announced, there will still be a couple of years until a standard is in place. And no one knows how many years it will be until quantum computers are a real threat, if ever. In the meantime, many IT leaders are wondering how to prepare their organization and how long we can expect data to stay secure with the classical algorithms for encryption.
In the first workshop of the day, Keyfactor’s David Hook, VP Software Engineering for Bouncy Castle, and Roy Basmacier, Software Engineer, explained how to start preparing by using a hybrid cryptography solution, combining classical and post-quantum algorithms for encryption. This way, a classical algorithm can be quantum-hardened while maintaining the security it offers. We were presented with several standardized mechanisms for hybrid techniques as well as how they can be applied already today with Bouncy Castle.
All post-quantum public key encryption algorithms are designed to use as Key Encapsulation Mechanisms (KEMs). These differ from Key Transport mechanisms such as OAEP in that the KEM provides a random secret to use for key transport, instead of encrypting the symmetric key directly. This characteristic of a post-quantum KEM makes it ideal for use in hybrid algorithms based on either key agreement or key transport.
As part of the workshop, David and Roy presented how to apply KEMs with classical algorithms using both the non-FIPS and FIPS version of Bouncy Castle.
Repeatable Deployments and Container Signing Enable DevOps PKI
Today, network and system administrators are under a lot of pressure to secure their environments, implement zero trust, and separate internal corporate networks with multiple layers of security. To achieve this, they need security solutions that are easy to deploy, use, and integrate. Automation helps transform previously static security functions to being more dynamic and adapted to agile organizations in DevOps settings. And with automation, the time for deployments can be decreased by impressive factors while limiting human errors that manual installations may involve.
Our guest speaker Edgar Pombal, DevOps and Systems Administrator at Siemens, showed how his organization leverages Ansible playbooks for automating PKI tasks such as deployment, updates, hardening, testing, and monitoring. With its ease of use and preconfigured workflows, Ansible is a good choice for managing these tasks. The Siemens PKI serves many business lines including rail, manufacturing, and building management. As the number of certificates in use is rapidly increasing, automation is crucial.
As another way to enable the repeatable and scalable deployment, team members Sven Rajala, US Federal & East Coast Sales Engineer, and Alfredo Neira, Sr Director of Global Professional Services, showed how to deploy EJBCA and SignServer using Helm charts, which help define, install, and upgrade Kubernetes applications.
Hardening the software supply chain is a requirement today and Anton Hodell demonstrated how to secure cloud deployments with signed containers in a simple way using Cosign, Connaisseur and SignServer.
IoT identity management with Keyfactor Control as Azure Test Drive
Before your organization sets off on an IoT journey, it’s important that all aspects of the solution, from data collection to identity management, are tested in your own environment. With Keyfactor Control as a Test Drive from the Azure marketplace, you can try out IoT identity management connected to your application for free for 30 days, making it suitable for example for a proof of concept.
In another workshop, Keyfactor’s Harry Haramis, SVP of Cloud & SaaS Marketplaces, and Alex Gregory, VP of Marketplace Products, showed how to get the Keyfactor Control Test Drive up and running and tied into an existing Azure IoT tenant. The Test Drive provides the full functionality of Keyfactor Control and is connected to EJBCA as a Docker container for issuing certificates.
This setup provides central management of device identities, as well as secure provisioning and automation for your Azure IoT Hub. Another benefit is crypto agility – with one platform for managing all identities, any future changes of cryptographic algorithms can be performed at scale and without recalls.
Flexible Deployments and Post-Quantum Readiness in EJBCA and SignServer
The day ended with product-focused Q&A sessions around EJBCA and SignServer.
Mike Agrenius Kushner, Senior Product Architect, Henrik Sunmark, Product Owner, and I presented some features that are aiming to make life easier for users, like the Easy Rest Client for EJBCA, Docker deployment, automation with Ansible playbooks, and several integration possibilities.
As shown, EJBCA as well as SignServer can be deployed in several ways including hybrid cloud solutions, for example having certificate authorities (CAs) on-premises and validation authorities (VAs) in the cloud.
The post-quantum readiness theme continued in the product sessions with a couple of demos. For EJBCA, we presented how to use the NIST PQC candidates with certificates, in an easy-to-use manner the Bouncy Castle Kotlin API. And in the SignServer session with Magnus Normark, Product Manager, and Markus Kilås, Senior Product Architect, quantum-safety was covered as they demonstrated how to sign code with SignServer using the SPHINCS+ algorithm.
The evening continued with dinner and networking in the nice atmosphere at Berns.