Remote Attestation TPM Protocol - security

I am trying to create a protocol to remotely attest my agents. I deploy, for example, 3 agents. These 3 agents sometimes decide to migrate, so I need to attest the location that the agent decides on.
Every agent has a TPM module, so each one has a key pair and a certificate emitted by the CA, but I don't know how to do the protocol without the figure of a CA, because this was a requisite.
Can anyone help me?

Related

Using virtual machines on a local network to simulate multiple certificate authorities(CAs) signing the single certificate request

I wanted to test the code that I have developed to support multiple certificate authorities (CAs) signing the certificate. I have set up 3 virtual machines on my physical computer. One of them (VM) is running desktop Linux as a work machine, while the other two are running Server Linux as node 1 and node 2. Ideally, these virtual machines will serve as CA0, CA1, and CA2 to form a tree topology, that is, a top CA and its two cosigners. For example, after a domain creates a certificate signing request (CSR) and gets verified by the registration authority (RA), the RA will send this request to multiple CAs, but the first CA/Top CA (Work Machine) will receive this request and sign it using a BLS signature, then pass it to the other two CAs (node 1 and node 2) to also witness or sign it with their keys, and send it back to the first CA, which will merge the compact signature and then return it to the RA. I have already tested the code using the Ethereum smart contract on the Ropsten testnet and it is working. My question is whether there are any helpful guidelines on how I can achieve this on the virtual machines I have set up. I created virtual machines using NAT and assigned each machine a static IP address. I'm stuck on how to run my code to allow three CAs or nodes to communicate in signing the certificate. My code is on GitHub.
Thanks. Hope my question is clear.

Root Certificate for all computers in a LAN for Azure’s Point to Site VPN connection

In case of Point to Site VPN connection between one to one i.e. Windows Server on Azure and one Windows 10 laptop at premises, it’s okay to create a root certificate of one computer but in case of more than one computer in a LAN in the premise, do I need to create the root certificate of all computers of the LAN and do I need to configure P2S for all computers at Virtual Gateway Network separately?
I don’t think so. Please clarify.
Your understanding is right. You just create a root certificate and a client certificate. The root certificate should be uploaded to Azure. The client certificate can be shared with your PCs. For more details, please refer to https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-rm-ps

Possible to use TLS on many autonomously created VPSs?

Is there any autonomous/programmatic way to create many VPS/cloud servers that securely serve a web page that will be accepted by off-the-shelf browsers without buying a new domain name for every VPS? I'm trying to find a solution that is fast, secure, and completely autonomous and it totally stumps me.
Creating many servers programmatically is easy--eg. create DigitalOcean droplets with their API. I also understand how to programmatically setup a web server and secure it with TLS using Let's Encrypt. The part that stumps me is how to setup TLS autonomously for an arbitrary number of VPSs.
What I've tried/thought of so far:
Self-signed cert for the IP address of the new VPS won't be accepted by browsers without warnings of plague and death
Let's Encrypt does not support bare IP addresses, only domain names and I can't find any provider that offers bare IP certs with automated and cheap verification
I could buy a wildcard cert and create a new (random?) subdomain for every VPS but then it could take hours for the DNS records to propagate to my end user
I could setup ahead of time a few hundred subdomains, point IP addresses to them and then secure them with a wildcard cert but that would be really expensive, like $4/month per IP address to reserve it
I could use something like DigitalOcean's floating IPs and assign them to the VPS as it's created but again, that costs $4/month to reserve each floating IP
I could use a wildcard cert with pre-setup subdomains that are pointed to by a DDNS and update the DDNS when the new VPS is created. But again, as far as I understand DDNS, it could take hours or at least minutes for the propagation.
I could only secure one server with TLS then proxy traffic from the outside world through that server and then to the VPSs using self-signed certs. This would probably work but add latency and a performance bottleneck. The application is already needing high performance and low latency so this is not attractive.
Is there something I haven't thought of? Anyone with out of the box ideas?
Any DNS or DDNS gurus out there who know how to instantly assign a new subdomain to a new IP address? Can you avoid caching delays with random subdomains? Any cert authorities who issue automated bare IP address certs?
Thank you!
Background: My client sells a piece of software that runs only on Linux and they want to enable their customers to use that software occasionally in the cloud from any browser. My plan is to program a cloud hypervisor that serves a web interface, takes a request from the customer to use the software, spins up a new DigitalOcean droplet with an image that runs the software, connects the customer's browser to a VNC-to-websocket proxy, then destroys the droplet when the session is over.
To automate the infrastructure, give Terraform a try; for now it is probably the most consistent and "easy" way of creating all your instances.
Now, for using TLS on all your domains/subdomains, probably the easiest solution is to delegate this to Cloudflare (considering your app is a web page, HTTP/HTTPS):
Cloudflare-issued SSL certificates cover the root-level domain (eg- example.com) and one level of subdomains (eg- *.example.com)
In case you need to get the certificate and later use it, for example for a local web instance or an SMTP server, you can still use Let's Encrypt but do the verification via DNS. This way you don't need a web server and can "programmatically" manage your certificates. How you deploy them or put them on your instances is another topic; maybe Ansible could help to automate that process.

How to setup secure peer to peer communication between 2 wireless linux devices?

I have some wireless linux devices which need to securely exchange data. They do not need internet access. How can I set up a secure private network? I was able to successfully communicate via an adhoc network following:
https://wiki.archlinux.org/index.php/ad-hoc_networking
Unfortunately wpa supplicant does not support WPA2 for adhoc networking.
How can 2 nodes securely communicate?
Could one become a WPA2 wireless access point they both connect to and exchange data via a TLS socket?
Perhaps one could become a hotspot? Or do I need to setup a private network using something like the ipsec framework strongswan?
Or maybe a TLS socket over an adhoc network is secure? WPA2 can be cracked in a few hours with open source software.
How about SSH? Traffic is encrypted.

Refreshing Windows Azure VPN tunnel

Does anybody know how to "reset" the VPN tunnel of Windows Azure Virtual Network? The networking guys here are asking me to do so. What they mean is to "refresh" the connection. Since I'm not a VPN expert I don't fully understand this request. They told me this is frequent when configuring VPN tunnels on hardware VPN concentrators (such as Cisco, Juniper, etc).
With Windows Azure Virtual Network, once you configured the VPN connection the connection is available all the time and if by any reason the connection was down, the tunnel should typically be automatically reestablished.
Also, once you configure the VPN, the tunnel is reestablished within a few seconds. Also, sometimes the connectivity status may not update on the portal immediately, as the portal update happens in about 5 mins; however, the VPN may be established underneath. Users are not able to refresh the VPN via the portal or using PowerShell at this point.
Adding onto Avkash's response, Azure will attempt to establish a VPN tunnel with your on-premise device periodically, so there is no need for manual steps on your device.
To dive a bit into the internals, the Azure gateway attempts to establish an IPsec tunnel. To create this tunnel, the Azure gateway and your VPN device need to negotiate a series of security associations. These are called Phase 1 (isakmp) and Phase 2 (ipsec) SAs. These SAs contain mutually agreed upon parameters (security keys, lifetimes, etc) that both devices will use to encrypt packets between the two endpoints.
When you say that you want to "reset" your connection, I'm assuming you're looking for steps to clear and renegotiate these SAs. You can do this from your device's side, by issuing the following commands after logging into your device. This should notify the Azure side and cause renegotiation to occur.
Cisco ASA & ISR devices
clear crypto isakmp sa
clear crypto ipsec sa
Juniper SSG/ISG devices
clear ike all
Juniper SRX/J devices
clear security ike security-associations
