
AWS ACM PCA for AWS IoT and SSL Pinning


Photo by Micah Williams on Unsplash


AWS ACM PCA

ACM Private CA enables the creation of private certificate authority (CA) hierarchies, including root and subordinate CAs[2].

What is a certificate authority (CA)?

A certificate authority (CA), also sometimes referred to as a certification authority, is a company or organization that acts to validate the identities of entities[1]. There are many companies in the world that are CAs. You can buy services from them and use them, among other things, to enable HTTPS on your websites.

In your browser's address bar there is a padlock icon; by clicking on it you can see the CA of the certificate used by the website you are visiting.

Figure 1: CA

The above diagram shows the root CA (Google Trust Services - GlobalSign Root CA-R2) for the blogger.com platform. These certificates were provided by a company called GlobalSign.

You will also see that there are three certificates in the image in a hierarchical structure. More about that can be found in the next section.

Certificate authority (CA) Hierarchies

In large organizations, responsibility for issuing certificates can be delegated to several different CAs[5].


Figure 2: CA Hierarchies (source: Red Hat)

The root CA's certificate is a self-signed certificate that is maintained by a company such as GlobalSign. Subordinate CAs' certificates are signed by the root CA, and these subordinate CAs can in turn sign other certificates, which forms a hierarchy (Figure 2).

According to a report about the 2011 DigiNotar incident[6], companies have implemented many security measures to protect their root certificates. If a root certificate is somehow compromised, attackers can issue certificates to other parties, who could then use those certificates for further attacks.

This incident, which happened in 2011, led to the Certificate Transparency project. More about this later.

More about AWS ACM PCA

There are companies out there, like GlobalSign, from which you can buy certificates for your needs. With AWS ACM PCA you can create your own root certificates under your own name or company name without the costs of operating an on-premises CA.


The above video explains how to create a Private CA and use that to secure your website with HTTPS.

Whenever you import certificates into AWS Certificate Manager from ACM PCA, ACM publishes the certificates to CT logs on issuance and on renewal, unless you disable Certificate Transparency logging[7]. Browsers such as Chrome use these CT logs to validate certificates.

Certificate Transparency

Google's Certificate Transparency project aims to safeguard the certificate issuance process by providing an open framework for monitoring and auditing HTTPS certificates[4]. There are more than 12 billion certificates in these logs as of today (2021-02-08). All the certificates issued by companies, including those from AWS ACM PCA, are logged in these logs in order to be trusted by web browsers.

Figure 3: How CT logs work (source: https://certificate.transparency.dev/howctworks/)

ACM PCA for AWS IoT

IoT devices use X.509 certificates to perform mutual authentication with AWS IoT[8]. Before you start using your IoT devices via AWS services, each device needs to be provisioned. AWS Just-in-time registration (JITR) is a great tool to connect and initialize IoT devices with AWS IoT.

Just-in-time registration registers a device with AWS IoT when it connects for the first time[9]. During this process, a certificate together with a policy is created for the device, handling authentication and authorization for that device.

In order to support multiple regions in your IoT infrastructure, you have to bring your own certificates to AWS IoT instead of using certificates issued by AWS IoT[10]. To bring your own certificates, you can use AWS ACM PCA.

Figure 4: AWS IoT JITR (source: https://github.com/aws-samples/iot-provisioning-secretfree)

ACM PCA for SSL Pinning

SSL pinning is a process that you can use in your application to validate a remote host by associating that host directly with its X.509 certificate or public key instead of with a certificate hierarchy[12]. SSL public key pinning is no longer recommended for browsers[13]; browsers like Chrome use CT logs instead of pinning. SSL pinning can also prevent connections through man-in-the-middle certificate authorities, whether known or unknown to the application's user[14].

Applications such as Charles[15] can be used to intercept requests between a mobile app and the server and extract data. Charles acts as a proxy server and issues certificates that your mobile app can be made to trust. By using SSL pinning we can make sure that the application trusts certificates only from the server and not from proxy servers such as Charles.


When using AWS services, there are a few ways to implement certificate pinning.
  1. Import a certificate that you bought from another company into AWS Certificate Manager (ACM) and pin to it.
  2. If using public certificates, pin to all available AWS root certificates, not to the ACM certificate itself, because ACM renews those automatically and automatic renewal could break your app integrations.
  3. Use AWS ACM PCA to create a private CA and import the certificate into ACM. Use the imported certificate for SSL pinning.

Example

https://square.github.io/okhttp/4.x/okhttp/okhttp3/-certificate-pinner/
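The following script is an added example and is not code from the original post, from AWS, or from the OkHttp project. It ties together the two technical parts of this post: it builds the same root -> subordinate -> leaf hierarchy that Figure 2 describes and that ACM PCA produces, using only openssl and a scratch directory, and then derives public-key pins in the "sha256/<base64 of SHA-256 over the DER SubjectPublicKeyInfo>" form that OkHttp's CertificatePinner expects. It goes one step beyond the post by re-issuing the leaf certificate with a fresh key, as ACM's automatic renewal would, to show why item 2 above says to pin to a root rather than to the renewed certificate. All subject names, file names and the `WORK` directory are constructed for the demo; the functions `new_key`, `self_signed`, `issue`, `spki_pin` and `chain_pinned` are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): three-tier private CA hierarchy
# with openssl, SPKI pins in OkHttp's "sha256/<base64>" format, and a pin check
# that mirrors OkHttp's rule (any certificate in the presented chain may match).
# Every name and path below is constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config so the run does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth, clientAuth
EOF

# new_key NAME: P-256 private key at $WORK/NAME.key
new_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key" 2>/dev/null; }

# self_signed NAME CN: root CA certificate (self-signed, CA:TRUE)
self_signed() {
  openssl req -new -x509 -config "$WORK/ca.cnf" -extensions v3_ca -days 30 \
    -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.crt" 2>/dev/null
}

# issue NAME CN ISSUER EXT: CSR for NAME, signed by ISSUER's key with extension set EXT
issue() {
  openssl req -new -config "$WORK/ca.cnf" -key "$WORK/$1.key" -subj "/CN=$2" \
    -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.cnf" -extensions "$4" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# spki_pin CERT: "sha256/" + base64(SHA-256(DER SubjectPublicKeyInfo)), the OkHttp pin format
spki_pin() {
  printf 'sha256/%s\n' "$(openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 -binary | openssl base64 -A)"
}

# chain_pinned PINS CERT...: succeeds if any cert in the presented chain carries a pinned
# public key. PINS is a space-separated list of pins.
chain_pinned() {
  pins="$1"; shift
  for cert in "$@"; do
    p=$(spki_pin "$cert")
    for want in $pins; do
      [ "$p" = "$want" ] && return 0
    done
  done
  return 1
}

# Build the hierarchy: the root signs the subordinate, the subordinate signs the leaf.
new_key root; self_signed root "Example Private Root CA"
new_key sub;  issue sub  "Example Subordinate CA" root v3_ca
new_key leaf; issue leaf "api.example.internal"  sub  v3_leaf

# Path validation the way a TLS client does it: trust only the root, supply the subordinate.
openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/sub.crt" "$WORK/leaf.crt"

ROOT_PIN=$(spki_pin "$WORK/root.crt")
LEAF_PIN=$(spki_pin "$WORK/leaf.crt")
echo "root pin: $ROOT_PIN"
echo "leaf pin: $LEAF_PIN"

# "Renew" the leaf with a fresh key, as ACM does automatically: a pin on the old leaf key
# stops matching, while a pin on the private root keeps working.
cp "$WORK/leaf.crt" "$WORK/leaf-old.crt"
new_key leaf; issue leaf "api.example.internal" sub v3_leaf
if chain_pinned "$LEAF_PIN" "$WORK/leaf.crt" "$WORK/sub.crt" "$WORK/root.crt"; then
  echo "old leaf pin: still matches (unexpected)"
else
  echo "old leaf pin: no longer matches after renewal"
fi
if chain_pinned "$ROOT_PIN" "$WORK/leaf.crt" "$WORK/sub.crt" "$WORK/root.crt"; then
  echo "root pin: still matches after renewal"
fi
```

The `sha256/...` value printed for the root is the string you would hand to OkHttp's `CertificatePinner.Builder().add(hostname, pin)`; the renewal step is why pinning to the leaf that ACM rotates for you breaks the app, while pinning to the root (your own ACM PCA root, or Amazon's public roots for ACM-issued public certificates) survives rotation. Pinning to a CA key still leaves the app trusting every certificate that CA issues, so the private root's key must be protected with the same care the DigiNotar section describes.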



References

  1. https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaWelcome.html
  2. https://www.ssl.com/faqs/what-is-a-certificate-authority/
  3. https://certificate.transparency.dev/howctworks/
  4. https://transparencyreport.google.com/https/certificates
  5. https://access.redhat.com/documentation/en-us/red_hat_certificate_system/10/html/planning_installation_and_deployment_guide/introduction_to_public_key_cryptography-certificates_and_authentication#Certificates_and_Authentication-How_CA_Certificates_Establish_Trust
  6. https://slate.com/technology/2016/12/how-the-2011-hack-of-diginotar-changed-the-internets-infrastructure.html
  7. https://aws.amazon.com/blogs/security/how-to-get-ready-for-certificate-transparency/
  8. https://docs.aws.amazon.com/iot/latest/developerguide/iot-provision.html
  9. https://iot-device-management.workshop.aws/en/provisioning-options/just-in-time-registration.html
  10. AWS re:Invent 2018: Implementing Multi-Region AWS IoT, ft. Analog Devices (IOT401) (https://youtu.be/vq7m1IUjxdk)
  11. https://github.com/aws-samples/iot-provisioning-secretfree
  12. https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html#best-practices-pinning
  13. https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
  14. https://square.github.io/okhttp/4.x/okhttp/okhttp3/-certificate-pinner/
  15. https://www.charlesproxy.com/

