To guarantee data integrity and confidentiality in Alfresco, we need to implement authentication and encryption at-rest and in-transit. With micro services proliferation, orchestrating platforms, complex topologies of services and multiple programming languages, there is a demand of new ways to manage service-to-service communication, and in some cases, without the application needing to be aware. In addition to that, compliance requirements around encryption and authentication come to the picture requiring new ways to handle them. This talk will review encryption at-rest solutions for ADBP, and will be also discuss about solutions for encryption and authentication between services. This will be an introduction to service mesh and TLS/mTLS. We will see a demo of ACS running with Istio over EKS along with tools like WaveScope, Kiali, Jaeger, Grafana, Service Graph and Prometheus.

1. Encryption At-Rest and In-Transit: Survival Guide
Toni de la Fuente
Lead SecOps and Security Architect
Edinburgh, January 30th 2019

2. Learn. Connect. Collaborate.
Who am I
Click to speaker

3. Agenda • Requirements
• Encryption Foundations
• Encryption At-Rest
– Native on premises
– Third party on premises
– Cloud
• Encryption In-Transit
– TLS and mTLS
– Service to Service
– Service Mesh

4. Requirements

5. Learn. Connect. Collaborate.
Requirements:
• Organization policies
and compliance
• Industry or
government
regulations
• Protect privacy
• Minimizes
unauthorized access
to data
CIA triad:
Information
Security
Integrity
Availability
Confidentiality
Authenticity
Accountability
Non-repudiation

6. Encryption Foundations

7. Learn. Connect. Collaborate.
Foundations
• Encryption keeps confidentiality and a key un-encrypt: AES
(symmetric), Blowfish (symmetric), RSA (asymmetric)
• Hashing checks integrity of data by creating a hash or digest
with one-way function (signatures): SHA, MD5, MD4, etc.
• Encoding is for maintaining data usability and can be reversed
by employing the same algorithm that encoded the content:
ASCII, Unicode, URL Encoding, Base64
• Obfuscation is used to prevent people from understanding the
meaning of something, like source code

8. Learn. Connect. Collaborate.
Symmetric key encryption
Alice wants to send an encrypted
message to Boriss:
Key
(1234)
Plaintext
Ciphertext
A B C D E F G H I J K
99rwV+HMzEX4ux1O9t0TwQ==
Algorithm
Blowfish, AES,
DES, TripleDES,
etc.
They both use
the same key to
encrypt and
decryptThis process is usually FAST

9. Learn. Connect. Collaborate.
Asymmetric key encryption: public and private keys
Alice wants to send an encrypted
message to Boriss:
Alice uses Boriss’
Public Key
(1234)
Plaintext
Ciphertext
A B C D E F G H I J K
99rwV+HMzEX4ux1O9t0TwQ==
Algorithm
RSA, ElGamal,
etc.
Boriss uses his Private
Key to decrypt
(5678)
Alice only
needs to know
Bob’s public
keyThis process is usually SLOW

10. Learn. Connect. Collaborate.
Certificates: X.509 (RFC6818)
A certificate has:
• subject name
• subject’s public key
• issuer name (CA name)
• validity
• signed by CA

11. Learn. Connect. Collaborate.
Tools and Common File Formats
• Many tools like OpenSSL, keytool, cfssl, mkcert, minica
• Encoding:
– DER: binary cert encoded with DER .cer or .crt files
– PEM: ASCII (base64 encoded) cert .cer or .crt or .pem files
“----BEGIN CERTIFICATE----” “----END CERTIFICATE----”
• File extension:
– .crt: Unix/Linux convention for a DER or Base64 PEM
– .cer: MS convention for a DER or Base64 PEM
– .key: public or private key PKCS#8. DER or PEM

12. Encryption at-rest

13. Learn. Connect. Collaborate.
What is encryption at-rest?
Protect stored data from unauthorized access
using encryption at block, file, directory, file
system or full disk level with keys

14. Learn. Connect. Collaborate.
Where do we store information today?
• Alfresco CS Content Store
• Alfresco CS Database
• Alfresco CS Indexes
• Alfresco CS Shared File Store (new Transformation Service)
• Alfresco PS Database
• Alfresco Identity Database (Keycloak)
• Alfresco mobile Apps
DBs
DBs
DBs
File
System
Network
Storage

15. Learn. Connect. Collaborate.
How can we encrypt stored data?
• Natively → Encryption add-on for Alfresco Content Store (application
side encryption)
Repo Storage
doc doc doc doc
Encrypted content
store feature
added
DB
Indexes /
Transformations
• Uses Java Cryptography Extension
(supports HW encryption)
• Each content element encrypted with
individual symmetric key (AES 128 bit
default). Symmetric keys are stored in
alf_content_url_encryption table
• Content keys then encrypted with
asymmetric master key-pair (RSA)

16. Learn. Connect. Collaborate.
How can we encrypt stored data?
• Third parties → for Alfresco Content Store and everything else
Repo Storage
doc doc doc doc
Encrypted content
store feature
added
DB
Indexes /
Transformations
• File system level tools
• AWS EBS or S3 Server Side
Encryption, RDS volume
encryption
• MSSQL or Oracle TDE

17. An introduction to mTLS and Service Mesh

18. Encryption in-transit

19. Learn. Connect. Collaborate.
Intro
• What is encryption in-transit?
• TLS and mTLS
• SSL Offloading
• Our Research and POCs:
– Service to Service
– Service Mesh

20. Learn. Connect. Collaborate.
What is encryption in-transit?
Protect moving data from unauthorized
access using encryption on the wire with
protocols like TLS or IPsec and keys

21. Learn. Connect. Collaborate.
TLS and mTLS
• SSL/TLS History:
– 1995: SSL v2 (deprecated in 2011)
– 1996: SSL v3 (deprecated in 2015)
– 1999: TLS 1.0 (deprecation 2020) *
– 2006: TLS 1.1 (deprecation 2020) *
– 2008: TLS 1.2 *
– 2018: TLS 1.3
* Vulnerable depending on browser or cipher
used (POODLE, FREAK RC4 attacks and
others)
• TLS: are cryptographic protocols
that provide communications
security over a computer network.
It uses symmetric cryptography
to encrypt data transmitted and
public-key cryptography for
authentication. Authentication
usually is from the server side only
(using X.509 certs).
• mTLS: mutual authentication using
X.509 cert, commonly used
between servers, applications or
services.

22. Learn. Connect. Collaborate.
SSL Offloading
Repo Storage
doc doc doc doc
DBs
File System
Indexes /
Transformations
Service A
Service B
Service C
Service D
Service E Service F
HTTP over
TLS
LB
Plain HTTP

23. Learn. Connect. Collaborate.
How does TLS and mTLS look like together?
Repo Storage
doc doc doc doc
DBs
File System
Indexes /
Transformations
Service A
Service B
Service C
Service D
Service E Service FJDBC over
TLS
HTTP over
TLS
HTTP over
TLS with
mutual
Authenticati
on = mTLS
LB
HTTP over
TLS

24. Learn. Connect. Collaborate.
mTLS: Java Implementation High Level Overview
Service A
Service C
Service B
-Service A is client of Service
B and server for Service C
-Service B is client for Service
C and server for Service A
-Service C is client for Service
A and server for Service B
Client Server
keystore
truststore
keystore
truststore
1. Service connection requested
2. Provides server certificate
3. Client
verifies
server cert
authenticity
using CA
cert
4. Provides client certificate
5. Server
Verifies
client cert
authenticity
using CA
cert
6. They agree and share a
symmetric session key for
encryption and decryption and
communication starts
Server
Certific
ate
Server
Private
Key
CA
Certific
ate
CA
Certific
ate
Client
Certific
ate
Client
Private
Key

25. Disclaimer
• The information contained in these presentations is intended to inform the
developer community based on a working prototype and should not be relied
upon in making purchasing decisions.
• The content is for informational purposes only and may not be incorporated into
any contract.
• The information presented is not a commitment, promise, or legal obligation to
deliver any material, code or functionality.
• Any references to the development, release, and timing of any features or
functionality described for these products remains at Alfresco's sole discretion
• Product capabilities, timeframes and features are subject to change and should
not be viewed as Alfresco commitments.

26. Learn. Connect. Collaborate.
Our Research
Service to Service Service Mesh
Remember:
We want to see what is the best way to implement encryption and authentication between services!
Tested with Alfresco CS 6.1, our Helm charts and EKS in AWS.

27. But Let’s Recap First

28. Learn. Connect. Collaborate.
Internet
LB /
Proxy
Tomcat Tomcat Tomcat
DB
File
Storage
1. Load balancing
2. Application
3. Data
#10YearsChallenge
2009

29. Learn. Connect. Collaborate.
#10YearsChallenge
2019

30. Learn. Connect. Collaborate.
Layers!
+ Virtual
Machine
+ Host
+ Infrastructure
vendor
https://adam.shostack.org/blog/2018/05/threat-model-thursday-google-on-kubernetes/
Java VM

31. SIMPLICITY IS GONE

32. Learn. Connect. Collaborate.
Service-to-Service Encryption in-transit and
Authentication POC
• mTLS configuration per service/microservice
• Automated with customized Helm chart and
services
• Repo and Solr communication was already
mTLS
• Limitations:
– Repository service can’t do mTLS with
transformation services: handshake fails
– SSL certificate CN must match with
domain name of internal services
(requires usage of a CA)
– mTLS between ELB and ingress
– Automating certificate generation via
Helm chart
Kudos to Abdul Mohammed!

33. Learn. Connect. Collaborate.
Service Mesh Intro
• Challenges managing microservice architecture or service-oriented architecture
– Multiple services, different IP, different hosts
– Routing and discovery challenges
– Network security challenges
– Compatibility
– Multi-level network awareness
• Patterns:
– Sidecar
– Ambassador
– Adapter or Node Agent
• Known open source options:
– Istio (Google, IBM and Lyft) - mTLS stable
– Linkerd (Buoyant.io) - mTLS experimental
– Consul (Hashicorp) - mTLS through Consul Connect
– App Mesh (AWS) preview - no mTLS support

34. Learn. Connect. Collaborate.
Istio Requirements and Features
• Requirements:
– For us: end-to-end encryption and authentication
– Discovery, load balancing, failure recovery, metrics, monitoring, A/B testing, canary
releases, rate limiting and access control.
• Istio Features:
– Automatic load balancing for HTTP, gRPC, WebSocket, and TCP traffic.
– Fine-grained control of traffic behavior with rich routing rules, retries, failovers, and fault
injection.
– A pluggable policy layer and configuration API supporting access controls, rate limits and
quotas.
– Automatic metrics, logs, and traces for all traffic within a cluster, including cluster ingress
and egress.
– Secure service-to-service communication in a cluster with strong identity-based
authentication and authorization.

35. Learn. Connect. Collaborate.
Istio Architecture
● Data Plane
● Control Plane
● Components:
● Envoy: proxy per
{micro}service
● Mixer: policies,
telemetry and plugins
● Pilot: service discovery
● Citadel: manages certs
for authorization and
authentication
● Galley: istio API
● Others: ingress and
egress gateways,
injector, etc.
https://istio.io/docs/concepts/security/architecture.svg

36. Demo

37. Learn. Connect. Collaborate.
Related
Sessions
• TODAY
– 13:30-14:00 Shea Nangle: Best Practices for
DIY Alfresco Security
– 15:00-15:30 Gavin Cornwell & Morris Singer:
Alfresco Digital Business Platform on EKS
• TOMORROW
– 15:00-15:30 Sergiu Vidrascu: Developing on
Kubernetes
– 15:00-15:30 Ciju Joseph: Azure Devops and
Alfresco DBP
– 16:00-16:30 Luis Cabaciera & Victor Moreira:
GDPR Watchdog

38. Questions?

39. Thanks!

40. Learn. Connect. Collaborate.
References and
Recommended
Lectures
• Liz Rice: GopherCon 2018: The Go Programmer's Guide to Secure
Connections https://www.youtube.com/watch?v=kxKLYDLzuHA
• Hanno: CCC 2018: The Rocky Road to TLS 1.3 and better Internet
Encryption https://media.ccc.de/v/35c3-9607-
the_rocky_road_to_tls_1_3_and_better_internet_encryption