CloudTrust Countersign Made Easy

Cloudtrust countersign

in 2015 we created a first prototype of the CTP API written in Google's go language we are using it to test validate and fine-tune the CTP API specification we also used it to create a simple demo that they will now describe to you we imagine the scenario where a customer Alice wants to provision a set of secure blogs with some specific security guarantees a guaranteed level of SSL TLS encryption and a guaranteed level of uptime in order to set the stage for our demo we need to examine what it means in terms of SLA let's first examine Alice's uptime requirements of time as a metric is typically the expressed as a function of the ratio between the qualified downtime and the total running time of a service now let's look at what this means in terms of concrete numbers if I promise you 99.95 percent uptime it means that over 10 days you will experiment at most seven minutes and 12 seconds downtime over 10 hours 20 seconds downtime and over 10 minutes just half a second now if we lower our expectations and if I promise you 80% of time only it means that you will experiment at most 48 hours of downtime over 10 days two hours of downtime over 10 hours and 2 minutes downtime over 10 minutes to illustrate the expressive power of CTP we will imagine that Alice our customer has mixed requirements she's fine with downtime that does not exceed 7 minutes over 10 days however she never wants to experiments a service loss that lasts for more than 2 minutes over a period of 10 consecutive minutes next if we turn our attention to the security of the tls/ssl connection we will use the cryptographic strength of the underlying cryptographic algorithms that are used to secure the connection as our security metric I'd like to note here that the security of a TL SSL connection depends on more than just this metric it does also has to do with implementation issues for example but for the purpose of this demo it will work as a fine example however this can get confusing for non-experts because the security of a tls/ssl connection depends not on one but on several algorithms each with different bit and key sizes for example you will get RSA 1,024 bits aes 128 bits and a hash function that outputs 160 bits what we need is a uniform quantitative scale that can be used to compare these algorithms and give a global score to the tls/ssl connection luckily for us it turns out that a project called EU crypt did exactly that a few years ago they created a table similar to the following one that says for example that a symmetric key of 96 bits is equivalent to a RSA modulus of 1776 bits and a hash function that outputs 160 bits this gives you a level of 5 or in other words a security level that is deemed adequate until the year 2020 we have a level 6 with longer keys that is secure until 2030 and a level 7 that takes us to 2040 these levels give us a convenient metric for cryptographic strength in this demo we will imagine that alice is happy with level 6 or above now that we have analysed Alice's requirements in terms of metrics we can rephrase them more formally in numbers by saying that Alice wants a TLS SSL connection with the cryptographic strength that is greater or equal to 6 and uptime over 10 days that is greater than 99 point 95 percent and over 10 minutes that is at least 80 percent here we have translated security requirements into constraints over quantitative security attributes of a service and ctp as an open API allows a customer like Alice to query a provider about the value of these attributes while the service is running allowing continuous monitoring of the security level of the service in this demo we will imagine that alice found a provider that is willing to satisfy these requirements so Alice sets up a secure blog with this specific provider then maybe she decides to set up a second one and we can imagine of course that there are multiple tenants so Bob another tenant sets up a blog then maybe a second one and soon these customers are monitoring the security level of the service they're offering to their users with CTP in order to simulate a cloud provider that would be able to offer this capability to their customers with CTP we used docker technology which is a container based technology it allowed us a lot of flexibility in creating SSL Certificates on the fly adding customized Apache web configuration adding software agent for uptime injecting all in a new docker container and launching immediately so basically what we have is a secure blog sass interface that runs on top of docker Apache droplet and the necessary LS manager which itself runs on top of the infrastructure the bottom part of the stack is the responsibility of the provider while the top part is the responsibility of the customer we will basically be playing with the bottom part to show false that could happen on the provider side and how they can be detected with CTP from now on we will pretend to be a cloud provider and use Dockers Yui to visualize the containers that have been allocated to our customers we imagine that alice is provisioning a set of web servers using this platform we can see on the screen that she has created three instances each with a different name similarly if we wait a bit more we can see the Bob our second customer has provisioned to other instances we can now connect to one of the web servers that Alice has provisioned and see what is happening there in particular if we click to visualize the website certificate describing the TLS connection we will first get a confirmation that we are working with RSA and AES encryption with 128 bits if we drill down in the certificate we can see that the RSA public key modulus has a length of 4096 bits this is very good because this confirms that the cryptographic strength of our TLS connection matches or exceeds the level Alice was requesting now we will play the role of Alice the customer she wants to monitor the service with CTP she will use a CTP client to connect to the CTP server once the client is started we see a dashboard view of the service we can see that everything is green everything is OK availability for 10 minutes 10 hours and 10 days is a hundred percent everything is alright and confidentiality of the TLS connection is also alright the objectives the promise is made by the provider are all true if we look at the detailed view offered by the CTP client we can see that Alice has a set of three assets the three blogs she has provision the three web services she has provisioned if we look at the first one we will see that it has two attributes availability and the confidentiality of the data transfer the measurement of ability is done every ten minutes ten hours and ten days and here on the screen we can see that it is one which is equivalent to a hundred percent for ten days ten hours and ten minutes and below we see the promise the commitment made by the provider expressed as JavaScript expression it is true because everything right now is working perfectly fine if we take a look at the TLS confidentiality level we will see that the cryptographic strength level is actually seven Alice wanted six so this is even better than what she wanted and the promise made by the provider in the SLA is also true everything is alright now we will induce a modification of the ssl/tls security by modifying the configuration file of one of Alice's blogs this simulates a human error or a malicious attack in practice here what we're going to do is replace the cipher suit that is actually currently in Apache configuration with another one that is a much lower quality that uses simple desk keys of 56 bits the result of this change is visible immediately in the dashboard one of the line has changed color and the objective is now false if we look at details in the CTP client and scroll down to the security TLS security level we see that actually the level has now dropped to one and this is not in sync anymore with the commitment made by the provider which is underlined below the level should be greater than 6 so we now know that the objective has failed next we will simulate downtime by putting the machine on pause in the docker Yui this simulates a problem on the providers side after a few minutes the sensors in the network will fail to pick up activity from the instance we paused the instances calculated uptime over 10 minutes will slowly fall below the threshold defining the SLA this is visible on dashboard the line turns into red the objective is now false if we take a look at the detailed view in the CTP client and we scroll down to the particular instances that has been affected we can look at the details numbers that are related to availability we see that the measured value of ability over 10 minutes 10 hours and 10 days is now not 100% anymore over 10 minutes it is now below 0.8 which corresponds to less than 80% the objective is not verified any more the machine has been down for more than two minutes if we go back to the docker Yui and unpause the machine then after a while the sensors in the network will detect activity and the level of ability will go back over 80% on the dashboard this will be immediately visible with a change of color and this pretty much concludes our demo this video Illustrated some of the fundamental concepts of CTP allowing customers to monitor the security of their service in real-time or near real-time using a standardized API this typically for customers who have high demands in terms of assurance requirements transparency and control for more information about CTP please follow the links shown on the screen