Eran Stiller — Create your own serverless PKI with .NET & Azure Key Vault

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

[Music] hi everyone welcome a good morning I hope you a good time at the party last night and like to think elf waking up early the morning after to come here so welcome to this session on create your own service PKI with dotnet and a dirty vault now before we dive deep into this session I'd like to start with a little story this story begins at one of my customers who is not your regular software company it was actually a hardware manufacturing company this customer what he did is they built devices which you later unused in manufacturing lines at plants worldwide now this customer did have a software division but all they did was write software to one the machines so now cloud no DevOps hardly any security because the devices are not connected to anything and this was their business for a long time then one day they decided to take these devices and connect them to the cloud basically what they want to do is to take telemetry from the devices information about things these devices are doing upload it uploaded the telemetry to the cloud analyze it it then visualize it in a way so that their customers will be able to see the data and use it for their own business effectively creating an IOT system Internet of Things now when they want to do that they contacted me and I came in and we start analyzing the requirements a building a project plan creating an architecture and we quickly realized that there will be some problematic areas that we'll need to cover and one of them was security this is a company never had to deal with security in this scale before and they were dealing with their own customers very sensitive business sensitive information because we were taking data from their manufacturing lines and uploading it to the cloud so they need a way to make sure that when the data is uploaded no one is able to access it do you need to make sure that when a device is sending data that is that it is the actual device that no one is spoofing the data that no one is faking the device's identity and more than that they need the solution to be simple because again this was not a software company it was a hardware company and since it was a dotnet shop we wanted to it in dotnet because we didn't want to add another complexity to their already complex scenario so we want to have a security solution in dotnet and we also wanted to run several s in the cloud because the solution was supposed to be supposed to be based on Azure functions service platform and we wanted it all to be streamlined now it turns out it is possible to do that in dotnet but it's very hard and it's not hard because the code is hard because it's hard because the documentation it scares there are hardly any samples there are no published best practices on how to do it with dotnet and key vote and we had a hard time finger finger out how we should implement it and that's why I decided to create this session and share the knowledge you gained throughout this project so what we're going to talk about today is that we're going to start with the basics of IOT data ingestion and our talk is not about IOT it's about security but just to give you the context of what we were trying to build then we're going to talk about the terminology of what our public key infrastructure x' what our certificate authorities what our certificates get the baseline so you all talk about the same thing then we're going to get to the bulk of the session we're going to build a service a certificate authority in dotnet once we have that built we're going to use it to issue certificates to simulated devices and store them securely we've got net and at the end I'm going to show the system running end-to-end where simulate the device connects to the cloud authenticate itself and sends data securely to the cloud using the generated certificate so that's what we're gonna do my name is Aaron Stiller I'm a software architect and suffer consultant I work for a software services company called code value we're from Israel I've been working with dotnet for the past I think 15 years and with Azure for the past 10 years is me speaking about it so I'm also recognized by Microsoft as an azure MVP in a Microsoft regional director and I'm very happy to be here to share my knowledge with you so without further ado I think we should start for content so let's start a little bit with IOT data ingestion when we're talking about an IOT system we usually have a bunch of devices it could be several it could be tens hundreds thousands even millions in our case we need to get to several thousands of devices but you can use the solution to scale it to millions and tens of millions of devices if that's what you need now when we have these devices we need a way to manage them meaning to provisioning them to provision them to UM provision them to check their to check their status and so on and we need a way to gather telemetry at high scale because each of these devices in our case it was thousands but again could be more is sending telemetry about once every second or two seconds so we're talking about a big amount of data in our case we decided to use a service in Azure platform service called IOT hub which effectively allows us to manage the live sector of the devices and it allows us to ingest data from these devices and nitronic can configure it to do the data whatever you want you can store it in blob storage like I show you here or you can use trim analytics or any other online analytic system that you want you just need to set up the routing and route your message there now a lot of times you need more than one ingestion pipeline because imagine that you're doing in a world where your devices spread worldwide you have some devices in the United States some in Europe some in Australia and not only that you need to deal with all kinds of regulations for example privacy regulations or datas of the vanity regulations which state that a certain piece of data needs to stay in a certain geographic area I know it's also well it's also in effect in Russia regarding some aspects so we need to have multiple pipelines spread all over the world or maybe you're building a multi-tenant system and you want each client to be isolated from the other clients so when a device boots up it needs to know should I connect this pipeline and should I connect to this pipeline and you can write this so-called the router yourself but luckily for us a measure provides another service platform service which is called the device provisioning service and what it allows us it allows us so that each device when it wakes ups it securely connects to the various provisioning service it authenticates itself and talked about later on how it Ascenta cait itself the device provisioning service authorizes the identity of the do authenticate it authorizes it and checks where should this device send data to once it's once it recognizes the correct by plan it registered the device returns the credentials and then the device can securely connect to the outer hub so that's basically the system that we wanted to build ingest data from devices to the cloud and manage the lifetime of the devices in this talk I'm going to focus on this part how do we get the securely connecting devices up and running now you can replace these parts with other services if you like but I think you if you understand the principles you can implement the same solution for other platforms as well now when we talk about securing our communication channel of the devices we want to achieve three main goals we want to achieve confidentiality meaning that if we send a piece of data from the device to the cloud want to know that no one else is able to see it or able to access it we encrypt it in some way we want to achieve authentication meaning that if a device claims it is a certain device we want to know that it is with claims it is so no one's faking their identity and once you have offended at the device we want to authorize it we need to make sure that it is allowed to send data to each in data ingest in pipeline each with same data what types of data it should send and so on now this problem is not new its existing in the world for a long time a lot of system what other systems need solutions for this problem and in fact there are various solutions to this but what's common common about all of them is that all of them rely eventually on a protocol for creating secure channels called TLS transport layer security you might also know it as SSL or HTTPS basically it's a protocol which allows us to securely communicate between two endpoints across the network now that protocol in turn relies on certificates you need your devices your endpoints to have valid certificates you need to manage them unity renew immunity revoke them and so on in order to allow for TLS communication and then overlay additional protocols on top which provide all of these so the our solution like I said to manage it but we wanted to keep it simple we want to have a simple dotnet based solution running unnatural functions we can again this is not your typical software company it was a hardware company they don't know how to manage the DeNooyer handled complex software and that's why we embarked on this journey and that's the context of what we want to do ok so we decided to create our own certificate of wrote your own public infrastructure but what is it actually what does a PKI or certificate authority have to do so let's discuss it a little bit a public infrastructure is like an umbrella term for all the stuff let's call it that you need in order to manage certificates in order to issue them issue them you know distribute them store them verify them revoke them notify an administrator that the certificate is about to be expired for example all of these software components and business workflows all these are things that are part of what we call a public key infrastructure usually a group of software components where each software component is responsible another aspect of managing the lifecycle of a certificate now usually you don't want to build this from scratch you have off-the-shelf solutions both for cloud-based on Prem hybrid solutions on almost any platform you can imagine and if you find one of those solutions which is good for you that's great go ahead and use that securities hard you don't want to write it yourself but sometimes you have unique requirements which require you to do something a little bit more special but even then you don't need to reinvent the wheel from scratch usually you can take parts of your public infrastructure off the shelf and use them and just customize the parts you need and that's what we did in our solution so ours should tickets we set the TLS or transport layer security cannot work without certificates but what are certificates so the way I see it certificates or like a driver's license for computers and code now let's think about a little bit what is a driver's license well it lets you drive but let's say for example you're driving along the street and a police officer stops you and asks to see your identification papers so you show them your driver's license or your passport or whatever and then take this document and they look at it and what does the document have it has your image right so they look at the image they look at you they try to determine if the image the person the image is actually you okay sometimes that's hard depends on how all your images let's say they're convinced it's you then they look at your name you see okay so you're probably Aaron let's say that's me okay that's great but how do I know that it's actually you that actually you are actually Aaron what do you do they check the authenticity of the document right they check if it's not fake they look for all kinds of signatures and security seals which are usually placed on typos on these documents and once they are convinced that this driver's license or this document is authentic they assume that because the government gave it to you and they trust the government to verify that is actually you they trust that the person listed in the document is you certificates are the same thing certificates are actually a binding between a name or an identifier it can be the device name it could be a domain name for website and so on and something that's called a public key which acts as the image in our case now a public key is part of something that's called a private public key pair or an asymmetric key a symmetric encryption key we're not going to go into a symmetric encryption today that's a topic for a brand new session but it suffice to say right now that in modern cryptography an encryption key is comprised of public key and a private key you give the public key to everyone you keep the private key to yourself you should never leak your private key ender match to each other and you can find the private key from the public key and vice versa now once the certificate has your name and you sorry your name and your public key together you can present it to other computers or to other people and once they see a certificate they check ok that's your public key I need to verify that you actually own the private key associated with this public key and I'll show you that in a couple of slides how we do that but the public key access the image it has your name it has one more thing it has a signature who signs the certificate a certificate authority and will get a certificate authority again in a second now you might have heard the term x.509 certificate x.509 is just a binary encoding of how we store the certificate in fact it's the only standard to use today to stall certificates so if you hear the term certificate or x.509 certificate it's roughly the same thing now imagine the certificate authority a certificate for it is the entity which signs the certificate which issue is the certificate in the case of driver's license it was the government in the case of our computer certificates we have actual certificate authorities worldwide you might have heard of things like digit sir it GoDaddy and so under multiple certificate authorities out there which what they do is that they verify the identity of those who want to issue certificate if you want to buy certificate from a certificate authority they verify your identity now this verification can be very simple something like an automated process like let's encrypt if you know it where you have to respond to a challenge over the network or it can be a very complex where you have to go offline and send documents proving your identity and so on depends on how much you pay them and how much you want to prove your but once they know you're an entity and they issued you a certificate it relies on the fact that others trust the certificate authority to only issue certificate to those who are entitled to it like in the case of the driver's license or the passport if I don't trust the government to verify your identity I don't trust driver's license the same thing you've certificates I need to trust this certificate authority and then I can trust the certificates it issues now let's look quickly at an example of a certificate so if I go let's say to github for example so I'm sure you've seen this small lock icon up here more than once and I can click on it I can go to the certificate and here we go we can see here and let me increase the size a bit this certificate was issued to github it was issued by this certificate authority desert it has a validity period from and until and if I go to the details we have all these fields which are called x.509 extensions there's a small piece of the pieces of data I can add to this certificate so for example I have sorry I have the subject up here so here we go the subject is github.com again we have the validity and we have some more information for example subject alternative name these are the domain names these certificates allows I have something called enhanced key usage server authentication client education this is what the certificate is allowed to do these are the allowed usages of the certificate and so on so I have a lot of information I can had on the top of this certificate so that's how our certificate looks like and it's typically used in scenarios like this one we want to create a secure connection to website but how does a website or a server prove their identity to you let's say I browse to github and github show me the certificate and has their name and their public key but I don't know they actually own this public key because remember in the driver's license case I can look at the image look in you and see is it the same person over here we will over a network and the public key is public I need to know that the other side has the private key associated with this public key so how does it work so our case we have Alice and Alice wants to connect with Bob and she says hi there I'm Alice and Bob responds hi Alice I'm Bob it says is Bob but then I ask asks how do I know you're really Bob prove it to me and he gives her his certificate which has his name Bob and his public key and it's also signed the certificate authority but remember a license to verify that he owns the private key associated with the public key so what she does is the following she gives Bob a challenge she can create for examples again there are various ways of doing it she can create a random array of bytes she can encrypt it using Bob's public key because she has the public in certificate and we only need the public key to encrypt sign the encrypted message to Bob and then tell Bob hey decrypt is for me and only the person with the private key can decrypt this message so suing Bob has the private key they can respond with the decrypted challenge and then we have a secure conversation optionally Alice can continue improve their own identity to Bob creating mutual authentication but this is the way this usually works and TLS again this is an abstracted version but TLS works in the same manner using the same principles and our solution work in the same way exactly so these are the basics of public infrastructure and certificates now how do we take this and turn it into working solution in.net the first thing that we need to consider when we build our certificate authority is the root certificate the root certificate is the certificate which belongs to the certificate authority and the certificate authority uses this root certificate to sign the certificate issues so if I looked at the github certificate for example and let's go back now sorry I didn't mean to open this one here we go if I go back to github click the lock icon know the certificate and I go to certification path I can see it actually signed by other certificates all the way up here we can actually create a chain of trust this certificate up here is the root certificate it's not signed by anyone else it's signed by itself and those who rely on the certificates need to trust this certificate now if you're building your own certificate authority you're gonna have your own root certificate or your own intermediate certificate if it's if you create a chain of trust and not a simple flat structure like in our example people need to trust it so if you have your root certificate and you lose your private key you lick it you're doomed you need to start revoking your certificate changing and moving changing trust definitions you're in a bad position if you lick the private key food certificate so you need to think very carefully and how are you gonna manage this are you gonna eat it how you gonna store it how you're gonna use it in a secure way so this private key never gets leaked now for this part we decide not to write it ourselves we decided we decide to use a service in Azure which is called a dirty wat a Nadder key wat is a platform service which is meant to safeguard cryptographic keys and secrets meaning that if you have any sensitive information your app let's say passwords connection strings to databases encryption keys and so on you can use as your key vote to securely store them and manage access policies who can access it audit it and so on and you can even use something that's called a hard rule security model an HSM to secure your encryption key in Hardwell and use it in hardware in order to encrypt things time things decrypt things and so on so your key is protected by specialized hardware and not software that's a very strong protection now if you don't want to use Azure keyboard you can definitely replace it with other solutions AWS has a similar solution called AWS certificate manager and if you don't want to use either Azure AWS again there are other solutions which are meant to manage sensitive information such as certificates or encryption keys some of them are in the crowds of them are on Prem so if you choose one of them obviously the implementing the implementation details will change but the principles that you see here would remain the same so great what we want to do is when a new device leave the factory you want to have and employ a person now this can be also an automatic process we can automate this what you want a person to log onto this device and learn some sort of utility or script now this utility will acquire our employee to identify itself to authenticate with an identity provider in our case our Active Directory and using their credentials we want to call into a back-end our certificate authority running on Azure functions in order to generate a certificate using he bot and return the certificate back to the device and store it securely this is what we want to achieve eventually now in order to do that we need to set up several cloud resources so you can do it manually in the portal you can also use arm templates you can also use code since since this is a dotnet conference I decided to do it using C sharp now all the code I'm going to show you is open source on github you have the link to it on the slides both on the next slide deck and you have it here at the end so basically what we have here is some code it uses the standard Azure management SDK or the fluent SDKs more correctly to create all the resources that we need so if we go up here sorry you can see we create a resource group and there are functions and the key vault and the LT have basically everything we need so we can run it later at home and create the setup yourselves and just to show you for example if you create the key vault what we do here is that we create something that's called key vault manager we authenticate with our own credentials and then we defined we define the region we define the resource group and define some policies which we'll get to in a second and so on so this code is less interesting I'm just gonna run it for now it should run and create all the resources that we need we'll get back to this in a second so this is running and creating all that we need there's a function the keyboard the IOT hub the device provision service and so on so heavily sources and now we want to get ready to build or see a but before we better see a need to generate the root certificates remember the root certificate you need to secure it very safely now one way to generate it is to generate it directly on key vault the way we do it is the following we use the keyboard client and this client sorry this client over here comes for the keyboard SDK and you can see it in the full code and we call a method which is called create certificate aceing which allows us to create a certificate on keyboard we give it the URL of the keyboard we created we give it a name for the certificate and identifier and then we need some specify some sort of policy what do we want with this certificate so we can specify for example poverty legal in the key in this case we specify that we want to use RSA as the encryption is the is the encryption protocol in one the key length to be 2,000 bits which is pretty standard today if you need if you have higher security requirements you can do longer key lengths but this will make your key raffiq operations much more expensive we give it some properties regarding the certificate so for example the subject name this is the name of the certificate authority of the root certificate we specify that this certificate is going to be used to sign other certificates in our case now you could specify other things if you want to create other types of certificates and we also specify this this means these are why these object identifiers what they mean is that this certificate is used for client authentication and server authentication like I showed you in a github certificate this is typically used specified certificates so they can be used to generate TLS to use in TRS connections and so on other than that was specified that the certificate is self signed since again this is a root certificate in other scenarios you can use this parameter to specify another issue and you can build a chain of trust so for example in the real signal in the real project we had a little bit more complex scenario who had an intermediate certificate for each factory which were generated from a good certificate in RCA and that was signed by a real public certificate so you can build much more complex things if you want but here we're using a self signed certificate now what's good about this implementation is that the private key is generated on as your key vault and it never leaves a turkey but we never have the access to the private key in this implementation however there is a small problem with this implementation unfortunately to us and this is a specific key vault issue specific as Rocky vault issue when a turkey vaults generates certificates they automatically marked them as leaf certificates they add an x.509 extension which states that this certificate should not be used by certificate authority now if you just want to create a regular certificate then this method is absolutely fine if you never verify that verify that property in your own implementation this is also fine because you don't have to validate that extension but unfortunately for us I'm going to use this later on with the device provisioning service which does verify this extension and it does not work so I really told Microsoft about this problem and unfortunately they haven't fixed it yet so I left this code and you have this code also in the in github just for reference in case you need to use it or refusing another mechanism like a double a certificate managers who might be able to do it there again the good thing about this is that you never have access to private key unfortunately we need to work around it so what we did in our solution is that unfortunately we generated the certificate on our machine using dotnet how does it we create a new key a random key you can see we call here our other side is created this is all standard the netcode system cryptography we create a new key we create a subject for a certificate again the name of the certificate authority and you create something that's called a certificate request this is the way that we create a new certificate in detent we create an object called a certificate request we give it the name of this certificate the key we just created and the hash algorithms we want to use for the certificates we can add other extensions so for example we say that this certificate is used for signing other certificates and we also say this thing x.509 basic constraints extensions now this has a lot of throughs but the first one over here it's a parameter we state that this certificate is used for a certificate authority this is what key vault sets automatically to false and you cannot override unfortunately today so I say that this certificate authority is used this certificate is used for CA and it can create a chain of trust in a maximum length of 1 so I don't want to create deeper levels of trust using this certificate once I have all the extensions now you go ahead create request create self signed I give it the validity dates in our case here from now and then I have the certificates so this works on your machine the only problem with this is that the private keys generated the newer machine and it's there on your machine in memory for a short amount of time because once we have this and we upload two key volt we can get rid of it what it was there for a very short time it was good enough for us because we could trust that the machine that were going to run this on was disconnected and it was secure enough and when we had one connection to keyboard and it was good enough for us but it depends on your requirements so if we go back to our demo and we can see our script already finished running so if we go here and we refresh so we have all of the resources that we needed that we created now I want to create this certificate so I'm gonna check out the second branch that we have here it's called root certificate again if you follow it later on github you have the same branches so you can follow along the demo and I have a class called root certificate helper which contains pretty much the code I just showed you let's build it but what it does is that it creates the certificates and then upload it for some reason videos till you decided not work nevermind and once we have it we use the keyboard client to instead of create this certificate we import it into keyboard so let's run this code okay so the the resource group already exists it doesn't recreate the resources and it went ahead and created a certificate and it also stored it locally the public part the public key it started locally here let me open it remember we only store the public key not the private key let's open it the directory we have here a wood certificate and we can look at it and we can see that it is self signed it's called build PKI sample CA it has all the extensions that we need and it was also uploaded so if I go to our keyboard and I go to the certificates part let me increase the size a bit we can see that we have a certificate was created today you can see November 7 2020 so it's a year for now I can click on it and I can also see the I can see all the versions from all the runs of this demo and click here for the current version which was created now here 11:05 that's right now and we can see all the details here as well we can also download the public certificate from here so we created a certificate we upload it to keyboard how do we use it before we use it we need to make to make note of two things the first thing is even though we uploaded to Keewatin keyboard is secure we need to secure access to a certificate we need to make sure that only those entities which require access to our certificate have access to it and even then we need to restrict it to as little as possible so in our case what we did is then you have a parting keyboard which is called access policies I gave access to our error function and note the permissions I gave it I gave it permission to get this certificate itself and this not only the public parts it doesn't allow it to get the private key the private key never leaves keyboard only the metadata of this certificate and allows it to use the key to sign things it can only send data to key vote to have it signed and then get the result back the private key never leaves key vault we don't give to anyone permission to get the private key and this is very important because you don't want it to leak so that's one thing you can do you can limit the access using access policies and if using another platform you can use your platform's tool of choice another thing you can do and that you should do is log is audit all the accesses to the private key because you want to know each and every time your private key was used and what was done with it and you can have later on monitoring tools which take this audit log and give you alerts if you have suspicious activity so in our case you can just turn on auditing it's connected to as your logs and you have a link at the end detailing how exactly it's done but you can see we get various information in the operation name when was it done who was that caller IP additional information regarding the identity of who made the call some again some more information regarding the operation itself and so on so you can get quite a lot of information to analyze it afterwards we can remember the private key of this of the root certificate is the most important thing you need to protect so we have our root certificate now we need to use it to sign a request and the way it's gonna work is the following we have our device identity provider certificate authority and keyboard the device when it wants a new certificate it will generate its own keeper which will generate a public/private key pair and we'll keep the private key within the device then it will authenticate the caller in this case the employee again this can be automated as well we've attracted actually get an access token for certificate authority call the certificate authority giving the subject name the device name that we want to use the public key which was generated and the access token to see that we are allowed to issue a certificate the certificate authority will create the certificate signing request or the certificate request send it to key vault to get signed then the private key never leaves give alt get the signed digest back and then we can return a signed certificate where the device can take the signed certificate add to it the private key it kept with and securely stole it within the device so this is the flow that we want to implement at first at this stage when you talk about the ca we'll focus on these side of things we'll see how we get the requests generate this certificate signing request sign it with give out and return the signed certificate so how is it done first off we take the public who were given again remember we are given the subject name for the certificate the public key and an access token so I'm not going to talk about the access token but I'm going to talk about the subject name in public key so we get the public key that we got from the request and again we use RSA does create like we did before on list and we're not creating a new random key we're creating a specific public key which we don't have the private key for only the public part then we go and create build a request so we give the name for the certificate the subject name that we got from the request we build the request object again giving it the subject name in the certificate key we add all the extensions that we need only at this time we say this certificate will be used for digitally signing and in ciphering things it's not used for signing all those certificates because this is a leaf certificate and we also state that this is a leaf certificate this is this false thing in the x.509 basic on straight extension and we have no requests now is the tricky part now at the part where we need to sign it to cave ought to have it signed and the way we do it is the following we get a request in addition to the request we need to create something that's called a serial number certificate serial number and the reason is that every CA you build or that you use always need to issue a unique serial number to each certificate it issues it's a way to keep track of the certificate a specific CA issues to the world now in Mike in my code in my example I used blob storage to store like a number and every time I just get it incremented by one and store the next one you can do the same with lettuce or or database or whatever is that you want that code is really not interesting but we have your small mechanism which returns a running serial number every time we request now here comes the fun part what we do here is that we take orc even cry he wold client from the key vault SDK and use an extension method which is called - RSA now this extension method comes from a third-party nougat package which was created by calling and VP called Orion Novotny and you have the link to this nugget package at the end it's also open source on github and what he did is he created an implementation of a dotnet RSA key or say is an abstract class he created an implementation where all the methods sign encrypt decrypt and so on instead of being performed locally within your process they send the data to key vote get the operation done there and returns the answer but the nice thing is is with this abstraction we can use this RSA class anywhere that dotnet expects an RSA key and that code doesn't it doesn't even need to know that key vote is used there so if you want to use your own platform this is exactly the hook that you can use just implement your own RS or if you want to use another algorithm that algorithm keys that algorithms key using your own platform once we have this we create something that's called x.509 signature generator again this is part of the.net sdk this is the class which generates a signature for a certificate we give it our key which is implemented in keyboard and then we go ahead request dot create give it a subject name the general the signature generator which references the keyboard the Verity did Barry period and the serial number and we get back a signed certificate which we can then return to our users so let's see it in action so if i go back to the demo let me open up the next stage okay let's close this and this okay so we have here our code or certificate each year which you can later on look exactly the same code I showed you in the slides and we have here an azure function which exposes one method issue certificate using post HTTP POST what it does it extracts the subject name and the public key from the request uses the code I showed you in the slide and then it converts the return certificate to base64 and returns it to the caller that's all it does is just a wrapper if you want to run it on something else and not as a function that's great you can use whatever you want so I'm gonna take this and I'm going to right click publish it there you go it's already connected to the resource I created earlier so this is going to publish this function to the cloud and if I go to the cloud and go to a resource group I can look at this as a function which is being deployed right now but when we set up the resource at the beginning in the script I showed you I set up one more thing I set up in the platform there's a feature called authentication authorization I set up in a way so that every call which is not authenticated needs to be logged in with Azure Active Directory in a configured as Active Directory again if you run the script at home you'll get the exact same setup what this does is that only authenticated users can use our CA to issue certificates so that way we don't have to deal with authentication in our code our function code is very straightforward get the request get the data issue the certificate return it that's it okay so we deal with authentication the platform again if you're not using other functions you need to deal with authentication in other way however you want to okay so we deployed our CA let's go to the next step of using it so how do we use it so at first we focused on this part now we're going to focus on the device side of things want to generate the key pair authenticate send the request to the CA get the certificate back and store it how does it work so first of all we need to get an access token for every functions again if you're not running other functions this will change so in our case we authenticate with Azure Active Directory we in our case we use MSA L Microsoft authentication library it's pretty well-documented you can look at the code later on it's not interesting once we have the access token from Azure Active Directory we can go ahead and authenticate with our as your function and the way we do that is we take the access token and we post it to this URL dot off slash login / ad because that's the way other functions work and it returns to us another token this token we can use it to authenticate with other functions this code is less interesting more interesting is how do we issue the certificate so what we do is we create a random key when RSA dot create generates a random new key we export the key but we only want to export the public parameters force here states that you only want the public part who don't want to export the private part the private parts which should be confidential we create the request to our service we put in an HTTP content and then we send it we add the adder for authentication and then eventually eventually eventually once we make the call we get back a response which is remember a base64 encoded certificate so we decoded from base64 string inter certificate new it up new x.509 certificate give it the content and have a certificate back from the CA pretty simple now when you store it so in order to store it with the private key we could use this we could go turned so difficult from the server and call method copy with private key and give it the private key the our side of create key we created earlier now you get back a certificate object and you can store it and this will work on Linux and on Mac but it won't work on Windows if you try to run this in Windows like I did it will only store the public key and the reason is that on Windows and again you have some dependency is some differences between the various platforms on Windows if you call this method the default are say dot create the key is not marked as exportable meaning the private key is marked as a kid which cannot be persisted it cannot be saved and on Linux and Mac it can actually be preceded because again this is based on an OS implementation it's not really implemented by dotnet so you have two options here one option is to when you create the key check if your Windows and if your Windows use a platform specific setting in order to create the key correctly that's one way or another way which is a workaround which was actually posted by Microsoft on the github issue which describes this problem is to do the following export the certificate with the private key into a pfx in memory pfx is a format for storing your certificate and then re-import it only this time with the appropriate keys so allow it to allow it to be stored to private key to be stored and persisted in Windows now this will work also on Linux and Mac so we can keep it much the same way and once you have the persistable certificate you can just open the x.509 store open it and add it and that's about it so let's see how this works so if I check out the next step okay let's check out our client we have here our client which runs on the device so I can run this it will ask me to authenticate so let's sorry let's take the code here next I'm going to send the gate with my identity you're going to go back here it's gonna ask do you want the device name to be my device so I'm going to say yes and we've got ourselves a certificate from the certificate authority we can see the issue is build big high sample the subject is my device and so on and if I go to the Windows certificate store and I go here to personal and certificate we can see that we actually have a certificate my device which was created November 7th which is today so we created a certificate and stored it that's great now when to use it in action and that's the last part only take this certificate and use it in the IOT scenario that you wanted to use it in the first place so again reminder this is the scenario we want to connect the device provisioning service register in IOT hub connector at you have been do it securely so how do we do that do this we load the certificate from the certificate store from the x.509 store and we use something this time again this is from the device provisioning service SDK we create a channel which uses this certificate to identify itself and then we can go ahead and register and send data now I want to show the other part of it how do I configure the server site to recognize this certificate so what I can do is I can go 12 resource group I can go to device provisioning service and I want it to configure it to recognize the certificate authority we just created and thus trust the devices for which we issue these certificates so we go to the device provisioning service go to certificates we're going to add a new certificate let's call it CA we need to upload it now remember when we stored the public part of the word certificate in a file this is the reason because we need to use it now so we're going to upload the public part of our certificate to the device provisioning service you know but note the dude certificate is unverified why because it's only the public part anyone can have it remember Alice and Bob we need to prove that we actually own the private key associated with this root certificate so what DPS does it provides a challenge it gives us a verification code and what it expects us it expects us to generate a certificate signed by the root certificate which has this subject name again challenge-response how can we do that easy we're going to go and run our client again which can issue certificates we'll need to real CENTAC eight let's give you the code okay now it's going to ask for the subject name I'm gonna take it from the device provisioning service where is it there we go copy here no sorry first thing I wanna say no then I'm gonna paste it here and we got the certificate luckily for me I also store it the public part again in a file I'm going to take this upload the certificate we just created ask it to verify and we have our certificate authority it should be verified now the vice-president service trusts certificates issued by our certificate authority now we need to authorize our devices so we're gonna go to manage enrollments and we're going to add something that's called a normal group will give it my devices it's going to use certificates so the CA certificate that we just defined we want to connect it we can define the IOT hubs we want to connect to this is the authorization wall so I'm going to link it to the IOT hub I created earlier irritative built PKI sample hub let's give it the default access policy Save so it should be loading in a second and it's thinking and once here we go I'm going to select our T hub click Save and once we have this in place we can go back to our code check out our simulated device which is the last branch let's set this as a start project go to a program where we can even set a breakpoint here just to see that it works come on with your studio let's f5 this okay so we're gonna load the certificate we created earlier the my device certificate create the channel register the device we've device provision service again this uses the azure device providing service SDK you can look at the code later on and hopefully this will return with a correct result and as you can see it takes some time unfortunately but once it returns what it returns with the registration we can connect directly let's remove this way we can connect directly with our device client and open it and send some data and I don't know why this is taking so long and you know what I'm gonna stop this I'm gonna run this again in the background hopefully tool and by the time I finish this session but they should connect use the certificate II know to a test to authenticate and authorize ourselves and send it to correct IOT hub thus closing the the entire operation end-to-end we'll skip the slide so what I wanted to remember from this session is the following certificates or hard okay but they're crucial to get right you don't want to get the security part wrong you definitely want to get this part right because this can take you out of business if something wrong happens you don't want to offer an entire public infrastructure scratch you can use an off-the-shelf component if you find one but if not use something that's available to you take a part of it rely on something available don't do invent the wheel and you have cloud solutions you have on Prem solutions you have hybrid solutions I used this scenario for an IOT okay and for Audi devices you many times in card the fact that you need to manage multiple devices the marriage certificate lifetimes and so on but you can also obviously visit in others nose as well the principles are just the same and hanok certificate of dotnet is surprisingly undocumented with without keyboard so the main thing you need to remember is the other sake the certificate signing request and appropriate properties once you have that and you get the hang of implementing an RSA key and maybe singing to give out you get all the parts connected straight as your key vault is a great platform to base your certificate authority on but again you can use AWS certificate manager or any other on-prem platform you want wend well the sample just just show you just a sample you can definitely use something similar production we use something a little bit more complex than this but we use it in production and we use it to monitor and revoke and we also notify when that certificate is about to be expired and so on so you can definitely get this more complicated but watching at the principles you can definitely get it going so here you have all the source code a link to the source code a link to the nugget package and some additional resources and you also have it in the slide deck that you get from the conference and that's it thank you very much thank you for time

Info

Channel: DotNext

Views: 1,228

Rating: 5 out of 5

Keywords: DotNext, .NET, dotnet, iot, security, bestpractices

Id: 7K2IuqJKAPc

Channel Id: undefined

Length: 60min 35sec (3635 seconds)

Published: Tue Mar 10 2020