Root Causes 440: Public Key Directories
We talk about public key directories and complicating factors such as Tailscale, VPN, Tor, Cloudflare, and Zero Trust.
- Original Broadcast Date: November 18, 2024
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
We're here podcasting in Toronto on a beautiful day face to face, which I've been loving the hell out of. What we want to talk about in this episode was the concept of a directory of public keys.
-
Jason Soroko
Certificate Authority and we talk about it being a centralized trust rather than distributed. What's really what makes it centralized is the ability for Alice and Bob to not have to know anything about each other, but if they've been issued a key pair or better yet, just a certificate that contains what they need to be able to encrypt communication between each other and sign documents and do all kinds of cool things - The beauty is that the directory of public keys really exists in a central location.
Therefore, if you want to do business together, in a lot of these scenarios that use an asymmetric secret, PKI, ultimately using certificate lifecycle management if you're using certificates, then the beauty of the public key directory - everybody talks about the protection of the private key. That's what gets most of the air play.
Because it's the sexy, the thing the bad guy is going after, the thing you gotta protect, the thing you gotta put into a secure element, the thing you cannot let go out of your hands. But the elegance and the real power of a lot of things is happening because of the fact that you can share those public keys out easily. So there's a few things we're going to cover here, Tim. One is this. Let's talk about things where public keys are not distributed centrally. One of these days, you and I are going to do a podcast on PGP.
-
Tim Callan
We keep threatening to do that, don't we?
-
Jason Soroko
I'm going to give you the punch line. Here's the punch line. Spoiler alert. The reason why it's difficult to use - -
-
Tim Callan
How do I know? How do I know what your public key is? You have to tell me.
-
Jason Soroko
So you have to somehow share out that public key. Everything else after that is not that hard. Therefore think about then, if that's what's hard about it, and by the way, that's not a put-down of PGP. PGP has its role, and there's a reason why it's made the way it is. It's because of dissidents in jurisdictions where they can't get access to a public key directory.
-
Tim Callan
Yes. I know who you are anyway, or some way you believe enough about me that you do, and then I'd say, give me your public key.
-
Jason Soroko
So the work of distributing that public key is the onus is on you, and you're the risk taker of, you know, etc. But now let's talk about how some modern systems have this under the hood, and it's the unsung hero of what's actually going on. Let's talk about something like Tailscale. Which is basically public key directory. Therefore it allows you to say, I want to extend trust. I want to have an authenticated and encrypted session between my iPhone or my Android device and a Linux server. By the way, I actually did this, you can create an encrypted session between an Apple TV and attached storage somewhere using Tailscale. Phenomenal.
How is that magically happening so easily? It's because all these devices know where to go to pick up the public key of the thing they need to connect to. That's the real innovation that happened there. But it's all about making public key handouts so dead easy. It's the opposite of PGP in that sense.
So let's talk about some further innovations then. VPN. You and I have talked quite a bit about how you go off and a non-enterprise VPN, so something you're using, typically to an average person who doesn't work in an enterprise, who is using a VPN to go to the coffee shop and encrypt their session within their coffee shop Wi-Fi, hotel Wi-Fi, airport Wi-Fi. So great. What you've done is you're saying, I don't trust anybody on the network of this coffee shop, hotel, airport, but I do trust my VPN provider. Is that always the best idea? The answer is probably no. That's the honest truth. Therefore that form of public key directory-based system might not be, that's an area where I think that we shouldn't deprecate the idea of VPN. I'm not calling for that. But what I am saying is understand who you're trusting.
You and I have had a podcast in the past about doing Tor over VPN or VPN over Tor. And you're really shifting who you're trusting and distrusting, because if you distrust your ISP, or you distrust the Tor exit node, it depends on who you trust and who you distrust, and I think for the average person, they're not able to make that decision. But now let's talk about VPN within the enterprise as a public key, another usage of this grand idea. I think that VPN into the enterprise has a fundamental flaw. It doesn't have to, but pragmatically it does, and that is, nobody uses the principle of least privilege in their networks sufficiently.
In other words, the reason why I brought up Tailscale and certain kinds of equivalents that are using WireGuard, like Cloudflare Tunnels, and there's a number of these things that are out there. I'm not going to call them all out. I think that in a modern enterprise using a peer-to-peer encrypted session based off of an easy-to-use public key directory beats a VPN where you become a node on an entire enterprise network that has a set of privileges. So, for example, I'll tell you that the nightmare scenario is you have a systems administrator who has a static credential.
-
Tim Callan
I was gonna say, is this because you're gonna have granularity of permissions?
-
Jason Soroko
There used to be a day when everybody was an admin. The reason was because it made everything easy to run, and you didn’t have to worry about permissions. If you have an over permissioned credential log in through a VPN, it’s a bad scenario because if that gets compromised, the bad guy is walking around as you all across the - - And the other problem is, if your network was very, very flat, you could then walk into. What happens if you had a finance employee who, because of the flatness of your network, had sufficient privileges into, say, your R&D network, and then had the keys to the kingdom of your IP.
-
Tim Callan
So you're kind of making the case for zero trust right now.
-
Jason Soroko
This is a zero trust story.
-
Tim Callan
So why do the two have to be mutually exclusive?
-
Jason Soroko
I would say it's this. Let's go right back to the top. This is the reason why we started with you asking the question about public keys, handing out public keys, public key directories, centralization. It's because this - back in the day when the things that you wanted to authenticate to had to be on a network, and the easiest way to get to it wasn't to get a public key to it.
-
Tim Callan
It was just to create a VPN.
-
Jason Soroko
It was just to create a VPN and get access via wider network privileges. Well, that is the opposite of zero trust. So zero trust is greatly aided.
-
Tim Callan
So let me try this and make sure I'm getting it right. In a properly implemented zero trust scenario, the benefit that you would get from the VPN is irrelevant.
-
Jason Soroko
You really technically should not in a zero trust scenario use VPN.
-
Tim Callan
You don't need VPN. There's no value.
-
Jason Soroko
That's correct. I would say, for people who are using VPN at their coffee shop and hotel, etc. I'm definitely not saying don't use it. That is the opposite of what I'm saying. You should use it. It's just, who do you trust?
-
Tim Callan
I mean, if I VPN tunneled into my corporate network and it was a zero trust philosophy, it wouldn't matter. The VPN wouldn't hurt because I would still only get the permissions I get. However, also who cares about the VPN.
-
Jason Soroko
And since the world has evolved to make public key distribution so much better than it used to be, we can now much more finely tune what we're encrypting our sessions into. I have a more sophisticated encryption mesh at home. I have a cottage north of where I live. I have various kinds of cloud properties where I administrate things, and my setup is far more sophisticated than just using a VPN into a network and then networking off to all my pieces. I have point-to-point everywhere, ending with a public key distribution system that I trust, and it's made to be so easy that it's easier than setting up the VPN.
So Tim, we're calling this out simply because (a) hallelujah. Innovations in public key distribution are making the world better, and I think it's doing it silently. Once again, PKI being ubiquitous and just forgotten about in the corner. I'm pointing at it, going, check it out. I'm also saying some of your old sacred cows of how you used to log into things, they need to go and die.
-
Tim Callan
Let me offer something and you can tell me if you agree. The VPN, in and of itself, does not represent a vulnerability or security harm, but it is possibly an unnecessary cost. It is possibly an unnecessary worse user experience, and it may create a false sense of security that leads to other failures.
-
Jason Soroko
All true. I'll even offer one more, which is, if your VPN logs you in, essentially authenticates you into a network that has access to more than two things, you're not doing zero trust by definition.
-
Tim Callan
I mean, this is assuming you're doing your zero trust well.
-
Jason Soroko
I would say X number of years ago, there was no other real choice. So you would have laughed at me for even suggesting what I just said. What I am suggesting is little old me has set up a more secure, truly zero trust scenario with a legitimate IT group of things than you are in your high dollar enterprise network, and I did it with very little fuss, very little cost and not even having to learn a lot of things, and it's all due to innovations in public key distribution.