SECURITY & COMPLIANCE / PKI
Public Key Infrastructure is an asymmetric encryption system that uses two different kinds of keys (public and private) to encrypt and decrypt information exchanged between parties.
PKI encrypts the information, so it is secure during the exchange, and then decrypts the information once it reaches the approved recipient.
Hashes are a clever way to mathematically check if a file has changed (i.e. is valid). It is a mathematical function that condenses data down to a fixed length.
What is important is that these algorithms must produce irreversible and unique output hashes, this means that if you have the output, the original data cannot be obtained, so that data is safe, and unique in that different data could never produce the same output.
This allows computers to run the same hash on the same data to compare the data, but not actually compare the data itself, but rather the signature output.
When you combine this function with PKI systems, it can be used to facilitate signatures, integrity checking and of course underpin authentication.
Security provided by a hash algorithm depends on it being able to produce a unique value. A collision occurs when you get the same hash value for different data. A strong hash value is resistant to computational attacks. With a weak hash it could be possible to produce a collision. A broken hash is where collisions occur.
There are many hashes in existence, all designed for different situations. SHA-1 is a hash designed by the US government (NSA), and as computing power and hacking has evolved, it has been deemed to be insecure. Modern browsers natively do not recognise certificates with SHA-1 hashes as secure. Typically, that means a “broken lock” and a warning in the browser when accessing the site.
As per the hash output examples above, the SHA-1 output is 160 bits in length, so when it became apparent that attackers could break the hash, the answer was to make the output longer.
SHA-2 is the successor to SHA-1 and is actually made up of a family of output hashes, where the outputs can be 224, 256, 384 or 512 bits in length. More specifically referred to as SHA-224, SHA-256, SHA-384 or SHA-512, but known collectively as SHA-2.
PKI and Azure
Azure Disk Encryption
Encryption at rest, is a common way to prevent data compromise in case an attacker gains access to the storage where data resides.
Encryption at rest uses a symmetric key to encrypt data as it is being stored and uses the same key to decrypt that data when it is accessed. Multiple keys can be used to encrypt the partitioned data and keep the attack surface to a minimum.
Azure clients using the IaaS cloud model can secure their data hosted in VMs and disks through Azure Disk Encryption.
Azure Disk Encryption is tightly coupled to Azure Key Vault which provides clients the ability to manage their data encryption keys and secrets. Azure Disk Encryption uses BitLocker for Windows. There is no additional cost associated with OS and data disk encryption for Azure VMs although there will be a cost associated with Azure Key Vault which will be used for managing the keys for disk encryption.
Azure Key Vault (AKV)
Azure Key Vault is an Azure service that allows for the storage of encryption keys and secrets. That would include certificates, passwords and the like.
Azure Key Vault is FIPS 140-2 Level-2 certified.
There is also a FIPS 140-2 Level-3 option.
Access control to Azure Key Vault is controlled via Azure AD / AD.
It is important when using Azure Key Vault that the appropriate segregated and controlled permissions are granted and that the network that is built for PKI and AKV should be tightly controlled.