Machine Identities and Secrets

An Unintentional Secret - Automated TLS and its Zero Trust Fallacy

Tom McNamara

July 8, 2023

abstract graphic of network connections between zero trust nodes

An Unintentional Secret About Automated mTLS

Transport Layer Security (TLS) and its two-way version, mutual TLS (mTLS) have an unintentional secret. Many security professionals believe that TLS and mTLS are zero trust because of the endpoint-to-server encryption they provide. But, the speed and scale of the cloud requires these protocols to create encrypted connections that are built on automated PKI certificates. There’s an ugly truth about automated certificates: they are not zero trust.

Here’s why. The workload receiving the automated certificate from an intermediate (private) certificate authority (CA) has not vetted the workload. There is no verification of its identity before the certificate is issued. The trust is in the CA that received its authority from the chain of intermediate CAs that extend back to the root domain (which is a vetted and trusted identity). The chain of trust is in the CA and not in the workload holding the cert. 

Details Matter for Zero Trust

This isn’t a secret, it’s just an important detail that is overlooked by many security professionals and developers. To be truly zero trust, a workload’s identity should be proven or tested in some manner (vetted). But when certificates are as easy to get as pushing a button there can be no trust in the workload receiving the certificate. 

For root domains (e.g. www.hopr.co) certificates mean something. They can’t be obtained unless the identity of the domain has been verified to be owned by the entity they represent. This is not the case for certificates automatically issued by cloud certificates managers. Automated certificates may comply with 509a standards, but their signing authority is not an independent third party (i.e., they are self-signed certificates) and they lack the vetted trust intended by 509a. Another problem with certificates automation is expiration. 509a certificates are designed to expire and be replaced to prevent misuse. They are semi-static, but for reasons of convenience many developers (working in dev environments) use automated certificates without an expiration date. A certificate that doesn’t expire is a serious security vulnerability if they reach a production environment. But automated certificates have yet another identity problem: each new certificate is a completely different identity from the last certificate. There is no traceability from one certificate to another, yet the workload holding the certificate hasn’t changed.

Automated certificates make sense for some use cases, such as Kubernetes clusters with an isolated cert manager or development environments where the risk of unauthorized access is low. But they should never be used in a production environment if zero trust is necessary. Without trust, an automated and self-signed  certificate, created merely to build a TLS connection, is a false promise of security.

A Zero Trust “mTLS everywhere” Alternative

It’s been said that identity is the new security perimeter. And threat actors are not missing this fact, either. As the insider threat has become more likely, the consequences of successful identity-targeted attacks are significant. Even if automated mTLS is not zero trust, many security professionals believe that there is no other option. They need the encryption; they don’t see an alternative.  But there is one, and it verifies workload identity trust in real time at the speed and scale of the cloud. And it uses a new form of automated moving target defense (AMTD) to build end-to-end encrypted communication channels (hardened tunnels) between workloads on demand.

A zero trust “mTLS everywhere” alternative is possible because of a patented technology and protocol called CHIPS™ (Codes Hidden in Plain Sight). It uses the vast amount of constantly changing Internet information (think of news stories or financial data) and a special algorithm to generate a ‘seed’ that feeds a symmetric key generator. The secret power of CHIPS is that it produces identical keys if the algorithm runs in two different places at nearly the same time. With CHIPS, two workloads in any cloud can instantly build a hardened tunnel between them without a handshake, CA certificate, and key exchange. The two workloads can confirm the trust in each other because received messages can only be decrypted and read if their keys are identical. Any untrusted messages would fail decryption. The CHIPS protocol ensures that the keys used are short-lived and replaced automatically. High frequency (HF) key rotation produces one part of AMTD that disables threat actors from discovering and misusing the keys. But there is another part that is needed to protect workload identity credentials.

Zero Trust AMTD for Workload Identity

In addition to HF key rotation, this zero trust “mTLS everywhere” alternative must verify trust in workloads before they connect with other trusted workloads. To achieve this, CHIPS is augmented with a Machine Alias ID (MAID) credential that is assigned to a workload when it is first deployed and registered with Hopr (a process performed by the enterprise’s trusted DevOps engineer). This is the moment identity trust begins, and it is preserved and frequently verified thereafter.

The MAID rotates based on the history of a workload’s communication sessions. Each time a trusted workload begins a communication session with another trusted workload, Horp is able to observe the MAID of both workloads and verify its trustworthiness. The MAID rotates at a high frequency, too, and is an essential part of the zero trust AMTD that forms a complete and more effective “mTLS everywhere” alternative.

“mTLS everywhere” is a great security goal, but it’s not practical for several reasons not yet discussed. Here are some other differences between “mTLS everywhere” and the zero trust alternative:

Keep Reading

Machine Identity - Avoid the Crisis

Machines operating across the Internet outnumber humans by a ratio of three-to-one. This will rise dramatically as more Internet of Things (IOT) devices arrive. Existing approaches for managing identity and trust for a massive number of machines rely on centralized and legacy solutions that won't work for the machine era. A decentralized solution capable of speed, trust, and agility is needed to avoid a crisis and enable a graceful transition to high trust machine identities.

Author Avatar
Tom McNamara

December 9, 2023

IAM in a Box

Containers are an important part of modern cloud engineering. They evoke the idea of portability and relocation. But in the cloud this is often inhibited because they become anchored to external services within a particular cloud environment, and it becomes difficult to relocate them to a different environment. This article describes how containers can be freed and portability restored.

Author Avatar
Tom McNamara

July 8, 2023

Machine Identity - Who’s Who in the Cloud?

Identities for machines operating in the cloud, like humans in the natural world, are an important quality that is essential to trust, authorization, and authentication. Machines are identified by cryptographic material that takes the form of a certificate. But in the cloud, it is challenging to find, track, and manage the many certificates that are dynamically assigned and used. New approaches to managing machine identities in a zero trust cloud environment are needed to realize secure business operations in the cloud.

Author Avatar
Tom McNamara

July 8, 2023

Keeping Secrets Is Hard

Keeping secrets is hard because they have to stay secret to deliver security. And for machines and workloads in the cloud the consequences to lost secrecy can ripple through the entire business and bring down many digital operations in an instant. Leakage of digital secrets occurs almost naturally over time; disclosure eventually happens and secrecy is lost. But the risk of lost secrecy and the impact to cloud operations is minimized with the right tools.

Author Avatar
Tom McNamara

July 8, 2023

When Zero is a Good Thing

As businesses migrate more of their critical processes and data to the cloud and procure SaaS solutions, their attack surface grows significantly. This makes it harder to achieve a zero trust posture, and more risk occurs for employees with the Secret Zero to everything. While tools such as Machine Identity Managers and Secrets Managers (vaults) are improvements for today, they do not solve the growing problem of competition between zero trust and ever-scaling attack surfaces. A strategic solution that responds to the challenges in new ways is needed. (click to read more)

Author Avatar
Tom McNamara

July 8, 2023

Subscribe to our newsletter
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Use CasesHow It WorksUnique FeaturesHopr ConnectHopr Connect GatewayPricingContact usSecurityWeb Retriever OSSAboutPrivacy policiesTerms of service
Hopr enables on-demand, verified-trust, ultra-secure application networking across clouds, organizations, and ecosystems.

Our patented technology and  protocols form Cloud Native Automated Moving Target Defense (AMTD) around workloads, API endpoints, and data in transit.

Hopr's AMTD disrupts threat actors and proactively prevents cyber attacks to increase cyber resilience.
copyright 2021-2023 | Hopr Corporation
CHIPS™, MAID™, and SEE™ are trademarks of Hopr Corporation
CHIPS™ technology the MAID and SEE™ protocols
are protected by US Patents and patents pending.