Elliptic-curve cryptography (ECC)



ECC's security rests on the assumption that finding the discrete logarithm of a random elliptic curve element with respect to a publicly known base point is infeasible: this is the "elliptic curve discrete logarithm problem" (ECDLP).
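As an added worked example (not from the original page), the group law on a toy curve with the textbook parameters p = 17, y² = x³ + 2x + 2 and base point (5, 1), together with a brute-force ECDLP solver; the curve, point and function names are constructed for illustration only.

```python
# Toy curve y^2 = x^3 + a*x + b over F_p with brute-force ECDLP solving.
# Constructed textbook parameters: p = 17, a = 2, b = 2, base point (5, 1),
# which generates a group of prime order 19. Not production code.
from typing import Optional, Tuple

P_MOD, A, B = 17, 2, 2
INF = None                          # point at infinity (group identity)
Point = Optional[Tuple[int, int]]

def add(p1: Point, p2: Point) -> Point:
    """Chord-and-tangent group law, including the special cases."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                  # P + (-P) = O (also doubling with y = 0)
    if p1 == p2:                    # tangent slope
        s = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:                           # chord slope
        s = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (s * s - x1 - x2) % P_MOD
    y3 = (s * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def scalar_mult(k: int, pt: Point) -> Point:
    """Double-and-add: k*P costs O(log k) group operations (the easy direction)."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def ecdlp_bruteforce(base: Point, target: Point) -> int:
    """Recover k with target == k*base by walking the multiples of base (the
    hard direction). Work grows with the group order: at most 19 steps here,
    but ~2^128 for the best generic attack on a 256-bit curve."""
    cur, k = INF, 0
    while cur != target:
        cur = add(cur, base)
        k += 1
    return k

GEN = (5, 1)                        # base point P of order 19
```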

Applicable for 
ECC key length compared with RSA key length (bits):

  RSA     ECC
  -----   ----
  512     112
  1024    160
  2048    224
  3072    256
  7680    384
  15360   512


Elliptic Curve

Public Key Cryptography



PKI (Public Key Infrastructure) 

  • CA (Certificate Authority): binds a public key to an identity; acts as a TTP (Trusted Third Party). E.g. Symantec, Comodo, GoDaddy
  • OCSP Responder
  • RA (Registration Authority) = subordinate CA in Microsoft PKI.
  • VA (Validation Authority)
  • Central directory: a secure location in which keys are stored and indexed
  • Certificate Management System
  • Certificate Policy
Method of certification

1. CA
2. Web of Trust. E.g. PGP (Pretty Good Privacy) and GnuPG
3. Simple Public Key Infrastructure (SPKI): an "authorization loop" in which the verifier is also the issuer.

Open Source implementations of CA

  • OpenSSL: the simplest CA and a toolkit for building PKI-enabled apps. Written in C; part of all major Linux distributions.
  • EJBCA: a full-featured, enterprise-grade CA implementation. Java.
  • OpenCA: a full-featured CA implementation.
  • XCA: a graphical interface and database.
  • (Discontinued) TinyCA: a graphical interface for OpenSSL.
  • XiPKI: CA and OCSP responder with SHA3 support; OSGi-based Java.
  • IoT_pki: a simple PKI built on the Python cryptography library.
  • DogTag
  • gnoMint
  • EasyRSA: OpenVPN's command-line CA utilities, using OpenSSL.
  • r509
  • Boulder: an automated server that uses the Automated Certificate Management Environment (ACME) protocol.
  • Windows Server: Active Directory Certificate Services.
CAs issuing free digital certificates to the public

  • CAcert: https://en.wikipedia.org/wiki/CAcert
  • Let's Encrypt: https://en.wikipedia.org/wiki/Let%27s_Encrypt
Tools

Standards

Public Key Cryptography Standards (PKCS): https://en.wikipedia.org/wiki/PKCS
Cryptographic Message Syntax (CMS): https://en.wikipedia.org/wiki/Cryptographic_Message_Syntax and RFC 2315, RFC 2360, RFC 3369


Books

1. Introduction to cryptography and network security
2. Cryptography theory and practice
3. Field Arithmetic
4. Problems in the Theory of Modular Forms



Kubernetes - practicals



To get more practical insight into the internals of Kubernetes:

https://github.com/kelseyhightower/kubernetes-the-hard-way

Learn Kubernetes using Interactive Browser-Based Scenarios

https://www.katacoda.com/courses/kubernetes


Hands-on with Minikube: a single-node Kubernetes cluster

To install Minikube : 

https://gist.github.com/osowski/adce22b01fadd6e2bc3331c066d7d612

Then execute the command:

    minikube start

Now play around with Minikube using kubectl.

Overview of kubectl
https://kubernetes.io/docs/reference/kubectl/overview/

kubectl Cheat Sheet
https://kubernetes.io/docs/reference/kubectl/cheatsheet/

istio



Microservice mesh management framework

It provides a uniform way to connect, manage, and secure microservices. It supports managing traffic flows between microservices, enforcing access policies, and aggregating telemetry data, all without requiring changes to the microservice code.

Benefits
========

* A/B testing
* canary releases
* failure recovery
* metrics

Key Capabilities
================

* Traffic Management
  - load balancing
  - rate limiting
* Observability
  - monitoring
* Policy Enforcement
  - access control
  - load balancing
* Service identity and security
  - service-to-service authentication
  - discovery of services
  - end-to-end authentication
* Platform Support
  - Cloud
  - on-premise
  - Kubernetes
  - Mesos
* Integration and Customization: integrate with existing solutions for
  - ACLs
  - logging
  - monitoring
  - quotas
  - auditing
  - etc.

Istio pre-configured addons
==========================

* Grafana: dashboard to visualize service mesh traffic data
* Prometheus: to query Istio metrics
* ServiceGraph: generates and visualizes a graph of the services within a mesh
* Zipkin: distributed tracing system

Architecture
============

1. Data plane: a set of intelligent proxies (Envoy)
2. Control plane: manages and configures the proxies
   - to route traffic
   - to enforce policy at runtime

Components:

1. Envoy: sidecar proxy in the same pod, with features:
   - dynamic service discovery
   - load balancing
   - TLS termination
   - HTTP & gRPC proxying
   - circuit breakers
   - health checks
   - staged rollouts with %-based traffic split
   - fault injection
   - rich metrics

2. Mixer: platform-independent; flexible plugin model for a variety of host environments and infrastructure backends
   Tasks:
   - enforce access control
   - enforce usage policies
   - collect telemetry data from Envoy
   Mixer configuration for:
   - attribute extraction
   - policy evaluation

3. Pilot
   Tasks:
   - converts high-level routing rules that control traffic behavior into Envoy-specific configurations
   - propagates Envoy-specific configurations to the sidecars at runtime
   - abstracts platform-specific service discovery mechanisms
   - translates service discovery into the Envoy data plane API
   Benefits:
   - service discovery
   - traffic management
   - intelligent routing: A/B tests, canary deployments
   - resiliency: timeouts, retries, circuit breakers, etc.
   - multiple environments: Kubernetes, Consul/Nomad

4. Istio-Auth
   - authentication using mutual TLS
   - built-in identity and credential management
   - enforce policy based on service identity
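An added example (not Istio's own code) of what "enforce policy based on service identity" means in practice: a simplified evaluator modelled on Istio's AuthorizationPolicy semantics (DENY rules first, then ALLOW), where the caller's identity is the SPIFFE-style principal Istio derives from the namespace and service account in the mutual-TLS client certificate. The policies, identities and helper names below are constructed for illustration.

```python
# Simplified model of identity-based access control in a service mesh, following
# Istio AuthorizationPolicy semantics: DENY policies are evaluated first, then
# ALLOW; once any ALLOW policy targets a workload, requests that match no ALLOW
# rule are rejected. Policies and identities below are constructed examples.
from dataclasses import dataclass, field
from typing import List

def spiffe_id(trust_domain: str, namespace: str, service_account: str) -> str:
    """Principal form Istio issues to a workload via mutual TLS, derived from
    its namespace and service account (no shared secret, no network location)."""
    return f"{trust_domain}/ns/{namespace}/sa/{service_account}"

@dataclass
class Request:
    principal: str      # verified identity from the mTLS client certificate
    method: str
    path: str

@dataclass
class Rule:
    # An empty list means "any" for that field, as in Istio's from/to clauses.
    principals: List[str] = field(default_factory=list)
    methods: List[str] = field(default_factory=list)
    paths: List[str] = field(default_factory=list)

    def matches(self, req: Request) -> bool:
        return ((not self.principals or req.principal in self.principals)
                and (not self.methods or req.method in self.methods)
                and (not self.paths or req.path in self.paths))

@dataclass
class Policy:
    action: str         # "ALLOW" or "DENY"
    rules: List[Rule]

def authorize(policies: List[Policy], req: Request) -> bool:
    """`policies` are those already selecting the target workload."""
    for pol in policies:
        if pol.action == "DENY" and any(r.matches(req) for r in pol.rules):
            return False                              # explicit deny wins
    allows = [pol for pol in policies if pol.action == "ALLOW"]
    if not allows:
        return True                                   # no ALLOW policy: open
    return any(r.matches(req) for pol in allows for r in pol.rules)
```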

Kubernetes


1. Design
=========

API -> Primitives (Building Blocks) for 
1. deploy 
2. maintain 
3. scale 
apps. 

1.1 Pod
=======

* Scheduling unit
* Pod = 1+ co-located containers. 
* Pod has unique IP within cluster. 
* Can be managed by Kubernetes API or controller. 

1.2 Labels & Selectors
======================

* Key-Value pair
* attached to pod and node
* grouping mechanism 

1.3 Controllers
===============

* Manage a set of pods as per "Labels and Selectors"
* reconciliation loop drives the cluster from its actual state toward the desired state
E.g.
1. Replication controller: to scale up and down
2. DaemonSet controller: to run 1 pod on each machine
3. Job controller
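An added example (not Kubernetes code) of the "Labels and Selectors" plus "reconciliation loop" ideas from 1.2 and 1.3: a toy replication controller over an in-memory cluster that adopts every pod matching its selector and converges the pod count to the desired replicas. The cluster, pod names and helper names are constructed for illustration.

```python
# Toy reconciliation loop modelled on a Kubernetes ReplicationController: the
# controller owns whichever pods its label selector matches and, on every pass,
# drives the actual pod count toward the desired replica count. Constructed
# in-memory "cluster" for illustration; not kube-controller-manager code.
import itertools
from typing import Dict, List

Pod = Dict[str, object]   # {"name": str, "labels": {key: value}}

def matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    """Equality-based selector: every selector key/value must be on the pod."""
    return all(labels.get(k) == v for k, v in selector.items())

class ReplicationController:
    def __init__(self, name: str, selector: Dict[str, str], replicas: int,
                 template_labels: Dict[str, str]):
        assert matches(selector, template_labels), "template must satisfy selector"
        self.name, self.selector, self.replicas = name, selector, replicas
        self.template_labels = template_labels
        self._ids = itertools.count(1)

    def reconcile(self, cluster: List[Pod]) -> List[str]:
        """One pass: observe actual state, diff against desired, act. Returns actions."""
        # Ownership is purely label-based: any pod matching the selector is adopted
        # and counted, so an overly broad selector can capture (and delete) pods
        # that were never meant to belong to this controller.
        owned = [p for p in cluster if matches(self.selector, p["labels"])]
        diff = self.replicas - len(owned)
        actions: List[str] = []
        for _ in range(diff):                        # scale up
            pod: Pod = {"name": f"{self.name}-{next(self._ids)}",
                        "labels": dict(self.template_labels)}
            cluster.append(pod)
            actions.append(f"create {pod['name']}")
        for pod in owned[:max(-diff, 0)]:            # scale down: remove surplus
            cluster.remove(pod)
            actions.append(f"delete {pod['name']}")
        return actions

def run_until_stable(rc: ReplicationController, cluster: List[Pod],
                     max_passes: int = 10) -> int:
    """Keep reconciling, as the controller manager does, until a pass changes
    nothing; returns the number of passes taken."""
    for i in range(1, max_passes + 1):
        if not rc.reconcile(cluster):
            return i
    return max_passes
```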

1.4 Services
============

* set of pods that work together, e.g. a tier in a multi-tier app
* set defined by labels & selector
* service discovery by Kubernetes

2. Architecture
===============

* Master-slave

2.1 Control plane
=================

2.1.1 etcd
==========

* key-value data store
* configuration data of the cluster
* represents the overall state of the cluster
* other components watch etcd for changes

2.1.2 API server
================

* JSON over HTTP
* validates REST requests and updates the API objects' state in etcd
* so clients can configure workloads and containers across the worker nodes

2.1.3 Scheduler
===============

* pluggable
* matches resource "supply" to workload "demands"
* selects the node to run a pod on
* inputs
- resource availability
- resource utilization
- resource requirements
- QoS
- affinity requirements
- anti-affinity requirements
- data locality

2.1.4 controller manager
========================

* process that runs (1) DaemonSet controller (2) Replication controller
* communicates with the API server to create, update, delete (1) pods, (2) service endpoints (3) etc.

2.2 Kubernetes Node
===================

= Worker = Minion
* runs a container runtime (e.g. Docker) and the components below

2.2.1 Kubelet
=============

* heartbeat reporting the health of the node

2.2.2 Kube-proxy
================

* network proxy + load balancer
* routes to containers based on IP + port

2.2.3 cAdvisor
==============

Agent to collect resource usage. 

Other alternatives

1. Docker Swarm
2. Apache Mesos