The Triple Defense: Zero Trust, TLS with Mutual Authentication, and HSMs Join Forces

In the ever-evolving cybersecurity landscape, a new trio has emerged: Zero Trust, TLS with mutual authentication and hardware security modules (HSMs). These joined forces are changing the way we protect our digital assets, ensuring that trust is earned, not assumed.

In this article, I will discuss the role of TLS with mutual authentication within Zero Trust applications. Simply put, I will explain why it’s important not to trust anyone, even your best friend. 

How to secure your network: The journey from traditional perimeter security to Zero Trust Architecture

Let's start by exploring the conventional perimeter security model. In this setup, the network is segregated and secured with tools such as firewalls, VPNs, or an intrusion detection system. These methods are designed to protect the network from attackers and unauthorized access coming from outside it.

The result? You are trusted, and you are trusted, and everyone here is trusted!

As you can see, there's a significant flaw: a default trust assumption. All devices, users, and applications (once) allowed inside the perimeter are automatically trusted. However, perimeter security has one more major drawback: In modern work environments, where we heavily rely on cloud applications, the lines of data security blur. With critical applications hosted outside of the perimeter, where do we draw the line?

Due to these drawbacks, Zero Trust Architecture is becoming more popular in large, complex organizations. The reason is that this approach requires continuous authentication, and no trust is given "by default", based on the principle of "never trust, always verify". 

If you want to delve deeper into Zero Trust and the various security pillars that build upon this concept, you can read the articles in our series:
•   Introduction to Zero Trust Architecture
•   Identity Management in Zero Trust
•   Authentication in Zero Trust
•   Data Encryption and Access Management in Zero Trust
•   Zero Trust with HSM
•   Zero Trust with Right Key Lifecycle Management

The role of TLS with mutual authentication in Zero Trust Architectures

TLS, or Transport Layer Security, is a cryptographic protocol ensuring secure client/server communication over insecure channels like the Internet, preventing eavesdropping, tampering, and message forgery. 

The majority of web applications now heavily rely on TLS, widely supported by most browsers. The latest version of TLS is TLS 1.3, released in 2018. To establish a TLS connection, the server provides the client with a certificate that the client validates with respect to a Certificate Authority (CA), followed by procedures to secure the channel.

As a result, the server is authenticated to the client; however, the client is not authenticated to the server in return. This reciprocal trust can be established by implementing TLS with mutual authentication (mTLS).

In a mutual authentication TLS scenario, both the client and server exchange certificates and authentication messages. Each party's certificate and authentication messages are then validated against a Certificate Authority (CA). After mutual authentication, both parties establish one or more session keys, which are then used to secure subsequent communications.  
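The exchange described above, as an added runnable example (not code from this article or from Utimaco): a throwaway root CA issues a server certificate and a client certificate, the server is configured with `ClientAuth: tls.RequireAndVerifyClientCert` so it validates the client's chain against that CA, and the client validates the server's chain against the same CA. The CA name, the `localhost` SAN and the loopback listener are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints a throwaway certificate for cn signed by parent/signer (nil parent: self-signed). Example PKI only.
func issue(cn string, ca bool, parent *x509.Certificate, signer any) (*x509.Certificate, tls.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
		BasicConstraintsValid: true, DNSNames: []string{"localhost"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, signer = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, signer) // inputs are fixed, so this cannot fail
	c, _ := x509.ParseCertificate(der)
	return c, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}
// Example root CA, and the pool each side validates the peer's chain against (the shared trust anchor).
var caCert, caTLS = issue("Example Root CA", true, nil, nil)
var pool = func() *x509.CertPool { p := x509.NewCertPool(); p.AddCert(caCert); return p }()

// Handshake runs a client against an in-process TLS 1.3 server that demands a client certificate from caCert.
func Handshake(clientCerts []tls.Certificate) error {
	_, srvTLS := issue("server", false, caCert, caTLS.PrivateKey)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{MinVersion: tls.VersionTLS13,
		Certificates: []tls.Certificate{srvTLS}, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // server side: Write runs the handshake first, so only a verified client ever receives "ok"
		if c, err := ln.Accept(); err == nil {
			c.Write([]byte("ok"))
			c.Close()
		}
	}()
	// An empty clientCerts models an ordinary, server-only authenticated TLS client.
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "localhost", Certificates: clientCerts})
	if err == nil {
		defer conn.Close()
		_, err = conn.Read(make([]byte, 2)) // TLS 1.3 clients finish first; this Read surfaces the server's verdict
	}
	return err
}
```

Handshake(nil) returns the server's rejection, and a self-signed client certificate that does not chain to the CA is rejected as well; note that in TLS 1.3 the client's own handshake completes before the server has checked its certificate, so the rejection only becomes visible on the first Read.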

Benefits of TLS with mutual authentication

  • An extra level of security is added. 
  • Verification processes at both ends are established, making it ideal for Zero Trust applications.
  • Compliance regulations and requirements for high-security industries are met. 

How does TLS with mutual authentication fit into the Zero Trust narrative?

TLS with mutual authentication plays a crucial role in Zero Trust networks by enhancing security through additional authentication steps. In particular, it can be used for the following use cases:

  • IoT applications – securing the communication between the IoT device and the cloud server.
  • Cloud application deployments – trusted communication on both sides. 
  • Corporate networks – enabling secure connections for remote employees, preventing man-in-the-middle attacks.

But wait, there's more to the arsenal of Zero Trust than just authentication. Let’s learn about Hardware Security Modules (HSMs), the guardians of cryptographic keys.

What is a Hardware Security Module (HSM)?

A Hardware Security Module is an essential element for all kinds of applications where cryptography is involved. It is the safe place for secure key generation, management, and storage, and it can support various cryptographic operations.

How do Zero Trust, TLS with Mutual Authentication, and HSMs Join Forces?

TLS is based on asymmetric cryptography, wherein a public key and a private key are used to establish a secure connection and generate certificates. 

The critical question arises: where are these cryptographic keys stored? In some cases, the keys are stored on the web application server, which poses three significant disadvantages:

1. Degradation in application performance.
2. Vulnerability to security breaches if the web server is attacked.
3. Complexity in certificate management.

Leveraging a Hardware Security Module for TLS encryption and decryption solves these challenges. Cryptographic keys and certificates are generated and managed within the HSM. The private keys never leave the certified and secure perimeter of the HSM. When combined with Zero Trust principles, this approach fortifies network security by enforcing strict access controls and continuously verifying trust, thus minimizing the risk of unauthorized access or data breaches.

Utimaco’s HSMs not only support generating and storing the keys required for TLS; their LAN appliances also support TLS 1.3 with mutual authentication themselves.

This means that in addition to securing cryptographic keys within the HSM, the LAN appliances themselves are equipped to establish secure connections using the latest TLS protocols, enhancing overall network security and integrity. TLS 1.3 with mutual authentication adds an additional layer of security, ensuring secure communications with the LAN appliance. This implementation has been tested and validated by TLS-Anvil, a test suite for evaluating the RFC compliance of Transport Layer Security (TLS) libraries. 

TLS-Anvil is part of the KoTeBi research project funded by the German Federal Ministry of Education and Research. The use of TLS 1.3 with mutual authentication provides an additional layer of security to ensure secure communication with the LAN appliance in high-security or Zero Trust environments.

"Success in research and development isn't just about innovation; it's about translating ideas into tangible results. By implementing TLS 1.3 with mutual authentication for our LAN appliances, validated by TLS-Anvil's rigorous testing and praised for its effectiveness, we are reaffirming our commitment to the highest levels of security and creating trust in the digital society."

Frank Egger - Head of Global Research & Development at Utimaco

About the Author

Lena Backes is an IT marketing expert with more than 10 years of experience in the B2B sector. Over her career she has gained broad knowledge in areas such as cybersecurity, network management, enterprise streaming and software asset management. In her current role she is responsible for positioning Utimaco's cybersecurity products and solutions, with a particular focus on data protection, blockchain technology and post-quantum cryptography.
