Time
4 hours 53 minutes
Difficulty
Beginner
CEU/CPE
5

Video Transcription

00:02
Welcome back. In this video, we're going to talk about the cubbyhole response wrapping technique.
00:09
So what do I mean by response wrapping?
00:13
I'm specifically referring to the method for securely distributing tokens in the context of secure introduction. Right? If you step back and you think about where does this whole process start? Right? In order to interact with Vault, you need a token. In order to get a token, something has to happen. So if you have
00:31
processes and servers,
00:33
services or servers running out there, whether it's in the cloud or on-prem, and they need to retrieve information from Vault, they need a token. Well, how did they get that token in the first place? There are a few different ways. That problem, that dilemma, is called secure introduction, right? How do we get the whole process bootstrapped and going? How can we securely get them the token?
00:53
And response wrapping is one of the mechanisms to do that. What we're going to be doing is creating a single-use token that has a very short time to live, very short. We're talking hopefully in seconds. You have to think about what is the client that needs to use this token, and how quickly can he respond
01:11
with the maximum response time
01:15
that we want to wait until we raise concerns that maybe the client itself isn't responding? Maybe the token that we provided over these insecure channels has been compromised in some way, right? So we want to stay on top of these things. We get a very short time-to-live token. And then that token itself, it wraps a secret
01:34
which could itself be another access token
01:37
that has a little longer time to live for more continued activities.
01:42
It could also be another secret in itself, and we'll get into those examples later in this module. And then finally, we're giving this wrapped
01:53
token over to the application, the service, the individual, and then they go through the process of unwrapping it quickly, right, because it's going to expire in very short order. So this provides some benefits in terms of
02:08
the information transmitted across the wire. It itself is not a secret.
02:14
Rather, it's a wrapping, so it's kind of like a pointer or an indirect reference to a secret. And we can really detect if a single party unwraps a token, because it's a single-use token. So whenever it's used, we know it's been used, and
02:25
it cannot be reused again to obtain whatever information it is wrapping. And the really short lifetime of this token that we're transmitting in this process,
02:34
it limits our secret's vulnerability, right, the period of time in which we are exposed.
02:40
So let's hop over to the command line
02:47
start up the Vault server
02:55
and
03:01
The first thing we want to do is set up our scenario in which we're going to exercise this cubbyhole response wrapping paradigm. And what I want to do is, I want to create a policy here. So in the repository with materials for this course, you can see that I've included a gadget
03:22
user
03:23
policy, and it's the same one that we used in the prior module talking about access management. And so what I want to do here is I'm going to go ahead and write this policy as the gadget user policy to my Vault server,
03:40
and with that created, let's make a secret
03:45
that is going to be used pertaining to the gadgets going to be given to James Bond. Let's say he's on the Goldfinger mission, and there was a very famous gadget, the laser beam that even Austin Powers makes reference to.
04:01
So let's say, Hey,
04:04
James Bond, watch out for the Super Laser.
04:12
So in this fictitious scenario with our fictitious James Bond, let's assume that he forgot his username and password. So somehow he needs to get information about the gadget; he needs to get the name of the gadget, he needs to access those secrets. He can no longer provide his username and password, which would then provide him with an authentication token.
04:30
Somehow, we need to get him an authentication token that will provide him the rights
04:34
to access that information in Vault. This is a great place to take advantage of the wrapping situation, and what we can do is we can generate a token for James Bond using token create. We're going to associate that with the gadget user policy, giving him the rights to access and read the secrets
04:55
at that aforementioned location of the gadget,
04:58
and then we're going to say a wrap TTL of 20 seconds. And by including this, what it's going to do is a token is going to be generated that has a time to live of two hours and a use limit of two.
05:12
And then another token is going to be created automatically, and this is the wrapping token. And that wrapping token will only have 20 seconds to live.
05:21
And then in that
05:24
wrapping token's cubbyhole, we're going to throw this other token, which has the two-hour time to live.
05:31
And so the unwrapping process, what it is going to do is it's going to access Vault using this wrapping token, which can only be used once and has a very limited lifetime. And then it's going to retrieve from that wrapping token's cubbyhole another token which has itself two hours of access and the other use limit.
05:50
And I can then use that other token, once I've done the unwrapping,
05:55
that other token, to actually read the secrets from Vault and perform all actions afforded to me by the gadget user and the default profiles.
06:06
And running it, we immediately see: here's the wrapping token. The output is a little different than when we've done token create in the past. We only have 20 seconds, so let's go ahead and run the vault unwrap command and pass it the token ID.
06:23
And here we now have the real token. So this vault unwrap process, this would have been something that James Bond was doing, not necessarily the person who created it. So I would have sent James Bond his wrapping token: Hey, you only have 20 seconds. Hurry up, go unwrap this token. Now he has access to a token.
06:42
And if anybody comes back
06:44
after 20 seconds, or after James has used the wrapping token and unwrapped that wrapped token, it is no longer valid. In fact, we can come back here. Let's just try the unwrapping process again and we're going to get an error because it was already used. And it's just a one-time use thing, really limiting
07:01
the time period in which we've been exposed
07:04
to having somebody compromise it. Even if this
07:09
wrapping token itself somehow was given to people in plain text, we have a lot of other safeguards above and beyond just the pure security of the token itself,
07:23
and, of course, to bring everything full circle, let's go ahead: VAULT_TOKEN equals... I'm not using the wrapping token, right? I'm using the real token that was unwrapped. I'm going to now interface with Vault, and I'm going to do so as a user that has a token which belongs to the gadget user
07:42
policy.
07:44
And I'm going to receive the Goldfinger gadget secret, which tells me, okay, there's a super laser.
07:54
So between the beginning lecture of this video and the hands-on example, where we're helping our buddy James Bond out in his fictitious dilemma, I hope you have an understanding of how response wrapping works, how it works under the covers, and where it's valuable for providing access to certain secrets.
08:13
And then, of course, in the video we wrapped a token.
08:16
And then we went ahead and we unwrapped a token that allowed us to get access to another token, which we then used to access a particular secret that was stored in Vault.
08:26
I look forward to seeing you in our next video, where we take these concepts and start applying them in a very real-world scenario.
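The wrap/unwrap flow walked through in the video, as an added model in Python rather than the Vault CLI. This is not Vault's code and not the course's material: it is a toy in-memory "vault" whose tokens carry a TTL, a use count and a cubbyhole, so the three properties the lecture relies on (the wrapper is single-use, it expires in seconds, and it is only an indirect reference to the real token) can be exercised offline, including the two failure modes, replay of a used wrapper and unwrap after expiry. `token_create(..., wrap_ttl=20)` stands in for `vault token create -policy=... -wrap-ttl=20s`; all class, method and field names here are assumptions chosen for the illustration except `wrapping_token`, `wrapping_token_ttl` and `wrapped_accessor`, which mirror fields Vault really returns in its wrap response, and the policy name, secret path and secret value are constructed sample data.

```python
"""Added model of Vault's cubbyhole response wrapping (not Vault's own code)."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


class FakeClock:
    """Controllable clock so TTL expiry can be exercised without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class Token:
    id: str
    accessor: str
    policies: List[str]
    expires_at: float
    uses_left: Optional[int]  # None = unlimited uses
    cubbyhole: Dict[str, dict] = field(default_factory=dict)


class ToyVault:
    """In-memory stand-in for a Vault server (hypothetical API, not Vault's)."""
    def __init__(self, clock) -> None:
        self.clock = clock
        self.tokens: Dict[str, Token] = {}
        self.policies: Dict[str, Set[str]] = {}  # policy name -> readable paths
        self.kv: Dict[str, dict] = {}

    def policy_write(self, name: str, readable_paths: Set[str]) -> None:
        self.policies[name] = set(readable_paths)

    def kv_put(self, path: str, data: dict) -> None:
        self.kv[path] = dict(data)

    def _new_token(self, policies, ttl, uses) -> Token:
        tok = Token("s." + secrets.token_hex(12), secrets.token_hex(8),
                    list(policies), self.clock() + ttl, uses)
        self.tokens[tok.id] = tok
        return tok

    def _use(self, token_id: str) -> Token:
        """Validate a token and consume one use; a token is revoked at its last use."""
        tok = self.tokens.get(token_id)
        if tok is None:
            raise PermissionError("token is not valid or does not exist")
        if self.clock() >= tok.expires_at:
            del self.tokens[token_id]
            raise PermissionError("token expired")
        if tok.uses_left is not None:
            tok.uses_left -= 1
            if tok.uses_left == 0:
                del self.tokens[token_id]
        return tok

    def token_create(self, policies, ttl, wrap_ttl=None, use_limit=None) -> dict:
        real = self._new_token(policies, ttl, use_limit)
        response = {"token": real.id, "accessor": real.accessor}
        if wrap_ttl is None:
            return response  # plain token create: the real token is the response
        # wrap_ttl set: the response goes into a 1-use wrapper's cubbyhole instead
        wrapper = self._new_token(["response-wrapping"], wrap_ttl, uses=1)
        wrapper.cubbyhole["response"] = response
        return {"wrapping_token": wrapper.id, "wrapping_token_ttl": wrap_ttl,
                "wrapped_accessor": real.accessor}  # lets the issuer revoke the inner token

    def unwrap(self, wrapping_token: str) -> dict:
        tok = self._use(wrapping_token)  # spends the single use, so a replay fails
        if "response" not in tok.cubbyhole:
            raise ValueError("not a response-wrapping token")
        return tok.cubbyhole["response"]

    def revoke_accessor(self, accessor: str) -> None:
        """Issuer-side cleanup when the client never unwrapped in time."""
        for tid, tok in list(self.tokens.items()):
            if tok.accessor == accessor:
                del self.tokens[tid]

    def read(self, token_id: str, path: str) -> dict:
        tok = self._use(token_id)
        if not any(path in self.policies.get(p, set()) for p in tok.policies):
            raise PermissionError(f"permission denied on {path}")
        return self.kv[path]


def bond_scenario(clock):
    """Replay of the video's scenario with constructed sample data."""
    v = ToyVault(clock)
    v.policy_write("gadget-user", {"secret/goldfinger/gadget"})
    v.kv_put("secret/goldfinger/gadget",
             {"warning": "James Bond, watch out for the super laser"})
    wrapped = v.token_create(["gadget-user"], ttl=2 * 3600, wrap_ttl=20)
    real = v.unwrap(wrapped["wrapping_token"])  # Bond must do this within 20 s
    secret = v.read(real["token"], "secret/goldfinger/gadget")
    return v, wrapped, real, secret


if __name__ == "__main__":
    vault, wrapped, real, secret = bond_scenario(FakeClock())
    print("unwrapped:", real["token"], "->", secret)
    try:
        vault.unwrap(wrapped["wrapping_token"])
    except PermissionError as err:
        print("second unwrap rejected:", err)
```

The detection point the lecture makes falls out of `_use`: if Bond's first unwrap is rejected as already used, someone else consumed the wrapper in transit, and the issuer can still cut off the inner token via `revoke_accessor(wrapped["wrapped_accessor"])` without ever having seen its ID. Real Vault adds one more safeguard the model omits: `vault token lookup` (or `sys/wrapping/lookup`) lets a client inspect a wrapping token's creation path and TTL before spending its single use.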

Up Next

Vault Fundamentals

Learn how HashiCorp Vault can improve your security posture when it comes to storing sensitive passwords, maintaining confidential keys, implementing encryption, and establishing robust access management.

Instructed By

James Leone
Cloud, IoT & DevSecOps at Abbott
Instructor