Customers who use the Alert Logic® Threat Manager™ network intrusion detection system (IDS) and web application IDS may need to upload SSL/TLS keys and certificates to have encrypted traffic inspected. This decryption process requires that these keys and certificates be uploaded through the Alert Logic console. In both cases, the data is encrypted in transit and at rest.
Note: This article speaks specifically to how this data is protected on the appliance.
Securing SSL Keys and Certificates
For the Alert Logic network IDS and web application IDS features, customers have the option to upload sensitive information to the appliance through the Alert Logic console. In this case, you may want encrypted traffic within a deployment to be decrypted so that it can be inspected properly. To accomplish this, you can upload the relevant SSL keys and certificates for the environment that is being protected.
In order to ensure that data is protected, Alert Logic encrypts the data on the appliance and in the back end, where it is also stored. The method of securing this information differs between the two features:
Web Application IDS
For the web application IDS, customer SSL/TLS keys and certificates are converted to PKCS#8 and encrypted using AES-256. The encryption secret is derived from a key used to encrypt Alert Logic Web Security Manager™ software, as well as some of the certificate data. These inputs are salted, so the same key pair uploaded multiple times will never have the same encryption secret.
The secret is computed when the keys are loaded into the proxy engine and is then erased from memory - it is never stored anywhere on the appliance. Alert Logic only stores the PKCS#8 key with the encrypted payload.
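The salted derivation described above, as an added sketch that is not Alert Logic's code: the page does not say which derivation the product uses, so the KDF (HMAC-SHA-256 followed by PBKDF2), the round count, and all names and sample values here are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor, not a vendor value


def derive_secret(product_key: bytes, cert_der: bytes, salt: bytes) -> bytearray:
    """Derive a 32-byte (AES-256 sized) secret from product key, cert data and salt."""
    # Bind the secret to this certificate by keying a digest of it with the product key.
    mixed = hmac.new(product_key, hashlib.sha256(cert_der).digest(), hashlib.sha256).digest()
    # The per-upload salt makes each upload's secret unique even for identical inputs.
    return bytearray(hashlib.pbkdf2_hmac("sha256", mixed, salt, PBKDF2_ROUNDS, dklen=32))


def use_secret_once(product_key: bytes, cert_der: bytes, salt: bytes, consumer):
    """Derive the secret at load time, hand it to consumer, then overwrite it."""
    secret = derive_secret(product_key, cert_der, salt)
    try:
        return consumer(secret)
    finally:
        # Best effort in Python: immutable intermediates may linger until collected.
        secret[:] = bytes(len(secret))


def demo():
    product_key = b"constructed-product-key"     # constructed sample value
    cert_der = b"constructed-certificate-bytes"  # constructed sample value
    # Only the salt (and the encrypted PKCS#8 blob) is stored; the secret never is.
    salt_a, salt_b = os.urandom(16), os.urandom(16)

    def tag(secret):
        return hashlib.sha256(secret).hexdigest()

    first = use_secret_once(product_key, cert_der, salt_a, tag)
    second = use_secret_once(product_key, cert_der, salt_b, tag)   # same key pair, new upload
    reloaded = use_secret_once(product_key, cert_der, salt_a, tag)  # later reload of upload A
    return first != second, first == reloaded


if __name__ == "__main__":
    print(demo())
```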
Network IDS
The use of encryption keys and certificates for the network IDS application is conceptually similar to that of the web application IDS, except that the binary configuration file is encrypted using either the agent certificate's private key or a separate key derived from the agent host's identity before being stored to disk. Cryptographic Message Syntax (formerly PKCS#7) EnvelopedData messages, which are also used in Secure/Multipurpose Internet Mail Extensions, are utilized when encrypting these IDS configurations.
Note: Alert Logic utilizes different encryption methods for these two products because their data are stored using methods unique to each application.