10 lines of encryption, 1500 lines of key management

Talk by Anastasiia Vixentael.

This talk is about security design and security architecture. It covers a real iOS/macOS application whose users asked for end-to-end encryption of their notes, and how Nastya implemented it.
Listeners will learn how hard it is to build a secure system that does not ruin the user experience. Keywords: data model, threat model, the difference between “data locking” and “data encryption”, the difference between a password and an encryption key, choosing a crypto library, distrust of the iOS Keychain, multi-level caches, incident preparation, monotonic timer, defense in depth.

This talk was made for CocoaHeads Kyiv #15 which took place Jul 28, 2019. (https://cocoaheads.org.ua/cocoaheadskyiv/15)

Video: https://youtu.be/CliAlRUqx14


CocoaHeads Ukraine

July 28, 2019

Transcript

  1. 10 lines of encryption, 1500 lines of key management @vixentael

  2. @vixentael product engineer in security and cryptography; OSS maintainer: Themis, Acra; cryptographic tools, security engineering, datasec training

  3. @vixentael zero knowledge searchable encryption: cossacklabs.com/acra/; e2ee data collaboration: cossacklabs.com/hermes/; zero knowledge authentication: github.com/cossacklabs/themis/wiki/Secure-Comparator-cryptosystem; cossacklabs.com/whitepapers/
  4. Bespoke data security solutions and security engineering.

  5. None
  6. @vixentael Data encryption without compromising UX

  7. @vixentael 1. Encryption: from GDPR to DoD 2. Building security: decision making in security, boring crypto, defense in depth 3. E2EE note sharing 4. Cat

  8. @vixentael GDPR. Article 32/35: responsibly store and process data according to risks. Article 33/34: detecting data leakage and alert users & controller. https://gdpr-info.eu/
  9. @vixentael https://gdpr-info.eu/ Article 32

  10. @vixentael US Department of Defense

  11. @vixentael US Department of Defense https://media.defense.gov/2018/Apr/22/2001906836/-1/-1/0/DEFENSEINNOVATIONBOARD_TEN_COMMANDMENTS_OF_SOFTWARE_2018.04.20.PDF

  12. @vixentael Apple privacy policy update https://developer.apple.com/news/?id=06032019j

  13. @vixentael Google https://support.google.com/cloud/answer/9110914

  14. @vixentael Decision making in security 101

  15. @vixentael Decision making in security 101 1. “just because we can” 3. understanding risks & threats 2. every app should have security features

  16. @vixentael Decision making in security 101 1. “just because we can” 3. understanding risks & threats 2. every app should have security features ✅
  17. @vixentael app flow app features code user problem

  18. @vixentael risk & threat model security methods security controls libraries/code app flow app features code user problem
  19. @vixentael risk model & threat model create demands for security

  20. @vixentael Data & risks PII User data Service data likes, preferences purchase history logs keys, accesses, API tokens backups configurations locations

  21. @vixentael Data & risks compliance risks legal risks reputational risks continuity risks User data Service data reputational risks medium.com/@cossacklabs/trick-or-threat-security-losses-for-business-f5b44243d89c
  22. @vixentael Boring crypto

  23. @vixentael 269 CVEs from 2011-2014: 17% bugs inside crypto libs, 83% misuses of crypto libs by individual apps. https://pdos.csail.mit.edu/papers/cryptobugs:apsys14.pdf

  24. @vixentael Boring crypto — crypto that simply works, solidly resists attacks, never needs any upgrades. Daniel J. Bernstein https://cr.yp.to/talks/2015.10.05/slides-djb-20151005-a4.pdf
  25. encryption integration abstraction level complexity @vixentael

  26. @vixentael encryption integration: abstraction level, complexity; cipher, crypto-library, crypto-system, boxed solution; pain

  27. @vixentael easy to make mistakes

  28. @vixentael easy to make mistakes: should be random; should use KDF(key); uses AES CBC, not AES GCM; padding? salt?

  29. @vixentael Themis: hard to make mistakes github.com/cossacklabs/themis

  30. @vixentael Themis: hard to make mistakes: hides cryptographic details: salt, IV, KDF, padding; built-in KDF, safe to use passphrase; uses AES-256-GCM. github.com/cossacklabs/themis

  31. @vixentael encryption integration: abstraction level, complexity; cipher, crypto-library, crypto-system, boxed solution; pain
  32. https://github.com/vixentael/my-talks#dont-waste-time-on-learning-cryptography-better-use-it-properly see full talk about Boring crypto @vixentael

  33. @vixentael Defense in depth

  34. @vixentael Defense in depth – independent, yet interconnected, set of security controls aimed at mitigating multiple risks during the whole application flow

  35. @vixentael Overlapped security controls 1. Encryption to protect data globally (during the whole data flow / app lifecycle). 2. Whatever is the attack vector, there is a defense layer. 3. For most popular attack vectors, we want as many independent defenses as possible.
  36. @vixentael Lines of defense

  37. @vixentael

  38. @vixentael 10 lines of encryption, 1500 lines of key management

  39. @vixentael 10 lines of encryption, 1500 lines of key management 60 3000
  40. @vixentael

  41. None
  42. @vixentael Bear e2ee for notes • smooth UX • not finance/banking app • syncing between all user’s devices • privacy • incident response • next versions: Web/Electron

  43. @vixentael Results 1. user notes encrypted using unique keys (per app per user) 2. user password is never stored in plaintext 3. data in Keychain encrypted 4. notes & passwords are synced between devices

  44. @vixentael UX is important, so we made the security scheme more complex from an engineering perspective, but less stressful for users
  45. @vixentael note encryption & note locking

  46. @vixentael app locking

  47. @vixentael note encryption != note locking != app locking

  48. @vixentael note encryption (encryption) != note locking (authentication) != app locking (authentication)

  49. @vixentael data model: note text (plaintext), user passphrase (user input), note encryption key (unique per note)

  50. @vixentael threats

    |                     | Access   | Disclosure | Modification | Access denial |
    |---------------------|----------|------------|--------------|---------------|
    | note text           | Moderate | Critical   | Critical     | High          |
    | user passphrase     | Moderate | Critical   | Critical     | Critical      |
    | note encryption key | Moderate | Low        | Low          | Moderate      |

  51. @vixentael trust model Device filesystem Device process memory Device keychain & secure enclave Transport, iCloud database iCloud Keychain Medium High High Medium Medium

  52. @vixentael Breaking Keychain. macOS keychain: youtube.com/watch?v=EUGDa0Z71uk youtube.com/watch?v=sR6KeCaCRMA github.com/LinusHenze/Keysteal iOS13 beta keychain: https://thetapedrive.com/face-id-fail-ios-13

  53. @vixentael We have more trust towards the data stored on the device than the data stored in a cloud
  54. @vixentael key model

  55. @vixentael key model from user mind or password mngr cached for some time calculated before usage Keychain, Secure Enclave

  56. @vixentael multiple caches to minimize user distractions user Keychain SecureEnclave iCloudKeychain in memory cache temp var password manager
  57. @vixentael App encryption key. Key stretching: PBKDF2, deterministic

    long_data = user_passphrase + generated_passphrase_password + generated_app_context
    app_encryption_key = SecureCellContextImprint(data: long_data, context: generated_app_context, key: user_passphrase)

  58. @vixentael App encryption key, note encryption key. Key stretching: PBKDF2, deterministic

    long_data = user_passphrase + generated_passphrase_password + generated_app_context
    app_encryption_key = SecureCellContextImprint(data: long_data, context: generated_app_context, key: user_passphrase)

    long_data = app_encryption_key + generated_passphrase_password + generated_app_context
    note_encryption_key = SecureCellContextImprint(data: long_data, context: note_encryption_id, key: app_encryption_key)

  59. @vixentael data encryption. AES-256-GCM, random IV/nonce, non-deterministic

    encrypted_note = SecureCellSeal(data: note_text, context: note_encryption_id, key: note_encryption_key)
    decrypted_note = SecureCellSeal(data: encrypted_note, context: note_encryption_id, key: note_encryption_key)
  60. @vixentael Overlapped security controls 1. Encryption to protect data globally (during the whole data flow / app lifecycle). 2. Whatever is the attack vector, there is a defense layer. 3. For most popular attack vectors, we want as many independent defenses as possible. ✅
  61. @vixentael passphrase encryption. AES-256-GCM, random IV/nonce, non-deterministic

    encrypted_passphrase = SecureCellSeal(data: user_passphrase, context: nil, key: generated_passphrase_key)
    decrypted_passphrase = SecureCellSeal(data: encrypted_passphrase, context: nil, key: generated_passphrase_key)

    remember about breaking keychain: https://www.youtube.com/watch?v=EUGDa0Z71uk https://www.youtube.com/watch?v=sR6KeCaCRMA https://github.com/LinusHenze/Keysteal https://thetapedrive.com/face-id-fail-ios-13
  62. @vixentael hint encryption

  63. @vixentael hint encryption. AES-256-GCM, random IV/nonce, non-deterministic

    encrypted_hint = SecureCellSeal(data: hint, context: nil, key: generated_hint_key)
    decrypted_hint = SecureCellSeal(data: encrypted_hint, context: nil, key: generated_hint_key)
  64. @vixentael Auto-locking timer: clean up caches and decrypted data after T seconds

    let unlockDate = Date()
    ...
    let unlockedInterval = -unlockDate.timeIntervalSinceNow  // wall-clock based

  65. @vixentael Auto-locking timer: clean up caches and decrypted data after T seconds

    let unlockDate = Date()
    ...
    let unlockedInterval = -unlockDate.timeIntervalSinceNow  // wall-clock based

    timezones
  66. @vixentael Auto-locking timer monotonic https://twitter.com/wilshipley/status/1130973433120952321

  67. @vixentael Failed attempts counter, increasing delays: makes it harder to brute force the passphrase. user_passphrase t
  68. @vixentael Failed attempts counter, increasing delays

  69. @vixentael Compatibility & incident response

  70. @vixentael Overlapped security controls 1. Encryption to protect data globally (during the whole data flow / app lifecycle). 2. Whatever is the attack vector, there is a defense layer. 3. For most popular attack vectors, we want as many independent defenses as possible. ✅ ✅ ✅
  71. Key points

  72. @vixentael 1. Encryption: from GDPR to DoD 2. Building security: decision making in security, boring crypto, defense in depth 3. E2EE note sharing 4. Cat

  73. @vixentael crypto gets harder if you need usability 1. E2EE for notes, synced between devices – Bear 2. Searchable encryption – Acra 3. E2EE for data collaboration – Hermes
  74. @vixentael coming soon

  75. @vixentael OWASP ASVS / MASVS

  76. It is secure. It’s not broken yet. @vixentael

  77. failure of single security control is a question of time; failure of security system is a question of design
  78. @vixentael cryptographic tools, security consulting, training github.com/vixentael/my-talks
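
The key hierarchy from the "App encryption key, note encryption key" and "data encryption" slides, as an added example that is not code from the talk or from Bear. It swaps Themis Secure Cell for Apple CryptoKit (HKDF-SHA256 for the deterministic per-note derivation, AES-256-GCM for sealing; iOS 14 / macOS 11 or later), assumes the app key has already been stretched from the passphrase, and uses hypothetical function names.

```swift
import CryptoKit
import Foundation

// Added example. CryptoKit stands in for Themis Secure Cell; HKDF stands in for
// the slides' deterministic SecureCellContextImprint derivation.
// ASSUMPTION: appKey was already stretched from the user passphrase.

/// Deterministic per-note key: the same appKey and noteID give the same key on
/// every synced device, so note keys never need to be stored or transmitted.
func noteKey(appKey: SymmetricKey, noteID: String) -> SymmetricKey {
    HKDF<SHA256>.deriveKey(inputKeyMaterial: appKey,
                           salt: Data(),
                           info: Data("note-key:\(noteID)".utf8),
                           outputByteCount: 32)
}

/// Non-deterministic AES-256-GCM (random nonce). noteID is authenticated as
/// associated data, so a ciphertext moved to another note fails to open.
func sealNote(_ text: String, noteID: String, appKey: SymmetricKey) throws -> Data {
    let box = try AES.GCM.seal(Data(text.utf8),
                               using: noteKey(appKey: appKey, noteID: noteID),
                               authenticating: Data(noteID.utf8))
    return box.combined!  // nonce + ciphertext + tag; non-nil for the default 12-byte nonce
}

func openNote(_ blob: Data, noteID: String, appKey: SymmetricKey) throws -> String {
    let box = try AES.GCM.SealedBox(combined: blob)
    let plain = try AES.GCM.open(box,
                                 using: noteKey(appKey: appKey, noteID: noteID),
                                 authenticating: Data(noteID.utf8))
    return String(decoding: plain, as: UTF8.self)
}

// Constructed sample data.
let appKey = SymmetricKey(size: .bits256)
let first = try sealNote("buy cat food", noteID: "note-1", appKey: appKey)
let second = try sealNote("buy cat food", noteID: "note-1", appKey: appKey)

// Same plaintext and key, different ciphertexts: the nonce is random.
precondition(first != second)
// Round trip under the right note ID.
precondition(try openNote(first, noteID: "note-1", appKey: appKey) == "buy cat food")
// Another note's ID derives a different key and AAD, so authentication fails.
precondition((try? openNote(first, noteID: "note-2", appKey: appKey)) == nil)
```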
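
The "Auto-locking timer" and "Failed attempts counter, increasing delays" slides both depend on elapsed time that the user cannot change by editing the system clock. The following is an added example for Apple platforms, not code from the talk or from Bear; `UnlockGuard` and its parameters are hypothetical names, and the doubling delay schedule is an assumption.

```swift
import Foundation

// Added example; UnlockGuard and its parameters are hypothetical names.
/// Seconds on a monotonic clock. Unlike Date(), it ignores wall-clock, time-zone
/// and NTP changes; CLOCK_MONOTONIC_RAW keeps counting while the device sleeps.
func monotonicSeconds() -> TimeInterval {
    TimeInterval(clock_gettime_nsec_np(CLOCK_MONOTONIC_RAW)) / 1_000_000_000
}

final class UnlockGuard {
    private let now: () -> TimeInterval        // injectable for tests
    private let autoLockAfter: TimeInterval    // "T seconds" on the slide
    private let baseDelay: TimeInterval, maxDelay: TimeInterval
    private var unlockedAt: TimeInterval?
    private var failedAttempts = 0             // ASSUMPTION: a real app persists this
    private var nextAttemptAt: TimeInterval = 0

    init(autoLockAfter: TimeInterval, baseDelay: TimeInterval = 1,
         maxDelay: TimeInterval = 300, now: @escaping () -> TimeInterval = monotonicSeconds) {
        self.autoLockAfter = autoLockAfter; self.baseDelay = baseDelay
        self.maxDelay = maxDelay; self.now = now
    }

    var retryDelayRemaining: TimeInterval { max(0, nextAttemptAt - now()) }

    /// Runs `verify` only if the back-off delay has elapsed.
    func attempt(_ verify: () -> Bool) -> Bool {
        guard retryDelayRemaining == 0 else { return false }
        if verify() { failedAttempts = 0; unlockedAt = now(); return true }
        failedAttempts += 1
        // 1 s, 2 s, 4 s, ... capped at maxDelay
        nextAttemptAt = now() + min(maxDelay, baseDelay * pow(2, Double(failedAttempts - 1)))
        return false
    }

    /// False once T seconds have elapsed; the caller then wipes cached keys and plaintext.
    func isUnlocked() -> Bool {
        guard let since = unlockedAt, now() - since < autoLockAfter else {
            unlockedAt = nil
            return false
        }
        return true
    }
}

// Constructed scenario driven by a fake clock.
var fake: TimeInterval = 1_000
let lockGuard = UnlockGuard(autoLockAfter: 60, now: { fake })
precondition(!lockGuard.attempt({ false }) && lockGuard.retryDelayRemaining == 1)
precondition(!lockGuard.attempt({ true }))  // too early: passphrase is not even checked
fake += 1
precondition(lockGuard.attempt({ true }) && lockGuard.isUnlocked())
fake += 60
precondition(!lockGuard.isUnlocked())
```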