Upgrade to Pro — share decks privately, control downloads, hide ads and more …

10 lines of encryption, 1500 lines of key management

CocoaHeads Ukraine
July 28, 2019
Programming
1
99

10 lines of encryption, 1500 lines of key management

Talk by Anastasiia Vixentael.

Этот доклад о security design & security architecture. Речь пойдет о реальном iOS/macOS приложении, в котором пользователи запросили end-to-end шифрование своих заметок, и о том, как Настя это реализовала.
Слушатели узнают, как сложно строить безопасную систему, которая не разрушает пользовательский UX. Ключевые слова: модель данных, модель угроз, разница между “data locking” и “data encryption”, разница между паролем и ключем шифрования, выбор криптобиблиотеки, недоверие к iOS Keychain, многоуровневые кэши, подготовка к инциденту, monotonic timer, defense in depth

This talk was made for CocoaHeads Kyiv #15 which took place Jul 28, 2019. (https://cocoaheads.org.ua/cocoaheadskyiv/15)

Video: https://youtu.be/CliAlRUqx14

CocoaHeads Ukraine

July 28, 2019
Tweet

More Decks by CocoaHeads Ukraine

See All by CocoaHeads Ukraine
Hacking iOS Simulator
cocoaheadsukraine
1
150
Dig into Value types. It's really obvious when to use them. Or not?!
cocoaheadsukraine
0
350
Классифицируем текст в iOS без CoreML: как и зачем?
cocoaheadsukraine
0
91
Managed side effects
cocoaheadsukraine
3
110
Мифический full-stack разработчик
cocoaheadsukraine
2
200
Анализ текста на скриншотах с Vision и CoreML
cocoaheadsukraine
0
85
Автоматизация регрессии аналитики
cocoaheadsukraine
0
60
Implementation of Clean Architecture using FRP
cocoaheadsukraine
0
68
S stands for security in WWDC
cocoaheadsukraine
0
41

Other Decks in Programming

See All in Programming
KustoクエリのChatGPT Plugin!
tomokusaba
0
320
UseCaseの凝集度を高める Goのpackage戦略 / Go packaging strategy to increase use case cohesion
deresmos
2
980
CSS Subgridが遂に全ブラウザ対応。新時代のグリッドデザインを学ぼう
tonkotsuboy_com
6
6.9k
ZennにみるCloudRunとBigQueryによるアプリケーション構築 / zenn-cloudrun-bigquery-serverless
wadayusuke
14
3.9k
Build Backwards-Compatible REST APIs with Rolling Versions
subomi
0
140
たのしいドメイン駆動設計: 序 / Enjoy domain driven design : ZYO
jpt_corp_official
9
4.3k
Flutter導入時に警戒すべき要件X選
k9i
1
230
マイクロサービス環境におけるToilを削減するTerraformの活用 in DMMプラットフォーム
pospome
1
230
テーブル駆動テストと状態
hazumirr
2
1.1k
初めましてLaravel、君のことを教えてくれ! 〜春に就職したばかりの新卒エンジニアが調べた内部仕様と、そのプロセス〜
amixedcolor
0
180
GDSC NYCU 2023 茶會
rabbitmagician1
1
330
はじめてのPHPコマンドラインオプション〜PHP開発を今よりちょっと楽しくする〜
kotomin_m
2
110

Featured

See All Featured
Build The Right Thing And Hit Your Dates
maggiecrowley
23
1.7k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
26
5.5k
How STYLIGHT went responsive
nonsquared
89
4.4k
Git: the NoSQL Database
bkeepers
PRO
420
61k
The Illustrated Children's Guide to Kubernetes
chrisshort
26
45k
The World Runs on Bad Software
bkeepers
PRO
59
6.1k
Fireside Chat
paigeccino
18
2.2k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
17
1.3k
YesSQL, Process and Tooling at Scale
rocio
159
13k
StorybookのUI Testing Handbookを読んだ
zakiyama
9
3.9k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
6
7.1k
Stop Working from a Prison Cell
hatefulcrawdad
265
18k

Transcript

  1. 10 lines of encryption,
    1500 lines of key management
    @vixentael

    View Slide

  2. @vixentael
    product engineer in security
    and cryptography
    OSS maintainer: Themis, Acra
    cryptographic tools, security
    engineering, datasec training

    View Slide

  3. @vixentael
    zero knowledge searchable encryption
    cossacklabs.com/acra/
    e2ee data collaboration
    cossacklabs.com/hermes/
    zero knowledge authentication
    github.com/cossacklabs/themis/wiki/Secure-Comparator-cryptosystem
    cossacklabs.com/whitepapers/

    View Slide

  4. Bespoke data security solutions
    and security engineering.

    View Slide

  5. View Slide

  6. @vixentael
    Data encryption without
    compromising UX

    View Slide

  7. 1. Encryption: from GDPR to DoD
    @vixentael
    2. Building security: decision making in
    security, boring crypto, defense in depth
    3. E2EE note sharing
    4. Cat

    View Slide

  8. GDPR
    @vixentael
    Article 32/35: responsibly store and process
    data according to risks


    Article 33/34: detecting data leakage and
    alert users & controller
    https://gdpr-info.eu/

    View Slide

  9. @vixentael
    https://gdpr-info.eu/
    Article 32

    View Slide

  10. @vixentael
    US Department of Defense

    View Slide

  11. @vixentael
    US Department of Defense
    https://media.defense.gov/2018/Apr/22/2001906836/-1/-1/0/
    DEFENSEINNOVATIONBOARD_TEN_COMMANDMENTS_OF_SOFT
    WARE_2018.04.20.PDF

    View Slide

  12. @vixentael
    Apple privacy policy update
    https://developer.apple.com/news/?id=06032019j

    View Slide

  13. @vixentael
    Google
    https://support.google.com/cloud/answer/9110914

    View Slide

  14. @vixentael
    Decision making in security 101

    View Slide

  15. @vixentael
    Decision making in security 101
    1. “just because we can”
    3. understanding risks & threats
    2. every app should have security features

    View Slide

  16. @vixentael
    Decision making in security 101
    1. “just because we can”
    3. understanding risks & threats
    2. every app should have security features

    View Slide

  17. @vixentael
    app flow
    app
    features
    code
    user
    problem

    View Slide

  18. risk & threat
    model
    security
    methods
    security
    controls
    libraries/
    code
    app flow
    app
    features
    code
    user
    problem
    @vixentael

    View Slide

  19. @vixentael
    risk model & threat model
    create demands for security

    View Slide

  20. @vixentael
    Data & risks
    PII
    User data Service data
    likes, preferences
    purchase history
    logs
    keys, accesses, API tokens
    backups
    configurations
    locations

    View Slide

  21. @vixentael
    Data & risks
    compliance risks
    legal risks
    reputational risks
    continuity risks
    User data Service data
    reputational risks
    medium.com/@cossacklabs/trick-or-threat-security-losses-for-
    business-f5b44243d89c

    View Slide

  22. @vixentael
    Boring crypto

    View Slide

  23. https://pdos.csail.mit.edu/papers/cryptobugs:apsys14.pdf
    269 CVEs
    from 2011-2014
    17%
    83%
    bugs inside crypto libs
    misuses of crypto libs
    by individual apps
    @vixentael

    View Slide

  24. — crypto that simply works, solidly
    resists attacks, never needs any
    upgrades
    https://cr.yp.to/talks/2015.10.05/slides-djb-20151005-a4.pdf
    Daniel J. Bernstein
    Boring crypto
    @vixentael

    View Slide

  25. encryption integration
    abstraction level
    complexity
    @vixentael

    View Slide

  26. encryption integration
    abstraction level
    complexity
    cipher
    crypto-
    library
    crypto-
    system
    boxed
    solution
    @vixentael
    pain

    View Slide

  27. @vixentael
    @vixentael
    easy to make mistakes

    View Slide

  28. @vixentael
    should be random
    should use KDF(key)
    uses AES CBC, not AES GCM
    padding? salt?

    @vixentael
    easy to make mistakes

    View Slide

  29. Themis: hard to make mistakes
    @vixentael
    @vixentael
    github.com/cossacklabs/themis

    View Slide

  30. @vixentael
    hides cryptographic details: salt, IV, KDF, padding
    built-in KDF, safe to use passphrase
    uses AES-256-GCM
    @vixentael
    github.com/cossacklabs/themis
    Themis: hard to make mistakes

    View Slide

  31. encryption integration
    abstraction level
    complexity
    cipher
    crypto-
    library
    crypto-
    system
    boxed
    solution
    @vixentael
    pain

    View Slide

  32. https://github.com/vixentael/my-talks#dont-waste-time-on-learning-cryptography-better-use-it-properly
    see full talk about Boring crypto
    @vixentael

    View Slide

  33. @vixentael
    Defense in depth

    View Slide

  34. Defense in depth –
    independent, yet interconnected,
    set of security controls
    aimed at mitigating multiple risks
    during the whole application flow
    @vixentael

    View Slide

  35. @vixentael
    1. Encryption to protect data globally 

    (during the whole data flow / app lifecycle).
    2. Whatever is the attack vector, there is a defense
    layer.
    3. For most popular attack vectors, we want as many
    independent defenses as possible.
    Overlapped security controls

    View Slide

  36. @vixentael
    Lines of defense

    View Slide

  37. @vixentael

    View Slide

  38. @vixentael
    10 lines of encryption,
    1500 lines of key management

    View Slide

  39. @vixentael
    10 lines of encryption,
    1500 lines of key management
    60
    3000

    View Slide

  40. @vixentael

    View Slide

  41. View Slide

  42. @vixentael
    • smooth UX
    • not finance/banking app
    • syncing between all user’s devices
    • privacy
    • incident response
    • next versions: Web/Electron
    Bear e2ee for notes

    View Slide

  43. @vixentael
    1. user notes encrypted using unique keys
    (per app per user)
    2. user password is never stored in plaintext
    3. data in Keychain encrypted
    4. notes & passwords are synced between
    devices
    Results

    View Slide

  44. @vixentael
    UX is important, so we made the security
    scheme more complex from an engineering
    perspective, but less stressful for users

    View Slide

  45. @vixentael
    note encryption
    & note locking

    View Slide

  46. @vixentael
    app locking

    View Slide

  47. @vixentael
    note encryption != note locking != app locking

    View Slide

  48. @vixentael
    note encryption != note locking != app locking
    encryption authentication authentication

    View Slide

  49. @vixentael
    note text
    user
    passphrase
    note encryption
    key
    data model
    plaintext
    user input
    unique per note

    View Slide

  50. @vixentael
    Access Disclosure Modification Access denial
    note text Moderate Critical Critical High
    user
    passphrase
    Moderate Critical Critical Critical
    note
    encryption
    key
    Moderate Low Low Moderate
    threats

    View Slide

  51. @vixentael
    Device
    filesystem
    Device
    process
    memory
    Device
    keychain &
    secure
    enclave
    Transport,
    iCloud
    database
    iCloud
    Keychain
    Medium High High Medium Medium
    trust model

    View Slide

  52. @vixentael
    Breaking Keychain
    youtube.com/watch?v=EUGDa0Z71uk youtube.com/watch?v=sR6KeCaCRMA
    github.com/LinusHenze/Keysteal
    macOS keychain:
    https://thetapedrive.com/face-id-fail-ios-13
    iOS13 beta keychain:

    View Slide

  53. @vixentael
    We have more trust towards
    the data stored on the device
    than the data stored in a cloud

    View Slide

  54. @vixentael
    key model

    View Slide

  55. @vixentael
    from user mind or
    password mngr
    cached for some
    time
    calculated before
    usage
    Keychain,
    Secure Enclave
    key model

    View Slide

  56. @vixentael
    multiple caches to minimize user distractions
    user Keychain
    SecureEnclave
    iCloudKeychain
    in memory
    cache
    temp var
    password
    manager

    View Slide

  57. @vixentael
    App encryption key
    Key stretching: PBKDF2, deterministic
    long_data = user_passphrase + generated_passphrase_password +
    generated_app_context
    app_encryption_key = SecureCellContextImprint(data: long_data, context:
    generated_app_context, key: user_passphrase)

    View Slide

  58. @vixentael
    long_data = user_passphrase + generated_passphrase_password +
    generated_app_context
    app_encryption_key = SecureCellContextImprint(data: long_data, context:
    generated_app_context, key: user_passphrase)
    long_data = app_encryption_key + generated_passphrase_password +
    generated_app_context
    note_encryption_key = SecureCellContextImprint(data: long_data, context:
    note_encryption_id, key: app_encryption_key)
    App encryption key, note encryption key
    Key stretching: PBKDF2, deterministic

    View Slide

  59. @vixentael
    data encryption
    encrypted_note = SecureCellSeal(data: note_text, context:
    note_encryption_id, key: note_encryption_key)
    decrypted_note = SecureCellSeal(data: encrypted_note, context:
    note_encryption_id, key: note_encryption_key)
    AES-256-GCM, random IV/nonce, non-deterministic

    View Slide

  60. @vixentael
    1. Encryption to protect data globally 

    (during the whole data flow / app lifecycle).
    2. Whatever is the attack vector, there is a defense
    layer.
    3. For most popular attack vectors, we want as many
    independent defenses as possible.
    Overlapped security controls

    View Slide

  61. @vixentael
    encrypted_passphrase = SecureCellSeal(data: user_passphrase, context: nil, key:
    generated_passphrase_key)
    decrypted_passphrase = SecureCellSeal(data: user_passphrase, context: nil, key:
    generated_passphrase_key)
    passphrase encryption
    https://www.youtube.com/watch?v=EUGDa0Z71uk
    https://www.youtube.com/watch?v=sR6KeCaCRMA
    https://github.com/LinusHenze/Keysteal
    remember about
    breaking keychain
    AES-256-GCM, random IV/nonce, non-deterministic
    https://thetapedrive.com/face-id-fail-ios-13

    View Slide

  62. @vixentael
    hint encryption

    View Slide

  63. @vixentael
    hint encryption
    encrypted_hint = SecureCellSeal(data: hint, context: nil, key:
    generated_hint_key)
    decrypted_hint = SecureCellSeal(data: encrypted_hint, context: nil, key:
    generated_hint_key)
    AES-256-GCM, random IV/nonce, non-deterministic

    View Slide

  64. @vixentael
    Auto-locking timer
    clean up caches and decrypted data after T seconds
    let unlockDate = Date()
    ...
    let unlockedInterval = unlockDate.timeIntervalSinceNow();

    View Slide

  65. @vixentael
    Auto-locking timer
    clean up caches and decrypted data after T seconds
    let unlockDate = Date()
    ...
    let unlockedInterval = unlockDate.timeIntervalSinceNow();
    timezones

    View Slide

  66. @vixentael
    Auto-locking timer monotonic
    https://twitter.com/wilshipley/status/1130973433120952321

    View Slide

  67. @vixentael
    Failed attempts counter, increasing delays
    makes it harder to brute force the passphrase
    user_passphrase
    t

    View Slide

  68. @vixentael
    Failed attempts counter, increasing delays

    View Slide

  69. @vixentael
    Compatibility & incident response

    View Slide

  70. 1. Encryption to protect data globally 

    (during the whole data flow / app lifecycle).
    2. Whatever is the attack vector, there is a defense
    layer.
    3. For most popular attack vectors, we want as many
    independent defenses as possible.
    Overlapped security controls



    @vixentael

    View Slide

  71. Key points

    View Slide

  72. 1. Encryption: from GDPR to DoD
    @vixentael
    2. Building security: decision making in
    security, boring crypto, defense in depth
    3. E2EE note sharing
    4. Cat

    View Slide

  73. @vixentael
    crypto gets harder if you need
    usability
    1. E2EE for notes, synced between devices – Bear
    2. Searchable encryption – Acra
    3. E2EE for data collaboration – Hermes



    View Slide

  74. @vixentael
    coming soon

    View Slide

  75. @vixentael
    OWASP ASVS / MASVS

    View Slide

  76. It is secure.
    It’s not broken yet.
    @vixentael

    View Slide

  77. failure of single security control is
    a question of time
    failure of security system is
    a question of design

    View Slide

  78. @vixentael
    cryptographic tools, security
    consulting, training
    github.com/vixentael/
    my-talks

    View Slide