
10 lines of encryption, 1500 lines of key management


Talk by Anastasiia Vixentael.

This talk is about security design and security architecture. It covers a real iOS/macOS application whose users asked for end-to-end encryption of their notes, and how Nastya implemented it.
Attendees will learn how hard it is to build a secure system that does not ruin the user experience. Keywords: data model, threat model, the difference between “data locking” and “data encryption”, the difference between a password and an encryption key, choosing a crypto library, distrust of the iOS Keychain, multi-level caches, incident preparedness, monotonic timer, defense in depth.

This talk was made for CocoaHeads Kyiv #15 which took place Jul 28, 2019. (https://cocoaheads.org.ua/cocoaheadskyiv/15)

Video: https://youtu.be/CliAlRUqx14

CocoaHeads Ukraine

July 28, 2019

Transcript

  1. 10 lines of encryption,
    1500 lines of key management
    @vixentael


  2. @vixentael
    product engineer in security and cryptography
    OSS maintainer: Themis, Acra
    cryptographic tools, security engineering, datasec training


  3. @vixentael
    zero knowledge searchable encryption
    cossacklabs.com/acra/
    e2ee data collaboration
    cossacklabs.com/hermes/
    zero knowledge authentication
    github.com/cossacklabs/themis/wiki/Secure-Comparator-cryptosystem
    cossacklabs.com/whitepapers/


  4. Bespoke data security solutions
    and security engineering.


  5. (slide without text)

  6. @vixentael
    Data encryption without
    compromising UX


  7. @vixentael
    1. Encryption: from GDPR to DoD
    2. Building security: decision making in security, boring crypto, defense in depth
    3. E2EE note sharing
    4. Cat


  8. GDPR
    @vixentael
    Article 32/35: responsibly store and process data according to risks
    Article 33/34: detecting data leakage and alert users & controller
    https://gdpr-info.eu/


  9. @vixentael
    https://gdpr-info.eu/
    Article 32


  10. @vixentael
    US Department of Defense


  11. @vixentael
    US Department of Defense
    https://media.defense.gov/2018/Apr/22/2001906836/-1/-1/0/DEFENSEINNOVATIONBOARD_TEN_COMMANDMENTS_OF_SOFTWARE_2018.04.20.PDF


  12. @vixentael
    Apple privacy policy update
    https://developer.apple.com/news/?id=06032019j


  13. @vixentael
    Google
    https://support.google.com/cloud/answer/9110914


  14. @vixentael
    Decision making in security 101


  15. @vixentael
    Decision making in security 101
    1. “just because we can”
    2. every app should have security features
    3. understanding risks & threats


  16. @vixentael
    Decision making in security 101
    1. “just because we can”
    2. every app should have security features
    3. understanding risks & threats


  17. @vixentael
    app flow
    app
    features
    code
    user
    problem


  18. risk & threat
    model
    security
    methods
    security
    controls
    libraries/
    code
    app flow
    app
    features
    code
    user
    problem
    @vixentael


  19. @vixentael
    risk model & threat model
    create demands for security


  20. @vixentael
    Data & risks
    User data: PII; likes, preferences; purchase history; locations
    Service data: logs; keys, accesses, API tokens; backups; configurations


  21. @vixentael
    Data & risks
    compliance risks
    legal risks
    reputational risks
    continuity risks
    User data Service data
    reputational risks
    medium.com/@cossacklabs/trick-or-threat-security-losses-for-business-f5b44243d89c


  22. @vixentael
    Boring crypto


  23. https://pdos.csail.mit.edu/papers/cryptobugs:apsys14.pdf
    269 CVEs from 2011-2014
    17%: bugs inside crypto libs
    83%: misuses of crypto libs by individual apps
    @vixentael


  24. Boring crypto
    — crypto that simply works, solidly resists attacks, never needs any upgrades
    Daniel J. Bernstein
    https://cr.yp.to/talks/2015.10.05/slides-djb-20151005-a4.pdf
    @vixentael


  25. encryption integration
    abstraction level
    complexity
    @vixentael


  26. encryption integration
    abstraction level
    complexity
    cipher
    crypto-library
    crypto-system
    boxed solution
    @vixentael
    pain


  27. @vixentael
    easy to make mistakes


  28. @vixentael
    easy to make mistakes
    should be random
    should use KDF(key)
    uses AES CBC, not AES GCM
    padding? salt?


  29. Themis: hard to make mistakes
    @vixentael
    github.com/cossacklabs/themis


  30. @vixentael
    Themis: hard to make mistakes
    hides cryptographic details: salt, IV, KDF, padding
    built-in KDF, safe to use passphrase
    uses AES-256-GCM
    github.com/cossacklabs/themis


  31. encryption integration
    abstraction level
    complexity
    cipher
    crypto-library
    crypto-system
    boxed solution
    @vixentael
    pain


  32. https://github.com/vixentael/my-talks#dont-waste-time-on-learning-cryptography-better-use-it-properly
    see full talk about Boring crypto
    @vixentael


  33. @vixentael
    Defense in depth


  34. Defense in depth – independent, yet interconnected, set of security controls aimed at mitigating multiple risks during the whole application flow
    @vixentael


  35. @vixentael
    Overlapped security controls
    1. Encryption to protect data globally (during the whole data flow / app lifecycle).
    2. Whatever is the attack vector, there is a defense layer.
    3. For most popular attack vectors, we want as many independent defenses as possible.


  36. @vixentael
    Lines of defense


  37. @vixentael


  38. @vixentael
    10 lines of encryption,
    1500 lines of key management


  39. @vixentael
    10 lines of encryption,
    1500 lines of key management
    60
    3000


  40. @vixentael


  41. (slide without text)

  42. @vixentael
    Bear e2ee for notes
    • smooth UX
    • not finance/banking app
    • syncing between all user’s devices
    • privacy
    • incident response
    • next versions: Web/Electron


  43. @vixentael
    Results
    1. user notes encrypted using unique keys (per app per user)
    2. user password is never stored in plaintext
    3. data in Keychain encrypted
    4. notes & passwords are synced between devices


  44. @vixentael
    UX is important, so we made the security
    scheme more complex from an engineering
    perspective, but less stressful for users


  45. @vixentael
    note encryption
    & note locking


  46. @vixentael
    app locking


  47. @vixentael
    note encryption != note locking != app locking


  48. @vixentael
    note encryption != note locking != app locking
    encryption authentication authentication


  49. @vixentael
    data model
    note text            plaintext
    user passphrase      user input
    note encryption key  unique per note


  50. @vixentael
    threats
                         Access    Disclosure  Modification  Access denial
    note text            Moderate  Critical    Critical      High
    user passphrase      Moderate  Critical    Critical      Critical
    note encryption key  Moderate  Low         Low           Moderate


  51. @vixentael
    trust model
    Device filesystem                 Medium
    Device process memory             High
    Device keychain & secure enclave  High
    Transport, iCloud database        Medium
    iCloud Keychain                   Medium


  52. @vixentael
    Breaking Keychain
    macOS keychain:
    youtube.com/watch?v=EUGDa0Z71uk youtube.com/watch?v=sR6KeCaCRMA
    github.com/LinusHenze/Keysteal
    iOS13 beta keychain:
    https://thetapedrive.com/face-id-fail-ios-13


  53. @vixentael
    We have more trust towards
    the data stored on the device
    than the data stored in a cloud


  54. @vixentael
    key model


  55. @vixentael
    from user mind or
    password mngr
    cached for some
    time
    calculated before
    usage
    Keychain,
    Secure Enclave
    key model


  56. @vixentael
    multiple caches to minimize user distractions
    user Keychain
    SecureEnclave
    iCloudKeychain
    in memory
    cache
    temp var
    password
    manager


  57. @vixentael
    App encryption key
    Key stretching: PBKDF2, deterministic
    long_data = user_passphrase + generated_passphrase_password + generated_app_context
    app_encryption_key = SecureCellContextImprint(data: long_data, context: generated_app_context, key: user_passphrase)


  58. @vixentael
    App encryption key, note encryption key
    Key stretching: PBKDF2, deterministic
    long_data = user_passphrase + generated_passphrase_password + generated_app_context
    app_encryption_key = SecureCellContextImprint(data: long_data, context: generated_app_context, key: user_passphrase)
    long_data = app_encryption_key + generated_passphrase_password + generated_app_context
    note_encryption_key = SecureCellContextImprint(data: long_data, context: note_encryption_id, key: app_encryption_key)


  59. @vixentael
    data encryption
    AES-256-GCM, random IV/nonce, non-deterministic
    encrypted_note = SecureCellSeal(data: note_text, context: note_encryption_id, key: note_encryption_key)
    decrypted_note = SecureCellSeal(data: encrypted_note, context: note_encryption_id, key: note_encryption_key)


  60. @vixentael
    Overlapped security controls
    1. Encryption to protect data globally (during the whole data flow / app lifecycle).
    2. Whatever is the attack vector, there is a defense layer.
    3. For most popular attack vectors, we want as many independent defenses as possible.


  61. @vixentael
    passphrase encryption
    AES-256-GCM, random IV/nonce, non-deterministic
    encrypted_passphrase = SecureCellSeal(data: user_passphrase, context: nil, key: generated_passphrase_key)
    decrypted_passphrase = SecureCellSeal(data: encrypted_passphrase, context: nil, key: generated_passphrase_key)
    remember about breaking keychain
    https://www.youtube.com/watch?v=EUGDa0Z71uk
    https://www.youtube.com/watch?v=sR6KeCaCRMA
    https://github.com/LinusHenze/Keysteal
    https://thetapedrive.com/face-id-fail-ios-13


  62. @vixentael
    hint encryption


  63. @vixentael
    hint encryption
    AES-256-GCM, random IV/nonce, non-deterministic
    encrypted_hint = SecureCellSeal(data: hint, context: nil, key: generated_hint_key)
    decrypted_hint = SecureCellSeal(data: encrypted_hint, context: nil, key: generated_hint_key)


  64. @vixentael
    Auto-locking timer
    clean up caches and decrypted data after T seconds
    let unlockDate = Date()
    ...
    let unlockedInterval = -unlockDate.timeIntervalSinceNow  // elapsed seconds by the wall clock


  65. @vixentael
    Auto-locking timer
    clean up caches and decrypted data after T seconds
    let unlockDate = Date()
    ...
    let unlockedInterval = -unlockDate.timeIntervalSinceNow  // elapsed seconds by the wall clock
    timezones


  66. @vixentael
    Auto-locking timer monotonic
    https://twitter.com/wilshipley/status/1130973433120952321


  67. @vixentael
    Failed attempts counter, increasing delays
    makes it harder to brute force the passphrase
    user_passphrase
    t


  68. @vixentael
    Failed attempts counter, increasing delays


  69. @vixentael
    Compatibility & incident response


  70. @vixentael
    Overlapped security controls
    1. Encryption to protect data globally (during the whole data flow / app lifecycle).
    2. Whatever is the attack vector, there is a defense layer.
    3. For most popular attack vectors, we want as many independent defenses as possible.


  71. Key points


  72. @vixentael
    1. Encryption: from GDPR to DoD
    2. Building security: decision making in security, boring crypto, defense in depth
    3. E2EE note sharing
    4. Cat


  73. @vixentael
    crypto gets harder if you need usability
    1. E2EE for notes, synced between devices – Bear
    2. Searchable encryption – Acra
    3. E2EE for data collaboration – Hermes




  74. @vixentael
    coming soon


  75. @vixentael
    OWASP ASVS / MASVS


  76. It is secure.
    It’s not broken yet.
    @vixentael


  77. failure of single security control is
    a question of time
    failure of security system is
    a question of design


  78. @vixentael
    cryptographic tools, security consulting, training
    github.com/vixentael/my-talks

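An added example for the key model on slides 57 to 59 (not code from the talk, Bear or Themis): note keys are derived deterministically from the app key and the note id, while sealing is randomized and bound to the note id as context. It swaps Themis Secure Cell for Apple CryptoKit (HKDF-SHA256 and AES-256-GCM, iOS 14 / macOS 11 or later); `noteKey`, `sealNote`, `openNote` and all sample values are hypothetical, and the app key is generated at random here instead of being stretched from the passphrase.

```swift
import Foundation
import CryptoKit  // stand-in for Themis Secure Cell, which the slides use

// Deterministic: the same app key and note id always yield the same note key,
// so note keys can be recalculated before use instead of being stored or synced.
func noteKey(appKey: SymmetricKey, noteID: String) -> SymmetricKey {
    HKDF<SHA256>.deriveKey(inputKeyMaterial: appKey,
                           salt: Data(),
                           info: Data("note-key:\(noteID)".utf8),
                           outputByteCount: 32)
}

// Non-deterministic: AES-256-GCM with a fresh random nonce on every call.
// The note id is authenticated as associated data, like `context:` on the slides.
func sealNote(_ text: String, noteID: String, key: SymmetricKey) throws -> Data {
    let box = try AES.GCM.seal(Data(text.utf8), using: key,
                               authenticating: Data(noteID.utf8))
    return box.combined!  // nonce + ciphertext + tag; present for the default nonce size
}

func openNote(_ blob: Data, noteID: String, key: SymmetricKey) throws -> String {
    let box = try AES.GCM.SealedBox(combined: blob)
    let plain = try AES.GCM.open(box, using: key, authenticating: Data(noteID.utf8))
    return String(decoding: plain, as: UTF8.self)
}

// Constructed sample values. In the talk's design the app key is stretched from
// the user passphrase; a random key stands in for it here.
let appKey = SymmetricKey(size: .bits256)
let key1 = noteKey(appKey: appKey, noteID: "note-1")

// Same plaintext and key, yet the ciphertexts differ because the nonce is random.
let first = try sealNote("feed the cat", noteID: "note-1", key: key1)
let second = try sealNote("feed the cat", noteID: "note-1", key: key1)
precondition(first != second)
let opened = try openNote(first, noteID: "note-1", key: key1)
precondition(opened == "feed the cat")

// A ciphertext moved onto another note does not open: its key and context differ.
let key2 = noteKey(appKey: appKey, noteID: "note-2")
precondition((try? openNote(first, noteID: "note-2", key: key2)) == nil)
// Even with the right key, a wrong context fails the GCM tag check.
precondition((try? openNote(first, noteID: "note-2", key: key1)) == nil)
```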
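An added example for the auto-locking timer and the failed attempts counter on slides 64 to 68 (not code from the talk or from Bear): both deadlines are measured on a monotonic clock, so changing the system date or time zone neither extends an unlocked session nor shortens a delay. `UnlockGate`, its parameters and the `verify` and `wipe` closures are hypothetical names.

```swift
import Foundation

// Seconds on a monotonic clock. CLOCK_MONOTONIC_RAW keeps counting while the
// device sleeps and is unaffected by changes to the system date or time zone.
func monotonicNow() -> TimeInterval {
    TimeInterval(clock_gettime_nsec_np(CLOCK_MONOTONIC_RAW)) / 1_000_000_000
}

// Hypothetical gate in front of cached keys and decrypted notes.
struct UnlockGate {
    let autoLockAfter: TimeInterval   // "T seconds" from the slide
    let baseDelay: TimeInterval       // wait after the first failed attempt
    let maxDelay: TimeInterval        // cap on the growing delay
    let now: () -> TimeInterval       // injectable clock, for tests
    private var unlockedAt: TimeInterval?
    private var lastFailureAt: TimeInterval?
    private(set) var failedAttempts = 0

    init(autoLockAfter: TimeInterval, baseDelay: TimeInterval = 1,
         maxDelay: TimeInterval = 300, now: @escaping () -> TimeInterval = monotonicNow) {
        self.autoLockAfter = autoLockAfter; self.baseDelay = baseDelay
        self.maxDelay = maxDelay; self.now = now
    }

    // Seconds until the next attempt is accepted: base, 2x, 4x, ... up to maxDelay.
    var remainingDelay: TimeInterval {
        guard failedAttempts > 0, let last = lastFailureAt else { return 0 }
        let delay = min(maxDelay, baseDelay * pow(2, Double(failedAttempts - 1)))
        return max(0, last + delay - now())
    }

    var isUnlocked: Bool {
        guard let since = unlockedAt else { return false }
        return now() - since < autoLockAfter
    }

    // `verify` stands in for the real check, e.g. decrypting a known value.
    mutating func attempt(_ passphrase: String, verify: (String) -> Bool) -> Bool {
        guard remainingDelay == 0 else { return false }  // too early: not evaluated
        let ok = verify(passphrase)
        failedAttempts = ok ? 0 : failedAttempts + 1
        lastFailureAt = ok ? nil : now()
        unlockedAt = ok ? now() : nil
        return ok
    }

    // Call on every access and on return to foreground; `wipe` clears the caches.
    mutating func lockIfExpired(wipe: () -> Void) {
        if unlockedAt != nil && !isUnlocked { unlockedAt = nil; wipe() }
    }
}
```

State here lives in memory only; a counter that has to survive an app relaunch must be persisted, and monotonic readings are not comparable across reboots.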