Behind Closed Doors: Managing Passwords in a Dangerous World

Transcript

1. Noah Kantrowitz Behind Closed Doors Managing Passwords in a Dangerous

   World

2. Me • Chef-y dude • @kantrn / coderanger • Bloomberg

   FOSS

3. Secrets

4. Definition • Small • Radioactive • Required

5. Secrets • Passwords • Tokens
 • Keys • Other

6. Passwords • Computer to computer • 1 to ~1024 bytes

   • "Internal" or human-y

7. Tokens • "External" or API • Like passwords

8. Keys • Whole files • Bigger, chunkier

9. Other • Kerberos tickets • PCI log files • HIPAA

   records

10. Temperature

11. Hot / Online • Autonomous access • Used a lot

    • Humans need not apply

12. Cold / Offline • Used rarely • Humans required

13. Spectrum

14. Speed

15. Slow • "Static" • Change is "big" • Less safe

16. Fast • Changes constantly • Automatic rotation • More safe

17. Properties of a Secrets Management System

18. – Jerome Saltzer, Communications of the ACM “Every program and every

    privileged user of the system should operate using the least amount of privilege necessary to complete the job.”

19. Properties • Least privilege • Audit trail

20. Let's do it!

21. $ echo "P@s5wd" > secret.txt $ git commit -a -m

    "yolo!" $ git push origin master To git@github.com:me/myapp.git f35a8c0..c2f0adf master -> master

22. Attack Surfaces

23. Surfaces • Brute force • Code leak • Backup leak

    • Traversal
 • Code exec • Root exec • Laptop theft • Higher power

24. Brute Force • Always be wary • Rate-limit, restrict, rotate

    • Make it impossible

25. Code Leak • Read-only access • No data • "GitHub

    oops"

26. Backup Leak • Still read-only • With database, et al

27. Traversal • /show?n=about • /show?n=../../passwd • /search?q=;select…

28. An Aside • Environment variables • Logged, inherited, etc •

    Unsafe at any speed

29. Code Exec • Beyond app security • Infrastructure hygiene •

    Service users

30. Root Exec Lasciate ogne speranza,
 voi ch'intrate

31. Laptop Theft • Use disk encryption • Rotate everything

32. Higher Power • Government • Advanced threat • Natural disaster

33. Cryptography

34. Symmetry • Symmetric vs asymmetric • Shared key vs pairs

    • Public key not secret

35. Secret Symmetric Admin Server

36. Secret Symmetric Admin Server Key

37. Secret Encrypted Blob Symmetric Admin Server Key

38. Secret Encrypted Blob Symmetric Admin Server Key Key

39. Encrypted Blob Secret Encrypted Blob Symmetric Admin Server Key Key

40. Encrypted Blob Secret Encrypted Blob Secret Symmetric Admin Server Key

    Key

41. Secret Asymmetric Admin Server

42. Secret Asymmetric Admin Server Key Pair

43. Secret Asymmetric Admin Server Public Key Key Pair

44. Secret Encrypted Blob Asymmetric Admin Server Public Key Key Pair

45. Encrypted Blob Secret Encrypted Blob Asymmetric Admin Server Public Key

    Key Pair

46. Encrypted Blob Secret Secret Encrypted Blob Asymmetric Admin Server Public

    Key Key Pair

47. Mode • Pre-encryption • Symmetric key distribution • Asymmetric key

    identity • Trusted third party

48. Symmetric Pre Admin Servers Store

49. Symmetric Pre Admin Servers Store

50. Symmetric Pre Admin Servers Store

51. Symmetric Pre Admin Servers Store

52. Symmetric Pre Admin Servers Store

53. Symmetric Pre Admin Servers Store

54. Asymmetric Pre Admin Servers Store A B C

55. A B Asymmetric Pre Admin Servers Store A B C

56. A B Asymmetric Pre Admin Servers Store A B A

    B C

57. A B Asymmetric Pre Admin Servers Store A B A

    B A B C

58. A B A B Asymmetric Pre Admin Servers Store A

    B A B A B C

59. A B A B B A Asymmetric Pre Admin Servers

    Store A B A B A B C

60. A B A B B A Asymmetric Pre Admin Servers

    Store A B A B A B C

61. Trusted Third Party Admin TTP Servers A B C D

62. Trusted Third Party B C Admin TTP Servers A B

    C D

63. Trusted Third Party B C Admin TTP Servers A B

    C D

64. Tools

65. Text Files • git add … • scp … •

    Interns

66. git-crypt • Git file filter • Symmetric or asymmetric •

    Footgun

67. Cluster Managers • ZooKeeper, Consul, Etcd • ACLs or bust

    • Here be dragons

68. Chef Encrypted Bags • Symmetric, AES-256-GCM • Server vs git

    • Turtles all the way down

69. Ansible Vault • AES-256-CTR + SHA-256 • Still turtles

70. Hiera Eyaml • PKCS7 (or GPG) • Trusted Third Party

71. Chef Vault • RSA(encrypted bags) • Asymmetric pre-encrypt • Kind

    of still turtle-y

72. Hashicorp Vault • TTP service • New bar for fast

    secrets • Modular design

73. Keywhiz • TTP • TLS keys, files • Battle tested

74. Private S3 • IAM roles • Complex policy • Easy

    to get started

75. Amazon KMS • Kool-aid-tastic • Key escrow • Hosted encrypt/decrypt

76. Sneaker • KMS + S3 • Still kool

77. Confidant • KMS + DynamoDB • Web-based • Versioned w/

    history

78. Trousseau • Asymmetric pre-encrypt • GPG + modular storage •

    S3, GPG, GitHub

79. Sops • KMS or GPG • Manual storage

80. Red October • Cold secrets • N of M storage

81. Barbican Pining for the fjords

82. Conjur • And other closed source • Trust but verify

83. HSMs • TPMs otherwise $ $ $ • Dedicated hardware

    • Bugs not unheard of

84. The Hard Problem

85. Identity • Who are you? • Who am I? •

    Why are we in this
 hand basket?

86. Pure Identity • TLS client certificates • MySQL, Postgres •

    Internal APIs

87. Integration

88. API Clients • Vault: HVAC, vault-rails • KMS: botocore, aws-sdk

89. HVAC # local_settings.py import hvac c = hvac.Client( url='https://vaultserver:8200') DATABASES

    = { 'default': { # Other settings ... 'PASSWORD': c.read('secret/dbpass') } }

90. Config Management • Templates/commands • hiera-vault • Ruby/Python APIs

91. Chef # recipes/myapp.rb execute 'sneaker unpack ...' template 'local_settings.py' do

    # Other properties ... variables pw: citadel['pw'] end

92. KeywhizFS • FUSE filesystem • Direct key usage • In-memory

93. Consul Templates • Standalone daemon • Sync Vault data to

    files • CM → Templates → files

94. envconsul • Vault data in $ENV • Beware of logging

95. Summon • Secrets in $ENV • Modular providers • S3,

    Keyring, Conjur

96. In Summary • Check your privilege and audit trail •

    Pick types and temperatures • Think about attack surfaces • Have a disaster plan

97. Thank You

98. Questions? @kantrn coderanger.net