Cloudifying Key Management

A discussion of how to improve encryption and key management in modern applications using the Barbican tool, an open-source key management service.

Jarret Raim

March 21, 2013

Transcript

  1. Cloudifying Key Management [jarret.raim, matt.tesauro, michael.xin, tj.byrom] @ rackspace.com

  2. RACKSPACE® HOSTING | WWW.RACKSPACE.COM WHO AM I? Jarret Raim – Cloud Security Product Manager. Background: developer, academic, application security, security consultant, security products. jarret.raim@rackspace.com
  3. WHO IS HE? Matt Tesauro – Cloud Application Security Guy + OWASP. matt.tesauro@rackspace.com, matt.tesauro@owasp.org. Racker since October 2011. Rackspace's Cloud Product Group. Works with developers and QE. OWASP International Foundation Board Member and Treasurer. Project Leader of the OWASP Live CD & OWASP WTE projects.
  4. Current State of Key Management

  5. Look familiar?

```java
public class CryptHelper {
    // Algorithm fixed at compile time (and misspelled): nothing can be rotated without a rebuild.
    private static final String ALOGRITHM = "PBEWithMD5AndTripleDES";

    // Salt: a hardcoded constant, identical in every deployment and every commit.
    static byte[] salt = { (byte) 0xc7, (byte) 0x73, (byte) 0x21, (byte) 0x8c,
                           (byte) 0x7e, (byte) 0xc8, (byte) 0xee, (byte) 0x99 };

    // The "key" is a string literal in source: anyone with the binary or the repo has it.
    static PBEKeySpec pbeKeySpec = new PBEKeySpec("this is a super secret key!".toCharArray());

    public byte[] encrypt(String cleartext) { … }
    public String decrypt(byte[] ciphertext) { … }
}
```
  6. How about this?

  7. Bad Advice. First 10 results on Google – all bad:
     •  Hardcoded keys
     •  Hardcoded algorithms
     •  Recommendations for all cipher block modes (including ECB)
     •  Old (top result is from 2007)
     •  Null & hardcoded IVs
     •  Old libraries (last updated in 2002)
  8. Keyrings Everywhere
     •  Primary use case is local key protection
     •  Doesn't handle central key distribution
     •  Limited logging & auditing
     •  Limited automation
     •  Tied to dependencies
     •  Kernel protections aimed at keys for kernel use rather than application use
  9. Windows Actually Does Something Right!
     •  Data Protection API (DPAPI) provides the ability to store, retrieve and share keys protected by the OS
     •  Active Directory allows keys to be stored locally
     •  Not portable (duh)
     •  Somewhat centrally manageable
  10. Vendor Solutions
     •  Some great products
     •  Good differentiated features
     •  Proprietary
     •  Expensive
     •  Some difficulties with Cloud
  11. Introducing… CloudKeep https://github.com/cloudkeep

  12. Design Principles
     1.  Provide a central key-store capable of distributing keying material to all types of deployments, including ephemeral Cloud instances.
     2.  Support reasonable compliance regimes through reporting and auditability.
     3.  Application adoption costs should be minimal or non-existent.
     4.  Build a community and ecosystem by being open-source and extensible.
     5.  Improve security through sane defaults and centralized management of key policies.
     6.  Out-of-band communication mechanism to notify and protect sensitive assets.
  13. Barbican: the main application, providing the API, key storage, lifecycle management, provisioning, auditing and reporting, written in Python. Postern: an agent that provides access to keys via the FUSE file system, written in Go. Palisade: a client-side JavaScript user interface for Barbican using AngularJS.
  14. (Architecture diagram) API nodes (×3) → RDBMS
  15. (Architecture diagram) API nodes (×3) → Queue → Workers (×3) → RDBMS
  16. (Architecture diagram) API nodes, Queue, Workers, RDBMS, plus Certificate Authorities
  17. (Architecture diagram) API nodes, Queue, Workers, RDBMS, Certificate Authorities, plus Provisioning Targets
  18. (Architecture diagram) API nodes, Queue, Workers, RDBMS, Certificate Authorities, Provisioning Targets, plus Metrics, Logging and HSM
  19. Technology & Architecture
     Barbican
     •  Python API using uWSGI
     •  Based on OpenStack architecture
     •  Uses OpenStack commons (Oslo)
     •  Pluggable
     •  Uses Keystone for authN & authZ
     Postern
     •  Go application using FUSE API
     •  Natively compiled
     •  Natively packaged
     •  Simplifies integration
     •  Supports local protocols like PKCS
     Palisade
     •  AngularJS client-side application
     •  Communicates with Barbican API
     •  Graphical configuration tool
     •  Suitable for real-time monitoring
     Keep
     •  Python CLI client for Barbican
     •  Non-browser configuration tool
     •  Automatable
     •  Debugging & monitoring use cases
  20. Plugins. The Barbican API supports multiple different methods for extension and configuration: Hardware Security Modules, Certificate Authorities, Data Stores, Provisioning Targets.
  21. Key Providing Methods
     Environment Variables
     •  Easy integration for most applications
     •  Security issues, shell dependencies
     FUSE File System
     •  Provides a file system abstraction
     •  Simple to integrate, but requires an agent
     ReST API
     •  Common method, easily understood
     •  Requires code changes to integrate
     PKCS
     •  Existing standard, medium interoperability
     •  Pretty crusty API, multi-tenancy, vendor extensions
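The contrast between the hardcoded key on slide 5 and the file-system and environment-variable providing methods on slide 21, as an added example (not CloudKeep or Postern code): the key is fetched at run time from an agent-mounted file or, failing that, from the environment, with the file-permission check, the environment scrubbing and the length check as assumed hardening steps on a POSIX host. The mount path and variable name are hypothetical.

```python
import os
import stat
from pathlib import Path

AES256_KEY_LEN = 32  # bytes; matches the "application/aes-256-cbc" mime type on slide 26


def key_from_file(path: Path) -> bytes:
    """Read a hex-encoded key from an agent-mounted file, refusing group/world-readable files."""
    mode = path.stat().st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is readable by others; refusing to load key")
    return bytes.fromhex(path.read_text().strip())


def key_from_env(name: str) -> bytes:
    """Read a hex-encoded key from the environment and remove it so child processes do not inherit it."""
    value = os.environ.pop(name, None)
    if value is None:
        raise KeyError(f"environment variable {name} not set")
    return bytes.fromhex(value)


def load_key(mount_path: Path, env_name: str) -> bytes:
    """Prefer the agent-mounted file, fall back to the environment, and fail closed on a bad length."""
    if mount_path.is_file():
        key = key_from_file(mount_path)
    else:
        key = key_from_env(env_name)
    if len(key) != AES256_KEY_LEN:
        raise ValueError(f"expected {AES256_KEY_LEN}-byte key, got {len(key)}")
    return key


if __name__ == "__main__":
    # Hypothetical locations: a Postern-style mount point and a fallback variable name.
    print(load_key(Path("/mnt/keys/configuration_key"), "APP_CONFIGURATION_KEY").hex())
```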
  22. Events & Auditing (diagram: Agent → File, Syslog, API)
     •  Multiple log options, specified by central policy & local configuration
     •  API logging provides a compliant streaming log solution
     •  More likely for a log to escape a compromised server
     •  PANICs and other events surfaced via API
     •  API can respond to events on the agent
  23. Demo Time. This is PoC software. It is throwaway code, not secure and generally awful. Do not use it in production; it is to validate ideas for the production system.
  24. Install & Pairing Process
     •  Using Go for Agent
        –  Binary packages
        –  Low run-time memory
     •  Pairing options for various security levels
        –  OAuth, Token, Manual Key Exchange
     •  Once paired, agent and API exchange keys
        –  API can store a key-pair by tenant or by agent
        –  Offers a wide range of installation options
     •  Support for Chef / Puppet installation
     •  Agent will mount a directory
     (Diagram: API, Agent, Tenant Public, Tenant Keys, Agent Public, Agent Keys.) Key exchange allows for signed messages.
  25. Policies. A reusable block of configuration governing key access:

```json
{
  "uuid": "01fb57ff-058c-4d68-85e9-d81844dd0089",
  "name": "Available after reboot",
  "max_key_accesses": 1,
  "time_available_after_reboot": 10,
  "time_available_after_restart": 10,
  "allow_directory_listng": false,
  "client_log": "api"
}
```
  26. Keys. Defines metadata about a key; settings in the policy can be overridden if needed. The owner, group and cacheable fields (marked * on the slide) override the corresponding policy settings:

```json
{
  "uuid": "e2b633c7-fda5-4be8-b42c-9a2c9280284d",
  "filename": "configuration_key",
  "mime_type": "application/aes-256-cbc",
  "expiration": "2014-02-28T19:14:44.180394",
  "secret": "b7990b786ee9659b43e6b1cd6136de07d9c5…",
  "owner": "myapp",
  "group": "myapp",
  "cacheable": false
}
```
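How a policy (slide 25) and a key's override fields (slide 26) combine into the settings that gate an access, as an added example (not Barbican or CloudKeep code). It assumes the time fields are seconds, that a policy carries a cacheable default the key may override, and that max_key_accesses counts successful accesses per process; the sample objects are constructed in the shape of the two slides.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample objects in the shape of slides 25 and 26 (the secret is omitted; it is not needed here).
POLICY = {
    "uuid": "01fb57ff-058c-4d68-85e9-d81844dd0089",
    "name": "Available after reboot",
    "max_key_accesses": 1,
    "time_available_after_reboot": 10,  # assumed to be seconds
    "allow_directory_listng": False,
    "client_log": "api",
    "cacheable": True,                  # assumed policy default that a key may override
}
KEY = {
    "uuid": "e2b633c7-fda5-4be8-b42c-9a2c9280284d",
    "filename": "configuration_key",
    "mime_type": "application/aes-256-cbc",
    "expiration": "2014-02-28T19:14:44.180394",
    "owner": "myapp", "group": "myapp", "cacheable": False,
}
OVERRIDABLE = {"owner", "group", "cacheable"}  # the (*) fields on slide 26


def effective_settings(policy: dict, key: dict) -> dict:
    """Policy supplies the defaults; only the (*) fields of the key may override them."""
    merged = dict(policy)
    merged.update({k: v for k, v in key.items() if k in OVERRIDABLE})
    return merged


@dataclass
class AccessGate:
    """Per-key access counter plus the reboot-relative availability window from the policy."""
    policy: dict
    key: dict
    boot_time: datetime
    accesses: int = 0

    def check(self, now: datetime) -> str:
        """Return 'ok' (and count the access) or the reason the access is denied."""
        settings = effective_settings(self.policy, self.key)
        if now >= datetime.fromisoformat(self.key["expiration"]):
            return "denied: key expired"
        if (now - self.boot_time).total_seconds() > settings["time_available_after_reboot"]:
            return "denied: reboot window closed"
        if self.accesses >= settings["max_key_accesses"]:
            return "denied: max_key_accesses reached"
        self.accesses += 1
        return "ok"
```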