Bringing usable crypto to 7 million developers

Bringing usable crypto to 7 million developers Kenneth White @kennwhite
A story about lessons in end-to-end encryption

/about

/about - Security Principal at MongoDB - Focus on applied
encryption & distributed systems - Some past projects: TrueCrypt & OpenSSL audits, Linux Foundation Core Infrastructure Initiative, super cookie research, DHS, DOD - Life- and safety-critical systems

Bringing usable crypto to 7 million developers ❏ Database myths
❏ The trust problem ❏ Encrypting Hello World on every major platform ❏ Things they don't teach you in CS ❏ Lessons ❏ Reflections

Database myths

Database myths ❏ Database encryption is a solved problem

Database myths ❏ Database encryption is a solved problem (it
is not)

is not) "I want database encryption" "Here. Here's TLS."

is not) "I want database encryption" "Here. Here's TLS." "I want database encryption" "Here. Here's FDE."

is not) "I want database encryption" "Here. Here's TLS." "I want database encryption" "Here. Here's FDE." "I want database encryption" "Here. Here's encrypted datastore files."

The trust problem

The trust problem ❏ We've done a (pretty) good job
of addressing:

of addressing: ❏ network confidentiality/encryption-in-transit ❏ Modern TLS (PFS, abuse-resistance)

of addressing: ❏ network confidentiality/encryption-in-transit ❏ Modern TLS (PFS, abuse-resistance) ❏ storage confidentiality/encryption-at-rest ❏ FDE / encrypted volumes / file encryption

The trust problem

The trust problem Who holds the keys?

The trust problem Who holds the keys? ❏ Who can
see the plaintext?

see the plaintext? - The database operator?

see the plaintext? - The database operator? - The sys admin?

see the plaintext? - The database operator? - The sys admin? - The DB server?

see the plaintext? - The database operator? - The sys admin? - The DB server? - The VM hypervisor host?

see the plaintext? - The database operator? - The sys admin? - The DB server? - The VM hypervisor host? - The infrastructure/cloud provider?

The trust problem

Is this your database trust model?

The trust problem ❏ A question of trust. What is
the source of trust?

the source of trust? - In a server-side encryption model, a leak or breach can be catastrophic

the source of trust? - In a server-side encryption model, a leak or breach can be catastrophic - This potentially includes: logs, backups, temp files, process memory…

the source of trust? - In a server-side encryption model, a leak or breach can be catastrophic - This potentially includes: logs, backups, temp files, process memory… - Privileged credential users/processes see everything

The trust problem

The trust problem ❏ We have far fewer options to
protect data-in-use

protect data-in-use ❏ In theory, we have lots of choices

protect data-in-use ❏ In theory, we have lots of choices ❏ In practice, not so much

“The difference between ‘possible’ and ‘lol nope’ is a vast
lonely wasteland that's crushed countless souls.” — me

The trust problem

The trust problem ❏ "Encryption-at-rest" is only helpful, if, in
fact we're resting.

The trust problem ❏ Can we encrypt data before it
ever leaves the application?

ever leaves the application? ❏ Some workloads require end-to-end or client-side encryption

The trust problem

ever leaves the application? ❏ Some workloads require end-to-end or client-side encryption

ever leaves the application? ❏ Some workloads require end-to-end or client-side encryption ❏ Similar to e2e in messaging apps

ever leaves the application? ❏ Some workloads require end-to-end or client-side encryption ❏ Similar to e2e in messaging apps ❏ This is a solved problem, yes?

ever leaves the application? ❏ Some workloads require end-to-end or client-side encryption ❏ Similar to e2e in messaging apps ❏ This is a solved problem, yes? Narrator: It is not.

The trust problem ❏ Database encryption is not a solved
problem

problem "I want client-side database encryption" "Here. Here's an SDK."

problem "I want client-side database encryption" "Here. Here's an SDK." "So I just run my queries as-is?" "Oh, no sorry. You'll have to re-write everything."

problem "I want client-side database encryption" "Here. Here's an SDK." "So I just run my queries as-is?" "Oh, no sorry. You'll have to re-write everything." "But at least I can search my database?" "Oh, no sorry."

problem A github repo or a complicated bolt-on SDK doesn't count.

Reality Check

An idea was born

An idea was born What if...

An idea was born What if... You didn't have to
...use some clunky and limited SDK ...rewrite all your app query code ...lose the ability to search your database

...use some clunky and limited SDK ...rewrite all your app query code ...lose the ability to search your database What if...

...use some clunky and limited SDK ...rewrite all your app query code ...lose the ability to search your database What if... You could create a key, set a config, and just go?

So began the journey

So began the journey ❏ 24+ engineers (core server, query,
drivers, platforms, build)

drivers, platforms, build) ❏ 3 independent security reviews

drivers, platforms, build) ❏ 3 independent security reviews ❏ dozens of formal developer UX studies

drivers, platforms, build) ❏ 3 independent security reviews ❏ dozens of formal developer UX studies ❏ 7 months of real-world customer beta testing

drivers, platforms, build) ❏ 3 independent security reviews ❏ dozens of formal developer UX studies ❏ 7 months of real-world customer beta testing ❏ 2 years from initial scope to GA

drivers, platforms, build) ❏ 3 independent security reviews ❏ dozens of formal developer UX studies ❏ 7 months of real-world customer beta testing ❏ 2 years from initial scope to GA ❏ one of the largest engineering investments we've made

So began the journey ❏ MongoDB client-side field level encryption
(CSFLE)

(CSFLE) ❏ Most popular NoSQL database in the world

(CSFLE) ❏ Most popular NoSQL database in the world ❏ Runs on 19+ platforms

(CSFLE) ❏ Most popular NoSQL database in the world ❏ Runs on 19+ platforms - 12 MongoDB supported language drivers + 7 community drivers

(CSFLE) ❏ Most popular NoSQL database in the world ❏ Runs on 19+ platforms - 12 MongoDB supported language drivers + 7 community drivers - Java, Reactive Native, Scala, Python, Node.js, Go, C, C++, C# .NET, PHP, Ruby, Swift...

(CSFLE) ❏ Most popular NoSQL database in the world ❏ Runs on 19+ platforms - 12 MongoDB supported language drivers + 7 community drivers - Java, Reactive Native, Scala, Python, Node.js, Go, C, C++, C# .NET, PHP, Ruby, Swift... - Windows, MacOS, iOS, Android, Debian, Ubuntu, Red Hat, CentOS, Amazon Linux, SuSE

(CSFLE) ❏ Most popular NoSQL database in the world ❏ Runs on 19+ platforms - 12 MongoDB supported language drivers + 7 community drivers - Java, Reactive Native, Scala, Python, Node.js, Go, C, C++, C# .NET, PHP, Ruby, Swift... - Windows, MacOS, iOS, Android, Debian, Ubuntu, Red Hat, CentOS, Amazon Linux, SuSE - x86, ARM, Power, IBM Z-Series mainframes

The implementation

The implementation ❏ CSFLE is enabled in drivers & integrated
into shell

into shell ❏ All encrypt/decrypt is done in the driver, on client

into shell ❏ All encrypt/decrypt is done in the driver, on client ❏ Drivers have expanded MQL awareness for automatic encryption

into shell ❏ All encrypt/decrypt is done in the driver, on client ❏ Drivers have expanded MQL awareness for automatic encryption ❏ Individual fields within collections can be marked as encrypted

into shell ❏ All encrypt/decrypt is done in the driver, on client ❏ Drivers have expanded MQL awareness for automatic encryption ❏ Individual fields within collections can be marked as encrypted ❏ Keys can be used on a per-field or per-document basis

into shell ❏ All encrypt/decrypt is done in the driver, on client ❏ Drivers have expanded MQL awareness for automatic encryption ❏ Individual fields within collections can be marked as encrypted ❏ Keys can be used on a per-field or per-document basis ❏ Native subdocument & aggregation pipeline support

Cryptography

Cryptography ❏ Cloud key services natively integrated

Cryptography ❏ Cloud key services natively integrated ❏ Authenticated encryption:
AEAD AES-256 HMAC-SHA512

AEAD AES-256 HMAC-SHA512 ❏ Abuse- and misuse-resistant, derived HMACs

AEAD AES-256 HMAC-SHA512 ❏ Abuse- and misuse-resistant, derived HMACs ❏ Native OS libraries used for crypto primitives (no DIY)

Cryptography ❏ Raw key material never persisted to disk (in-memory
on app server only)

on app server only) ❏ Stored field keys protected by strong symmetric encryption server-side (opaque to operator)

on app server only) ❏ Stored field keys protected by strong symmetric encryption server-side (opaque to operator) ❏ Field wrapping keys secured in HSM-backed external KMS

on app server only) ❏ Stored field keys protected by strong symmetric encryption server-side (opaque to operator) ❏ Field wrapping keys secured in HSM-backed external KMS ❏ Outside cryptanalysis & design reviews

on app server only) ❏ Stored field keys protected by strong symmetric encryption server-side (opaque to operator) ❏ Field wrapping keys secured in HSM-backed external KMS ❏ Outside cryptanalysis & design reviews ❏ Core constructions are Post Quantum resistant

Encryption in-use

Automatic encryption in-use

Encrypting Hello World on 19 platforms

Encrypting Hello World on 19 platforms ❏ Lessons from developer
ecosystems ❏ dependency hell challenges ❏ OS legacy package managers ❏ Python & pip ❏ Java, JVMs & Maven ❏ Adventures in NuGet ❏ Go & binaries

Things they don't teach you in CS

Things they don't teach you in CS ❏ No one
reads the docs (no, really) ❏ Operating systems will ship the oldest, weirdest system libraries you can imagine ❏ Never underestimate user experience, just to get to hello world ❏ Make copy/paste examples before the web does for you ❏ Every mistake in configuration that can be made will be made

Current status ❏ Released for production GA: - Node, Python,
C# .NET Core, Go, shell Java async, JVM Reactive Streams, Scala ❏ In beta: - C, C++, Ruby, PHP ❏ Experimental: Direct e2e S3 queries via Atlas Datalake ❏ Drivers & core cryptography framework Apache licensed ❏ Continuous pushes to GitHub for all platforms

Lessons

Lessons ❏ Encrypted search has costs

Lessons ❏ Encrypted search has costs ❏ Don't underestimate native
DB platform features

DB platform features ❏ Make key mgmt as simple as possible, but no more

DB platform features ❏ Make key mgmt as simple as possible, but no more ❏ (Almost) no one really understands IAM

DB platform features ❏ Make key mgmt as simple as possible, but no more ❏ (Almost) no one really understands IAM ❏ <5% of the actual engineering involved cryptography

Take away

Take away ❏ Engage professional cryptographers early in design

Take away ❏ Engage professional cryptographers early in design ❏
Homomorphic encryption will not save us

Homomorphic encryption will not save us ❏ Developer ease of use > technical properties

Homomorphic encryption will not save us ❏ Developer ease of use > technical properties ❏ Make technical choices easier

Homomorphic encryption will not save us ❏ Developer ease of use > technical properties ❏ Make technical choices easier ❏ Solving the 95% use case > offering impractical choices

It takes a village Andrew Asya Bernie Clyde Craig Dave
Davi Divjot Dmitri Emily Esha Jeff Jesse Julie Kaitlin Kevin Mark Matt Nathan Naomi Nick Oz Ravind Rachael Samantha Sara Shreyas Spencer Vincent

Special thanks Kenny Paterson, ETH Zurich Seny Kamara, Brown/Aroki Tarik
Moataz, Brown/Aroki Jean-Philippe Aumasson, Teserakt

Thank you! Kenneth White @kennwhite

Bringing usable crypto to 7 million developers

Bringing usable crypto to 7 million developers

More Decks by Kenn White

Other Decks in Technology

Featured

Transcript