Bringing usable crypto to 7 million developers

Enigma 2020 | USENIX

Kenneth White

January 27, 2020

Transcript

  1. Bringing usable crypto to 7 million developers
    A story about lessons in end-to-end encryption
    Kenneth White @kennwhite
  3. /about
    - Security Principal at MongoDB
    - Focus on applied encryption & distributed systems
    - Some past projects: TrueCrypt & OpenSSL audits, Linux Foundation Core Infrastructure Initiative, super cookie research, DHS, DOD
    - Life- and safety-critical systems
  5. Bringing usable crypto to 7 million developers
    ❏ Database myths
    ❏ The trust problem
    ❏ Encrypting Hello World on every major platform
    ❏ Things they don't teach you in CS
    ❏ Lessons
    ❏ Reflections
  11. Database myths
    ❏ Database encryption is a solved problem (it is not)
      "I want database encryption" "Here. Here's TLS."
      "I want database encryption" "Here. Here's FDE."
      "I want database encryption" "Here. Here's encrypted datastore files."
  15. The trust problem
    ❏ We've done a (pretty) good job of addressing:
      ❏ network confidentiality/encryption-in-transit
        ❏ Modern TLS (PFS, abuse-resistance)
      ❏ storage confidentiality/encryption-at-rest
        ❏ FDE / encrypted volumes / file encryption
  23. The trust problem
    Who holds the keys?
    ❏ Who can see the plaintext?
      - The database operator?
      - The sys admin?
      - The DB server?
      - The VM hypervisor host?
      - The infrastructure/cloud provider?
  24. The trust problem

  25. Is this your database trust model?

  30. The trust problem
    ❏ A question of trust. What is the source of trust?
      - In a server-side encryption model, a leak or breach can be catastrophic
      - This potentially includes: logs, backups, temp files, process memory…
      - Privileged credential users/processes see everything
  31. The trust problem

  36. The trust problem
    ❏ We have far fewer options to protect data-in-use
    ❏ In theory, we have lots of choices
    ❏ In practice, not so much
  37. “The difference between ‘possible’ and ‘lol nope’ is a vast lonely wasteland that's crushed countless souls.” — me
  40. The trust problem
    ❏ "Encryption-at-rest" is only helpful if, in fact, we're resting.
  48. The trust problem
    ❏ Can we encrypt data before it ever leaves the application?
    ❏ Some workloads require end-to-end or client-side encryption
    ❏ Similar to e2e in messaging apps
    ❏ This is a solved problem, yes?
    Narrator: It is not.
  52. The trust problem
    ❏ Database encryption is not a solved problem
      "I want client-side database encryption" "Here. Here's an SDK."
      "So I just run my queries as-is?" "Oh, no sorry. You'll have to re-write everything."
      "But at least I can search my database?" "Oh, no sorry."
  53. The trust problem
    ❏ Database encryption is not a solved problem
      A GitHub repo or a complicated bolt-on SDK doesn't count.
  54. Reality Check

  62. An idea was born
    What if... You didn't have to
      ...use some clunky and limited SDK
      ...rewrite all your app query code
      ...lose the ability to search your database
    What if... You could create a key, set a config, and just go?
  70. So began the journey
    ❏ 24+ engineers (core server, query, drivers, platforms, build)
    ❏ 3 independent security reviews
    ❏ dozens of formal developer UX studies
    ❏ 7 months of real-world customer beta testing
    ❏ 2 years from initial scope to GA
    ❏ one of the largest engineering investments we've made
  77. So began the journey
    ❏ MongoDB client-side field level encryption (CSFLE)
    ❏ Most popular NoSQL database in the world
    ❏ Runs on 19+ platforms
      - 12 MongoDB supported language drivers + 7 community drivers
      - Java, Reactive Native, Scala, Python, Node.js, Go, C, C++, C# .NET, PHP, Ruby, Swift...
      - Windows, MacOS, iOS, Android, Debian, Ubuntu, Red Hat, CentOS, Amazon Linux, SuSE
      - x86, ARM, Power, IBM Z-Series mainframes
  84. The implementation
    ❏ CSFLE is enabled in drivers & integrated into shell
    ❏ All encrypt/decrypt is done in the driver, on client
    ❏ Drivers have expanded MQL awareness for automatic encryption
    ❏ Individual fields within collections can be marked as encrypted
    ❏ Keys can be used on a per-field or per-document basis
    ❏ Native subdocument & aggregation pipeline support
  92. Cryptography
    ❏ Cloud key services natively integrated
    ❏ Authenticated encryption: AEAD AES-256 HMAC-SHA512
    ❏ Abuse- and misuse-resistant, derived HMACs
    ❏ Native OS libraries used for crypto primitives (no DIY)
  97. Cryptography
    ❏ Raw key material never persisted to disk (in-memory on app server only)
    ❏ Stored field keys protected by strong symmetric encryption server-side (opaque to operator)
    ❏ Field wrapping keys secured in HSM-backed external KMS
    ❏ Outside cryptanalysis & design reviews
    ❏ Core constructions are Post Quantum resistant
  98. Encryption in-use

  100. Automatic encryption in-use

  104. Encrypting Hello World on 19 platforms
    ❏ Lessons from developer ecosystems
    ❏ dependency hell challenges
    ❏ OS legacy package managers
    ❏ Python & pip
    ❏ Java, JVMs & Maven
    ❏ Adventures in NuGet
    ❏ Go & binaries
  106. Things they don't teach you in CS
    ❏ No one reads the docs (no, really)
    ❏ Operating systems will ship the oldest, weirdest system libraries you can imagine
    ❏ Never underestimate user experience, just to get to hello world
    ❏ Make copy/paste examples before the web does for you
    ❏ Every mistake in configuration that can be made will be made
  107. Current status
    ❏ Released for production GA:
      - Node, Python, C# .NET Core, Go, shell Java async, JVM Reactive Streams, Scala
    ❏ In beta:
      - C, C++, Ruby, PHP
    ❏ Experimental: Direct e2e S3 queries via Atlas Datalake
    ❏ Drivers & core cryptography framework Apache licensed
    ❏ Continuous pushes to GitHub for all platforms
  113. Lessons
    ❏ Encrypted search has costs
    ❏ Don't underestimate native DB platform features
    ❏ Make key mgmt as simple as possible, but no more
    ❏ (Almost) no one really understands IAM
    ❏ <5% of the actual engineering involved cryptography
  119. Take away
    ❏ Engage professional cryptographers early in design
    ❏ Homomorphic encryption will not save us
    ❏ Developer ease of use > technical properties
    ❏ Make technical choices easier
    ❏ Solving the 95% use case > offering impractical choices
  120. It takes a village
    Andrew, Asya, Bernie, Clyde, Craig, Dave, Davi, Divjot, Dmitri, Emily, Esha, Jeff, Jesse, Julie, Kaitlin, Kevin, Mark, Matt, Nathan, Naomi, Nick, Oz, Ravind, Rachael, Samantha, Sara, Shreyas, Spencer, Vincent
  121. Special thanks
    Kenny Paterson, ETH Zurich
    Seny Kamara, Brown/Aroki
    Tarik Moataz, Brown/Aroki
    Jean-Philippe Aumasson, Teserakt
  122. Thank you! Kenneth White @kennwhite

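
Added example, not from the talk and not MongoDB driver code: the key hierarchy and authenticated encryption named on the Cryptography slides (a field key wrapped by a master key, then AES-256 with HMAC-SHA512 applied client-side), written against Node's built-in crypto module. CBC mode, the 96-byte field-key split, the HMAC-derived IV for the deterministic variant, and the local masterKey standing in for a KMS-held wrapping key are all assumptions.

```javascript
// Added illustration, not MongoDB driver code. Assumptions: CBC mode, the 96-byte
// field-key split, and a local masterKey standing in for the KMS-held wrapping key.
const crypto = require('node:crypto');

const hmac = (key, ...parts) =>
  parts.reduce((h, p) => h.update(p), crypto.createHmac('sha512', key)).digest();
// Length-prefix the AAD so (aad, iv, ciphertext) cannot be re-split ambiguously.
const lenPrefix = (buf) => {
  const n = Buffer.alloc(8);
  n.writeBigUInt64BE(BigInt(buf.length));
  return Buffer.concat([n, buf]);
};

// Wrap a field key under the master key; only this blob is stored server-side.
function wrapKey(masterKey, fieldKey) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', masterKey, nonce);
  const body = Buffer.concat([c.update(fieldKey), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}
function unwrapKey(masterKey, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', masterKey, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Encrypt-then-MAC. deterministic=true derives the IV from the plaintext, so equal
// values give equal ciphertexts: equality search works, but equality also leaks.
function encryptField(fieldKey, plaintext, aad, deterministic = false) {
  const [encKey, macKey, ivKey] = [0, 32, 64].map((o) => fieldKey.subarray(o, o + 32));
  const pt = Buffer.from(plaintext, 'utf8');
  const iv = deterministic
    ? hmac(ivKey, lenPrefix(aad), pt).subarray(0, 16)
    : crypto.randomBytes(16);
  const c = crypto.createCipheriv('aes-256-cbc', encKey, iv);
  const ct = Buffer.concat([c.update(pt), c.final()]);
  return Buffer.concat([hmac(macKey, lenPrefix(aad), iv, ct), iv, ct]);
}

function decryptField(fieldKey, blob, aad) {
  const [encKey, macKey] = [0, 32].map((o) => fieldKey.subarray(o, o + 32));
  const [tag, iv, ct] = [blob.subarray(0, 64), blob.subarray(64, 80), blob.subarray(80)];
  // Verify the tag in constant time before touching the ciphertext.
  if (blob.length < 96 || !crypto.timingSafeEqual(tag, hmac(macKey, lenPrefix(aad), iv, ct)))
    throw new Error('authentication failed');
  const d = crypto.createDecipheriv('aes-256-cbc', encKey, iv);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}
```

The server in this model stores only the output of wrapKey and encryptField; a database operator without the master key sees opaque bytes, and any modified ciphertext is rejected before decryption.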