Bringing usable crypto to 7 million developers

Kenn White
January 27, 2020

Enigma 2020 | USENIX

Transcript

  1. Bringing usable crypto to 7 million developers
    Kenneth White
    @kennwhite
    A story about lessons in end-to-end encryption

  2. /about

  3. /about
    - Security Principal at MongoDB
    - Focus on applied encryption & distributed
    systems
    - Some past projects: TrueCrypt & OpenSSL
    audits, Linux Foundation Core Infrastructure
    Initiative, super cookie research, DHS, DOD
    - Life- and safety-critical systems

  4. Bringing usable crypto to 7 million developers

  5. Bringing usable crypto to 7 million developers
    ❏ Database myths
    ❏ The trust problem
    ❏ Encrypting Hello World on every major platform
    ❏ Things they don't teach you in CS
    ❏ Lessons
    ❏ Reflections

  6. Database myths

  7. Database myths
    ❏ Database encryption is a solved problem

  8. Database myths
    ❏ Database encryption is a solved problem (it is not)

  9. Database myths
    ❏ Database encryption is a solved problem (it is not)
    "I want database encryption"
    "Here. Here's TLS."

  10. Database myths
    ❏ Database encryption is a solved problem (it is not)
    "I want database encryption"
    "Here. Here's TLS."
    "I want database encryption"
    "Here. Here's FDE."

  11. Database myths
    ❏ Database encryption is a solved problem (it is not)
    "I want database encryption"
    "Here. Here's TLS."
    "I want database encryption"
    "Here. Here's FDE."
    "I want database encryption"
    "Here. Here's encrypted datastore files."

  12. The trust problem

  13. The trust problem
    ❏ We've done a (pretty) good job of addressing:

  14. The trust problem
    ❏ We've done a (pretty) good job of addressing:
    ❏ network confidentiality/encryption-in-transit
    ❏ Modern TLS (PFS, abuse-resistance)

  15. The trust problem
    ❏ We've done a (pretty) good job of addressing:
    ❏ network confidentiality/encryption-in-transit
    ❏ Modern TLS (PFS, abuse-resistance)
    ❏ storage confidentiality/encryption-at-rest
    ❏ FDE / encrypted volumes / file encryption

  16. The trust problem

  17. The trust problem
    Who holds the keys?

  18. The trust problem
    Who holds the keys?
    ❏ Who can see the plaintext?

  19. The trust problem
    Who holds the keys?
    ❏ Who can see the plaintext?
    - The database operator?

  20. The trust problem
    Who holds the keys?
    ❏ Who can see the plaintext?
    - The database operator?
    - The sys admin?

  21. The trust problem
    Who holds the keys?
    ❏ Who can see the plaintext?
    - The database operator?
    - The sys admin?
    - The DB server?

  22. The trust problem
    Who holds the keys?
    ❏ Who can see the plaintext?
    - The database operator?
    - The sys admin?
    - The DB server?
    - The VM hypervisor host?

  23. The trust problem
    Who holds the keys?
    ❏ Who can see the plaintext?
    - The database operator?
    - The sys admin?
    - The DB server?
    - The VM hypervisor host?
    - The infrastructure/cloud provider?

  24. The trust problem

  25. Is this your database trust model?

  26. The trust problem
    ❏ A question of trust. What is the source of trust?

  27. The trust problem
    ❏ A question of trust. What is the source of trust?
    - In a server-side encryption model, a leak or breach
    can be catastrophic

  28. The trust problem
    ❏ A question of trust. What is the source of trust?
    - In a server-side encryption model, a leak or breach
    can be catastrophic
    - This potentially includes: logs, backups, temp files,
    process memory…

  29. The trust problem
    ❏ A question of trust. What is the source of trust?
    - In a server-side encryption model, a leak or breach
    can be catastrophic
    - This potentially includes: logs, backups, temp files,
    process memory…
    - Privileged credential users/processes see everything

  30. The trust problem
    ❏ A question of trust. What is the source of trust?
    - In a server-side encryption model, a leak or breach
    can be catastrophic
    - This potentially includes: logs, backups, temp files,
    process memory…
    - Privileged credential users/processes see everything

  31. The trust problem

  32. The trust problem

  33. The trust problem

  34. The trust problem
    ❏ We have far fewer options to protect data-in-use

  35. The trust problem
    ❏ We have far fewer options to protect data-in-use
    ❏ In theory, we have lots of choices

  36. The trust problem
    ❏ We have far fewer options to protect data-in-use
    ❏ In theory, we have lots of choices
    ❏ In practice, not so much

  37. “The difference between ‘possible’ and
    ‘lol nope’ is a vast lonely wasteland
    that's crushed countless souls.”
    — me

  38. The trust problem

  39. The trust problem
    ❏ "Encryption-at-rest" is only helpful if, in fact, we're resting.

  40. The trust problem
    ❏ "Encryption-at-rest" is only helpful if, in fact, we're resting.

  41. The trust problem
    ❏ Can we encrypt data before it ever leaves the application?

  42. The trust problem
    ❏ Can we encrypt data before it ever leaves the application?
    ❏ Some workloads require end-to-end or client-side
    encryption

  43. The trust problem

  44. The trust problem
    ❏ Can we encrypt data before it ever leaves the application?
    ❏ Some workloads require end-to-end or client-side
    encryption

  45. The trust problem
    ❏ Can we encrypt data before it ever leaves the application?
    ❏ Some workloads require end-to-end or client-side
    encryption
    ❏ Similar to e2e in messaging apps

  46. The trust problem
    ❏ Can we encrypt data before it ever leaves the application?
    ❏ Some workloads require end-to-end or client-side
    encryption
    ❏ Similar to e2e in messaging apps
    ❏ This is a solved problem, yes?

  47. The trust problem
    ❏ Can we encrypt data before it ever leaves the application?
    ❏ Some workloads require end-to-end or client-side
    encryption
    ❏ Similar to e2e in messaging apps
    ❏ This is a solved problem, yes?

  48. The trust problem
    ❏ Can we encrypt data before it ever leaves the application?
    ❏ Some workloads require end-to-end or client-side
    encryption
    ❏ Similar to e2e in messaging apps
    ❏ This is a solved problem, yes?
    Narrator: It is not.

  49. The trust problem
    ❏ Database encryption is not a solved problem

  50. The trust problem
    ❏ Database encryption is not a solved problem
    "I want client-side database encryption"
    "Here. Here's an SDK."

  51. The trust problem
    ❏ Database encryption is not a solved problem
    "I want client-side database encryption"
    "Here. Here's an SDK."
    "So I just run my queries as-is?"
    "Oh, no sorry. You'll have to re-write everything."

  52. The trust problem
    ❏ Database encryption is not a solved problem
    "I want client-side database encryption"
    "Here. Here's an SDK."
    "So I just run my queries as-is?"
    "Oh, no sorry. You'll have to re-write everything."
    "But at least I can search my database?"
    "Oh, no sorry."

  53. The trust problem
    ❏ Database encryption is not a solved problem
    A GitHub repo or a complicated bolt-on SDK doesn't count.

  54. Reality Check

  55. Reality Check

  56. Reality Check

  57. Reality Check

  58. An idea was born

  59. An idea was born
    What if...

  60. An idea was born
    What if...
    You didn't have to
    ...use some clunky and limited SDK
    ...rewrite all your app query code
    ...lose the ability to search your database

  61. An idea was born
    What if...
    You didn't have to
    ...use some clunky and limited SDK
    ...rewrite all your app query code
    ...lose the ability to search your database
    What if...

  62. An idea was born
    What if...
    You didn't have to
    ...use some clunky and limited SDK
    ...rewrite all your app query code
    ...lose the ability to search your database
    What if...
    You could create a key, set a config, and just go?

  64. So began the journey

  65. So began the journey
    ❏ 24+ engineers (core server, query, drivers, platforms, build)

  66. So began the journey
    ❏ 24+ engineers (core server, query, drivers, platforms, build)
    ❏ 3 independent security reviews

  67. So began the journey
    ❏ 24+ engineers (core server, query, drivers, platforms, build)
    ❏ 3 independent security reviews
    ❏ dozens of formal developer UX studies

  68. So began the journey
    ❏ 24+ engineers (core server, query, drivers, platforms, build)
    ❏ 3 independent security reviews
    ❏ dozens of formal developer UX studies
    ❏ 7 months of real-world customer beta testing

  69. So began the journey
    ❏ 24+ engineers (core server, query, drivers, platforms, build)
    ❏ 3 independent security reviews
    ❏ dozens of formal developer UX studies
    ❏ 7 months of real-world customer beta testing
    ❏ 2 years from initial scope to GA

  70. So began the journey
    ❏ 24+ engineers (core server, query, drivers, platforms, build)
    ❏ 3 independent security reviews
    ❏ dozens of formal developer UX studies
    ❏ 7 months of real-world customer beta testing
    ❏ 2 years from initial scope to GA
    ❏ one of the largest engineering investments we've made

  71. So began the journey
    ❏ MongoDB client-side field level encryption (CSFLE)

  72. So began the journey
    ❏ MongoDB client-side field level encryption (CSFLE)
    ❏ Most popular NoSQL database in the world

  73. So began the journey
    ❏ MongoDB client-side field level encryption (CSFLE)
    ❏ Most popular NoSQL database in the world
    ❏ Runs on 19+ platforms

  74. So began the journey
    ❏ MongoDB client-side field level encryption (CSFLE)
    ❏ Most popular NoSQL database in the world
    ❏ Runs on 19+ platforms
    - 12 MongoDB supported language drivers + 7 community drivers

  75. So began the journey
    ❏ MongoDB client-side field level encryption (CSFLE)
    ❏ Most popular NoSQL database in the world
    ❏ Runs on 19+ platforms
    - 12 MongoDB supported language drivers + 7 community drivers
    - Java, Reactive Native, Scala, Python, Node.js, Go, C, C++,
    C# .NET, PHP, Ruby, Swift...

  76. So began the journey
    ❏ MongoDB client-side field level encryption (CSFLE)
    ❏ Most popular NoSQL database in the world
    ❏ Runs on 19+ platforms
    - 12 MongoDB supported language drivers + 7 community drivers
    - Java, Reactive Native, Scala, Python, Node.js, Go, C, C++,
    C# .NET, PHP, Ruby, Swift...
    - Windows, MacOS, iOS, Android, Debian, Ubuntu, Red Hat,
    CentOS, Amazon Linux, SuSE

  77. So began the journey
    ❏ MongoDB client-side field level encryption (CSFLE)
    ❏ Most popular NoSQL database in the world
    ❏ Runs on 19+ platforms
    - 12 MongoDB supported language drivers + 7 community drivers
    - Java, Reactive Native, Scala, Python, Node.js, Go, C, C++,
    C# .NET, PHP, Ruby, Swift...
    - Windows, MacOS, iOS, Android, Debian, Ubuntu, Red Hat,
    CentOS, Amazon Linux, SuSE
    - x86, ARM, Power, IBM Z-Series mainframes

  78. The implementation

  79. The implementation
    ❏ CSFLE is enabled in drivers & integrated into shell

  80. The implementation
    ❏ CSFLE is enabled in drivers & integrated into shell
    ❏ All encrypt/decrypt is done in the driver, on client

  81. The implementation
    ❏ CSFLE is enabled in drivers & integrated into shell
    ❏ All encrypt/decrypt is done in the driver, on client
    ❏ Drivers have expanded MQL awareness for automatic
    encryption

  82. The implementation
    ❏ CSFLE is enabled in drivers & integrated into shell
    ❏ All encrypt/decrypt is done in the driver, on client
    ❏ Drivers have expanded MQL awareness for automatic
    encryption
    ❏ Individual fields within collections can be marked as
    encrypted

  83. The implementation
    ❏ CSFLE is enabled in drivers & integrated into shell
    ❏ All encrypt/decrypt is done in the driver, on client
    ❏ Drivers have expanded MQL awareness for automatic
    encryption
    ❏ Individual fields within collections can be marked as
    encrypted
    ❏ Keys can be used on a per-field or per-document basis

  84. The implementation
    ❏ CSFLE is enabled in drivers & integrated into shell
    ❏ All encrypt/decrypt is done in the driver, on client
    ❏ Drivers have expanded MQL awareness for automatic
    encryption
    ❏ Individual fields within collections can be marked as
    encrypted
    ❏ Keys can be used on a per-field or per-document basis
    ❏ Native subdocument & aggregation pipeline support

  88. Cryptography

  89. Cryptography
    ❏ Cloud key services natively integrated

  90. Cryptography
    ❏ Cloud key services natively integrated
    ❏ Authenticated encryption: AEAD AES-256 HMAC-SHA512

  91. Cryptography
    ❏ Cloud key services natively integrated
    ❏ Authenticated encryption: AEAD AES-256 HMAC-SHA512
    ❏ Abuse- and misuse-resistant, derived HMACs

  92. Cryptography
    ❏ Cloud key services natively integrated
    ❏ Authenticated encryption: AEAD AES-256 HMAC-SHA512
    ❏ Abuse- and misuse-resistant, derived HMACs
    ❏ Native OS libraries used for crypto primitives (no DIY)

  93. Cryptography
    ❏ Raw key material never persisted to disk (in-memory on
    app server only)

  94. Cryptography
    ❏ Raw key material never persisted to disk (in-memory on
    app server only)
    ❏ Stored field keys protected by strong symmetric
    encryption server-side (opaque to operator)

  95. Cryptography
    ❏ Raw key material never persisted to disk (in-memory on
    app server only)
    ❏ Stored field keys protected by strong symmetric
    encryption server-side (opaque to operator)
    ❏ Field wrapping keys secured in HSM-backed external
    KMS

  96. Cryptography
    ❏ Raw key material never persisted to disk (in-memory on
    app server only)
    ❏ Stored field keys protected by strong symmetric
    encryption server-side (opaque to operator)
    ❏ Field wrapping keys secured in HSM-backed external
    KMS
    ❏ Outside cryptanalysis & design reviews

  97. Cryptography
    ❏ Raw key material never persisted to disk (in-memory on
    app server only)
    ❏ Stored field keys protected by strong symmetric
    encryption server-side (opaque to operator)
    ❏ Field wrapping keys secured in HSM-backed external
    KMS
    ❏ Outside cryptanalysis & design reviews
    ❏ Core constructions are Post Quantum resistant

  98. Encryption in-use

  99. Encryption in-use

  100. Automatic encryption in-use

  101. Automatic encryption in-use

  102. Automatic encryption in-use

  103. Encrypting Hello World on 19 platforms

  104. Encrypting Hello World on 19 platforms
    ❏ Lessons from developer ecosystems
    ❏ dependency hell challenges
    ❏ OS legacy package managers
    ❏ Python & pip
    ❏ Java, JVMs & Maven
    ❏ Adventures in NuGet
    ❏ Go & binaries

  105. Things they don't teach you in CS

  106. Things they don't teach you in CS
    ❏ No one reads the docs (no, really)
    ❏ Operating systems will ship the oldest, weirdest system
    libraries you can imagine
    ❏ Never underestimate user experience, just to get to hello
    world
    ❏ Make copy/paste examples before the web does for you
    ❏ Every mistake in configuration that can be made will be
    made

  107. Current status
    ❏ Released for production GA:
    - Node, Python, C# .NET Core, Go, shell
    Java async, JVM Reactive Streams, Scala
    ❏ In beta:
    - C, C++, Ruby, PHP
    ❏ Experimental: Direct e2e S3 queries via Atlas Datalake
    ❏ Drivers & core cryptography framework Apache licensed
    ❏ Continuous pushes to GitHub for all platforms

  108. Lessons

  109. Lessons
    ❏ Encrypted search has costs

  110. Lessons
    ❏ Encrypted search has costs
    ❏ Don't underestimate native DB platform features

  111. Lessons
    ❏ Encrypted search has costs
    ❏ Don't underestimate native DB platform features
    ❏ Make key mgmt as simple as possible, but no more

  112. Lessons
    ❏ Encrypted search has costs
    ❏ Don't underestimate native DB platform features
    ❏ Make key mgmt as simple as possible, but no more
    ❏ (Almost) no one really understands IAM

  113. Lessons
    ❏ Encrypted search has costs
    ❏ Don't underestimate native DB platform features
    ❏ Make key mgmt as simple as possible, but no more
    ❏ (Almost) no one really understands IAM
    ❏ <5% of the actual engineering involved cryptography

  114. Take away

  115. Take away
    ❏ Engage professional cryptographers early in design

  116. Take away
    ❏ Engage professional cryptographers early in design
    ❏ Homomorphic encryption will not save us

  117. Take away
    ❏ Engage professional cryptographers early in design
    ❏ Homomorphic encryption will not save us
    ❏ Developer ease of use > technical properties

  118. Take away
    ❏ Engage professional cryptographers early in design
    ❏ Homomorphic encryption will not save us
    ❏ Developer ease of use > technical properties
    ❏ Make technical choices easier

  119. Take away
    ❏ Engage professional cryptographers early in design
    ❏ Homomorphic encryption will not save us
    ❏ Developer ease of use > technical properties
    ❏ Make technical choices easier
    ❏ Solving the 95% use case > offering impractical choices

  120. It takes a village
    Andrew Asya Bernie Clyde Craig
    Dave Davi Divjot Dmitri Emily
    Esha Jeff Jesse Julie Kaitlin
    Kevin Mark Matt Nathan Naomi
    Nick Oz Ravind Rachael Samantha
    Sara Shreyas Spencer Vincent

  121. Special thanks
    Kenny Paterson, ETH Zurich
    Seny Kamara, Brown/Aroki
    Tarik Moataz, Brown/Aroki
    Jean-Philippe Aumasson, Teserakt

  122. Thank you!
    Kenneth White
    @kennwhite
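
The Cryptography slides (89 to 97) name authenticated encryption with AES-256 and HMAC-SHA512, and the Lessons slides note that encrypted search has costs. The Node.js code below is an added example, not code from the talk or from MongoDB's drivers, showing encrypt-then-MAC on a single field in a randomized mode and in a deterministic mode that permits equality matching. The 96-byte key layout, the use of the field path as associated data, the IV derivation and the `patient.ssn` sample are assumptions made for illustration.

```javascript
// Added illustration: not MongoDB driver code and not its wire format.
const crypto = require("crypto");

// Assumption: a 96-byte field key split into AES-256, HMAC-SHA512 and IV-derivation keys.
function splitKey(fieldKey) {
  if (fieldKey.length !== 96) throw new Error("field key must be 96 bytes");
  return {
    encKey: fieldKey.subarray(0, 32),
    macKey: fieldKey.subarray(32, 64),
    ivKey: fieldKey.subarray(64, 96),
  };
}

// HMAC-SHA512 over aad || parts || bit length of aad, so the aad boundary is unambiguous.
function mac(key, aad, ...parts) {
  const len = Buffer.alloc(8);
  len.writeBigUInt64BE(BigInt(aad.length) * 8n);
  const h = crypto.createHmac("sha512", key).update(aad);
  for (const p of parts) h.update(p);
  return h.update(len).digest();
}

// Encrypt-then-MAC; fieldPath is authenticated so a value cannot be moved to another field.
function encryptField(fieldKey, fieldPath, value, deterministic = false) {
  const { encKey, macKey, ivKey } = splitKey(fieldKey);
  const aad = Buffer.from(fieldPath, "utf8");
  const pt = Buffer.from(value, "utf8");
  // Deterministic mode derives the IV from the plaintext: equal values give equal
  // ciphertexts, which permits equality queries and also reveals equality to the server.
  const iv = deterministic ? mac(ivKey, aad, pt).subarray(0, 16) : crypto.randomBytes(16);
  const c = crypto.createCipheriv("aes-256-cbc", encKey, iv);
  const ct = Buffer.concat([c.update(pt), c.final()]);
  return Buffer.concat([iv, ct, mac(macKey, aad, iv, ct).subarray(0, 32)]);
}

function decryptField(fieldKey, fieldPath, blob) {
  const { encKey, macKey } = splitKey(fieldKey);
  if (blob.length < 16 + 16 + 32) throw new Error("ciphertext too short");
  const aad = Buffer.from(fieldPath, "utf8");
  const iv = blob.subarray(0, 16);
  const ct = blob.subarray(16, blob.length - 32);
  const tag = blob.subarray(blob.length - 32);
  // Check the tag in constant time before any decryption is attempted.
  if (!crypto.timingSafeEqual(tag, mac(macKey, aad, iv, ct).subarray(0, 32))) {
    throw new Error("authentication failed");
  }
  const d = crypto.createDecipheriv("aes-256-cbc", encKey, iv);
  return Buffer.concat([d.update(ct), d.final()]).toString("utf8");
}

// Constructed sample: the random key stands in for a field key unwrapped via a KMS.
const sampleKey = crypto.randomBytes(96);
const det = [1, 2].map(() => encryptField(sampleKey, "patient.ssn", "901-01-0001", true));
const rnd = [1, 2].map(() => encryptField(sampleKey, "patient.ssn", "901-01-0001"));
console.log("deterministic equal:", det[0].equals(det[1]));
console.log("randomized equal:   ", rnd[0].equals(rnd[1]));
console.log("round trip:", decryptField(sampleKey, "patient.ssn", rnd[0]));
```

The deterministic ciphertexts compare equal, so a server can match on them without the key; the same property lets anyone with read access see which records share a value.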
