Bringing usable crypto to 7 million developers

Bringing usable crypto to 7
million developers
Kenneth White
@kennwhite
A story about lessons in end-to-end encryption

View Slide

/about

View Slide

/about
- Security Principal at MongoDB
- Focus on applied encryption & distributed
systems
- Some past projects: TrueCrypt & OpenSSL
audits, Linux Foundation Core Infrastructure
Initiative, super cookie research, DHS, DOD
- Life- and safety-critical systems

View Slide

Bringing usable crypto to 7 million developers

View Slide

Bringing usable crypto to 7 million developers
❏ Database myths
❏ The trust problem
❏ Encrypting Hello World on every major platform
❏ Things they don't teach you in CS
❏ Lessons
❏ Reflections

View Slide

Database myths

View Slide

Database myths
❏ Database encryption is a solved problem

View Slide

Database myths
❏ Database encryption is a solved problem (it is not)

View Slide

Database myths
"I want database encryption"
"Here. Here's TLS."

View Slide

Database myths
"Here. Here's TLS."
"Here. Here's FDE."

View Slide

Database myths
"Here. Here's TLS."
"Here. Here's FDE."
"Here. Here's encrypted datastore files."

View Slide

The trust problem

View Slide

The trust problem
❏ We've done a (pretty) good job of addressing:

View Slide

The trust problem
❏ network confidentiality/encryption-in-transit
❏ Modern TLS (PFS, abuse-resistance)

View Slide

The trust problem
❏ network confidentiality/encryption-in-transit
❏ Modern TLS (PFS, abuse-resistance)
❏ storage confidentiality/encryption-at-rest
❏ FDE / encrypted volumes / file encryption

View Slide

The trust problem

View Slide

The trust problem
Who holds the keys?

View Slide

The trust problem
Who holds the keys?
❏ Who can see the plaintext?

View Slide

The trust problem
Who holds the keys?
- The database operator?

View Slide

The trust problem
Who holds the keys?
- The sys admin?

View Slide

The trust problem
Who holds the keys?
- The sys admin?
- The DB server?

View Slide

The trust problem
Who holds the keys?
- The sys admin?
- The DB server?
- The VM hypervisor host?

View Slide

The trust problem
Who holds the keys?
- The sys admin?
- The DB server?
- The VM hypervisor host?
- The infrastructure/cloud provider?

View Slide

The trust problem

View Slide

Is this your database trust model?

View Slide

The trust problem
❏ A question of trust. What is the source of trust?

View Slide

The trust problem
- In a server-side encryption model, a leak or breach
can be catastrophic

View Slide

The trust problem
can be catastrophic
- This potentially includes: logs, backups, temp files,
process memory…

View Slide

The trust problem
can be catastrophic
- This potentially includes: logs, backups, temp files,
process memory…
- Privileged credential users/processes see everything

View Slide

The trust problem

View Slide

The trust problem
❏ We have far fewer options to protect data-in-use

View Slide

The trust problem
❏ In theory, we have lots of choices

View Slide

The trust problem
❏ In theory, we have lots of choices
❏ In practice, not so much

View Slide

“The difference between ‘possible’ and
‘lol nope’ is a vast lonely wasteland
that's crushed countless souls.”
— me

View Slide

The trust problem

View Slide

The trust problem
❏ "Encryption-at-rest" is only helpful, if, in fact we're resting.

View Slide

The trust problem
❏ Can we encrypt data before it ever leaves the application?

View Slide

The trust problem
❏ Some workloads require end-to-end or client-side
encryption

View Slide

The trust problem

View Slide

The trust problem
encryption

View Slide

The trust problem
encryption
❏ Similar to e2e in messaging apps

View Slide

The trust problem
encryption
❏ This is a solved problem, yes?

View Slide

The trust problem
encryption
❏ This is a solved problem, yes?
Narrator: It is not.

View Slide

The trust problem
❏ Database encryption is not a solved problem

View Slide

The trust problem
"I want client-side database encryption"
"Here. Here's an SDK."

View Slide

The trust problem
"So I just run my queries as-is?"
"Oh, no sorry. You'll have to re-write everything."

View Slide

The trust problem
"So I just run my queries as-is?"
"Oh, no sorry. You'll have to re-write everything."
"But at least I can search my database?"
"Oh, no sorry."

View Slide

The trust problem
A github repo or a complicated bolt-on SDK doesn't count.

View Slide

Reality Check

View Slide

An idea was born

View Slide

An idea was born
What if...

View Slide

An idea was born
What if...
You didn't have to
...use some clunky and limited SDK
...rewrite all your app query code
...lose the ability to search your database

View Slide

An idea was born
What if...
You didn't have to
What if...

View Slide

An idea was born
What if...
You didn't have to
What if...
You could create a key, set a config, and just go?

View Slide

View Slide

So began the journey

View Slide

❏ 24+ engineers (core server, query, drivers, platforms, build)

View Slide

❏ 3 independent security reviews

View Slide

❏ dozens of formal developer UX studies

View Slide

❏ 7 months of real-world customer beta testing

View Slide

❏ 2 years from initial scope to GA

View Slide

❏ 2 years from initial scope to GA
❏ one of the largest engineering investments we've made

View Slide

❏ MongoDB client-side field level encryption (CSFLE)

View Slide

❏ Most popular NoSQL database in the world

View Slide

❏ Runs on 19+ platforms

View Slide

- 12 MongoDB supported language drivers + 7 community drivers

View Slide

- Java, Reactive Native, Scala, Python, Node.js, Go, C, C++,
C# .NET, PHP, Ruby, Swift...

View Slide

- Windows, MacOS, iOS, Android, Debian, Ubuntu, Red Hat,
CentOS, Amazon Linux, SuSE

View Slide

- Windows, MacOS, iOS, Android, Debian, Ubuntu, Red Hat,
CentOS, Amazon Linux, SuSE
- x86, ARM, Power, IBM Z-Series mainframes

View Slide

The implementation

View Slide

The implementation
❏ CSFLE is enabled in drivers & integrated into shell

View Slide

The implementation
❏ All encrypt/decrypt is done in the driver, on client

View Slide

The implementation
❏ Drivers have expanded MQL awareness for automatic
encryption

View Slide

The implementation
encryption
❏ Individual fields within collections can be marked as
encrypted

View Slide

The implementation
encryption
encrypted
❏ Keys can be used on a per-field or per-document basis

View Slide

The implementation
encryption
encrypted
❏ Keys can be used on a per-field or per-document basis
❏ Native subdocument & aggregation pipeline support

View Slide

View Slide

Cryptography

View Slide

Cryptography
❏ Cloud key services natively integrated

View Slide

Cryptography
❏ Authenticated encryption: AEAD AES-256 HMAC-SHA512

View Slide

Cryptography
❏ Abuse- and misuse-resistant, derived HMACs

View Slide

Cryptography
❏ Abuse- and misuse-resistant, derived HMACs
❏ Native OS libraries used for crypto primitives (no DIY)

View Slide

Cryptography
❏ Raw key material never persisted to disk (in-memory on
app server only)

View Slide

Cryptography
app server only)
❏ Stored field keys protected by strong symmetric
encryption server-side (opaque to operator)

View Slide

Cryptography
app server only)
❏ Field wrapping keys secured in HSM-backed external
KMS

View Slide

Cryptography
app server only)
KMS
❏ Outside cryptanalysis & design reviews

View Slide

Cryptography
app server only)
KMS
❏ Outside cryptanalysis & design reviews
❏ Core constructions are Post Quantum resistant

View Slide

Encryption in-use

View Slide

Automatic encryption in-use

View Slide

Encrypting Hello World on 19 platforms

View Slide

Encrypting Hello World on 19 platforms
❏ Lessons from developer ecosystems
❏ dependency hell challenges
❏ OS legacy package managers
❏ Python & pip
❏ Java, JVMs & Maven
❏ Adventures in NuGet
❏ Go & binaries

View Slide

Things they don't teach you in CS

View Slide

Things they don't teach you in CS
❏ No one reads the docs (no, really)
❏ Operating systems will ship the oldest, weirdest system
libraries you can imagine
❏ Never underestimate user experience, just to get to hello
world
❏ Make copy/paste examples before the web does for you
❏ Every mistake in configuration that can be made will be
made

View Slide

Current status
❏ Released for production GA:
- Node, Python, C# .NET Core, Go, shell
Java async, JVM Reactive Streams, Scala
❏ In beta:
- C, C++, Ruby, PHP
❏ Experimental: Direct e2e S3 queries via Atlas Datalake
❏ Drivers & core cryptography framework Apache licensed
❏ Continuous pushes to GitHub for all platforms

View Slide

Lessons

View Slide

Lessons
❏ Encrypted search has costs

View Slide

Lessons
❏ Don't underestimate native DB platform features

View Slide

Lessons
❏ Make key mgmt as simple as possible, but no more

View Slide

Lessons
❏ (Almost) no one really understands IAM

View Slide

Lessons
❏ (Almost) no one really understands IAM
❏ <5% of the actual engineering involved cryptography

View Slide

Take away

View Slide

Take away
❏ Engage professional cryptographers early in design

View Slide

Take away
❏ Homomorphic encryption will not save us

View Slide

Take away
❏ Developer ease of use > technical properties

View Slide

Take away
❏ Make technical choices easier

View Slide

Take away
❏ Make technical choices easier
❏ Solving the 95% use case > offering impractical choices

View Slide

It takes a village
Andrew Asya Bernie Clyde Craig
Dave Davi Divjot Dmitri Emily
Esha Jeff Jesse Julie Kaitlin
Kevin Mark Matt Nathan Naomi
Nick Oz Ravind Rachael Samantha
Sara Shreyas Spencer Vincent

View Slide

Special thanks
Kenny Paterson, ETH Zurich
Seny Kamara, Brown/Aroki
Tarik Moataz, Brown/Aroki
Jean-Philippe Aumasson, Teserakt

View Slide

Thank you!
Kenneth White
@kennwhite

View Slide

View Slide

Bringing usable crypto to 7 million developers

Bringing usable crypto to 7 million developers

Kenn White

More Decks by Kenn White

Other Decks in Technology

Featured

Transcript