Slide 1

Data encryption for Ruby web applications
Dmytro Shapovalov, Infrastructure Engineer @ Cossack Labs

Slide 2

Who are we?
• UK-based data security products and services company
• Building security tools to prevent sensitive data leakage and to comply with data security regulations
• Cryptographic tools, security consulting, training
• We are cryptographers, system engineers, applied engineers, infrastructure engineers
• We support the community, speak, teach, open source a lot

Slide 3

What we are going to talk about
• The data breaches problem
• Approaches to the protection of sensitive data
• What we can and cannot protect with encryption
• Integrating encryption into a Rails application

Slide 4

What does humanity have to protect information?
Strong enough block crypto algorithms (Rijndael (AES), Twofish, Serpent) + tons of structured information

Slide 5

Data breaches continue rising: 2018
• Facebook: 87 Million
• Under Armour: 150 Million
• Saks Fifth Avenue: 5 Million
• SingHealth: 1.5 Million
• British Airways: 0.38 Million
• Ticketfly: 26 Million
• Marriott: 500 Million
• Quora: 100 Million
• Instagram: plaintext passwords in the URL? Really?

Slide 6

So what should we do?
1. Classify and specify the data that we want to protect
2. Classify and analyze risks
3. Determine threats
4. Choose techniques and tools
5. Integrate into the application

Slide 7

Data classification and risks (all data: user data, service data)
• Biographical information
• Looks, appearance and behaviour
• Private and subjective
• Workplace, education
• Health, sickness and genetics
• Accounts, passwords
• Certificates
• Keys, tokens

Slide 8

Data classification and risks (all data: user data, service data)
• Compliance risk
• Legal risk
• Reputational risk
• Quality risk

Slide 9

Types of data breaches
• Hacking: 49%
• Disclosure: 22%
• Unknown: 15%
• Physical loss: 12%
• Insider: 1%
Source: https://www.privacyrights.org/data-breaches

Slide 10

OWASP Top 10 security risks 2017
• Security Misconfiguration
• Cross-Site Scripting (XSS)
• Insecure Deserialization
• Using Components with Known Vulnerabilities
• Insufficient Logging & Monitoring
• Injection
• Broken Authentication
• Sensitive Data Exposure
• XML External Entities (XXE)
• Broken Access Control
https://www.owasp.org/index.php/Top_10-2017_Top_10

Slide 11

Typical web application: Frontend → Backend → DB

Slide 12

Typical web application: Frontend → Backend → DB
Attacks along the way: reflection attacks, XSS, MITM, SQL injections, code injections, execution flow attacks, crypto-miners everywhere

Slide 13

Ways to decrease risks
• Administrative
• Technical: infrastructure, application

Slide 14

Decrease risks in the application
• Authentication & authorization (including the API), principle of least privilege
• Filter input data, escape output
• Implement weak-password checks
• Use less complex data formats
• Compartmentalization: classify data and apply controls
• Use strict DB queries
• Security by default
• Use secure connections
• Log everything
• Hash passwords and encrypt sensitive data

Slide 15

Protection of passwords
Yes, plaintext passwords are a little insecure.
• DO NOT operate with plaintext passwords
• Use one-way hash functions whenever possible

Slide 16

Password hashes
• MD5, SHA-1: pre-image attack, collision attack
• SHA-256, SHA-512: lookup tables attack (https://dusted.codes/sha-256-is-not-a-secure-password-hashing-algorithm)
• Argon2, PBKDF2, bcrypt, scrypt
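The two slides above say "don't hash passwords with a fast digest" without showing why. The following is an added example, not code from the talk or from Cossack Labs: it contrasts an unsalted SHA-256 digest (identical passwords give identical digests, so one precomputed lookup table cracks every user who chose a common password) with PBKDF2-HMAC-SHA256 from Ruby's standard OpenSSL binding, salted per user and deliberately slow. The iteration count, salt length and the `scheme$iterations$salt$hash` record format are this example's own choices, not a standard the slide prescribes.

```ruby
require 'openssl'
require 'securerandom'
require 'digest'

# Added example, not from the talk: fast unsalted digest vs. salted, slow KDF.
# Parameters below are this example's choices; tune iterations to your hardware.
ITERATIONS = 100_000
SALT_BYTES = 16
KEY_BYTES  = 32

# Naive approach: one deterministic digest per password. Two users with the
# same password get the same digest, and a lookup table over common passwords
# (the attack the slide names) recovers them all at once.
def naive_digest(password)
  Digest::SHA256.hexdigest(password)
end

# Proper approach: random per-user salt plus PBKDF2-HMAC-SHA256.
# The stored record carries scheme, iterations, salt and derived key, so the
# work factor can be raised later without breaking existing records.
def hash_password(password, salt: SecureRandom.random_bytes(SALT_BYTES), iterations: ITERATIONS)
  derived = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                     length: KEY_BYTES, hash: 'sha256')
  ['pbkdf2-sha256', iterations, [salt].pack('m0'), [derived].pack('m0')].join('$')
end

# Constant-time byte comparison so a mismatch does not leak its position.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Re-derive with the stored salt and iteration count, then compare.
def verify_password(password, stored)
  scheme, iterations, salt_b64, derived_b64 = stored.split('$')
  return false unless scheme == 'pbkdf2-sha256' && iterations && salt_b64 && derived_b64
  salt     = salt_b64.unpack1('m0')
  expected = derived_b64.unpack1('m0')
  actual   = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: Integer(iterations),
                                      length: expected.bytesize, hash: 'sha256')
  secure_compare(expected, actual)
rescue ArgumentError
  false
end
```

Run it with two accounts sharing a password: `naive_digest` returns the same string twice, while `hash_password` returns two different records that both verify. The `scheme` prefix is what lets a migration loop re-hash old records on next login when the work factor is raised.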

Slide 17

Data encryption implementation
Expectations:
• Choose algorithm
Reality:
• Design architecture
• Choose abstraction level
• Choose algorithm
• Choose algorithm parameters
• Choose library
• Design key management

Slide 18

Encryption integration: complexity vs. abstraction level (chart)

Slide 19

Encryption integration: complexity vs. abstraction level (chart; points: Cipher, Library, Suite)

Slide 20

Encryption integration: complexity vs. abstraction level (chart; points: Cipher, Library, Suite; labels: Cryptographers, Developers)

Slide 21

Why does security fail?
• 17%: weak algorithms
• 83%: implementation mistakes
Source: https://pdos.csail.mit.edu/papers/cryptobugs:apsys14.pdf

Slide 22

Common data security mistakes
• "TLS is enough"
• Poor cryptographic design
• Using database storage encryption only
• Insecure key management model
• Poor authentication

Slide 23


Slide 24

Quick review
Algorithms:
• AES-256-GCM
Libraries:
• bcrypt-ruby
• rbnacl
• rubythemis
Suites:
• Acra
• axolotl
• hermes
• ssh
• truecrypt
• vault
• ZeroKit
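AES-256-GCM appears on the slide as a single name; what a developer actually has to get right is everything around it. The block below is an added example, not code from the talk or from any of the listed libraries or suites: field-level encryption with Ruby's standard `OpenSSL::Cipher` binding, with a fresh 96-bit nonce per message, associated data that binds the ciphertext to the row it belongs to, and tag verification that rejects tampered or misplaced ciphertext. The `nonce || ciphertext || tag` storage layout and the function names are this example's own.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not from the talk: AES-256-GCM field encryption with Ruby's
# OpenSSL binding. Layout of the stored blob: nonce || ciphertext || tag.
NONCE_BYTES = 12   # 96-bit nonce, the recommended size for GCM
TAG_BYTES   = 16   # full 128-bit authentication tag

# 32-byte key for AES-256. In production it comes from a keystore/KMS,
# never from the same database the ciphertext lives in.
def generate_key
  SecureRandom.random_bytes(32)
end

# Encrypts one field. `aad` (e.g. "table.column:row_id") is authenticated but
# not encrypted, so a ciphertext copied into another row fails to decrypt.
def encrypt_field(key, plaintext, aad)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  cipher.key = key
  nonce = SecureRandom.random_bytes(NONCE_BYTES)   # never reuse a nonce under the same key
  cipher.iv = nonce
  cipher.auth_data = aad
  ciphertext = plaintext.empty? ? '' : cipher.update(plaintext)
  ciphertext += cipher.final
  nonce + ciphertext + cipher.auth_tag(TAG_BYTES)
end

# Returns the plaintext, or nil when the blob is too short, was modified,
# was encrypted under a different key, or carries a different AAD.
def decrypt_field(key, blob, aad)
  return nil if blob.bytesize < NONCE_BYTES + TAG_BYTES
  nonce      = blob.byteslice(0, NONCE_BYTES)
  tag        = blob.byteslice(blob.bytesize - TAG_BYTES, TAG_BYTES)
  ciphertext = blob.byteslice(NONCE_BYTES, blob.bytesize - NONCE_BYTES - TAG_BYTES)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = key
  cipher.iv = nonce
  cipher.auth_tag = tag          # must be set before final
  cipher.auth_data = aad         # must be set before update
  plaintext = ciphertext.empty? ? '' : cipher.update(ciphertext)
  plaintext + cipher.final       # raises CipherError if the tag does not verify
rescue OpenSSL::Cipher::CipherError
  nil
end
```

Two properties worth checking by hand: encrypting the same value twice yields different blobs (fresh nonce), and flipping a single ciphertext byte or changing the AAD makes `decrypt_field` return nil rather than garbage. The second is what distinguishes an authenticated mode from plain AES-CBC, and it is why the slide lists GCM rather than a bare block cipher.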

Slide 25

What should the implementation of data encryption look like?

Slide 26

Architecture: balancing usability and security

Slide 27

Minimize attack surface area!

Slide 28

Architecture: components & transport
Frontend → Backend → DB

Slide 29

Architecture: components & transport
Frontend → Backend → Decryption proxy → DB

Slide 30

Architecture: components & transport
Frontend → Backend → Decryption proxy → DB
• Input path: encrypt (Backend) → noop (Decryption proxy) → save (DB)
• Output path: read (DB) → decrypt (Decryption proxy) → process (Backend)

Slide 31

Architecture: components & transport
Frontend → Backend → Decryption proxy → DB
• Input path: encrypt (Backend) → noop (Decryption proxy) → save (DB)
• Output path: read (DB) → decrypt (Decryption proxy) → process (Backend)
• TLS between Backend and Decryption proxy, and between Decryption proxy and DB

Slide 32

Architecture: keys
Frontend → Backend → Decryption proxy → DB
• Backend holds the public key
• Decryption proxy holds the private key
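Slides 29 through 32 describe the architecture as a diagram. The block below is an added example, not code from the talk and not Acra's implementation: a toy in-process model of that diagram in which the backend holds only the public key and encrypts sensitive columns before they leave the application, the proxy passes writes through unchanged (the "noop" on the input path) and decrypts on reads with the private key, and the database only ever sees ciphertext. RSA-OAEP on the field value itself keeps the model short (a real suite wraps a symmetric key instead, and a 2048-bit OAEP key caps the plaintext at roughly 190 bytes); all class and method names are this example's own.

```ruby
require 'openssl'

# Added example, not from the talk or from Acra: in-process model of
# Frontend -> Backend (public key) -> Decryption proxy (private key) -> DB.
OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Marker so the proxy can tell which values need decryption on the read path.
EncryptedField = Struct.new(:blob)

# Stand-in for the database: stores exactly what it is given.
class FakeDB
  def initialize
    @rows = {}
  end

  def insert(id, row)
    @rows[id] = row
  end

  def select(id)
    @rows[id]
  end

  # What someone with raw DB access (dump, stolen backup, SQL injection) sees.
  def dump
    @rows
  end
end

# Sits between backend and DB. The only component holding the private key.
class DecryptionProxy
  def initialize(db, private_key)
    @db = db
    @private_key = private_key
  end

  # Input path: noop, the already-encrypted row goes straight to the DB.
  def insert(id, row)
    @db.insert(id, row)
  end

  # Output path: decrypt each encrypted field before it reaches the backend.
  def select(id)
    row = @db.select(id)
    return nil if row.nil?
    row.transform_values { |v| v.is_a?(EncryptedField) ? decrypt(v) : v }
  end

  private

  def decrypt(field)
    @private_key.private_decrypt(field.blob, OAEP)
  end
end

# The application side. Knows which columns are sensitive; has no private key.
class Backend
  SENSITIVE_COLUMNS = %w[email card].freeze

  def initialize(proxy, public_key)
    @proxy = proxy
    @public_key = public_key
  end

  # input -> encrypt -> save
  def save(id, row)
    protected_row = row.to_h do |column, value|
      value = EncryptedField.new(@public_key.public_encrypt(value, OAEP)) if SENSITIVE_COLUMNS.include?(column)
      [column, value]
    end
    @proxy.insert(id, protected_row)
  end

  # read -> decrypt (in the proxy) -> process
  def load(id)
    @proxy.select(id)
  end
end

# Wires the components so that only the proxy ever receives the private key.
# Returns the backend and the raw DB so callers can compare both views.
def build_stack(bits = 2048)
  private_key = OpenSSL::PKey::RSA.new(bits)
  db = FakeDB.new
  proxy = DecryptionProxy.new(db, private_key)
  backend = Backend.new(proxy, private_key.public_key)
  [backend, db]
end
```

The point to observe is the asymmetry of the two views: `backend.load` returns the row as the application wrote it, while `db.dump` shows the same row with `email` and `card` as opaque blobs and `name` in the clear, which is exactly the compartmentalization the talk's slide 14 asks for. Compromising the backend alone yields a public key, which encrypts but cannot decrypt what is already stored.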

Slide 33

Integration: Acra
• Acra
• Acra Engineering Demo
• rubygems.org project
Example based on:
https://github.com/rubygems/rubygems
https://github.com/cossacklabs/acra-engineering-demo
https://github.com/cossacklabs/acra

Slide 34

Integration
Frontend → Backend + AcraWriter → AcraServer → DB

Slide 35

Integration
1. Add gem

Slide 36

Integration
2. Modify models

Slide 37

Integration
3. Modify secrets

Slide 38

Integration
4. Change DB host to AcraServer
5. Convert DB columns to binary

Slide 39

Integration
4. Change DB host to AcraServer
5. Convert DB columns to binary
Done!

Slide 40

Integration of cryptography should be simple!

Slide 41

OWASP Top 10 security risks 2017
• Security Misconfiguration
• Cross-Site Scripting (XSS)
• Insecure Deserialization
• Using Components with Known Vulnerabilities
• Insufficient Logging & Monitoring
• Injection
• Broken Authentication
• Sensitive Data Exposure
• XML External Entities (XXE)
• Broken Access Control
https://www.owasp.org/index.php/Top_10-2017_Top_10

Slide 42

Acra Engineering Demo

Slide 43

Acra Engineering Demo
https://github.com/cossacklabs/acra-engineering-demo
Try it!

Slide 44

Links
• OWASP (Open Web Application Security Project): https://www.owasp.org
• Acra: https://github.com/cossacklabs/acra
• Acra Engineering Demo: https://github.com/cossacklabs/acra-engineering-demo
• Privacy Rights Clearinghouse: https://www.privacyrights.org
• MITRE ATT&CK Matrix: https://attack.mitre.org/

Slide 45

Dmytro Shapovalov, Infrastructure Engineer @ Cossack Labs
Thank you!
shadinua / shad.in.ua