Slide 1

Slide 1 text

10 lines of encryption, 1500 lines of key management @vixentael

Slide 2

Slide 2 text

@vixentael
product engineer in security and cryptography
OSS maintainer: Themis, Acra
cryptographic tools, security engineering, datasec training

Slide 3

Slide 3 text

cossacklabs.com
Data security solutions
We help you focus on serving your customers better, while relieving your team from security engineering pains and making your users confident that their data is safe with you.

Slide 4

Slide 4 text

zero knowledge searchable encryption: cossacklabs.com/acra/
e2ee data collaboration: cossacklabs.com/hermes/
zero knowledge authentication: github.com/cossacklabs/themis/wiki/Secure-Comparator-cryptosystem
cossacklabs.com/whitepapers/

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

USABLE

Slide 7

Slide 7 text

Data encryption without compromising UX

Slide 8

Slide 8 text

1. Three principles of security engineering (decision making in security, boring crypto, defense in depth)
2. E2EE for Bear.app: data model & key management
3. Defense in depth security controls
4. Cat

Slide 9

Slide 9 text

@vixentael

Slide 10

Slide 10 text

GDPR
Article 32/35: responsibly store and process data according to risks
Article 33/34: detect data leakage and alert users & controller
https://gdpr-info.eu/

Slide 11

Slide 11 text

https://gdpr-info.eu/ Article 32

Slide 12

Slide 12 text

US Department of Defense

Slide 13

Slide 13 text

US Department of Defense
https://media.defense.gov/2018/Apr/22/2001906836/-1/-1/0/DEFENSEINNOVATIONBOARD_TEN_COMMANDMENTS_OF_SOFTWARE_2018.04.20.PDF

Slide 14

Slide 14 text

Apple privacy policy update https://developer.apple.com/news/?id=06032019j

Slide 15

Slide 15 text

Google https://support.google.com/cloud/answer/9110914

Slide 16

Slide 16 text

Decision making in security 101

Slide 17

Slide 17 text

Decision making in security 101
1. “just because we can”
2. every app should have security features
3. understanding risks & threats

Slide 18

Slide 18 text

Decision making in security 101
1. “just because we can”
2. every app should have security features
3. understanding risks & threats
✅

Slide 19

Slide 19 text

app flow app features code user problem

Slide 20

Slide 20 text

risk & threat model security methods security controls libraries/code app flow app features code user problem

Slide 21

Slide 21 text

risk model & threat model create demands for security

Slide 22

Slide 22 text

Data & risks
User data: PII; likes, preferences; purchase history; locations
Service data: logs; keys, accesses, API tokens; backups; configurations

Slide 23

Slide 23 text

Data & risks compliance risks legal risks reputational risks continuity risks User data Service data reputational risks
medium.com/@cossacklabs/trick-or-threat-security-losses-for-business-f5b44243d89c

Slide 24

Slide 24 text

Boring crypto

Slide 25

Slide 25 text

269 CVEs from 2011-2014
17%: bugs inside crypto libs
83%: misuses of crypto libs by individual apps
https://pdos.csail.mit.edu/papers/cryptobugs:apsys14.pdf

Slide 26

Slide 26 text

Boring crypto: crypto that simply works, solidly resists attacks, never needs any upgrades
Daniel J. Bernstein
https://cr.yp.to/talks/2015.10.05/slides-djb-20151005-a4.pdf

Slide 27

Slide 27 text

encryption integration abstraction level complexity

Slide 28

Slide 28 text

encryption integration abstraction level complexity
cipher, crypto-library, crypto-system, boxed solution
pain

Slide 29

Slide 29 text

easy to make mistakes

Slide 30

Slide 30 text

easy to make mistakes
should be random
should use KDF(key)
uses AES CBC, not AES GCM
padding?
salt?

Slide 31

Slide 31 text

Themis: hard to make mistakes
github.com/cossacklabs/themis

Slide 32

Slide 32 text

Themis: hard to make mistakes
hides cryptographic details: salt, IV, KDF, padding
built-in KDF, safe to use passphrase
uses AES-256-GCM
github.com/cossacklabs/themis

Slide 33

Slide 33 text

see full talk about Boring crypto
https://github.com/vixentael/my-talks#dont-waste-time-on-learning-cryptography-better-use-it-properly

Slide 34

Slide 34 text

Defense in depth

Slide 35

Slide 35 text

@vixentael

Slide 36

Slide 36 text

Defense in depth – independent, yet interconnected, set of security controls aimed at mitigating multiple risks during the whole application flow

Slide 37

Slide 37 text

Overlapped security controls
1. Encryption to protect data globally (during the whole data flow / app lifecycle).
2. Whatever is the attack vector, there is a defense layer.
3. For most popular attack vectors, we want as many independent defenses as possible.

Slide 38

Slide 38 text

encryption & key mngmt, AAA, WAF, honey pots, IDS, infra mngmt, compartmentalization, authenticated crypto & integrity checks, access logging, jailbans, monitoring, data firewall, SIEM, HIDS, DAST, SAST, KMS, HSM, PKI, TPM, honey tokens, RTFM, dep mngmt, UEBA, IAM, TLS, TDE, AEAD

Slide 39

Slide 39 text

Lines of defense

Slide 40

Slide 40 text

@vixentael

Slide 41

Slide 41 text

10 lines of encryption, 1500 lines of key management

Slide 42

Slide 42 text

10 lines of encryption, 1500 lines of key management 60 3000

Slide 43

Slide 43 text

bear.app

Slide 44

Slide 44 text

End-to-end encryption in Bear
blog.bear.app/
cossacklabs.com/blog/

Slide 45

Slide 45 text

Bear e2ee for notes
• smooth UX
• not finance/banking app
• syncing between all user’s devices
• privacy
• incident response
• next versions: Web/Electron

Slide 46

Slide 46 text

Results
1. fast & smooth
2. notes are encrypted using unique keys (per app per user)
3. user passphrase is never stored in plaintext
4. data in Keychain is encrypted
5. notes & passphrases are synced between devices

Slide 47

Slide 47 text

UX is important – we made the security scheme more complex from an engineering perspective, but less stressful for users.

Slide 48

Slide 48 text

note encryption & note locking

Slide 49

Slide 49 text

app locking

Slide 50

Slide 50 text

note encryption != note locking != app locking

Slide 51

Slide 51 text

note encryption (encryption) != note locking (authentication) != app locking (authentication)

Slide 52

Slide 52 text

Data model
note text: plaintext
user passphrase: user input
note encryption key: unique per note

Slide 53

Slide 53 text

Threats (columns: Access / Disclosure / Modification / Access denial)
note text: Moderate / Critical / Critical / High
user passphrase: Moderate / Critical / Critical / Critical
note encryption key: Moderate / Low / Low / Moderate

Slide 54

Slide 54 text

Trust model
Device filesystem: Medium
Device process memory: High
Device keychain & secure enclave: High
Transport, iCloud database: Medium
iCloud Keychain: Medium

Slide 55

Slide 55 text

Breaking Keychain (macOS keychain; iOS13 beta keychain):
youtube.com/watch?v=EUGDa0Z71uk
youtube.com/watch?v=sR6KeCaCRMA
github.com/LinusHenze/Keysteal
https://thetapedrive.com/face-id-fail-ios-13

Slide 56

Slide 56 text

We have more trust towards the data stored on the device than the data stored in a cloud

Slide 57

Slide 57 text

Key model

Slide 58

Slide 58 text

Key model
from user mind or password mngr
cached for some time
calculated before usage
Keychain, Secure Enclave

Slide 59

Slide 59 text

Multiple caches to minimize user distractions
user, Keychain, SecureEnclave, iCloudKeychain, in memory cache, temp var, password manager

Slide 60

Slide 60 text

App encryption key
Key stretching: KDF, deterministic

long_data = user_passphrase + gen_passphrase_pwd + gen_app_context
app_encryption_key = SecureCellContextImprint(data: long_data, context: generated_app_context, key: user_passphrase)

github.com/cossacklabs/themis

Slide 61

Slide 61 text

App encryption key, note encryption key
Key stretching: KDF, deterministic

long_data = user_passphrase + gen_passphrase_pwd + gen_app_context
app_encryption_key = SecureCellContextImprint(data: long_data, context: generated_app_context, key: user_passphrase)

long_data = app_encryption_key + gen_passphrase_pwd + gen_app_context
note_encryption_key = SecureCellContextImprint(data: long_data, context: note_encryption_id, key: app_encryption_key)

github.com/cossacklabs/themis
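
The two-level key hierarchy from the slides above, as an added example that is not the talk's or Bear's code: PBKDF2 and HKDF from the Python standard library stand in for Themis Secure Cell Context Imprint, and the passphrase, app context and note ids are constructed sample values.

```python
import hashlib
import hmac

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869): extract a PRK, then expand it bound to `info`."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_app_key(user_passphrase: str, app_context: bytes,
                   iterations: int = 200_000) -> bytes:
    """Level 1: stretch the passphrase. Deterministic, so every device that
    knows the passphrase and the synced app context gets the same key."""
    return hashlib.pbkdf2_hmac("sha256", user_passphrase.encode("utf-8"),
                               app_context, iterations, dklen=32)

def derive_note_key(app_key: bytes, app_context: bytes,
                    note_encryption_id: bytes) -> bytes:
    """Level 2: one key per note, bound to that note's id."""
    return hkdf_sha256(app_key, salt=app_context,
                       info=b"note-key:" + note_encryption_id)

def demo() -> dict:
    # Constructed sample values, not taken from the talk.
    app_context = bytes.fromhex("a1" * 16)
    note_a, note_b = b"note-0001", b"note-0002"

    phone = derive_app_key("correct horse battery", app_context)
    laptop = derive_app_key("correct horse battery", app_context)
    wrong = derive_app_key("correct horse batterx", app_context)

    return {
        "devices_agree": hmac.compare_digest(
            derive_note_key(phone, app_context, note_a),
            derive_note_key(laptop, app_context, note_a)),
        "notes_differ": derive_note_key(phone, app_context, note_a)
                        != derive_note_key(phone, app_context, note_b),
        "wrong_passphrase_differs": derive_note_key(wrong, app_context, note_a)
                        != derive_note_key(phone, app_context, note_a),
        "key_bits": len(derive_note_key(phone, app_context, note_a)) * 8,
    }

if __name__ == "__main__":
    print(demo())
```

Because nothing random enters the derivation, no note key has to be stored or synced: only the passphrase (in the user's head or password manager) and the non-secret contexts are needed to recompute it.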

Slide 62

Slide 62 text

Notes encryption
AES-256-GCM, random IV/nonce, non-deterministic

encrypted_note = SecureCellSeal(data: note_text, context: note_encryption_id, key: note_encryption_key)
decrypted_note = SecureCellSeal(data: encrypted_note, context: note_encryption_id, key: note_encryption_key)

github.com/cossacklabs/themis

Slide 63

Slide 63 text

Overlapped security controls
1. Encryption to protect data globally (during the whole data flow / app lifecycle).
2. Whatever is the attack vector, there is a defense layer.
3. For most popular attack vectors, we want as many independent defenses as possible.
✅

Slide 64

Slide 64 text

notes protection (e2ee)

Slide 65

Slide 65 text

passphrase encryption, hint encryption, zeroing secrets, TLS / certificate pinning, auto-locking timer, failed attempts counter, encrypted user settings, notes protection (e2ee), obfuscation, anti-RE & anti-debugging, continuous improvements, prepare for incidents
cossacklabs.com/blog/end-to-end-encryption-in-bear-app.html

Slide 66

Slide 66 text

passphrase encryption, hint encryption, zeroing secrets, TLS / certificate pinning, auto-locking timer, failed attempts counter, encrypted user settings, obfuscation, anti-RE & anti-debugging, continuous improvements, notes protection (e2ee), prepare for incidents
cossacklabs.com/blog/end-to-end-encryption-in-bear-app.html

Slide 67

Slide 67 text

Passphrase encryption
AES-256-GCM, random IV/nonce, non-deterministic

encrypted_passphrase = SecureCellSeal(data: user_passphrase, context: nil, key: generated_passphrase_key)
decrypted_passphrase = SecureCellSeal(data: encrypted_passphrase, context: nil, key: generated_passphrase_key)

remember about breaking keychain

Slide 68

Slide 68 text

Hint encryption

Slide 69

Slide 69 text

Hint encryption
AES-256-GCM, random IV/nonce, non-deterministic

encrypted_hint = SecureCellSeal(data: hint, context: nil, key: generated_hint_key)
decrypted_hint = SecureCellSeal(data: encrypted_hint, context: nil, key: generated_hint_key)

Slide 70

Slide 70 text

Compatibility & incident response

Slide 71

Slide 71 text

Auto-locking timer
clean up caches and decrypted data after T seconds

let unlockDate = Date()
...
// wall-clock interval; negative once unlockDate is in the past
let unlockedInterval = unlockDate.timeIntervalSinceNow

Slide 72

Slide 72 text

Auto-locking timer
clean up caches and decrypted data after T seconds

let unlockDate = Date()
...
// wall-clock interval; negative once unlockDate is in the past
let unlockedInterval = unlockDate.timeIntervalSinceNow

timezones

Slide 73

Slide 73 text

Auto-locking timer
monotonic
https://twitter.com/wilshipley/status/1130973433120952321
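
Why the auto-locking timer should read a monotonic clock, as an added example that is not code from the talk or from Bear: the same lock is replayed against a wall clock that gets set back and against an uptime counter. The `AutoLock` and `FakeClocks` classes and all values are constructed for the illustration.

```python
import time

class AutoLock:
    """Drops cached secrets once `timeout` seconds have passed since unlock."""

    def __init__(self, timeout: float, clock=time.monotonic):
        self.timeout = timeout
        self.clock = clock            # injectable so a clock change can be replayed
        self.unlocked_at = None
        self.cache = {}

    def unlock(self, secrets: dict) -> None:
        self.cache = dict(secrets)
        self.unlocked_at = self.clock()

    def lock(self) -> None:
        self.cache.clear()            # clean up caches and decrypted data
        self.unlocked_at = None

    def is_unlocked(self) -> bool:
        if self.unlocked_at is None:
            return False
        if self.clock() - self.unlocked_at >= self.timeout:
            self.lock()
            return False
        return True

class FakeClocks:
    """Constructed clocks: wall time can be reset, uptime only moves forward."""
    def __init__(self):
        self.wall, self.uptime = 1_700_000_000.0, 5_000.0
    def advance(self, seconds: float) -> None:
        self.wall += seconds
        self.uptime += seconds
    def set_wall_back(self, seconds: float) -> None:
        self.wall -= seconds

def replay_clock_rollback(use_monotonic: bool) -> bool:
    """Return True if the session is still unlocked 75 s after unlock (timeout 60 s)."""
    clocks = FakeClocks()
    source = (lambda: clocks.uptime) if use_monotonic else (lambda: clocks.wall)
    session = AutoLock(timeout=60, clock=source)
    session.unlock({"note_encryption_key": b"constructed"})
    clocks.advance(30)
    clocks.set_wall_back(3600)        # wall clock moved back one hour
    clocks.advance(45)
    return session.is_unlocked()

if __name__ == "__main__":
    print("wall clock:", replay_clock_rollback(False))
    print("monotonic :", replay_clock_rollback(True))
```

Monotonic clocks on some platforms stop while the device is asleep, so locking on suspend or backgrounding is still needed alongside the timer.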

Slide 74

Slide 74 text

Failed attempts counter, increasing delays
makes it harder to brute force the passphrase
(diagram labels: t, user_passphrase)
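
A failed attempts counter with increasing delays, as an added example that is not code from the talk or from Bear: the `AttemptThrottle` class, the three free attempts, the doubling schedule and the one-hour cap are assumptions chosen for the illustration.

```python
import time

class AttemptThrottle:
    """Failed attempts counter with exponentially increasing delays.
    State is kept in memory here; persisting it is left out (assumption)."""

    def __init__(self, base_delay=1.0, max_delay=3600.0, free_attempts=3,
                 clock=time.monotonic):
        self.base_delay, self.max_delay = base_delay, max_delay
        self.free_attempts = free_attempts
        self.clock = clock
        self.failures = 0
        self.locked_until = 0.0

    def delay_for(self, failures: int) -> float:
        """Delay imposed after the given number of consecutive failures."""
        if failures <= self.free_attempts:
            return 0.0
        exponent = min(failures - self.free_attempts - 1, 32)  # avoid float overflow
        return min(self.max_delay, self.base_delay * 2 ** exponent)

    def try_unlock(self, candidate: str, verify) -> str:
        now = self.clock()
        if now < self.locked_until:
            return "wait"             # rejected without checking the passphrase
        if verify(candidate):
            self.failures = 0
            return "ok"
        self.failures += 1
        self.locked_until = now + self.delay_for(self.failures)
        return "denied"

    def total_delay(self, guesses: int) -> float:
        """Seconds of enforced waiting an attacker pays for `guesses` wrong tries."""
        return sum(self.delay_for(n) for n in range(1, guesses + 1))

if __name__ == "__main__":
    throttle = AttemptThrottle()
    for n in (3, 10, 20):
        print(n, "wrong guesses cost", throttle.total_delay(n), "seconds of waiting")
```

A user who mistypes once or twice never sees a delay, while twenty consecutive wrong guesses already cost more than six hours of waiting.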

Slide 75

Slide 75 text

Key points

Slide 76

Slide 76 text

Overlapped security controls
1. Encryption to protect data globally (during the whole data flow / app lifecycle). ✅
2. Whatever is the attack vector, there is a defense layer. ✅
3. For most popular attack vectors, we want as many independent defenses as possible. ✅

Slide 77

Slide 77 text

passphrase encryption, hint encryption, prepare for incidents, zeroing secrets, TLS / certificate pinning, auto-locking timer, failed attempts counter, encrypted user settings, notes protection (e2ee), obfuscation, anti-RE & anti-debugging, continuous improvements
cossacklabs.com/blog/end-to-end-encryption-in-bear-app.html

Slide 78

Slide 78 text

crypto gets harder if you need usability
1. E2EE for notes, synced between devices – Bear
2. Searchable encryption – Acra
3. E2EE for data collaboration – Hermes

Slide 79

Slide 79 text

OWASP ASVS / MASVS

Slide 80

Slide 80 text

failure of single security control is a question of time
failure of security system is a question of design

Slide 81

Slide 81 text

@vixentael
cryptographic tools, security consulting, training
github.com/vixentael/my-talks