Slide 1

Slide 1 text

e2ee ≠ security ≠ privacy @vixentael

Slide 2

Slide 2 text

@vixentael head of customer solutions, security software engineer OSS maintainer: Themis, Acra focused on applied crypto and building e2ee protocols

Slide 3

Slide 3 text

cossacklabs.com/products Data security tools & solutions @vixentael We make software to get data security right – from open-source and proprietary cryptographic tools to custom solutions and consulting.

Slide 4

Slide 4 text

We help with e2ee in apps blog.bear.app cossacklabs.com/blog/ @vixentael appspector.com userbase.com

Slide 5

Slide 5 text

Lots of misunderstanding about security, privacy and encryption @vixentael

Slide 6

Slide 6 text

@vixentael

Slide 7

Slide 7 text

@vixentael Using “end-to-end encryption” doesn’t mean that ALL your data is encrypted end-to-end AND local data is encrypted AND e2ee is enabled by default AND backups are encrypted AND cipher is modern

Slide 8

Slide 8 text

@vixentael Using “end-to-end encryption” doesn’t mean that ALL your data is encrypted end-to-end AND local data is encrypted AND e2ee is enabled by default meta-data, attachments some ppl call TLS — E2EE :) data at rest enc is separate opt-in vs opt-out AND backups are encrypted also separate also apps can collect phone numbers, location, IPs, device info, etc AND cipher is modern xor, base64, AES CBC

Slide 9

Slide 9 text

twitter.com/mikebutcher/status/1347105722035822593 @vixentael All these apps use e2ee

Slide 10

Slide 10 text

securemessagingapps.com @vixentael docs.google.com/spreadsheets/d/1I_qS5Oy1lRpd6FEw-4AqrFxq- FLN-m6bJPJf2drdwRY/htmlview#gid=0

Slide 11

Slide 11 text

@vixentael What data we collect, how we link it to the user, who has access to collected info, do we give access to gov, where servers are located. See GDPR/CCPA. Privacy & trust How we protect collected data, access, apps, dbs, servers, backups. See OWASP ASVS/MASVS/SAMM. AppSec, DataSec, InfraSec. Security Some data is e2ee’d from user to same/another user, servers don’t have access to keys/secrets/plaintext. E2EE

Slide 12

Slide 12 text

@vixentael Privacy Security E2EE Any combinations possible

Slide 13

Slide 13 text

Now, let’s talk about encryption from data-flow perspective @vixentael

Slide 14

Slide 14 text

input, generation, local storage processing storage logs, analytics Encryption depends on a dataflow web frontend storage mobile frontend web admin backups payment service orders processing analytics i i o i p s s p @vixentael

Slide 15

Slide 15 text

@vixentael Encryption data stored encrypted locally – data-at-rest encryption; also FS/OS encryption, TDE. host / server host / server transport layer encryption – data-in-transit encryption (TLS, IPSec, SSH). host / server

Slide 16

Slide 16 text

@vixentael Application-level encryption (ALE) data encrypted by app – application-level encryption (ALE) app ALE happens on client side – client-side encryption client ALE happens on server side – server-side encryption server proxy … proxy-side encryption

Slide 17

Slide 17 text

@vixentael server 1 server 2 server 3 TLS (in transit) server 1 server 2 server 3 Alice app 2 Bob application-level encryption Alice app 2 Bob

Slide 18

Slide 18 text

@vixentael E2EE, FLE only some data fields are encrypted – field-level encryption (FLE) Alice client-side encryption when no keys/ secrets/data is available to servers – end-to-end encryption Bob

Slide 19

Slide 19 text

@vixentael Transparent encryption Data is encrypted in a database, but apps don’t know about this – Transparent Database Encryption (TDE) Data is encrypted on a proxy, but apps/dbs don’t know about this – Transparent Proxy-side Encryption proxy app app

Slide 20

Slide 20 text

@vixentael Obviously, because TLS and ALE have totally different threat models.

Slide 21

Slide 21 text

@vixentael encryption controls / events transit (TLS) disk / FS TDE / DB encryption ALE E2EE physical access to servers ⛔ ✅ ✅ ✅ ✅ MitM ✅ ⛔ ⛔ ✅ ✅ privileged DB access ⛔ ⛔ ⛔ ✅ ✅ privileged system access ⛔ ⛔ ⛔ Depends ✅ backups, logs, snapshots ⛔ ⛔ Few ✅ ✅ infoq.com/articles/ale-software-architects/

Slide 22

Slide 22 text

@vixentael if E2EE is so great, why we don’t use it everywhere? TLS FS/OS encr, TDE custom data- at-rest encr ALE E2EE security efforts, tradeoffs

Slide 23

Slide 23 text

@vixentael if E2EE is so great, why we don’t use it everywhere? TLS FS/OS encr, TDE custom data- at-rest encr ALE E2EE security efforts, tradeoffs key storage, key rotation, key revocation, data re-encryption, consistency, backups, tying keys w/ identity, search in encrypted data, logging monitoring, and all the NIST SP 800-53,

Slide 24

Slide 24 text

@vixentael Also, using “end-to-end encryption” doesn’t mean that ALL your data is encrypted end-to-end AND local data is encrypted AND e2ee is enabled by default meta-data, attachments some ppl call TLS — E2EE :) data at rest enc is separate opt-in vs opt-out AND backups are encrypted also separate also apps can collect phone numbers, location, IPs, device info, etc AND cipher is modern xor, base64, AES CBC

Slide 25

Slide 25 text

More complicated schemes @vixentael

Slide 26

Slide 26 text

app @vixentael Client-side field-level encryption (CSFLE) docs.mongodb.com/drivers/security/client-side-field-level- encryption-guide app code MongoDB SDK MongoDB stores records with encrypted fields encryption / decryption key vault TLS writes records with encrypted fields reads records with encrypted fields TLS

Slide 27

Slide 27 text

app / server @vixentael Proxy-side transparent field-level encryption github.com/cossacklabs/acra database key vault stores records with encrypted fields writes records with encrypted fields reads records with encrypted fields Acra proxy encryption / decryption TLS TLS TLS

Slide 28

Slide 28 text

That’s all folks @vixentael

Slide 29

Slide 29 text

@vixentael speakerdeck.com/veorq/hunting-for-vulnerabilities-in-signal Hunting for vulnerabilities in Signal, 2017, by @veorq and @marver infoq.com/articles/ale-software-architects/ Application Level Encryption for Software Architects, by @9gunpi buttondown.email/cryptography-dispatches/archive/ cryptography-dispatches-the-most-backdoor-looking/ ‘xor nonce’ bug in Telegram protocol, by @FiloSottile

Slide 30

Slide 30 text

@vixentael github.com/vixentael/my-talks