e2ee ≠ security ≠ privacy @vixentael

@vixentael head of customer solutions, security software engineer OSS maintainer: Themis, Acra focused on applied crypto and building e2ee protocols

cossacklabs.com/products Data security tools & solutions @vixentael We make software to get data security right – from open-source and proprietary cryptographic tools to custom solutions and consulting.

We help with e2ee in apps blog.bear.app cossacklabs.com/blog/ @vixentael appspector.com userbase.com

Lots of misunderstanding about security, privacy and encryption @vixentael

@vixentael

@vixentael Using “end-to-end encryption” doesn’t mean that ALL your data is encrypted end-to-end AND local data is encrypted AND e2ee is enabled by default AND backups are encrypted AND cipher is modern

@vixentael Using “end-to-end encryption” doesn’t mean that ALL your data is encrypted end-to-end AND local data is encrypted AND e2ee is enabled by default meta-data, attachments some ppl call TLS — E2EE :) data at rest enc is separate opt-in vs opt-out AND backups are encrypted also separate also apps can collect phone numbers, location, IPs, device info, etc AND cipher is modern xor, base64, AES CBC

twitter.com/mikebutcher/status/1347105722035822593 @vixentael All these apps use e2ee

securemessagingapps.com @vixentael docs.google.com/spreadsheets/d/1I_qS5Oy1lRpd6FEw-4AqrFxq- FLN-m6bJPJf2drdwRY/htmlview#gid=0

@vixentael What data we collect, how we link it to the user, who has access to collected info, do we give access to gov, where servers are located. See GDPR/CCPA. Privacy & trust How we protect collected data, access, apps, dbs, servers, backups. See OWASP ASVS/MASVS/SAMM. AppSec, DataSec, InfraSec. Security Some data is e2ee’d from user to same/another user, servers don’t have access to keys/secrets/plaintext. E2EE

@vixentael Privacy Security E2EE Any combinations possible

Now, let’s talk about encryption from data-flow perspective @vixentael

input, generation, local storage processing storage logs, analytics Encryption depends on a dataflow web frontend storage mobile frontend web admin backups payment service orders processing analytics i i o i p s s p @vixentael

@vixentael Encryption data stored encrypted locally – data-at-rest encryption; also FS/OS encryption, TDE. host / server host / server transport layer encryption – data-in-transit encryption (TLS, IPSec, SSH). host / server

@vixentael Application-level encryption (ALE) data encrypted by app – application-level encryption (ALE) app ALE happens on client side – client-side encryption client ALE happens on server side – server-side encryption server proxy … proxy-side encryption

@vixentael server 1 server 2 server 3 TLS (in transit) server 1 server 2 server 3 Alice app 2 Bob application-level encryption Alice app 2 Bob

@vixentael E2EE, FLE only some data fields are encrypted – field-level encryption (FLE) Alice client-side encryption when no keys/ secrets/data is available to servers – end-to-end encryption Bob

@vixentael Transparent encryption Data is encrypted in a database, but apps don’t know about this – Transparent Database Encryption (TDE) Data is encrypted on a proxy, but apps/dbs don’t know about this – Transparent Proxy-side Encryption proxy app app

@vixentael Obviously, because TLS and ALE have totally different threat models.

@vixentael encryption controls / events transit (TLS) disk / FS TDE / DB encryption ALE E2EE physical access to servers ⛔ ✅ ✅ ✅ ✅ MitM ✅ ⛔ ⛔ ✅ ✅ privileged DB access ⛔ ⛔ ⛔ ✅ ✅ privileged system access ⛔ ⛔ ⛔ Depends ✅ backups, logs, snapshots ⛔ ⛔ Few ✅ ✅ infoq.com/articles/ale-software-architects/

@vixentael if E2EE is so great, why we don’t use it everywhere? TLS FS/OS encr, TDE custom data- at-rest encr ALE E2EE security efforts, tradeoffs

@vixentael if E2EE is so great, why we don’t use it everywhere? TLS FS/OS encr, TDE custom data- at-rest encr ALE E2EE security efforts, tradeoffs key storage, key rotation, key revocation, data re-encryption, consistency, backups, tying keys w/ identity, search in encrypted data, logging monitoring, and all the NIST SP 800-53,

@vixentael Also, using “end-to-end encryption” doesn’t mean that ALL your data is encrypted end-to-end AND local data is encrypted AND e2ee is enabled by default meta-data, attachments some ppl call TLS — E2EE :) data at rest enc is separate opt-in vs opt-out AND backups are encrypted also separate also apps can collect phone numbers, location, IPs, device info, etc AND cipher is modern xor, base64, AES CBC

More complicated schemes @vixentael

app @vixentael Client-side field-level encryption (CSFLE) docs.mongodb.com/drivers/security/client-side-field-level- encryption-guide app code MongoDB SDK MongoDB stores records with encrypted fields encryption / decryption key vault TLS writes records with encrypted fields reads records with encrypted fields TLS

app / server @vixentael Proxy-side transparent field-level encryption github.com/cossacklabs/acra database key vault stores records with encrypted fields writes records with encrypted fields reads records with encrypted fields Acra proxy encryption / decryption TLS TLS TLS

That’s all folks @vixentael

@vixentael speakerdeck.com/veorq/hunting-for-vulnerabilities-in-signal Hunting for vulnerabilities in Signal, 2017, by @veorq and @marver infoq.com/articles/ale-software-architects/ Application Level Encryption for Software Architects, by @9gunpi buttondown.email/cryptography-dispatches/archive/ cryptography-dispatches-the-most-backdoor-looking/ ‘xor nonce’ bug in Telegram protocol, by @FiloSottile

@vixentael github.com/vixentael/my-talks