Slide 1

Behind Closed Doors: Managing Passwords in a Dangerous World (Noah Kantrowitz)

Slide 2

Me • Chef-y dude • @kantrn / coderanger • Bloomberg FOSS

Slide 3

Secrets

Slide 4

Definition • Small • Radioactive • Required

Slide 5

Secrets • Passwords • Tokens • Keys • Other

Slide 6

Passwords • Computer to computer • 1 to ~1024 bytes • "Internal" or human-y

Slide 7

Tokens • "External" or API • Like passwords

Slide 8

Keys • Whole files • Bigger, chunkier

Slide 9

Other • Kerberos tickets • PCI log files • HIPAA records

Slide 10

Temperature

Slide 11

Hot / Online • Autonomous access • Used a lot • Humans need not apply

Slide 12

Cold / Offline • Used rarely • Humans required

Slide 13

Spectrum

Slide 14

Speed

Slide 15

Slow • "Static" • Change is "big" • Less safe

Slide 16

Fast • Changes constantly • Automatic rotation • More safe

Slide 17

Properties of a Secrets Management System

Slide 18

“Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job.” – Jerome Saltzer, Communications of the ACM

Slide 19

Properties • Least privilege • Audit trail

Slide 20

Let's do it!

Slide 21

$ echo "P@s5wd" > secret.txt
$ git commit -a -m "yolo!"
$ git push origin master
To [email protected]:me/myapp.git
   f35a8c0..c2f0adf  master -> master

Slide 22

Attack Surfaces

Slide 23

Surfaces • Brute force • Code leak • Backup leak • Traversal • Code exec • Root exec • Laptop theft • Higher power

Slide 24

Brute Force • Always be wary • Rate-limit, restrict, rotate • Make it impossible
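
The "rate-limit, restrict" half of this slide, as an added example (not code from the talk): a constant-time secret comparison wrapped in a per-principal sliding-window limiter that locks the principal out after repeated failures. The class and function names, the limits, and the attempt sequence in `simulate()` are all constructed for the illustration.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque


def token_digest(token: str) -> bytes:
    """Store and compare a digest of the secret, never the raw value."""
    return hashlib.sha256(token.encode()).digest()


def verify_token(presented: str, expected_digest: bytes) -> bool:
    # compare_digest runs in time independent of where the inputs differ,
    # closing the timing side channel a plain == comparison would have.
    return hmac.compare_digest(token_digest(presented), expected_digest)


class AttemptLimiter:
    """Sliding-window limiter (assumed design): at most `max_failures` failed
    attempts per principal within `window` seconds; on reaching that count the
    principal is locked out for `lockout` seconds and further attempts are
    refused before the secret is even checked."""

    def __init__(self, max_failures=5, window=60.0, lockout=300.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._failures = defaultdict(deque)  # principal -> timestamps of recent failures
        self._locked_until = {}              # principal -> time the lockout ends

    def _prune(self, principal, now):
        q = self._failures[principal]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, principal) -> bool:
        until = self._locked_until.get(principal)
        return until is not None and self.clock() < until

    def attempt(self, principal, presented, expected_digest) -> str:
        """Returns 'ok', 'denied' (wrong secret) or 'locked' (limit reached)."""
        now = self.clock()
        if self.is_locked(principal):
            return "locked"
        if verify_token(presented, expected_digest):
            self._failures[principal].clear()
            return "ok"
        self._prune(principal, now)
        self._failures[principal].append(now)
        if len(self._failures[principal]) >= self.max_failures:
            self._locked_until[principal] = now + self.lockout
            self._failures[principal].clear()
            return "locked"
        return "denied"


def simulate():
    """Constructed scenario: three wrong guesses against one account, then the
    legitimate secret arrives while the lockout is still active, then again
    after it has expired."""
    t = [1000.0]
    clock = lambda: t[0]
    limiter = AttemptLimiter(max_failures=3, window=60, lockout=300, clock=clock)
    expected = token_digest("correct horse battery staple")
    results = []
    for guess in ("password", "123456", "letmein"):
        results.append(limiter.attempt("alice", guess, expected))
        t[0] += 1
    results.append(limiter.attempt("alice", "correct horse battery staple", expected))
    t[0] += 301  # lockout has expired
    results.append(limiter.attempt("alice", "correct horse battery staple", expected))
    return results
```

Note the fourth result: while locked, even the correct secret is refused. That is the trade-off behind "make it impossible": a limiter this strict turns a credential-guessing attack into a denial of service on the account, which is why the lockout window and the alerting that goes with it (the audit trail of slide 19) have to be chosen together.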

Slide 25

Code Leak • Read-only access • No data • "GitHub oops"

Slide 26

Backup Leak • Still read-only • With database, et al

Slide 27

Traversal • /show?n=about • /show?n=../../passwd • /search?q=;select…
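
The defensive counterpart to the two inputs on this slide, as an added example (not code from the talk): `resolve_under()` confines a user-supplied page name to one directory so `../../passwd` is rejected, and `search_titles()` is the parameterised query shown next to the string-built form it replaces. Function names, the table and the sample rows are constructed.

```python
import os
import sqlite3
import tempfile


def resolve_under(base_dir: str, name: str) -> str:
    """Absolute path of `name` inside `base_dir`; raises ValueError when the
    resolved path escapes the directory (.. segments, absolute names, or a
    symlink that points outside)."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # commonpath() is the real test; a plain string-prefix check would accept
    # /srv/pages2 as being inside /srv/pages.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"refusing path outside {base!r}: {name!r}")
    return candidate


def search_titles_unsafe(conn, q):
    # Vulnerable form: the query text is spliced into the SQL, so quote
    # characters in `q` change the statement instead of being searched for.
    sql = "SELECT title FROM pages WHERE title LIKE '%" + q + "%' ORDER BY title"
    return [row[0] for row in conn.execute(sql)]


def search_titles(conn, q):
    # Hardened form: `q` travels as a bound parameter and can only ever be data.
    sql = "SELECT title FROM pages WHERE title LIKE ? ORDER BY title"
    return [row[0] for row in conn.execute(sql, ("%" + q + "%",))]


def demo():
    """Runs both checks on constructed data and returns what each saw."""
    with tempfile.TemporaryDirectory() as d:
        pages = os.path.join(d, "pages")
        os.mkdir(pages)
        open(os.path.join(pages, "about.html"), "w").close()
        ok = resolve_under(pages, "about.html") == os.path.realpath(
            os.path.join(pages, "about.html"))
        try:
            resolve_under(pages, "../../passwd")
            escaped = True
        except ValueError:
            escaped = False

    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?)",
                     [("about",), ("contact",), ("secret plans",)])
    probe = "x' OR 1=1 OR '"           # the kind of input the slide's /search?q= shows
    hardened = search_titles(conn, probe)         # [] : the quote is just data
    unsafe = search_titles_unsafe(conn, probe)    # every row: the quote closed the literal
    return ok, escaped, hardened, unsafe
```

`resolve_under()` resolves symlinks before comparing, so a link inside the directory that points at `/etc` is caught as well as a literal `..`; a check done on the unresolved string would miss it.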

Slide 28

An Aside • Environment variables • Logged, inherited, etc • Unsafe at any speed
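
What "logged, inherited" means in practice, as an added example (not code from the talk): a child process started with the default environment sees the parent's secret, while a scrubbed copy does not; and a `logging.Filter` that redacts known secret values before a message reaches any handler. The variable name `DB_PASSWORD`, the scrub patterns and the sample value are constructed.

```python
import io
import logging
import os
import subprocess
import sys

# Child program that simply reports whether it can see the variable.
CHILD = "import os; print(os.environ.get('DB_PASSWORD', '<unset>'))"


def child_sees(env):
    """Spawn an unrelated Python child with `env` and return what it saw."""
    proc = subprocess.run([sys.executable, "-c", CHILD], env=env,
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def scrubbed(env, sensitive=("PASSWORD", "SECRET", "TOKEN")):
    """Copy of `env` without any variable whose name looks like a secret
    (assumed naming convention)."""
    return {k: v for k, v in env.items()
            if not any(s in k.upper() for s in sensitive)}


def demo():
    env = dict(os.environ)
    env["DB_PASSWORD"] = "P@s5wd"           # constructed secret
    inherited = child_sees(env)             # 'P@s5wd': every child gets it
    clean = child_sees(scrubbed(env))       # '<unset>'
    return inherited, clean


class RedactSecrets(logging.Filter):
    """Replace known secret values in the rendered message. Attached to a
    handler so it runs before any formatter or output."""

    def __init__(self, secret_values):
        super().__init__()
        self.secret_values = [s for s in secret_values if s]

    def filter(self, record):
        msg = record.getMessage()
        for s in self.secret_values:
            msg = msg.replace(s, "***")
        record.msg, record.args = msg, ()
        return True


def log_line_with_redaction(secret):
    """Log a message that would normally dump the environment; return the
    line that actually reached the handler."""
    buf = io.StringIO()
    logger = logging.getLogger("env-aside-demo")
    logger.propagate = False
    logger.handlers.clear()
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactSecrets([secret]))
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    logger.info("connecting with env %s", {"DB_PASSWORD": secret})
    return buf.getvalue().strip()
```

The scrub list is a blunt instrument: it only helps for children you spawn yourself, and nothing stops a crash reporter or a debug page from dumping `os.environ` wholesale, which is the slide's point about environment variables being "unsafe at any speed".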

Slide 29

Code Exec • Beyond app security • Infrastructure hygiene • Service users

Slide 30

Root Exec "Abandon all hope, you who enter here" (Lasciate ogne speranza, voi ch'intrate)

Slide 31

Laptop Theft • Use disk encryption • Rotate everything

Slide 32

Higher Power • Government • Advanced threat • Natural disaster

Slide 33

Cryptography

Slide 34

Symmetry • Symmetric vs asymmetric • Shared key vs pairs • Public key not secret

Slide 35

Secret Symmetric Admin Server

Slide 36

Secret Symmetric Admin Server Key

Slide 37

Secret Encrypted Blob Symmetric Admin Server Key

Slide 38

Secret Encrypted Blob Symmetric Admin Server Key Key

Slide 39

Encrypted Blob Secret Encrypted Blob Symmetric Admin Server Key Key

Slide 40

Encrypted Blob Secret Encrypted Blob Secret Symmetric Admin Server Key Key

Slide 41

Secret Asymmetric Admin Server

Slide 42

Secret Asymmetric Admin Server Key Pair

Slide 43

Secret Asymmetric Admin Server Public Key Key Pair

Slide 44

Secret Encrypted Blob Asymmetric Admin Server Public Key Key Pair

Slide 45

Encrypted Blob Secret Encrypted Blob Asymmetric Admin Server Public Key Key Pair

Slide 46

Encrypted Blob Secret Secret Encrypted Blob Asymmetric Admin Server Public Key Key Pair

Slide 47

Mode • Pre-encryption • Symmetric key distribution • Asymmetric key identity • Trusted third party

Slide 48

Symmetric Pre Admin Servers Store

Slide 49

Symmetric Pre Admin Servers Store

Slide 50

Symmetric Pre Admin Servers Store

Slide 51

Symmetric Pre Admin Servers Store

Slide 52

Symmetric Pre Admin Servers Store

Slide 53

Symmetric Pre Admin Servers Store
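
The symmetric flow of slides 35-40 and the symmetric pre-encryption layout of slides 48-53, as an added example (not code from the talk): the admin holds a key, turns the secret into a blob, the blob passes through a store that never sees the key, and a server holding the same key verifies and decrypts it. To stay on the standard library the cipher is a stand-in (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag); a real deployment uses a vetted AEAD such as the AES-256-GCM the Chef encrypted-bags slide names. Every name here is constructed.

```python
import hashlib
import hmac
import os

KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key):
    # Separate encryption and authentication keys derived from the one shared key.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    # PRF-in-counter-mode keystream; safe only because the nonce is never reused.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    """Admin side. Blob layout: nonce || ciphertext || tag."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Server side. The tag is checked before any decryption happens, so a
    modified or foreign blob is rejected rather than producing garbage."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


class Store:
    """The untrusted middle (git, S3, a data bag): holds blobs, never keys."""

    def __init__(self):
        self.blobs = {}

    def put(self, name, blob):
        self.blobs[name] = blob

    def get(self, name):
        return self.blobs[name]


def roundtrip():
    key = os.urandom(KEY_LEN)       # generated by the admin, copied to every server
    store = Store()
    store.put("dbpass", encrypt(key, b"P@s5wd"))     # admin
    recovered = decrypt(key, store.get("dbpass"))    # server
    damaged = bytearray(store.get("dbpass"))
    damaged[NONCE_LEN] ^= 0x01                       # one flipped ciphertext bit in transit
    try:
        decrypt(key, bytes(damaged))
        tampered_accepted = True
    except ValueError:
        tampered_accepted = False
    return recovered, tampered_accepted


def wrong_key_rejected():
    blob = encrypt(os.urandom(KEY_LEN), b"P@s5wd")
    try:
        decrypt(os.urandom(KEY_LEN), blob)
        return False
    except ValueError:
        return True
```

The property to notice in the "Pre" layout is that `key` is identical on every server: any one compromised host can decrypt every blob in the store, and rotating means re-encrypting everything and redistributing the key, which is the "slow / static" end of the speed slide. The asymmetric layout of slides 54-60 exists to shrink that blast radius by encrypting each secret to each server's own public key.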

Slide 54

Asymmetric Pre Admin Servers Store A B C

Slide 55

A B Asymmetric Pre Admin Servers Store A B C

Slide 56

A B Asymmetric Pre Admin Servers Store A B A B C

Slide 57

A B Asymmetric Pre Admin Servers Store A B A B A B C

Slide 58

A B A B Asymmetric Pre Admin Servers Store A B A B A B C

Slide 59

A B A B B A Asymmetric Pre Admin Servers Store A B A B A B C

Slide 60

A B A B B A Asymmetric Pre Admin Servers Store A B A B A B C

Slide 61

Trusted Third Party Admin TTP Servers A B C D

Slide 62

Trusted Third Party B C Admin TTP Servers A B C D

Slide 63

Trusted Third Party B C Admin TTP Servers A B C D
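
The trusted-third-party mode of slides 47 and 61-63, as an added example (not code from the talk) that also carries the two properties slide 19 asks of a secrets system: least privilege (an identity may read only the paths its policy names) and an audit trail (every request, allowed or denied, is recorded). Identities are plain bearer tokens to keep the example short; the class, the paths, the identity `web-1` and the sample values are constructed.

```python
import hashlib
import secrets
import time


class SecretService:
    """In-memory stand-in for a TTP service: the admin writes secrets and
    registers identities with policies; servers authenticate and read."""

    def __init__(self, clock=time.time):
        self._secrets = {}        # path -> value
        self._policies = {}       # identity -> set of readable paths
        self._token_digests = {}  # sha256(token) -> identity; raw tokens are never stored
        self.audit = []           # append-only: (ts, who, action, target, result)
        self._clock = clock

    # --- admin side ---------------------------------------------------------
    def put_secret(self, path, value):
        self._secrets[path] = value
        self._log("admin", "write", path, "ok")

    def register(self, identity, allowed_paths):
        """Create an identity bound to a policy; returns its bearer token once."""
        token = secrets.token_urlsafe(32)
        self._token_digests[hashlib.sha256(token.encode()).digest()] = identity
        self._policies[identity] = set(allowed_paths)
        self._log("admin", "register", identity, "ok")
        return token

    # --- server side --------------------------------------------------------
    def read(self, token, path):
        identity = self._token_digests.get(hashlib.sha256(token.encode()).digest())
        if identity is None:
            self._log("?", "read", path, "denied: bad token")
            raise PermissionError("authentication failed")
        if path not in self._policies.get(identity, ()):
            self._log(identity, "read", path, "denied: policy")
            raise PermissionError(f"{identity} may not read {path}")
        if path not in self._secrets:
            self._log(identity, "read", path, "denied: no such secret")
            raise KeyError(path)
        self._log(identity, "read", path, "ok")
        return self._secrets[path]

    def _log(self, who, action, target, result):
        self.audit.append((self._clock(), who, action, target, result))


def scenario():
    """Admin loads two secrets; web-1 is allowed one of them. Returns what each
    read produced and the audit trail without timestamps."""
    svc = SecretService(clock=lambda: 0.0)
    svc.put_secret("secret/db", "db-password")
    svc.put_secret("secret/api", "api-token")
    token = svc.register("web-1", ["secret/db"])

    outcomes = {"db": svc.read(token, "secret/db")}
    try:
        svc.read(token, "secret/api")
        outcomes["api"] = "leaked"
    except PermissionError:
        outcomes["api"] = "denied"
    try:
        svc.read("not-a-real-token", "secret/db")
        outcomes["bad-token"] = "leaked"
    except PermissionError:
        outcomes["bad-token"] = "denied"
    trail = [(who, action, target, result) for _, who, action, target, result in svc.audit]
    return outcomes, trail
```

Two things the toy already shows about the TTP shape: the store holds the token's digest, so a leaked copy of the service's state does not hand out working credentials, and the denied reads land in the trail with a reason, which is what a detection pipeline keys on. What it does not solve is the hard problem of slide 85: how `web-1` proves it is `web-1` to get its token in the first place.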

Slide 64

Tools

Slide 65

Text Files • git add … • scp … • Interns

Slide 66

git-crypt • Git file filter • Symmetric or asymmetric • Footgun

Slide 67

Cluster Managers • ZooKeeper, Consul, Etcd • ACLs or bust • Here be dragons

Slide 68

Chef Encrypted Bags • Symmetric, AES-256-GCM • Server vs git • Turtles all the way down

Slide 69

Ansible Vault • AES-256-CTR + SHA-256 • Still turtles

Slide 70

Hiera Eyaml • PKCS7 (or GPG) • Trusted Third Party

Slide 71

Chef Vault • RSA(encrypted bags) • Asymmetric pre-encrypt • Kind of still turtle-y

Slide 72

Hashicorp Vault • TTP service • New bar for fast secrets • Modular design

Slide 73

Keywhiz • TTP • TLS keys, files • Battle tested

Slide 74

Private S3 • IAM roles • Complex policy • Easy to get started

Slide 75

Amazon KMS • Kool-aid-tastic • Key escrow • Hosted encrypt/decrypt

Slide 76

Sneaker • KMS + S3 • Still kool

Slide 77

Confidant • KMS + DynamoDB • Web-based • Versioned w/ history

Slide 78

Trousseau • Asymmetric pre-encrypt • GPG + modular storage • S3, GPG, GitHub

Slide 79

Sops • KMS or GPG • Manual storage

Slide 80

Red October • Cold secrets • N of M storage

Slide 81

Barbican Pining for the fjords

Slide 82

Conjur • And other closed source • Trust but verify

Slide 83

HSMs • TPMs, otherwise $$$ • Dedicated hardware • Bugs not unheard of

Slide 84

The Hard Problem

Slide 85

Identity • Who are you? • Who am I? • Why are we in this hand basket?

Slide 86

Pure Identity • TLS client certificates • MySQL, Postgres • Internal APIs

Slide 87

Integration

Slide 88

API Clients • Vault: HVAC, vault-rails • KMS: botocore, aws-sdk

Slide 89

HVAC

# local_settings.py
import hvac

# With no explicit token, hvac picks one up from the VAULT_TOKEN environment variable.
c = hvac.Client(url='https://vaultserver:8200')

DATABASES = {
    'default': {
        # Other settings ...
        # read() returns the whole API response; the stored fields sit under 'data'.
        # Assumes the secret was written with a 'value' field.
        'PASSWORD': c.read('secret/dbpass')['data']['value'],
    }
}

Slide 90

Config Management • Templates/commands • hiera-vault • Ruby/Python APIs

Slide 91

Chef

# recipes/myapp.rb
execute 'sneaker unpack ...'

template 'local_settings.py' do
  # Other properties ...
  variables pw: citadel['pw']
end

Slide 92

KeywhizFS • FUSE filesystem • Direct key usage • In-memory

Slide 93

Consul Templates • Standalone daemon • Sync Vault data to files • CM → Templates → files

Slide 94

envconsul • Vault data in $ENV • Beware of logging

Slide 95

Summon • Secrets in $ENV • Modular providers • S3, Keyring, Conjur

Slide 96

In Summary • Check your privilege and audit trail • Pick types and temperatures • Think about attack surfaces • Have a disaster plan

Slide 97

Thank You

Slide 98

Questions? @kantrn coderanger.net