KEYS FROM THE CASTLE ANCIENT ART OF MANAGING KEYS AND TRUST @vixentael #appbuilders17

WE ALL FAIL IN BUILDING SECURE MOBILE APPS

@vixentael Lead Developer at stanfy.com Core Contributor at themis/ cossacklabs.com Feel free to reach me with any mobile security questions. I do check my inbox :)

THE PLAN what is trust? key management 101 goals and processes key management on iOS #appbuilders17 @vixentael mr. Box

LET’S TALK ABOUT ESTABLISHING TRUST

ESTABLISHING TRUST is ensuring you and remote party share some identifiable secret #appbuilders17 @vixentael

ESTABLISHING TRUST #appbuilders17 @vixentael USING MATH! is ensuring you and remote party share some identifiable secret

servers mobile data in transit via public channels WHERE IT HAPPENS? #appbuilders17 @vixentael trust

#appbuilders17 @vixentael OUR INFRASTRUCTURE IS FULL OF KEYS AND DATA, ALL THAT IN CABLES. (transatlantic cable is transferring data, aka boxes)

WHAT DO WE NEED TRUST FOR? TO PROTECT THE DATA! confidentiality authenticity integrity #appbuilders17 @vixentael

HOW DOES IT WORK? #appbuilders17 @vixentael

HOW DOES IT WORK? confidentiality authenticity integrity #appbuilders17 @vixentael

#appbuilders17 @vixentael KEYS ARE WHAT WE TRUST

KEY MANAGEMENT FOR MOBILE DEVS

secret key (symmetric ciphers) public/private keys (asymmetric ciphers, PGP & SSL) password
 KDF(pass) = good one-time pin WHAT IS A KEY? – ARRAY OF BYTES #appbuilders17 @vixentael

KEYS APP TOKENS USER PASSWORDS PUBLIC CERTS #appbuilders17 @vixentael let appId = "VK1TTYC4TV" let poolId = "us-east-1:r0s3s4r3-r3d-13375p34k" var userPass = "F4C38D"

WE USE KEYS TO PROTECT THE DATA #appbuilders17 @vixentael

THE DATA? User’s data Access to external resources Identifiable data of other people #appbuilders17 @vixentael

THREATS TO THE DATA #appbuilders17 @vixentael

KEYS ARE SMALL CHUNKS OF DATA #appbuilders17 @vixentael

#appbuilders17 @vixentael THREATS TO THE KEYS

‣ stolen ‣ replayed ‣ replaced PROTECT KEYS TOO! — KEYS CAN BE: #appbuilders17 @vixentael

“TRUST AND SECURITY ARE PRESERVED, YET SYSTEM IS USABLE”

MAKING USABLE SYSTEM generation exchange storage access rotation revocation service #appbuilders17 @vixentael

KEY GENERATION #appbuilders17 @vixentael RND Secret Generation Key or Keypair good math where user inputs a secret or where it’s safe to store WHEN/WHERE?

KEY PAIR #appbuilders17 @vixentael let keyGeneratorEC: TSKeyGen = TSKeyGen(algorithm: .EC) let privateKeyEC: Data = keyGeneratorEC.privateKey let publicKeyEC: Data = keyGeneratorEC.publicKey https://github.com/cossacklabs/themis

KDF #appbuilders17 @vixentael let password: Array = Array("s33krit".utf8) let salt: Array = Array("nacllcan".utf8) try PKCS5.PBKDF2(password: password, salt: salt, iterations: 4096, variant: .sha256).calculate() https://github.com/krzyzanowskim/CryptoSwift

KEY EXCHANGE #appbuilders17 @vixentael — exchanging unique secret between parties to ensure authenticity and, sometimes, confidentiality.

KEY EXCHANGE #appbuilders17 @vixentael {“passw”:“123456”} passw: “123456” Alice-the-App Bob-the-Server insecure channel

KEY EXCHANGE 5720b3c2 fe674f54 73e10ad4 ... HTTPS SSL pinning ephemeral keys

KEY STORAGE #appbuilders17 @vixentael Never store the keys with the data they protect. Protect keys in a key vault.

KEY ACCESS #appbuilders17 @vixentael Make sure they are easy to access legitimately. Ensure that any secret key is protected from unauthorized access.

KEY ROTATION #appbuilders17 @vixentael Define a key lifecycle.

KEY ROTATION #appbuilders17 @vixentael Limit quantity of data encrypted with one key. Define a key lifecycle.

KEY ROTATION #appbuilders17 @vixentael Limit quantity of data encrypted with one key. Define a key lifecycle. Build support for changing algorithms and keys when needed.

KEY REVOCATION #appbuilders17 @vixentael Make sure that compromised or outdated keys don’t work.

SERVICE #appbuilders17 @vixentael BACKUPS ADMIN ACCESS KEY LINKING

KEY MANAGEMENT IN IOS

ESTABLISHING TRUST #appbuilders17 @vixentael 1. On-channel exchange: SSL pinning / SSL pre-keying https://developer.apple.com/reference/foundation/ urlsessiondelegate/1409308-urlsession func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) { }

ESTABLISHING TRUST #appbuilders17 @vixentael 2. Mediated exchange / Public key infrastructure keybase.io

ESTABLISHING TRUST #appbuilders17 @vixentael 3. Trusted channel exchange

VERIFYING TRUST let pathToCert = Bundle.main.path(forResource: "pathtomycert", ofType: "cer") let localCertificate:NSData = NSData(contentsOfFile: pathToCert!)! let serverTrustPolicy = ServerTrustPolicy.pinCertificates( certificates: [SecCertificateCreateWithData(nil, localCertificate)!], validateCertificateChain: true, validateHost: true ) let serverTrustPolicies = [ "myserver.com": serverTrustPolicy ] let alamofireManager = Alamofire.SessionManager( configuration: URLSessionConfiguration.default, serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies) ) https://github.com/Alamofire/Alamofire#server-trust-policy-manager https://www.owasp.org/index.php/Pinning_Cheat_Sheet

STORING TRUST #appbuilders17 @vixentael

TRY NOT TO STORE KEYS

TRY NOT TO STORE KEYS BUT IF YOU DO, BE BOLD!

STORING TRUST (KEYS) #appbuilders17 @vixentael USER DEFINED APP DEFINED Keychain Encrypted KDF Obfuscated Encrypted Calculated

OBFUSCATE #appbuilders17 @vixentael ‣ Store keys as HEX ‣ Replace chars ‣ Rename .cert to .mp3 ‣ Combine from separate pieces

OBFUSCATE #appbuilders17 @vixentael ‣ Store keys as HEX ‣ Replace chars ‣ Rename .cert to .mp3 ‣ Combine from separate pieces ORING BORING BORING BORING BORING BORING BO

STORE ENCRYPTED #appbuilders17 @vixentael 1. Encrypt keys during development 2. Store encrypted keys 3. Decrypt before using

USE NICE TOOLS #appbuilders17 @vixentael SCIENTIFIC BACKGROUND TRUST BIG GUYS GOOD TRACK RECORD https://github.com/RNCryptor/RNCryptor https://github.com/cossacklabs/themis https://github.com/krzyzanowskim/CryptoSwift CommonCrypto wrappers Ports of popular libs Keychain wrappers https://www.cossacklabs.com/choose-your-ios-crypto.html

FAKE KEYS #appbuilders17 @vixentael Poison keys, marker keys let key = “0XD34DB33F" Analyze logs to find marker keys Block those users/apps

HONEYPOT #appbuilders17 @vixentael Put fake keys in obvious places: ‣ plist ‣ static strings ‣ fake certs

No content

KEYPOINTS #appbuilders17 @vixentael 1. Keys to data are data too; you should protect them. 2. Separate keys from the data; don’t keep everything in one basket. 3. Protecting keys is a system of typical actions and goals.

ACCESS TRUST TO EVERY COMPONENT CAREFULLY; BUILD TOOLS TO MANAGE IT.

LINKS1 Cryptographic Storage Cheat Sheet https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet Key Management Cheat Sheet https://www.owasp.org/index.php/Key_Management_Cheat_Sheet Managing Keys, Certificates, and Passwords https://developer.apple.com/library/content/documentation/Security/ Conceptual/cryptoservices/KeyManagementAPIs/KeyManagementAPIs.html

LINKS2 https://speakerdeck.com/vixentael/

Lead Developer at stanfy.com Core Contributor at themis/ cossacklabs.com Feel free to reach me with any mobile security questions. I do check my inbox :) @vixentael