Upgrade to Pro — share decks privately, control downloads, hide ads and more …

2016 - Noah Kantrowitz - Behind Closed Doors

PyBay
August 20, 2016
Programming
0
63

2016 - Noah Kantrowitz - Behind Closed Doors

Description
A modern application has a lot of passwords and keys floating around. Encryption keys, database passwords, and API credentials; often typed in to text files and forgotten. Fortunately a new wave of tools are emerging to help manage, update, and audit these secrets. Come learn how to avoid being the next TechCrunch headline.

Abstract
Secrets come in many forms, passwords, keys, tokens. All crucial for the operation of an application, but each dangerous in its own way. In the past, many of us have pasted those secrets in to a text file and moved on, but in a world of config automation and ephemeral microservices these patterns are leaving our data at greater risk than ever before.

New tools, products, and libraries are being released all the time to try to cope with this massive rise in threats, both new and old-but-ignored. This talk will cover the major types of secrets in a normal web application, how to model their security properties, what tools are best for each situation, and how to use them with major Python frameworks.

Bio
Noah Kantrowitz is a web developer turned infrastructure automation enthusiast, and all around engineering rabble-rouser. By day he builds tools and teaches, and by night he works with the Python Software Foundation infrastructure team. He is an active member of the Chef community, and enjoys merge commits, cat pictures, and beards.

https://youtu.be/xZiekP_70EA

PyBay

August 20, 2016
Tweet

More Decks by PyBay

See All by PyBay
2017 - The Packaging Gradient
pybay
2
740
2017 - Building Bridges: Stopping Python 2 without damages
pybay
0
530
2017 - Bringing Python 3 to LinkedIn
pybay
1
470
2017 - Python Debugging with PUDB
pybay
0
480
2017 - Opening up to Open Source
pybay
0
170
2017 - A Gentle Introduction to Text Classification with Deep Learning
pybay
2
140
2017 - Performant Asynchronous Programming at Quora
pybay
1
280
2017 - latus - a Personal Cloud Storage App written in Python
pybay
2
410
2017 - Everything You Ever Wanted to Know About Web Authentication in Python
pybay
3
410

Other Decks in Programming

See All in Programming
検証も兼ねて個人開発でHonoとかと向き合った話
hanetsuki
1
1.3k
Anthropic Cookbook のおすすめレシピ
schroneko
7
1.1k
Deep Dive into React Stream/Serialize
mugi_uno
3
660
PHP8.3の機能を振り返る / Review of PHP 8.3 features
seike460
PRO
1
120
GraphQLサーバの構成要素を整理する #ハッカー鮨 #tsukijigraphql / graphql server technology selection
izumin5210
4
900
Hanami and htmx
bkuhlmann
0
220
Kotlin Multiplatform at Stable and Beyond (Android Makers 2024)
zsmb
0
470
サイコロで理解する統計的仮説検定の考え方
tatamiya
4
1k
Going beyond Apache Parquet's default settings
xhochy
0
130
Fast JSX: Don't clone props object #28768
yossydev
1
180
大規模Reactアプリのリアーキテクチャ~8万行のTanStack Query移行の軌跡~
kj455
4
1k
Domain-Driven Transformation
hschwentner
2
1.5k

Featured

See All Featured
The Pragmatic Product Professional
lauravandoore
26
5.8k
Faster Mobile Websites
deanohume
300
30k
Designing Experiences People Love
moore
136
23k
Optimising Largest Contentful Paint
csswizardry
12
2.4k
Gamification - CAS2011
davidbonilla
77
4.6k
Documentation Writing (for coders)
carmenintech
60
4k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
65
14k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
275
13k
Fireside Chat
paigeccino
22
2.6k
Web Components: a chance to create the future
zenorocha
306
41k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
21
6.4k
The Illustrated Children's Guide to Kubernetes
chrisshort
32
46k

Transcript

  1. Noah Kantrowitz Behind Closed Doors Managing Passwords in a Dangerous

    World

  2. Me • Chef-y dude • @kantrn / coderanger • Bloomberg

    FOSS

  3. Secrets

  4. Definition • Small • Radioactive • Required

  5. Secrets • Passwords • Tokens
 • Keys • Other

  6. Passwords • Computer to computer • 1 to ~1024 bytes

    • "Internal" or human-y

  7. Tokens • "External" or API • Like passwords

  8. Keys • Whole files • Bigger, chunkier

  9. Other • Kerberos tickets • PCI log files • HIPAA

    records

  10. Temperature

  11. Hot / Online • Autonomous access • Used a lot

    • Humans need not apply

  12. Cold / Offline • Used rarely • Humans required

  13. Spectrum

  14. Speed

  15. Slow • "Static" • Change is "big" • Less safe

  16. Fast • Changes constantly • Automatic rotation • More safe

  17. Properties of a Secrets Management System

  18. – Jerome Saltzer, Communications of the ACM “Every program and every

    privileged user of the system should operate using the least amount of privilege necessary to complete the job.”

  19. Properties • Least privilege • Audit trail

  20. Let's do it!

  21. $ echo "P@s5wd" > secret.txt $ git commit -a -m

    "yolo!" $ git push origin master To [email protected]:me/myapp.git f35a8c0..c2f0adf master -> master

  22. Attack Surfaces

  23. Surfaces • Brute force • Code leak • Backup leak

    • Traversal
 • Code exec • Root exec • Laptop theft • Higher power

  24. Brute Force • Always be wary • Rate-limit, restrict, rotate

    • Make it impossible

  25. Code Leak • Read-only access • No data • "GitHub

    oops"

  26. Backup Leak • Still read-only • With database, et al

  27. Traversal • /show?n=about • /show?n=../../passwd • /search?q=;select…

  28. An Aside • Environment variables • Logged, inherited, etc •

    Unsafe at any speed

  29. Code Exec • Beyond app security • Infrastructure hygiene •

    Service users

  30. Root Exec Lasciate ogne speranza,
 voi ch'intrate

  31. Laptop Theft • Use disk encryption • Rotate everything

  32. Higher Power • Government • Advanced threat • Natural disaster

  33. Cryptography

  34. Symmetry • Symmetric vs asymmetric • Shared key vs pairs

    • Public key not secret

  35. Secret Symmetric Admin Server

  36. Secret Symmetric Admin Server Key

  37. Secret Encrypted Blob Symmetric Admin Server Key

  38. Secret Encrypted Blob Symmetric Admin Server Key Key

  39. Encrypted Blob Secret Encrypted Blob Symmetric Admin Server Key Key

  40. Encrypted Blob Secret Encrypted Blob Secret Symmetric Admin Server Key

    Key

  41. Secret Asymmetric Admin Server

  42. Secret Asymmetric Admin Server Key Pair

  43. Secret Asymmetric Admin Server Public Key Key Pair

  44. Secret Encrypted Blob Asymmetric Admin Server Public Key Key Pair

  45. Encrypted Blob Secret Encrypted Blob Asymmetric Admin Server Public Key

    Key Pair

  46. Encrypted Blob Secret Secret Encrypted Blob Asymmetric Admin Server Public

    Key Key Pair

  47. Mode • Pre-encryption • Symmetric key distribution • Asymmetric key

    identity • Trusted third party

  48. Symmetric Pre Admin Servers Store

  49. Symmetric Pre Admin Servers Store

  50. Symmetric Pre Admin Servers Store

  51. Symmetric Pre Admin Servers Store

  52. Symmetric Pre Admin Servers Store

  53. Symmetric Pre Admin Servers Store

  54. Asymmetric Pre Admin Servers Store A B C

  55. A B Asymmetric Pre Admin Servers Store A B C

  56. A B Asymmetric Pre Admin Servers Store A B A

    B C

  57. A B Asymmetric Pre Admin Servers Store A B A

    B A B C

  58. A B A B Asymmetric Pre Admin Servers Store A

    B A B A B C

  59. A B A B B A Asymmetric Pre Admin Servers

    Store A B A B A B C

  60. A B A B B A Asymmetric Pre Admin Servers

    Store A B A B A B C

  61. Trusted Third Party Admin TTP Servers A B C D

  62. Trusted Third Party B C Admin TTP Servers A B

    C D

  63. Trusted Third Party B C Admin TTP Servers A B

    C D

  64. Tools

  65. Text Files • git add … • scp … •

    Interns

  66. git-crypt • Git file filter • Symmetric or asymmetric •

    Footgun

  67. Cluster Managers • ZooKeeper, Consul, Etcd • ACLs or bust

    • Here be dragons

  68. Chef Encrypted Bags • Symmetric, AES-256-GCM • Server vs git

    • Turtles all the way down

  69. Ansible Vault • AES-256-CTR + SHA-256 • Still turtles

  70. Hiera Eyaml • PKCS7 (or GPG) • Trusted Third Party

  71. Chef Vault • RSA(encrypted bags) • Asymmetric pre-encrypt • Kind

    of still turtle-y

  72. Hashicorp Vault • TTP service • New bar for fast

    secrets • Modular design

  73. Keywhiz • TTP • TLS keys, files • Battle tested

  74. Private S3 • IAM roles • Complex policy • Easy

    to get started

  75. Amazon KMS • Kool-aid-tastic • Key escrow • Hosted encrypt/decrypt

  76. Sneaker • KMS + S3 • Still kool

  77. Confidant • KMS + DynamoDB • Web-based • Versioned w/

    history

  78. Trousseau • Asymmetric pre-encrypt • GPG + modular storage •

    S3, GPG, GitHub

  79. Sops • KMS or GPG • Manual storage

  80. Red October • Cold secrets • N of M storage

  81. Barbican Pining for the fjords

  82. Conjur • And other closed source • Trust but verify

  83. HSMs • TPMs otherwise $ $ $ • Dedicated hardware

    • Bugs not unheard of

  84. The Hard Problem

  85. Identity • Who are you? • Who am I? •

    Why are we in this
 hand basket?

  86. Pure Identity • TLS client certificates • MySQL, Postgres •

    Internal APIs

  87. Integration

  88. API Clients • Vault: HVAC, vault-rails • KMS: botocore, aws-sdk

  89. HVAC # local_settings.py import hvac c = hvac.Client( url='https://vaultserver:8200') DATABASES

    = { 'default': { # Other settings ... 'PASSWORD': c.read('secret/dbpass') } }

  90. Config Management • Templates/commands • hiera-vault • Ruby/Python APIs

  91. Chef # recipes/myapp.rb execute 'sneaker unpack ...' template 'local_settings.py' do

    # Other properties ... variables pw: citadel['pw'] end

  92. KeywhizFS • FUSE filesystem • Direct key usage • In-memory

  93. Consul Templates • Standalone daemon • Sync Vault data to

    files • CM → Templates → files

  94. envconsul • Vault data in $ENV • Beware of logging

  95. Summon • Secrets in $ENV • Modular providers • S3,

    Keyring, Conjur

  96. In Summary • Check your privilege and audit trail •

    Pick types and temperatures • Think about attack surfaces • Have a disaster plan

  97. Thank You

  98. Questions? @kantrn coderanger.net