Data encryption for Ruby web applications

ShaD
December 08, 2018


Building secure applications is not easy, especially when the encryption tools are hard to use and hard to understand. This talk covers the typical data-security problems of web applications and how to implement encryption properly: the cryptographic approaches and the specific tools that keep sensitive data from leaking out of the application or the database.



Transcript

  1. Data encryption for Ruby web applications
     Dmytro Shapovalov, Infrastructure Engineer @ Cossack Labs
  2. Who are we?
     • UK-based data security products and services company
     • Building security tools to prevent sensitive data leakage and to comply with data security regulations
     • Cryptographic tools, security consulting, training
     • We are cryptographers, system engineers, applied engineers, infrastructure engineers
     • We support the community, speak, teach, and open-source a lot
  3. What we are going to talk about
     • The data breach problem
     • Approaches to protecting sensitive data
     • What we can and cannot protect with encryption
     • Integrating encryption into a Rails application
  4. What does humanity have to protect information?
     Strong enough block cipher algorithms (Rijndael/AES, Twofish, Serpent) + tons of structured information to protect
  5. Data breaches continue rising in 2018
     • Facebook: 87 million
     • Under Armour: 150 million
     • Saks Fifth Avenue: 5 million
     • SingHealth: 1.5 million
     • British Airways: 0.38 million
     • Ticketfly: 26 million
     • Marriott: 500 million
     • Quora: 100 million
     • Instagram: plaintext passwords in the URL? Really?
  6. So what should we do?
     1. Classify and specify the data that we want to protect
     2. Classify and analyze risks
     3. Determine threats
     4. Choose techniques and tools
     5. Integrate into the application
  7. Data classification and risks
     All data splits into user data and service data.
     User data:
     • Biographical information
     • Looks, appearance and behaviour
     • Private and subjective
     • Workplace, education
     • Health, sickness and genetics
     Service data:
     • Accounts, passwords
     • Certificates
     • Keys, tokens
  8. Data classification and risks
     Both user data and service data carry:
     • Compliance risk
     • Legal risk
     • Reputational risk
     • Quality risk
  9. Types of data breaches
     • Hacking: 49%
     • Disclosure: 22%
     • Unknown: 15%
     • Physical loss: 12%
     • Insider: 1%
     Source: https://www.privacyrights.org/data-breaches
  10. OWASP top 10 security risks — 2017
     • A1 Injection
     • A2 Broken Authentication
     • A3 Sensitive Data Exposure
     • A4 XML External Entities (XXE)
     • A5 Broken Access Control
     • A6 Security Misconfiguration
     • A7 Cross-Site Scripting (XSS)
     • A8 Insecure Deserialization
     • A9 Using Components with Known Vulnerabilities
     • A10 Insufficient Logging & Monitoring
     https://www.owasp.org/index.php/Top_10-2017_Top_10
  11. Typical web application: Frontend -> Backend -> DB

  12. Typical web application under attack (Frontend -> Backend -> DB): reflection attacks, XSS, MITM, SQL injections, code injections, execution-flow attacks, crypto-miners everywhere
  13. Ways to decrease risks: administrative; technical (infrastructure, application)

  14. Decrease risks in the application
     • Authentication & authorization (including the API), principle of least privilege
     • Filter input data, escape output
     • Implement weak-password checks
     • Use less complex data formats
     • Compartmentalization: classify data and apply controls per class
     • Use strict DB queries
     • Security by default
     • Use secure connections
     • Log everything
     • Hash passwords and encrypt sensitive data
  15. Protection of passwords
     Yes, plaintext passwords are a little insecure.
     • DO NOT operate with plaintext passwords
     • Use one-way hash functions whenever possible
  16. Password hashes
     Suitable (slow, salted password hashing functions): Argon2, PBKDF2, bcrypt, scrypt
     Unsuitable: MD5, SHA-1 (listed attacks: pre-image attack, collision attack, lookup-table attack)
     Also unsuitable: SHA-256, SHA-512 (fast general-purpose digests, not password hashes; see https://dusted.codes/sha-256-is-not-a-secure-password-hashing-algorithm)
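Slides 15 and 16 say to hash with a slow, salted function and never with a bare fast digest. The block below is an added example written for this page, not code from the talk or from Cossack Labs: it uses PBKDF2-HMAC-SHA256 from Ruby's OpenSSL standard library (bcrypt-ruby, listed later on slide 24, would do equally well) and shows what the slide's crossed-out MD5 looks like for comparison. The record format `pbkdf2-sha256$<iterations>$<salt>$<hash>`, the module name and the iteration count are assumptions of this example; tune the work factor for your own hardware.

```ruby
require "openssl"
require "securerandom"

# Added example (not from the deck): salted, deliberately slow password hashing
# with PBKDF2-HMAC-SHA256 from Ruby's stdlib OpenSSL binding.
# Record format "pbkdf2-sha256$<iterations>$<salt>$<hash>" and the default
# iteration count are assumptions of this example.
module PasswordStore
  ITERATIONS = 200_000   # work factor: assumed default, raise it as hardware allows
  SALT_BYTES = 16
  KEY_BYTES  = 32

  # PBKDF2 stretches the password; the per-user salt makes precomputed
  # lookup tables useless and hides which users share a password.
  def self.derive(password, salt, iterations)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                             length: KEY_BYTES, hash: "sha256")
  end

  # Returns the self-describing record to persist instead of the password.
  # Salt and hash are strict base64 (pack "m0"), which never contains "$".
  def self.hash_password(password, iterations: ITERATIONS)
    salt = SecureRandom.random_bytes(SALT_BYTES)
    key  = derive(password, salt, iterations)
    ["pbkdf2-sha256", iterations, [salt].pack("m0"), [key].pack("m0")].join("$")
  end

  # Compare every byte no matter where the first mismatch is, so response time
  # does not leak how much of the hash a guess got right.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Re-derive with the parameters stored in the record and compare in constant time.
  def self.verify(password, record)
    algo, iterations, salt_b64, key_b64 = record.split("$", 4)
    return false unless algo == "pbkdf2-sha256" && key_b64
    expected = key_b64.unpack1("m0")
    actual   = derive(password, salt_b64.unpack1("m0"), Integer(iterations))
    secure_equal?(expected, actual)
  end
end

# What the slide crosses out: an unsalted fast digest. Every user with the same
# password gets the same value, so one lookup table cracks all of them at once.
def unsalted_md5(password)
  OpenSSL::Digest::MD5.hexdigest(password)
end

if $PROGRAM_NAME == __FILE__
  record = PasswordStore.hash_password("correct horse battery staple")
  puts record
  puts PasswordStore.verify("correct horse battery staple", record)  # true
  puts PasswordStore.verify("Tr0ub4dor&3", record)                   # false
  puts unsalted_md5("hunter2") == unsalted_md5("hunter2")            # true: no salt
end
```

Storing the algorithm name and iteration count inside the record is what lets you raise the work factor later: old records still verify with their own parameters and can be re-hashed on the next successful login.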
  17. Data encryption implementation
     Expectations: choose an algorithm.
     Reality: design the architecture, choose the abstraction level, choose the algorithm, choose the algorithm parameters, choose the library, design key management.
  18. Encryption integration complexity vs. abstraction level
  19. Encryption integration complexity vs. abstraction level: Cipher -> Library -> Suite
  20. Encryption integration complexity vs. abstraction level: Cipher (where cryptographers work) -> Library -> Suite (where developers work)

  21. Why does security fail? 17% weak algorithms, 83% implementation mistakes (Lazar et al., "Why does cryptographic software fail?", https://pdos.csail.mit.edu/papers/cryptobugs:apsys14.pdf)

  22. Common data security mistakes
     • "TLS is enough"
     • Poor cryptographic design
     • Using database storage encryption only
     • Insecure key management model
     • Poor authentication
  24. Quick review
     Algorithms: AES-256-GCM
     Libraries: bcrypt-ruby, rbnacl, rubythemis
     Suites: Acra, axolotl, hermes, ssh, truecrypt, vault, ZeroKit
  25. What should the implementation of data encryption look like?
  26. Architecture: usability vs. security

  27. Minimize attack surface area!

  28. Architecture: components & transport. Frontend -> Backend -> DB
  29. Architecture: components & transport. Frontend -> Backend -> Decryption proxy -> DB
  30. Architecture: components & transport, data flow
     Write path: input (frontend) -> encrypt (backend) -> noop (decryption proxy passes ciphertext through) -> save (DB)
     Read path: read (DB) -> decrypt (decryption proxy) -> process (backend) -> output (frontend)
  31. Architecture: components & transport, data flow as above, with TLS on every hop between components
  32. Architecture: keys. The backend holds only the public key (it can encrypt but not read back); the decryption proxy holds the private key (it alone decrypts).
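Slides 30 to 32 describe the shape without code: the backend encrypts before saving, a proxy decrypts on the read path, and the two sides hold different halves of a key pair. The block below is an added example written for this page, not Acra's implementation or the talk's own code, showing that key split in plain Ruby with OpenSSL: each field gets a fresh AES-256-GCM data key (the algorithm slide 24 names), which is wrapped with RSA-OAEP under the proxy's public key. The module names, the choice of RSA-OAEP for key wrapping and the byte layout `[2-byte wrapped-key length][wrapped key][12-byte nonce][16-byte tag][ciphertext]` are assumptions of this example.

```ruby
require "openssl"
require "securerandom"

# Added example (not Acra's or the deck's code): the public/private key split
# from the "Architecture: keys" slide. The backend can encrypt a field but cannot
# read it back; only the decryption proxy, holding the private key, can.
# Layout of a stored blob (an assumption of this example):
#   [2-byte wrapped-key length][wrapped DEK][12-byte nonce][16-byte tag][ciphertext]
module Backend
  KEY_BYTES   = 32
  NONCE_BYTES = 12

  # `aad` (e.g. "users.email") is authenticated but not encrypted, so a ciphertext
  # cut from one column cannot be pasted into another and still decrypt.
  def self.encrypt(public_key, plaintext, aad:)
    raise ArgumentError, "aad must name the field" if aad.empty?
    dek   = SecureRandom.random_bytes(KEY_BYTES)    # fresh data key per record
    nonce = SecureRandom.random_bytes(NONCE_BYTES)  # never reused with the same key
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = dek
    cipher.iv  = nonce
    cipher.auth_data = aad
    ciphertext = plaintext.empty? ? "".b : cipher.update(plaintext)
    ciphertext << cipher.final
    wrapped = public_key.public_encrypt(dek, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
    [wrapped.bytesize].pack("n") + wrapped + nonce + cipher.auth_tag + ciphertext
  end
end

module DecryptionProxy
  # Raises OpenSSL::Cipher::CipherError when the GCM tag does not verify: a flipped
  # byte, a ciphertext moved to another column, or a forged record is refused.
  def self.decrypt(private_key, blob, aad:)
    wrapped_len = blob.byteslice(0, 2).unpack1("n")
    wrapped     = blob.byteslice(2, wrapped_len)
    nonce       = blob.byteslice(2 + wrapped_len, 12)
    tag         = blob.byteslice(14 + wrapped_len, 16)
    ciphertext  = blob.byteslice(30 + wrapped_len, blob.bytesize - 30 - wrapped_len)
    dek = private_key.private_decrypt(wrapped, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = dek
    cipher.iv  = nonce
    cipher.auth_tag  = tag
    cipher.auth_data = aad
    plaintext = ciphertext.empty? ? "".b : cipher.update(ciphertext)
    plaintext << cipher.final
  end

  # What the proxy hands back on the read path: the field, or nil when the record
  # does not authenticate or no private key is available (log it, never patch it).
  def self.read_field(private_key, blob, aad:)
    decrypt(private_key, blob, aad: aad)
  rescue OpenSSL::Cipher::CipherError, OpenSSL::PKey::PKeyError
    nil
  end
end

if $PROGRAM_NAME == __FILE__
  proxy_key   = OpenSSL::PKey::RSA.new(2048)                        # lives only on the proxy
  backend_key = OpenSSL::PKey::RSA.new(proxy_key.public_key.to_der)  # all the backend gets
  stored = Backend.encrypt(backend_key, "alice@example.com", aad: "users.email")
  puts DecryptionProxy.read_field(proxy_key, stored, aad: "users.email").inspect   # "alice@example.com"
  puts DecryptionProxy.read_field(backend_key, stored, aad: "users.email").inspect # nil: no private key
  puts DecryptionProxy.read_field(proxy_key, stored, aad: "users.name").inspect    # nil: wrong column
end
```

The point of the split is the failure mode: a SQL injection or a dumped database gives an attacker only blobs and a public key, and a compromised backend still cannot decrypt what is already stored. The tag check is what turns slide 22's "database storage encryption only" into something stronger, since modified or relocated ciphertext is rejected rather than decrypted to garbage.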

  33. Integration: Acra, Acra Engineering Demo, rubygems.org project
     Example based on: https://github.com/rubygems/rubygems, https://github.com/cossacklabs/acra-engineering-demo, https://github.com/cossacklabs/acra
  34. Integration: Frontend -> Backend + AcraWriter -> AcraServer -> DB

  35. Integration, step 1: add the gem
  36. Integration, step 2: modify the models
  37. Integration, step 3: modify the secrets
  38. Integration, step 4: change the DB host to AcraServer; step 5: convert the DB columns to binary
  39. Integration, steps 4 and 5 applied: Done!
  40. Integration of cryptography should be simple!

  41. OWASP top 10 security risks — 2017 (revisited)
     • A1 Injection
     • A2 Broken Authentication
     • A3 Sensitive Data Exposure
     • A4 XML External Entities (XXE)
     • A5 Broken Access Control
     • A6 Security Misconfiguration
     • A7 Cross-Site Scripting (XSS)
     • A8 Insecure Deserialization
     • A9 Using Components with Known Vulnerabilities
     • A10 Insufficient Logging & Monitoring
     https://www.owasp.org/index.php/Top_10-2017_Top_10
  42. Acra Engineering Demo

  43. Acra Engineering Demo https://github.com/cossacklabs/acra-engineering-demo Try it!

  44. Links
     • OWASP (Open Web Application Security Project): https://www.owasp.org
     • Acra: https://github.com/cossacklabs/acra
     • Acra Engineering Demo: https://github.com/cossacklabs/acra-engineering-demo
     • Privacy Rights Clearinghouse: https://www.privacyrights.org
     • MITRE ATT&CK Matrix: https://attack.mitre.org/
  45. Dmytro Shapovalov, Infrastructure Engineer @ Cossack Labs. Thank you! shadinua, shad.in.ua