$30 off During Our Annual Pro Sale. View Details »

Data encryption for Ruby web applications

ShaD
December 08, 2018
Programming
0
500

Data encryption for Ruby web applications

Making secure applications is not easy, especially when encryption tools are difficult and incomprehensible. We will talk about typical data security problems in the web apps and how to implement encryption properly. We will review cryptographic approaches and exact tools that ensure that no sensitive data leaks from the application or database.

ShaD

December 08, 2018
Tweet

More Decks by ShaD

See All by ShaD
Teach your application eloquence. Logs, metrics, traces.
shad
0
240
delivering_security_products.pdf
shad
0
74

Other Decks in Programming

See All in Programming
LINE Login ではじめる 「とりまセキュリティ」
akakou
0
250
フロントエンドの書くべきだったテスト、書かなくてよかったテスト
takefumiyoshii
31
11k
Python機械学習勉強会in新潟のロゴが無いので、生成AIで作ってみましょう / osc2023niigata
kasacchiful
0
210
動くコードを書こう / let's code a process
kishida
21
6k
Accelerating App Dev with Cloudflare Workers
chimame
1
200
Scala Left Fold Parallelisation - Three Approaches
philipschwarz
PRO
0
250
BigQuery のデータ品質やデータ活用を高める Dataplex 等の活用
mot_techtalk
4
850
DMMプラットフォームにおけるコード品質を改善する取り組みの理想と現実
pospome
3
1.8k
OpenMPW 2023 技術ぽい理解
ryos36
0
150
The Secret Ingredient: How to Understand and Resolve Just about Any Flaky Test
aridlehoover
PRO
1
210
ChatGPTをソフトウェア開発に活用する
fbei_ot
0
120
Developing a Vim plugin with Ruby
okuramasafumi
0
220

Featured

See All Featured
VelocityConf: Rendering Performance Case Studies
addyosmani
319
23k
Designing the Hi-DPI Web
ddemaree
274
33k
Designing for humans not robots
tammielis
246
24k
Into the Great Unknown - MozCon
thekraken
7
650
Building Your Own Lightsaber
phodgson
97
5.4k
Producing Creativity
orderedlist
PRO
335
38k
Building Adaptive Systems
keathley
29
1.6k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
17
1.4k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
26
5.7k
How to train your dragon (web standard)
notwaldorf
71
4.8k
BBQ
matthewcrist
76
8.5k
Fontdeck: Realign not Redesign
paulrobertlloyd
74
4.7k

Transcript

  1. Data encryption
    for Ruby web applications
    Dmytro Shapovalov
    Infrastructure Engineer @ Cossack Labs

    View Slide

  2. Who we are?
    • UK-based data security products and services
    company

    • Building security tools to prevent sensitive data
    leakage and to comply with data security
    regulations

    • Cryptographic tools, security consulting, training

    • We are cryptographers, system engineers,
    applied engineers, infrastructure engineers

    • We support community, speak, teach, open
    source a lot

    View Slide

  3. What we are going to talk
    • Data breaches problem
    • Approaches to the protection of sensitive data
    • What we can and can not protect with encryption
    • Integration encryption into a Rails application

    View Slide

  4. What does humanity have

    to protect information?
    Strong enough block crypto algorithms
    Rijndael
    (AES)
    Twofish Serpent
    Tons of structured information
    +

    View Slide

  5. Data breaches continue rising
    2018
    • Facebook : 87 Million
    • Under Armour : 150 Million
    • Saks Fifth Avenue : 5 Million
    • SingHealth : 1.5 Million
    • British Airways : 0.38 Million
    • Ticketfly : 26 Million
    • Marriott : 500 Million
    • Quora : 100 Million
    • Instagram : plaintext passwords in the URL? Really?

    View Slide

  6. So what should we do?
    1. Classify and specify data that we want to protect
    2. Classify and analyze risks
    3. Determine threats
    4. Choose techniques and tools
    5. Integrate into application

    View Slide

  7. Data classification and risks
    All data
    user service
    • Biographical information
    • Looks, appearance and
    behaviour
    • Private and subjective
    • Workplace, education
    • Health, sickness and genetics
    • Accounts, passwords
    • Certificates
    • Keys, tokens

    View Slide

  8. Data classification and risks
    All data
    user service
    • Compliance risk
    • Legal risk
    • Reputational risk
    • Quality risk

    View Slide

  9. Types of data breaches
    Unknown
    15%
    Physical loss
    12%
    Insider
    1%
    Disclosure
    22%
    Hacking
    49%
    https://www.privacyrights.org/data-breaches

    View Slide

  10. OWASP top 10 security risks — 2017
    • Security
    Misconfiguration
    • Cross-Site Scripting
    (XSS)
    • Insure Deserialization
    • Using Components with
    Known Vulnerabilities
    • Insufficient Logging &
    Monitoring
    • Injection
    • Broken
    Authentication
    • Sensitive Data
    Exposure
    • XML External Entities
    (XXE)
    • Broken Access Control
    https://www.owasp.org/index.php/Top_10-2017_Top_10

    View Slide

  11. Typical web application
    Frontend Backend DB

    View Slide

  12. Typical web application
    reflection attacks
    XSS
    MITM
    SQL injections code injections
    execution flow attack
    crypto-miners everywhere
    Frontend Backend DB

    View Slide

  13. Ways to decrease risks
    Administrative Technical
    • Infrastructure
    • Application

    View Slide

  14. Decrease risks in application
    • Authentication & Authorization (inc. API), principle of least
    privileges
    • Filter input data, escaping output
    • Implement weak-password checks
    • Use less complex data formats
    • Compartmentalization — classify data and apply controls
    • Use strict DB queries
    • Security by default
    • Use secure connections
    • Log everything
    • Hash passwords and encrypt sensitive data

    View Slide

  15. Protection of passwords
    Yes, plaintext passwords are a little insecure
    • DO NOT operate with plaintext passwords
    • use one-way hash functions whenever it possible

    View Slide

  16. Password hashes
    • MD5
    • SHA-1
    • Argon2
    • PBKDF2
    • bcrypt
    • script
    • MD5
    • SHA-1
    https://dusted.codes/sha-256-is-not-a-secure-password-hashing-algorithm
    • SHA-256
    • SHA-512
    pre-image attack
    collision attack
    lookup tables attack

    View Slide

  17. Data encryption implementation
    • Choose algorithm
    Expectations Reality
    • Design architecture
    • Choose abstraction
    level
    • Choose algorithm
    • Choose algorithm
    parameters
    • Choose library
    • Design key
    management

    View Slide

  18. Encryption integration
    complexity
    abstraction level

    View Slide

  19. Encryption integration
    complexity
    abstraction level
    Cipher
    Library
    Suite

    View Slide

  20. Encryption integration
    complexity
    abstraction level
    Cipher
    Library
    Suite
    Cryptographers Developers

    View Slide

  21. Why security fails?
    83%
    17%
    Weak algorithms
    Implementation mistakes
    https://pdos.csail.mit.edu/papers/cryptobugs:apsys14.pdf

    View Slide

  22. Common data security mistakes
    • TLS is enough
    • Poor cryptographic design
    • Using database storage encryption only
    • Insecure key management model
    • Poor authentication

    View Slide

  23. View Slide

  24. Quick review
    Algorithms
    • AES-256-GCM

    Libraries
    • bcrypt-ruby
    • rbnacl
    • rubythemis
    Suites
    • Acra
    • axolotl
    • hermes
    • ssh
    • truecrypt
    • vault
    • ZeroKit

    View Slide

  25. What the implementation 

    of data encryption 

    should look like?

    View Slide

  26. Architecture
    usability
    security

    View Slide

  27. Minimize attack surface area!

    View Slide

  28. Frontend Backend DB
    Architecture : components & transport

    View Slide

  29. Architecture : components & transport
    Frontend Backend
    Decryption

    proxy
    DB

    View Slide

  30. Architecture : components & transport
    Frontend Backend
    Decryption

    proxy
    DB
    input encrypt save
    output process decrypt read
    noop

    View Slide

  31. Architecture : components & transport
    Frontend Backend
    Decryption

    proxy
    DB
    input encrypt save
    output process decrypt read
    noop
    TLS TLS

    View Slide

  32. Architecture : keys
    Frontend Backend
    Decryption

    proxy
    DB
    public private

    View Slide

  33. Integration Acra
    • Acra
    • Acra Engineering Demo
    • rubygems.org project
    Example based on:
    https://github.com/rubygems/rubygems
    https://github.com/cossacklabs/acra-engineering-demo
    https://github.com/cossacklabs/acra

    View Slide

  34. Integration
    Frontend Backend AcraServer DB
    + AcraWriter

    View Slide

  35. Integration
    1. Add gem

    View Slide

  36. Integration
    2. Modify models

    View Slide

  37. Integration
    3. Modify secrets

    View Slide

  38. Integration
    4. Change DB host to AcraServer
    5. Convert DB columns to binary

    View Slide

  39. Integration
    4. Change DB host to AcraServer
    5. Convert DB columns to binary
    Done!

    View Slide

  40. Integration of cryptography

    should be simple!

    View Slide

  41. OWASP top 10 security risks — 2017
    • Security
    Misconfiguration
    • Cross-Site Scripting
    (XSS)
    • Insure Deserialization
    • Using Components with
    Known Vulnerabilities
    • Insufficient Logging &
    Monitoring
    • Injection
    • Broken
    Authentication
    • Sensitive Data
    Exposure
    • XML External Entities
    (XXE)
    • Broken Access Control
    https://www.owasp.org/index.php/Top_10-2017_Top_10

    View Slide

  42. Acra Engineering Demo

    View Slide

  43. Acra Engineering Demo
    https://github.com/cossacklabs/acra-engineering-demo
    Try it!

    View Slide

  44. Links
    • OWASP (Open Web Application Security Project)

    https://www.owasp.org
    • Acra

    https://github.com/cossacklabs/acra
    • Acra Engineering Demo

    https://github.com/cossacklabs/acra-engineering-demo
    • Privacy Rights Clearinghouse

    https://www.privacyrights.org
    • MITTRE ATT&CK Matrix

    https://attack.mitre.org/

    View Slide

  45. Dmytro Shapovalov
    Infrastructure Engineer @ Cossack Labs
    Thank you!
    shadinua
    shad.in.ua
    shad.in.ua

    View Slide