10 lines of encryption, 1500 lines of key management

Transcript

1. 10 lines of encryption, 1500 lines of key management @vixentael

2. @vixentael product engineer in security and cryptography OSS maintainer: Themis,

   Acra cryptographic tools, security engineering, datasec training

3. cossacklabs.com Data security solutions @vixentael We help you focus on

   serving your customers better, while relieving your team from security engineering pains and making your users confident that their data is safe with you.

4. @vixentael zero knowledge searchable encryption cossacklabs.com/acra/ e2ee data collaboration cossacklabs.com/hermes/

   zero knowledge authentication github.com/cossacklabs/themis/wiki/Secure-Comparator-cryptosystem cossacklabs.com/whitepapers/
5. None

6. USABLE

7. Data encryption without compromising UX

8. @vixentael 1. Three principles of security engineering (decision making in

   security, boring crypto, defense in depth) 3. Defense in depth security controls 2. E2EE for Bear.app: data model & key management 4. Cat

9. @vixentael

10. GDPR @vixentael Article 32/35: responsibly store and process data according

    to risks
 
 Article 33/34: detecting data leakage and alert users & controller https://gdpr-info.eu/

11. @vixentael https://gdpr-info.eu/ Article 32

12. @vixentael US Department of Defense

13. @vixentael US Department of Defense https://media.defense.gov/2018/Apr/22/2001906836/-1/-1/0/ DEFENSEINNOVATIONBOARD_TEN_COMMANDMENTS_OF_SOFT WARE_2018.04.20.PDF

14. @vixentael Apple privacy policy update https://developer.apple.com/news/?id=06032019j

15. @vixentael Google https://support.google.com/cloud/answer/9110914

16. @vixentael Decision making in security 101

17. @vixentael Decision making in security 101 1. “just because we

    can” 3. understanding risks & threats 2. every app should have security features

18. @vixentael Decision making in security 101 1. “just because we

    can” 3. understanding risks & threats 2. every app should have security features ✅

19. @vixentael app flow app features code user problem

20. risk & threat model security methods security controls libraries/ code

    app flow app features code user problem @vixentael

21. @vixentael risk model & threat model create demands for security

22. @vixentael Data & risks PII User data Service data likes,

    preferences purchase history logs keys, accesses, API tokens backups configurations locations

23. @vixentael Data & risks compliance risks legal risks reputational risks

    continuity risks User data Service data reputational risks medium.com/@cossacklabs/trick-or-threat-security-losses-for- business-f5b44243d89c

24. @vixentael Boring crypto

25. https://pdos.csail.mit.edu/papers/cryptobugs:apsys14.pdf 269 CVEs from 2011-2014 17% 83% bugs inside crypto

    libs misuses of crypto libs by individual apps @vixentael

26. — crypto that simply works, solidly resists attacks, never needs

    any upgrades https://cr.yp.to/talks/2015.10.05/slides-djb-20151005-a4.pdf Daniel J. Bernstein Boring crypto @vixentael

27. encryption integration abstraction level complexity @vixentael

28. encryption integration abstraction level complexity cipher crypto- library crypto- system

    boxed solution @vixentael pain

29. @vixentael @vixentael easy to make mistakes

30. @vixentael should be random should use KDF(key) uses AES CBC,

    not AES GCM padding? salt? @vixentael easy to make mistakes

31. Themis: hard to make mistakes @vixentael @vixentael github.com/cossacklabs/themis

32. @vixentael hides cryptographic details: salt, IV, KDF, padding built-in KDF,

    safe to use passphrase uses AES-256-GCM @vixentael github.com/cossacklabs/themis Themis: hard to make mistakes

33. https://github.com/vixentael/my-talks#dont-waste-time-on-learning-cryptography-better-use-it-properly see full talk about Boring crypto @vixentael

34. @vixentael Defense in depth

35. @vixentael

36. Defense in depth – independent, yet interconnected, set of security

    controls aimed at mitigating multiple risks during the whole application flow @vixentael

37. @vixentael 1. Encryption to protect data globally 
 (during the

    whole data flow / app lifecycle). 2. Whatever is the attack vector, there is a defense layer. 3. For most popular attack vectors, we want as many independent defenses as possible. Overlapped security controls

38. @vixentael encryption & key mngmt AAA WAF honey pots IDS

    infra mngmt compartmentalization authenticated crypto &
 integrity checks access logging jailbans monitoring data firewall SIEM HIDS DAST SAST KMS HSM PKI TPM honey tokens RTFM dep mngmt UEBA IAM TLS TDE AEAD

39. @vixentael Lines of defense

40. @vixentael

41. @vixentael 10 lines of encryption, 1500 lines of key management

42. @vixentael 10 lines of encryption, 1500 lines of key management

    60 3000

43. bear.app

44. @vixentael End-to-end encryption in Bear blog.bear.app/ cossacklabs.com/blog/

45. @vixentael • smooth UX • not finance/banking app • syncing

    between all user’s devices • privacy • incident response • next versions: Web/Electron Bear e2ee for notes

46. @vixentael 1. fast & smooth 2. notes are encrypted using

    unique keys (per app per user) 3. user passphrase is never stored in plaintext 4. data in Keychain is encrypted 5. notes & passphrases are synced between devices Results

47. @vixentael UX is important – we made the security scheme

    more complex from an engineering perspective, but less stressful for users.

48. @vixentael note encryption & note locking

49. @vixentael app locking

50. @vixentael note encryption != note locking != app locking

51. @vixentael note encryption != note locking != app locking encryption

    authentication authentication

52. @vixentael note text user passphrase note encryption key Data model

    plaintext user input unique per note

53. @vixentael Access Disclosure Modification Access denial note text Moderate Critical

    Critical High user passphrase Moderate Critical Critical Critical note encryption key Moderate Low Low Moderate Threats

54. @vixentael Device filesystem Device process memory Device keychain & secure

    enclave Transport, iCloud database iCloud Keychain Medium High High Medium Medium Trust model

55. @vixentael Breaking Keychain youtube.com/watch?v=EUGDa0Z71uk youtube.com/watch?v=sR6KeCaCRMA github.com/LinusHenze/Keysteal macOS keychain: https://thetapedrive.com/face-id-fail-ios-13 iOS13

    beta keychain:

56. @vixentael We have more trust towards the data stored on

    the device than the data stored in a cloud

57. @vixentael Key model

58. @vixentael from user mind or password mngr cached for some

    time calculated before usage Keychain, Secure Enclave Key model

59. @vixentael Multiple caches to minimize user distractions user Keychain SecureEnclave

    iCloudKeychain in memory cache temp var password manager

60. @vixentael App encryption key Key stretching: KDF, deterministic long_data =

    user_passphrase + gen_passphrase_pwd + gen_app_context app_encryption_key = SecureCellContextImprint(data: long_data, context: generated_app_context, key: user_passphrase) github.com/cossacklabs/themis

61. @vixentael long_data = user_passphrase + gen_passphrase_pwd + gen_app_context app_encryption_key =

    SecureCellContextImprint(data: long_data, context: generated_app_context, key: user_passphrase) long_data = app_encryption_key + gen_passphrase_pwd + gen_app_context note_encryption_key = SecureCellContextImprint(data: long_data, context: note_encryption_id, key: app_encryption_key) App encryption key, note encryption key Key stretching: KDF, deterministic github.com/cossacklabs/themis

62. @vixentael encrypted_note = SecureCellSeal(data: note_text, context: note_encryption_id, key: note_encryption_key) decrypted_note

    = SecureCellSeal(data: encrypted_note, context: note_encryption_id, key: note_encryption_key) AES-256-GCM, random IV/nonce, non-deterministic Notes encryption github.com/cossacklabs/themis

63. @vixentael 1. Encryption to protect data globally 
 (during the

    whole data flow / app lifecycle). 2. Whatever is the attack vector, there is a defense layer. 3. For most popular attack vectors, we want as many independent defenses as possible. Overlapped security controls ✅

64. @vixentael notes protection (e2ee)

65. @vixentael passphrase encryption hint encryption zeroing secrets TLS / certificate

    pinning auto-locking timer failed attempts counter encrypted user settings notes protection (e2ee) obfuscation anti-RE & anti-debugging continuous improvements prepare for incidents cossacklabs.com/blog/end-to-end-encryption-in-bear-app.html

66. @vixentael passphrase encryption hint encryption zeroing secrets TLS / certificate

    pinning auto-locking timer failed attempts counter encrypted user settings obfuscation anti-RE & anti-debugging continuous improvements notes protection (e2ee) prepare for incidents cossacklabs.com/blog/end-to-end-encryption-in-bear-app.html

67. @vixentael encrypted_passphrase = SecureCellSeal(data: user_passphrase, context: nil, key: generated_passphrase_key) decrypted_passphrase

    = SecureCellSeal(data: user_passphrase, context: nil, key: generated_passphrase_key) remember about breaking keychain AES-256-GCM, random IV/nonce, non-deterministic Passphrase encryption

68. @vixentael Hint encryption

69. @vixentael encrypted_hint = SecureCellSeal(data: hint, context: nil, key: generated_hint_key) decrypted_hint

    = SecureCellSeal(data: encrypted_hint, context: nil, key: generated_hint_key) Hint encryption AES-256-GCM, random IV/nonce, non-deterministic

70. @vixentael Compatibility & incident response

71. @vixentael Auto-locking timer clean up caches and decrypted data after

    T seconds let unlockDate = Date() ... let unlockedInterval = unlockDate.timeIntervalSinceNow();

72. @vixentael Auto-locking timer clean up caches and decrypted data after

    T seconds let unlockDate = Date() ... let unlockedInterval = unlockDate.timeIntervalSinceNow(); timezones

73. @vixentael Auto-locking timer monotonic https://twitter.com/wilshipley/status/1130973433120952321

74. @vixentael Failed attempts counter, increasing delays t makes it harder

    to brute force the passphrase user_passphrase

75. Key points

76. 1. Encryption to protect data globally 
 (during the whole

    data flow / app lifecycle). 2. Whatever is the attack vector, there is a defense layer. 3. For most popular attack vectors, we want as many independent defenses as possible. Overlapped security controls ✅ ✅ ✅ @vixentael

77. @vixentael passphrase encryption hint encryption prepare for incidents zeroing secrets

    TLS / certificate pinning auto-locking timer failed attempts counter encrypted user settings notes protection (e2ee) obfuscation anti-RE & anti-debugging continuous improvements cossacklabs.com/blog/end-to-end-encryption-in-bear-app.html

78. @vixentael crypto gets harder if you need usability 1. E2EE

    for notes, synced between devices – Bear 2. Searchable encryption – Acra 3. E2EE for data collaboration – Hermes

79. @vixentael OWASP ASVS / MASVS

80. failure of single security control is a question of time

    failure of security system is a question of design

81. @vixentael cryptographic tools, security consulting, training github.com/vixentael/ my-talks