10 lines of encryption, 1500 lines of key management

10 lines of encryption, 1500 lines of key management

Often when users ask for some features, they don’t understand how long it takes to make them. When features are related to security, developers also often don’t understand how long it will take.

I will show the real case about one large note taking the app, that decided to implement convenient note encryption and note locking for their existing user base. But finding a balance between usability, security and mobile platforms' restrictions is complicated.

We will start with the security design scheme, then select the proper encryption library, then implement the flow, and prepare for incidents. Now — think about it — cryptography is only chapter 3 in OWASP MASVS (7 chapters in general). Even the best cryptography will fail if basic security controls are badly implemented.

Points we will go through: the difference between "locking" and "encrypting", the difference between password and encryption key, how to sync passwords between devices, what exactly to store in keychain/keystore, how to use proper cryptography (AES CBC or AES GCM, random salt? IV? padding? what a hell is this mess), how to use biometrics (we don’t want to bother user, let’s use biometric keychain, but what if users will change their fingerprints — shall we invalidate all passwords?), updating encryption version (imagine, vulnerability is discovered in our library or app — how to update cipher, and softly migrate users to the new cipher, if users don’t even have a clue that encryption was versioned).

At the end, this is only one simple JIRA ticket "let's encrypt the notes" from the eyes of security software engineer :)

Other talks and videos:
https://github.com/vixentael/my-talks

042b7c0e45c53de46667f07de2fb2614?s=128

vixentael

July 28, 2019
Tweet

Transcript

  1. 2.

    @vixentael product engineer in security and cryptography OSS maintainer: Themis,

    Acra cryptographic tools, security engineering, datasec training
  2. 3.

    cossacklabs.com Data security solutions @vixentael We help you focus on

    serving your customers better, while relieving your team from security engineering pains and making your users confident that their data is safe with you.
  3. 4.

    @vixentael zero knowledge searchable encryption cossacklabs.com/acra/ e2ee data collaboration cossacklabs.com/hermes/

    zero knowledge authentication github.com/cossacklabs/themis/wiki/Secure-Comparator-cryptosystem cossacklabs.com/whitepapers/
  4. 5.
  5. 6.
  6. 8.

    @vixentael 1. Three principles of security engineering (decision making in

    security, boring crypto, defense in depth) 3. Defense in depth security controls 2. E2EE for Bear.app: data model & key management 4. Cat
  7. 10.

    GDPR @vixentael Article 32/35: responsibly store and process data according

    to risks
 
 Article 33/34: detecting data leakage and alert users & controller https://gdpr-info.eu/
  8. 17.

    @vixentael Decision making in security 101 1. “just because we

    can” 3. understanding risks & threats 2. every app should have security features
  9. 18.

    @vixentael Decision making in security 101 1. “just because we

    can” 3. understanding risks & threats 2. every app should have security features ✅
  10. 20.

    risk & threat model security methods security controls libraries/ code

    app flow app features code user problem @vixentael
  11. 22.

    @vixentael Data & risks PII User data Service data likes,

    preferences purchase history logs keys, accesses, API tokens backups configurations locations
  12. 23.

    @vixentael Data & risks compliance risks legal risks reputational risks

    continuity risks User data Service data reputational risks medium.com/@cossacklabs/trick-or-threat-security-losses-for- business-f5b44243d89c
  13. 26.

    — crypto that simply works, solidly resists attacks, never needs

    any upgrades https://cr.yp.to/talks/2015.10.05/slides-djb-20151005-a4.pdf Daniel J. Bernstein Boring crypto @vixentael
  14. 30.

    @vixentael should be random should use KDF(key) uses AES CBC,

    not AES GCM padding? salt? @vixentael easy to make mistakes
  15. 32.

    @vixentael hides cryptographic details: salt, IV, KDF, padding built-in KDF,

    safe to use passphrase uses AES-256-GCM @vixentael github.com/cossacklabs/themis Themis: hard to make mistakes
  16. 36.

    Defense in depth – independent, yet interconnected, set of security

    controls aimed at mitigating multiple risks during the whole application flow @vixentael
  17. 37.

    @vixentael 1. Encryption to protect data globally 
 (during the

    whole data flow / app lifecycle). 2. Whatever is the attack vector, there is a defense layer. 3. For most popular attack vectors, we want as many independent defenses as possible. Overlapped security controls
  18. 38.

    @vixentael encryption & key mngmt AAA WAF honey pots IDS

    infra mngmt compartmentalization authenticated crypto &
 integrity checks access logging jailbans monitoring data firewall SIEM HIDS DAST SAST KMS HSM PKI TPM honey tokens RTFM dep mngmt UEBA IAM TLS TDE AEAD
  19. 43.
  20. 45.

    @vixentael • smooth UX • not finance/banking app • syncing

    between all user’s devices • privacy • incident response • next versions: Web/Electron Bear e2ee for notes
  21. 46.

    @vixentael 1. fast & smooth 2. notes are encrypted using

    unique keys (per app per user) 3. user passphrase is never stored in plaintext 4. data in Keychain is encrypted 5. notes & passphrases are synced between devices Results
  22. 47.

    @vixentael UX is important – we made the security scheme

    more complex from an engineering perspective, but less stressful for users.
  23. 53.

    @vixentael Access Disclosure Modification Access denial note text Moderate Critical

    Critical High user passphrase Moderate Critical Critical Critical note encryption key Moderate Low Low Moderate Threats
  24. 54.

    @vixentael Device filesystem Device process memory Device keychain & secure

    enclave Transport, iCloud database iCloud Keychain Medium High High Medium Medium Trust model
  25. 56.

    @vixentael We have more trust towards the data stored on

    the device than the data stored in a cloud
  26. 58.

    @vixentael from user mind or password mngr cached for some

    time calculated before usage Keychain, Secure Enclave Key model
  27. 59.

    @vixentael Multiple caches to minimize user distractions user Keychain SecureEnclave

    iCloudKeychain in memory cache temp var password manager
  28. 60.

    @vixentael App encryption key Key stretching: KDF, deterministic long_data =

    user_passphrase + gen_passphrase_pwd + gen_app_context app_encryption_key = SecureCellContextImprint(data: long_data, context: generated_app_context, key: user_passphrase) github.com/cossacklabs/themis
  29. 61.

    @vixentael long_data = user_passphrase + gen_passphrase_pwd + gen_app_context app_encryption_key =

    SecureCellContextImprint(data: long_data, context: generated_app_context, key: user_passphrase) long_data = app_encryption_key + gen_passphrase_pwd + gen_app_context note_encryption_key = SecureCellContextImprint(data: long_data, context: note_encryption_id, key: app_encryption_key) App encryption key, note encryption key Key stretching: KDF, deterministic github.com/cossacklabs/themis
  30. 62.

    @vixentael encrypted_note = SecureCellSeal(data: note_text, context: note_encryption_id, key: note_encryption_key) decrypted_note

    = SecureCellSeal(data: encrypted_note, context: note_encryption_id, key: note_encryption_key) AES-256-GCM, random IV/nonce, non-deterministic Notes encryption github.com/cossacklabs/themis
  31. 63.

    @vixentael 1. Encryption to protect data globally 
 (during the

    whole data flow / app lifecycle). 2. Whatever is the attack vector, there is a defense layer. 3. For most popular attack vectors, we want as many independent defenses as possible. Overlapped security controls ✅
  32. 65.

    @vixentael passphrase encryption hint encryption zeroing secrets TLS / certificate

    pinning auto-locking timer failed attempts counter encrypted user settings notes protection (e2ee) obfuscation anti-RE & anti-debugging continuous improvements prepare for incidents cossacklabs.com/blog/end-to-end-encryption-in-bear-app.html
  33. 66.

    @vixentael passphrase encryption hint encryption zeroing secrets TLS / certificate

    pinning auto-locking timer failed attempts counter encrypted user settings obfuscation anti-RE & anti-debugging continuous improvements notes protection (e2ee) prepare for incidents cossacklabs.com/blog/end-to-end-encryption-in-bear-app.html
  34. 67.

    @vixentael encrypted_passphrase = SecureCellSeal(data: user_passphrase, context: nil, key: generated_passphrase_key) decrypted_passphrase

    = SecureCellSeal(data: user_passphrase, context: nil, key: generated_passphrase_key) remember about breaking keychain AES-256-GCM, random IV/nonce, non-deterministic Passphrase encryption
  35. 69.

    @vixentael encrypted_hint = SecureCellSeal(data: hint, context: nil, key: generated_hint_key) decrypted_hint

    = SecureCellSeal(data: encrypted_hint, context: nil, key: generated_hint_key) Hint encryption AES-256-GCM, random IV/nonce, non-deterministic
  36. 71.

    @vixentael Auto-locking timer clean up caches and decrypted data after

    T seconds let unlockDate = Date() ... let unlockedInterval = unlockDate.timeIntervalSinceNow();
  37. 72.

    @vixentael Auto-locking timer clean up caches and decrypted data after

    T seconds let unlockDate = Date() ... let unlockedInterval = unlockDate.timeIntervalSinceNow(); timezones
  38. 74.

    @vixentael Failed attempts counter, increasing delays t makes it harder

    to brute force the passphrase user_passphrase
  39. 76.

    1. Encryption to protect data globally 
 (during the whole

    data flow / app lifecycle). 2. Whatever is the attack vector, there is a defense layer. 3. For most popular attack vectors, we want as many independent defenses as possible. Overlapped security controls ✅ ✅ ✅ @vixentael
  40. 77.

    @vixentael passphrase encryption hint encryption prepare for incidents zeroing secrets

    TLS / certificate pinning auto-locking timer failed attempts counter encrypted user settings notes protection (e2ee) obfuscation anti-RE & anti-debugging continuous improvements cossacklabs.com/blog/end-to-end-encryption-in-bear-app.html
  41. 78.

    @vixentael crypto gets harder if you need usability 1. E2EE

    for notes, synced between devices – Bear 2. Searchable encryption – Acra 3. E2EE for data collaboration – Hermes
  42. 80.

    failure of single security control is a question of time

    failure of security system is a question of design