Upgrade to Pro — share decks privately, control downloads, hide ads and more …

10 lines of encryption, 1500 lines of key management

vixentael
July 28, 2019
Programming
2
1.5k

10 lines of encryption, 1500 lines of key management

Often when users ask for some features, they don’t understand how long it takes to make them. When features are related to security, developers also often don’t understand how long it will take.

I will show the real case about one large note taking the app, that decided to implement convenient note encryption and note locking for their existing user base. But finding a balance between usability, security and mobile platforms' restrictions is complicated.

We will start with the security design scheme, then select the proper encryption library, then implement the flow, and prepare for incidents. Now — think about it — cryptography is only chapter 3 in OWASP MASVS (7 chapters in general). Even the best cryptography will fail if basic security controls are badly implemented.

Points we will go through: the difference between "locking" and "encrypting", the difference between password and encryption key, how to sync passwords between devices, what exactly to store in keychain/keystore, how to use proper cryptography (AES CBC or AES GCM, random salt? IV? padding? what a hell is this mess), how to use biometrics (we don’t want to bother user, let’s use biometric keychain, but what if users will change their fingerprints — shall we invalidate all passwords?), updating encryption version (imagine, vulnerability is discovered in our library or app — how to update cipher, and softly migrate users to the new cipher, if users don’t even have a clue that encryption was versioned).

At the end, this is only one simple JIRA ticket "let's encrypt the notes" from the eyes of security software engineer :)

Other talks and videos:
https://github.com/vixentael/my-talks

vixentael

July 28, 2019
Tweet

More Decks by vixentael

See All by vixentael
Using YubiKey and FIDO U2F for secure authentication
vixentael
0
1.1k
Data is a new security boundary
vixentael
0
4.1k
Cryptographic protection of ML models
vixentael
0
2.5k
e2ee != security != privacy
vixentael
0
2.1k
Maintaining cryptographic library for 12 languages
vixentael
1
3.5k
Security, privacy and cryptography at WWDC19
vixentael
1
620
Data encryption: CyberKids edition
vixentael
0
550
"Defense in depth": trench warfare principles for building secure distributed applications
vixentael
3
840
Workshop: Secure Software Development: From Rookie to Hardcore in 90 Minutes
vixentael
1
1k

Other Decks in Programming

See All in Programming
VS Code をプロダクトにどう取り込むか
onomax
1
360
VSCodeでのDatabricks開発もお勧めしたい/I would also recommend Databricks development with VSCode.
kazumain
0
250
GitHub Copilotのススメ
marcy731
1
200
PHPの次期バージョンはこの時期どうなっているのか - Internalsの開発体制について - PHPカンファレンス小田原
youkidearitai
PRO
1
190
⼤規模⾔語モデルの拡張(RAG)が 終わったかも知れない件について
nearme_tech
23
15k
MetricKitで予期せぬ終了を検知する話 / Detect unexpected termination with MetricKit
nekowen
1
180
MicrosoftのPlatform Engineeringガイドを読んで実際になにかやってみた
ymd65536
1
300
PHPはいつから死んでいるかの調査
chiroruxx
1
390
Goのmultiple errorsについて (2024年4月版)
syumai
3
590
try! Swift Tokyo 2024のLT枠に採択されたプロポーザルを出すときに考えていたこと
ski
0
350
ゆるい個人開発のススメ
kuroppe1819
10
990
0→1と1→10の狭間で Javaという技術選定を振り返る/Reflecting on the Decision to Choose Java Between Scaling from 0 to 1 and 1 to 10
jaguar_imo
2
380

Featured

See All Featured
WebSockets: Embracing the real-time Web
robhawkes
59
7k
Designing Experiences People Love
moore
136
23k
GraphQLとの向き合い方2022年版
quramy
32
12k
What the flash - Photography Introduction
edds
64
11k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
60
14k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
78
42k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
125
32k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
30
6k
How GitHub (no longer) Works
holman
304
140k
Typedesign – Prime Four
hannesfritz
36
2.1k
The Cult of Friendly URLs
andyhume
74
5.7k
Gamification - CAS2011
davidbonilla
76
4.6k

Transcript

  1. 10 lines of encryption, 1500 lines of key management @vixentael

  2. @vixentael product engineer in security and cryptography OSS maintainer: Themis,

    Acra cryptographic tools, security engineering, datasec training

  3. cossacklabs.com Data security solutions @vixentael We help you focus on

    serving your customers better, while relieving your team from security engineering pains and making your users confident that their data is safe with you.

  4. @vixentael zero knowledge searchable encryption cossacklabs.com/acra/ e2ee data collaboration cossacklabs.com/hermes/

    zero knowledge authentication github.com/cossacklabs/themis/wiki/Secure-Comparator-cryptosystem cossacklabs.com/whitepapers/
  5. None

  6. USABLE

  7. Data encryption without compromising UX

  8. @vixentael 1. Three principles of security engineering (decision making in

    security, boring crypto, defense in depth) 3. Defense in depth security controls 2. E2EE for Bear.app: data model & key management 4. Cat

  9. @vixentael

  10. GDPR @vixentael Article 32/35: responsibly store and process data according

    to risks
 
 Article 33/34: detecting data leakage and alert users & controller https://gdpr-info.eu/

  11. @vixentael https://gdpr-info.eu/ Article 32

  12. @vixentael US Department of Defense

  13. @vixentael US Department of Defense https://media.defense.gov/2018/Apr/22/2001906836/-1/-1/0/ DEFENSEINNOVATIONBOARD_TEN_COMMANDMENTS_OF_SOFT WARE_2018.04.20.PDF

  14. @vixentael Apple privacy policy update https://developer.apple.com/news/?id=06032019j

  15. @vixentael Google https://support.google.com/cloud/answer/9110914

  16. @vixentael Decision making in security 101

  17. @vixentael Decision making in security 101 1. “just because we

    can” 3. understanding risks & threats 2. every app should have security features

  18. @vixentael Decision making in security 101 1. “just because we

    can” 3. understanding risks & threats 2. every app should have security features ✅

  19. @vixentael app flow app features code user problem

  20. risk & threat model security methods security controls libraries/ code

    app flow app features code user problem @vixentael

  21. @vixentael risk model & threat model create demands for security

  22. @vixentael Data & risks PII User data Service data likes,

    preferences purchase history logs keys, accesses, API tokens backups configurations locations

  23. @vixentael Data & risks compliance risks legal risks reputational risks

    continuity risks User data Service data reputational risks medium.com/@cossacklabs/trick-or-threat-security-losses-for- business-f5b44243d89c

  24. @vixentael Boring crypto

  25. https://pdos.csail.mit.edu/papers/cryptobugs:apsys14.pdf 269 CVEs from 2011-2014 17% 83% bugs inside crypto

    libs misuses of crypto libs by individual apps @vixentael

  26. — crypto that simply works, solidly resists attacks, never needs

    any upgrades https://cr.yp.to/talks/2015.10.05/slides-djb-20151005-a4.pdf Daniel J. Bernstein Boring crypto @vixentael

  27. encryption integration abstraction level complexity @vixentael

  28. encryption integration abstraction level complexity cipher crypto- library crypto- system

    boxed solution @vixentael pain

  29. @vixentael @vixentael easy to make mistakes

  30. @vixentael should be random should use KDF(key) uses AES CBC,

    not AES GCM padding? salt? @vixentael easy to make mistakes

  31. Themis: hard to make mistakes @vixentael @vixentael github.com/cossacklabs/themis

  32. @vixentael hides cryptographic details: salt, IV, KDF, padding built-in KDF,

    safe to use passphrase uses AES-256-GCM @vixentael github.com/cossacklabs/themis Themis: hard to make mistakes

  33. https://github.com/vixentael/my-talks#dont-waste-time-on-learning-cryptography-better-use-it-properly see full talk about Boring crypto @vixentael

  34. @vixentael Defense in depth

  35. @vixentael

  36. Defense in depth – independent, yet interconnected, set of security

    controls aimed at mitigating multiple risks during the whole application flow @vixentael

  37. @vixentael 1. Encryption to protect data globally 
 (during the

    whole data flow / app lifecycle). 2. Whatever is the attack vector, there is a defense layer. 3. For most popular attack vectors, we want as many independent defenses as possible. Overlapped security controls

  38. @vixentael encryption & key mngmt AAA WAF honey pots IDS

    infra mngmt compartmentalization authenticated crypto &
 integrity checks access logging jailbans monitoring data firewall SIEM HIDS DAST SAST KMS HSM PKI TPM honey tokens RTFM dep mngmt UEBA IAM TLS TDE AEAD

  39. @vixentael Lines of defense

  40. @vixentael

  41. @vixentael 10 lines of encryption, 1500 lines of key management

  42. @vixentael 10 lines of encryption, 1500 lines of key management

    60 3000

  43. bear.app

  44. @vixentael End-to-end encryption in Bear blog.bear.app/ cossacklabs.com/blog/

  45. @vixentael • smooth UX • not finance/banking app • syncing

    between all user’s devices • privacy • incident response • next versions: Web/Electron Bear e2ee for notes

  46. @vixentael 1. fast & smooth 2. notes are encrypted using

    unique keys (per app per user) 3. user passphrase is never stored in plaintext 4. data in Keychain is encrypted 5. notes & passphrases are synced between devices Results

  47. @vixentael UX is important – we made the security scheme

    more complex from an engineering perspective, but less stressful for users.

  48. @vixentael note encryption & note locking

  49. @vixentael app locking

  50. @vixentael note encryption != note locking != app locking

  51. @vixentael note encryption != note locking != app locking encryption

    authentication authentication

  52. @vixentael note text user passphrase note encryption key Data model

    plaintext user input unique per note

  53. @vixentael Access Disclosure Modification Access denial note text Moderate Critical

    Critical High user passphrase Moderate Critical Critical Critical note encryption key Moderate Low Low Moderate Threats

  54. @vixentael Device filesystem Device process memory Device keychain & secure

    enclave Transport, iCloud database iCloud Keychain Medium High High Medium Medium Trust model

  55. @vixentael Breaking Keychain youtube.com/watch?v=EUGDa0Z71uk youtube.com/watch?v=sR6KeCaCRMA github.com/LinusHenze/Keysteal macOS keychain: https://thetapedrive.com/face-id-fail-ios-13 iOS13

    beta keychain:

  56. @vixentael We have more trust towards the data stored on

    the device than the data stored in a cloud

  57. @vixentael Key model

  58. @vixentael from user mind or password mngr cached for some

    time calculated before usage Keychain, Secure Enclave Key model

  59. @vixentael Multiple caches to minimize user distractions user Keychain SecureEnclave

    iCloudKeychain in memory cache temp var password manager

  60. @vixentael App encryption key Key stretching: KDF, deterministic long_data =

    user_passphrase + gen_passphrase_pwd + gen_app_context app_encryption_key = SecureCellContextImprint(data: long_data, context: generated_app_context, key: user_passphrase) github.com/cossacklabs/themis

  61. @vixentael long_data = user_passphrase + gen_passphrase_pwd + gen_app_context app_encryption_key =

    SecureCellContextImprint(data: long_data, context: generated_app_context, key: user_passphrase) long_data = app_encryption_key + gen_passphrase_pwd + gen_app_context note_encryption_key = SecureCellContextImprint(data: long_data, context: note_encryption_id, key: app_encryption_key) App encryption key, note encryption key Key stretching: KDF, deterministic github.com/cossacklabs/themis

  62. @vixentael encrypted_note = SecureCellSeal(data: note_text, context: note_encryption_id, key: note_encryption_key) decrypted_note

    = SecureCellSeal(data: encrypted_note, context: note_encryption_id, key: note_encryption_key) AES-256-GCM, random IV/nonce, non-deterministic Notes encryption github.com/cossacklabs/themis

  63. @vixentael 1. Encryption to protect data globally 
 (during the

    whole data flow / app lifecycle). 2. Whatever is the attack vector, there is a defense layer. 3. For most popular attack vectors, we want as many independent defenses as possible. Overlapped security controls ✅

  64. @vixentael notes protection (e2ee)

  65. @vixentael passphrase encryption hint encryption zeroing secrets TLS / certificate

    pinning auto-locking timer failed attempts counter encrypted user settings notes protection (e2ee) obfuscation anti-RE & anti-debugging continuous improvements prepare for incidents cossacklabs.com/blog/end-to-end-encryption-in-bear-app.html

  66. @vixentael passphrase encryption hint encryption zeroing secrets TLS / certificate

    pinning auto-locking timer failed attempts counter encrypted user settings obfuscation anti-RE & anti-debugging continuous improvements notes protection (e2ee) prepare for incidents cossacklabs.com/blog/end-to-end-encryption-in-bear-app.html

  67. @vixentael encrypted_passphrase = SecureCellSeal(data: user_passphrase, context: nil, key: generated_passphrase_key) decrypted_passphrase

    = SecureCellSeal(data: user_passphrase, context: nil, key: generated_passphrase_key) remember about breaking keychain AES-256-GCM, random IV/nonce, non-deterministic Passphrase encryption

  68. @vixentael Hint encryption

  69. @vixentael encrypted_hint = SecureCellSeal(data: hint, context: nil, key: generated_hint_key) decrypted_hint

    = SecureCellSeal(data: encrypted_hint, context: nil, key: generated_hint_key) Hint encryption AES-256-GCM, random IV/nonce, non-deterministic

  70. @vixentael Compatibility & incident response

  71. @vixentael Auto-locking timer clean up caches and decrypted data after

    T seconds let unlockDate = Date() ... let unlockedInterval = unlockDate.timeIntervalSinceNow();

  72. @vixentael Auto-locking timer clean up caches and decrypted data after

    T seconds let unlockDate = Date() ... let unlockedInterval = unlockDate.timeIntervalSinceNow(); timezones

  73. @vixentael Auto-locking timer monotonic https://twitter.com/wilshipley/status/1130973433120952321

  74. @vixentael Failed attempts counter, increasing delays t makes it harder

    to brute force the passphrase user_passphrase

  75. Key points

  76. 1. Encryption to protect data globally 
 (during the whole

    data flow / app lifecycle). 2. Whatever is the attack vector, there is a defense layer. 3. For most popular attack vectors, we want as many independent defenses as possible. Overlapped security controls ✅ ✅ ✅ @vixentael

  77. @vixentael passphrase encryption hint encryption prepare for incidents zeroing secrets

    TLS / certificate pinning auto-locking timer failed attempts counter encrypted user settings notes protection (e2ee) obfuscation anti-RE & anti-debugging continuous improvements cossacklabs.com/blog/end-to-end-encryption-in-bear-app.html

  78. @vixentael crypto gets harder if you need usability 1. E2EE

    for notes, synced between devices – Bear 2. Searchable encryption – Acra 3. E2EE for data collaboration – Hermes

  79. @vixentael OWASP ASVS / MASVS

  80. failure of single security control is a question of time

    failure of security system is a question of design

  81. @vixentael cryptographic tools, security consulting, training github.com/vixentael/ my-talks