10 lines of encryption, 1500 lines of key management

Often when users ask for some features, they don’t understand how long it takes to make them. When features are related to security, developers also often don’t understand how long it will take.

I will show a real case of one large note-taking app that decided to implement convenient note encryption and note locking for its existing user base. But finding a balance between usability, security and mobile platforms' restrictions is complicated.

We will start with the security design scheme, then select the proper encryption library, then implement the flow, and prepare for incidents. Now, think about it: cryptography is only chapter 3 in OWASP MASVS (7 chapters in total). Even the best cryptography will fail if basic security controls are badly implemented.

Points we will go through: the difference between "locking" and "encrypting"; the difference between a password and an encryption key; how to sync passwords between devices; what exactly to store in the keychain/keystore; how to use proper cryptography (AES CBC or AES GCM, random salt? IV? padding? what the hell is this mess); how to use biometrics (we don’t want to bother the user, so let’s use the biometric keychain, but what if users change their fingerprints: shall we invalidate all passwords?); and updating the encryption version (imagine a vulnerability is discovered in our library or app: how do we update the cipher and softly migrate users to the new one, if users don’t even have a clue that encryption was versioned?).

In the end, this is just one simple JIRA ticket, "let's encrypt the notes", through the eyes of a security software engineer :)

Other talks and videos:
https://github.com/vixentael/my-talks

vixentael

July 28, 2019

Transcript

  1. 10 lines of encryption,
    1500 lines of key management
    @vixentael


  2. @vixentael
    product engineer in security
    and cryptography
    OSS maintainer: Themis, Acra
    cryptographic tools, security
    engineering, datasec training


  3. cossacklabs.com
    Data security solutions
    @vixentael
    We help you focus on serving your customers better, while
    relieving your team from security engineering pains and
    making your users confident that their data is safe with you.


  4. @vixentael
    zero knowledge searchable encryption
    cossacklabs.com/acra/
    e2ee data collaboration
    cossacklabs.com/hermes/
    zero knowledge authentication
    github.com/cossacklabs/themis/wiki/Secure-Comparator-cryptosystem
    cossacklabs.com/whitepapers/



  6. USABLE


  7. Data encryption without
    compromising UX


  8. @vixentael
    1. Three principles of security engineering
    (decision making in security, boring crypto, defense in depth)
    2. E2EE for Bear.app: data model & key management
    3. Defense in depth security controls
    4. Cat

  9. @vixentael


  10. GDPR
    @vixentael
    Article 32/35: responsibly store and process
    data according to risks


    Article 33/34: detecting data leakage and
    alert users & controller
    https://gdpr-info.eu/


  11. @vixentael
    https://gdpr-info.eu/
    Article 32


  12. @vixentael
    US Department of Defense


  13. @vixentael
    US Department of Defense
    https://media.defense.gov/2018/Apr/22/2001906836/-1/-1/0/DEFENSEINNOVATIONBOARD_TEN_COMMANDMENTS_OF_SOFTWARE_2018.04.20.PDF

  14. @vixentael
    Apple privacy policy update
    https://developer.apple.com/news/?id=06032019j


  15. @vixentael
    Google
    https://support.google.com/cloud/answer/9110914


  16. @vixentael
    Decision making in security 101


  17. @vixentael
    Decision making in security 101
    1. “just because we can”
    2. every app should have security features
    3. understanding risks & threats

  18. @vixentael
    Decision making in security 101
    1. “just because we can”
    2. every app should have security features
    3. understanding risks & threats

  19. @vixentael
    app flow
    app
    features
    code
    user
    problem


  20. risk & threat
    model
    security
    methods
    security
    controls
    libraries/
    code
    app flow
    app
    features
    code
    user
    problem
    @vixentael


  21. @vixentael
    risk model & threat model
    create demands for security


  22. @vixentael
    Data & risks
    PII
    User data Service data
    likes, preferences
    purchase history
    logs
    keys, accesses, API tokens
    backups
    configurations
    locations


  23. @vixentael
    Data & risks
    compliance risks
    legal risks
    reputational risks
    continuity risks
    User data Service data
    reputational risks
    medium.com/@cossacklabs/trick-or-threat-security-losses-for-business-f5b44243d89c

  24. @vixentael
    Boring crypto


  25. @vixentael
    269 CVEs from 2011-2014
    17%: bugs inside crypto libs
    83%: misuses of crypto libs by individual apps
    https://pdos.csail.mit.edu/papers/cryptobugs:apsys14.pdf

  26. — crypto that simply works, solidly
    resists attacks, never needs any
    upgrades
    https://cr.yp.to/talks/2015.10.05/slides-djb-20151005-a4.pdf
    Daniel J. Bernstein
    Boring crypto
    @vixentael


  27. encryption integration
    abstraction level
    complexity
    @vixentael


  28. encryption integration
    abstraction level
    complexity
    cipher
    crypto-library
    crypto-system
    boxed solution
    @vixentael
    pain


  29. @vixentael
    easy to make mistakes

  30. @vixentael
    easy to make mistakes
    should be random
    should use KDF(key)
    uses AES CBC, not AES GCM
    padding? salt?

  31. Themis: hard to make mistakes
    @vixentael
    github.com/cossacklabs/themis


  32. @vixentael
    Themis: hard to make mistakes
    hides cryptographic details: salt, IV, KDF, padding
    built-in KDF, safe to use passphrase
    uses AES-256-GCM
    github.com/cossacklabs/themis

  33. https://github.com/vixentael/my-talks#dont-waste-time-on-learning-cryptography-better-use-it-properly
    see full talk about Boring crypto
    @vixentael


  34. @vixentael
    Defense in depth


  35. @vixentael


  36. Defense in depth –
    independent, yet interconnected,
    set of security controls
    aimed at mitigating multiple risks
    during the whole application flow
    @vixentael


  37. @vixentael
    Overlapped security controls
    1. Encryption to protect data globally (during the whole data flow / app lifecycle).
    2. Whatever is the attack vector, there is a defense layer.
    3. For most popular attack vectors, we want as many independent defenses as possible.

  38. @vixentael
    encryption &
    key mngmt
    AAA
    WAF
    honey pots
    IDS
    infra mngmt
    compartmentalization
    authenticated crypto & integrity checks
    access logging
    jailbans
    monitoring
    data firewall
    SIEM
    HIDS
    DAST
    SAST
    KMS
    HSM
    PKI
    TPM
    honey tokens
    RTFM
    dep mngmt
    UEBA
    IAM
    TLS
    TDE
    AEAD


  39. @vixentael
    Lines of defense


  40. @vixentael


  41. @vixentael
    10 lines of encryption,
    1500 lines of key management


  42. @vixentael
    10 lines of encryption,
    1500 lines of key management
    60
    3000


  43. bear.app


  44. @vixentael
    End-to-end encryption in Bear
    blog.bear.app/
    cossacklabs.com/blog/


  45. @vixentael
    Bear e2ee for notes
    • smooth UX
    • not finance/banking app
    • syncing between all user’s devices
    • privacy
    • incident response
    • next versions: Web/Electron

  46. @vixentael
    Results
    1. fast & smooth
    2. notes are encrypted using unique keys (per app per user)
    3. user passphrase is never stored in plaintext
    4. data in Keychain is encrypted
    5. notes & passphrases are synced between devices

  47. @vixentael
    UX is important –
    we made the security scheme more
    complex from an engineering perspective,
    but less stressful for users.


  48. @vixentael
    note encryption
    & note locking


  49. @vixentael
    app locking


  50. @vixentael
    note encryption != note locking != app locking


  51. @vixentael
    note encryption != note locking != app locking
    note encryption: encryption
    note locking: authentication
    app locking: authentication

  52. @vixentael
    Data model
    note text: plaintext
    user passphrase: user input
    note encryption key: unique per note

  53. @vixentael
    Threats
                          Access    Disclosure  Modification  Access denial
    note text             Moderate  Critical    Critical      High
    user passphrase       Moderate  Critical    Critical      Critical
    note encryption key   Moderate  Low         Low           Moderate

  54. @vixentael
    Trust model
    Device filesystem: Medium
    Device process memory: High
    Device keychain & secure enclave: High
    Transport, iCloud database: Medium
    iCloud Keychain: Medium

  55. @vixentael
    Breaking Keychain
    youtube.com/watch?v=EUGDa0Z71uk youtube.com/watch?v=sR6KeCaCRMA
    github.com/LinusHenze/Keysteal
    macOS keychain:
    https://thetapedrive.com/face-id-fail-ios-13
    iOS13 beta keychain:


  56. @vixentael
    We have more trust towards
    the data stored on the device
    than the data stored in a cloud


  57. @vixentael
    Key model


  58. @vixentael
    from user mind or
    password mngr
    cached for some
    time
    calculated before
    usage
    Keychain,
    Secure Enclave
    Key model


  59. @vixentael
    Multiple caches to minimize user distractions
    user Keychain
    SecureEnclave
    iCloudKeychain
    in memory
    cache
    temp var
    password
    manager


  60. @vixentael
    App encryption key
    Key stretching: KDF, deterministic
    long_data = user_passphrase + gen_passphrase_pwd + gen_app_context
    app_encryption_key = SecureCellContextImprint(data: long_data,
                                                  context: generated_app_context,
                                                  key: user_passphrase)
    github.com/cossacklabs/themis

  61. @vixentael
    App encryption key, note encryption key
    Key stretching: KDF, deterministic
    long_data = user_passphrase + gen_passphrase_pwd + gen_app_context
    app_encryption_key = SecureCellContextImprint(data: long_data,
                                                  context: generated_app_context,
                                                  key: user_passphrase)
    long_data = app_encryption_key + gen_passphrase_pwd + gen_app_context
    note_encryption_key = SecureCellContextImprint(data: long_data,
                                                   context: note_encryption_id,
                                                   key: app_encryption_key)
    github.com/cossacklabs/themis
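
The passphrase to app key to note key chain from the two slides above, as an added example that is not from the talk or from Bear. PBKDF2 and HMAC-SHA256 from the Python standard library stand in for Themis's `SecureCellContextImprint`; the function names, version label and iteration count are assumptions.

```python
import hashlib
import hmac

KEY_LEN = 32             # 256-bit keys, matching AES-256-GCM on the slides
SCHEME_VERSION = b"v1"   # hypothetical label: lets a future scheme coexist
PBKDF2_ROUNDS = 600_000  # assumed work factor, tune per target device


def derive_app_key(user_passphrase: str, app_context: bytes) -> bytes:
    """Stretch the passphrase into the per-user app encryption key.

    app_context plays the role of the generated app context on the slide:
    it is used as salt, so it is synced between devices but is not secret.
    """
    salt = SCHEME_VERSION + b"|app|" + app_context
    return hashlib.pbkdf2_hmac("sha256", user_passphrase.encode("utf-8"),
                               salt, PBKDF2_ROUNDS, dklen=KEY_LEN)


def derive_note_key(app_key: bytes, note_encryption_id: bytes) -> bytes:
    """Derive a key unique to one note (single-block HKDF-Expand, RFC 5869)."""
    info = SCHEME_VERSION + b"|note|" + note_encryption_id
    return hmac.new(app_key, info + b"\x01", hashlib.sha256).digest()


if __name__ == "__main__":
    # Constructed sample values: two devices that share only the passphrase
    # (typed by the user) and the synced, non-secret context and note id.
    ctx = b"constructed-user-app-context"
    phone = derive_note_key(derive_app_key("correct horse", ctx), b"note-0001")
    laptop = derive_note_key(derive_app_key("correct horse", ctx), b"note-0001")
    other = derive_note_key(derive_app_key("correct horse", ctx), b"note-0002")
    print("same key on both devices:", phone == laptop)
    print("different key per note:  ", phone != other)
```

Because both steps are deterministic, no key ever has to be synced: each device recomputes the same note key from the typed passphrase and the synced identifiers.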


  62. @vixentael
    Notes encryption
    AES-256-GCM, random IV/nonce, non-deterministic
    encrypted_note = SecureCellSeal(data: note_text,
                                    context: note_encryption_id,
                                    key: note_encryption_key)
    decrypted_note = SecureCellSeal(data: encrypted_note,
                                    context: note_encryption_id,
                                    key: note_encryption_key)
    github.com/cossacklabs/themis

  63. @vixentael
    Overlapped security controls
    1. Encryption to protect data globally (during the whole data flow / app lifecycle).
    2. Whatever is the attack vector, there is a defense layer.
    3. For most popular attack vectors, we want as many independent defenses as possible.

  64. @vixentael
    notes
    protection
    (e2ee)


  65. @vixentael
    passphrase
    encryption
    hint
    encryption
    zeroing
    secrets
    TLS / certificate
    pinning
    auto-locking
    timer
    failed attempts
    counter
    encrypted user
    settings
    notes
    protection
    (e2ee) obfuscation
    anti-RE &
    anti-debugging
    continuous
    improvements
    prepare for
    incidents
    cossacklabs.com/blog/end-to-end-encryption-in-bear-app.html


  66. @vixentael
    passphrase
    encryption
    hint
    encryption
    zeroing
    secrets
    TLS / certificate
    pinning
    auto-locking
    timer
    failed attempts
    counter
    encrypted user
    settings
    obfuscation
    anti-RE &
    anti-debugging
    continuous
    improvements
    notes
    protection
    (e2ee)
    prepare for
    incidents
    cossacklabs.com/blog/end-to-end-encryption-in-bear-app.html


  67. @vixentael
    Passphrase encryption
    AES-256-GCM, random IV/nonce, non-deterministic
    encrypted_passphrase = SecureCellSeal(data: user_passphrase,
                                          context: nil,
                                          key: generated_passphrase_key)
    decrypted_passphrase = SecureCellSeal(data: encrypted_passphrase,
                                          context: nil,
                                          key: generated_passphrase_key)
    remember about breaking keychain

  68. @vixentael
    Hint encryption


  69. @vixentael
    Hint encryption
    AES-256-GCM, random IV/nonce, non-deterministic
    encrypted_hint = SecureCellSeal(data: hint,
                                    context: nil,
                                    key: generated_hint_key)
    decrypted_hint = SecureCellSeal(data: encrypted_hint,
                                    context: nil,
                                    key: generated_hint_key)

  70. @vixentael
    Compatibility & incident response


  71. @vixentael
    Auto-locking timer
    clean up caches and decrypted data after T seconds
    let unlockDate = Date()
    ...
    let unlockedInterval = -unlockDate.timeIntervalSinceNow  // seconds since unlock, wall clock

  72. @vixentael
    Auto-locking timer
    clean up caches and decrypted data after T seconds
    let unlockDate = Date()
    ...
    let unlockedInterval = -unlockDate.timeIntervalSinceNow  // seconds since unlock, wall clock
    timezones

  73. @vixentael
    Auto-locking timer monotonic
    https://twitter.com/wilshipley/status/1130973433120952321


  74. @vixentael
    Failed attempts counter, increasing delays
    t
    makes it harder to brute force
    the passphrase
    user_passphrase
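
An added example (not code from the talk or from Bear) of the last two controls together: the auto-locking timer and the failed attempts counter with increasing delays, both driven by a monotonic clock instead of the wall clock. The class name, timeout and delay values are assumptions.

```python
import time


class NoteLock:
    """Auto-lock after `timeout` seconds and throttle failed unlock attempts.

    Uses a monotonic clock, so changing the device date or time zone can
    neither keep notes unlocked longer nor skip a retry delay.
    """

    def __init__(self, timeout=120.0, base_delay=1.0, max_delay=300.0,
                 clock=time.monotonic):
        self.timeout, self.base_delay, self.max_delay = timeout, base_delay, max_delay
        self.clock = clock
        self.unlocked_at = None      # monotonic timestamp of the last unlock
        self.failed_attempts = 0
        self.retry_not_before = 0.0  # monotonic timestamp

    def retry_delay(self) -> float:
        """Seconds the caller must still wait before the next attempt."""
        return max(0.0, self.retry_not_before - self.clock())

    def try_unlock(self, passphrase_ok: bool) -> str:
        if self.retry_delay() > 0:
            return "throttled"       # attempt is not evaluated at all
        if not passphrase_ok:
            self.failed_attempts += 1
            delay = min(self.max_delay,
                        self.base_delay * 2 ** (self.failed_attempts - 1))
            self.retry_not_before = self.clock() + delay
            return "rejected"
        self.failed_attempts = 0
        self.unlocked_at = self.clock()
        return "unlocked"

    def is_unlocked(self) -> bool:
        if self.unlocked_at is None:
            return False
        if self.clock() - self.unlocked_at >= self.timeout:
            self.lock()
        return self.unlocked_at is not None

    def lock(self):
        # This is where cached keys and decrypted note text would be wiped.
        self.unlocked_at = None
```

Monotonic readings are only comparable within one boot, so a failed-attempt count that is persisted across restarts should start a fresh delay after reboot instead of comparing stored timestamps.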


  75. Key points


  76. @vixentael
    Overlapped security controls
    1. Encryption to protect data globally (during the whole data flow / app lifecycle).
    2. Whatever is the attack vector, there is a defense layer.
    3. For most popular attack vectors, we want as many independent defenses as possible.

  77. @vixentael
    passphrase
    encryption
    hint
    encryption
    prepare for
    incidents
    zeroing
    secrets
    TLS / certificate
    pinning
    auto-locking
    timer
    failed attempts
    counter
    encrypted user
    settings
    notes
    protection
    (e2ee) obfuscation
    anti-RE &
    anti-debugging
    continuous
    improvements
    cossacklabs.com/blog/end-to-end-encryption-in-bear-app.html


  78. @vixentael
    crypto gets harder if you need usability
    1. E2EE for notes, synced between devices – Bear
    2. Searchable encryption – Acra
    3. E2EE for data collaboration – Hermes

  79. @vixentael
    OWASP ASVS / MASVS


  80. failure of single security control is
    a question of time
    failure of security system is
    a question of design


  81. @vixentael
    cryptographic tools, security consulting, training
    github.com/vixentael/my-talks