10 lines of encryption, 1500 lines of key management

Often, when users ask for a feature, they don't understand how long it takes to build. When the feature is security-related, the developers often don't understand it either.

I will walk through the real case of one large note-taking app that decided to implement convenient note encryption and note locking for its existing user base. Finding a balance between usability, security and the restrictions of mobile platforms turned out to be complicated.

We will start with the security design scheme, then select a proper encryption library, then implement the flow, and prepare for incidents. Now, think about it: cryptography is only chapter 3 of OWASP MASVS (7 chapters in total). Even the best cryptography will fail if the basic security controls are badly implemented.

Points we will go through: the difference between "locking" and "encrypting"; the difference between a password and an encryption key; how to sync passwords between devices; what exactly to store in the keychain/keystore; how to use cryptography properly (AES-CBC or AES-GCM? random salt? IV? padding? what the hell is this mess); how to use biometrics (we don't want to bother the user, so let's use the biometric keychain, but what if users change their fingerprints, shall we invalidate all passwords?); and updating the encryption version (imagine a vulnerability is discovered in our library or app: how do we update the cipher and softly migrate users to the new one, when users don't even have a clue that the encryption was versioned?).

In the end, this is only one simple JIRA ticket, "let's encrypt the notes", seen through the eyes of a security software engineer :)

Other talks and videos:
https://github.com/vixentael/my-talks

vixentael

July 28, 2019

Transcript

  1. 10 lines of encryption, 1500 lines of key management @vixentael

  2. @vixentael: product engineer in security and cryptography, OSS maintainer of Themis and Acra; cryptographic tools, security engineering, datasec training
  3. cossacklabs.com, data security solutions. We help you focus on serving your customers better, while relieving your team from security engineering pains and making your users confident that their data is safe with you.
  4. Zero knowledge searchable encryption: cossacklabs.com/acra/; e2ee data collaboration: cossacklabs.com/hermes/; zero knowledge authentication: github.com/cossacklabs/themis/wiki/Secure-Comparator-cryptosystem; cossacklabs.com/whitepapers/
  5. None
  6. USABLE

  7. Data encryption without compromising UX

  8. 1. Three principles of security engineering (decision making in security, boring crypto, defense in depth) 2. E2EE for Bear.app: data model & key management 3. Defense in depth security controls 4. Cat
  9. @vixentael

  10. GDPR Article 32/35: responsibly store and process data according to risks. Article 33/34: detect data leakage and alert users & the controller. https://gdpr-info.eu/
  11. Article 32, https://gdpr-info.eu/

  12. US Department of Defense
  13. US Department of Defense: https://media.defense.gov/2018/Apr/22/2001906836/-1/-1/0/DEFENSEINNOVATIONBOARD_TEN_COMMANDMENTS_OF_SOFTWARE_2018.04.20.PDF
  14. Apple privacy policy update: https://developer.apple.com/news/?id=06032019j
  15. Google: https://support.google.com/cloud/answer/9110914
  16. Decision making in security 101
  17. Decision making in security 101: 1. “just because we can” 2. every app should have security features 3. understanding risks & threats
  18. Decision making in security 101: 1. “just because we can” 2. every app should have security features 3. understanding risks & threats ✅
  19. user problem, app features, app flow, code
  20. risk & threat model, security methods, security controls, libraries/code (alongside: user problem, app features, app flow, code)
  21. risk model & threat model create demands for security
  22. Data & risks: PII, user data (likes, preferences, purchase history, locations) and service data (logs, keys, accesses, API tokens, backups, configurations)
  23. Data & risks: compliance risks, legal risks, reputational risks, continuity risks (user data, service data). medium.com/@cossacklabs/trick-or-threat-security-losses-for-business-f5b44243d89c
  24. Boring crypto
  25. 269 CVEs from 2011-2014: 17% bugs inside crypto libs, 83% misuses of crypto libs by individual apps. https://pdos.csail.mit.edu/papers/cryptobugs:apsys14.pdf
  26. Boring crypto: crypto that simply works, solidly resists attacks, never needs any upgrades. Daniel J. Bernstein, https://cr.yp.to/talks/2015.10.05/slides-djb-20151005-a4.pdf
  27. encryption integration: abstraction level vs complexity
  28. encryption integration, abstraction level vs complexity: cipher, crypto-library, crypto-system, boxed solution (pain)
  29. easy to make mistakes
  30. easy to make mistakes: should be random; should use KDF(key); uses AES CBC, not AES GCM; padding? salt?
  31. Themis: hard to make mistakes. github.com/cossacklabs/themis
  32. Themis: hard to make mistakes. Hides cryptographic details (salt, IV, KDF, padding); built-in KDF, safe to use with a passphrase; uses AES-256-GCM. github.com/cossacklabs/themis
  33. See the full talk about Boring crypto: https://github.com/vixentael/my-talks#dont-waste-time-on-learning-cryptography-better-use-it-properly

  34. Defense in depth
  35. @vixentael
  36. Defense in depth: an independent, yet interconnected, set of security controls aimed at mitigating multiple risks during the whole application flow
  37. Overlapped security controls: 1. Encryption to protect data globally (during the whole data flow / app lifecycle). 2. Whatever the attack vector is, there is a defense layer. 3. For the most popular attack vectors, we want as many independent defenses as possible.
  38. encryption & key mngmt, AAA, WAF, honey pots, IDS, infra mngmt, compartmentalization, authenticated crypto & integrity checks, access logging, jailbans, monitoring, data firewall, SIEM, HIDS, DAST, SAST, KMS, HSM, PKI, TPM, honey tokens, RTFM, dep mngmt, UEBA, IAM, TLS, TDE, AEAD
  39. Lines of defense

  40. @vixentael

  41. 10 lines of encryption, 1500 lines of key management
  42. 10 lines of encryption, 1500 lines of key management (60 / 3000)
  43. bear.app
  44. End-to-end encryption in Bear: blog.bear.app/, cossacklabs.com/blog/
  45. Bear e2ee for notes: • smooth UX • not a finance/banking app • syncing between all user’s devices • privacy • incident response • next versions: Web/Electron
  46. Results: 1. fast & smooth 2. notes are encrypted using unique keys (per app per user) 3. user passphrase is never stored in plaintext 4. data in Keychain is encrypted 5. notes & passphrases are synced between devices
  47. UX is important: we made the security scheme more complex from an engineering perspective, but less stressful for users.
  48. note encryption & note locking
  49. app locking
  50. note encryption != note locking != app locking
  51. note encryption (encryption) != note locking (authentication) != app locking (authentication)
  52. Data model: note text (plaintext), user passphrase (user input), note encryption key (unique per note)
  53. Threats, impact of Access / Disclosure / Modification / Access denial:
    note text: Moderate / Critical / Critical / High
    user passphrase: Moderate / Critical / Critical / Critical
    note encryption key: Moderate / Low / Low / Moderate
  54. Trust model: Device filesystem, Device process memory, Device keychain & secure enclave, Transport, iCloud database, iCloud Keychain (trust levels on the slide: Medium, High, High, Medium, Medium)
  55. Breaking Keychain: youtube.com/watch?v=EUGDa0Z71uk, youtube.com/watch?v=sR6KeCaCRMA; macOS keychain: github.com/LinusHenze/Keysteal; iOS 13 beta keychain: https://thetapedrive.com/face-id-fail-ios-13
  56. We have more trust towards the data stored on the device than the data stored in a cloud
  57. Key model
  58. Key model: from the user’s mind or a password manager; cached for some time; calculated before usage; Keychain, Secure Enclave
  59. Multiple caches to minimize user distractions: user, password manager, Keychain, SecureEnclave, iCloudKeychain, in-memory cache, temp var
  60. App encryption key. Key stretching: KDF, deterministic. github.com/cossacklabs/themis
    long_data = user_passphrase + gen_passphrase_pwd + gen_app_context
    app_encryption_key = SecureCellContextImprint(data: long_data, context: generated_app_context, key: user_passphrase)
  61. App encryption key, note encryption key. Key stretching: KDF, deterministic. github.com/cossacklabs/themis
    long_data = user_passphrase + gen_passphrase_pwd + gen_app_context
    app_encryption_key = SecureCellContextImprint(data: long_data, context: generated_app_context, key: user_passphrase)
    long_data = app_encryption_key + gen_passphrase_pwd + gen_app_context
    note_encryption_key = SecureCellContextImprint(data: long_data, context: note_encryption_id, key: app_encryption_key)
  62. Notes encryption: AES-256-GCM, random IV/nonce, non-deterministic. github.com/cossacklabs/themis
    encrypted_note = SecureCellSeal(data: note_text, context: note_encryption_id, key: note_encryption_key)
    decrypted_note = SecureCellSeal(data: encrypted_note, context: note_encryption_id, key: note_encryption_key)
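The derivation chain of slides 60 and 61, as an added example that is not Bear's or Themis's code: context_imprint() is a standard-library stand-in for Themis Secure Cell context imprint mode (assumed here to be a deterministic, context-bound keyed derivation), and the Seal-mode note encryption of slide 62 is left out.

```python
import hashlib
import hmac
import secrets

# Added illustration of the key hierarchy on slides 60-61; not Bear's or Themis's code.
# context_imprint() is a stand-in for Themis SecureCellContextImprint (a deterministic,
# context-bound keyed derivation), built from PBKDF2-HMAC-SHA256 plus HMAC so it runs
# with the standard library only. Note encryption itself (Secure Cell Seal) is not modelled.

KEY_LEN = 32  # 256-bit keys, matching the AES-256-GCM that Themis Seal mode uses

def context_imprint(data: bytes, context: bytes, key: bytes) -> bytes:
    """Same (data, context, key) always yields the same output: no salt, no IV.
    PBKDF2 stretches a low-entropy key (a passphrase); HMAC binds the data."""
    stretched = hashlib.pbkdf2_hmac("sha256", key, context, 100_000, KEY_LEN)
    return hmac.new(stretched, data, hashlib.sha256).digest()

def app_encryption_key(user_passphrase: bytes, gen_passphrase_pwd: bytes,
                       gen_app_context: bytes) -> bytes:
    # Slide 60: long_data = user_passphrase + gen_passphrase_pwd + gen_app_context
    long_data = user_passphrase + gen_passphrase_pwd + gen_app_context
    return context_imprint(long_data, gen_app_context, user_passphrase)

def note_encryption_key(app_key: bytes, gen_passphrase_pwd: bytes,
                        gen_app_context: bytes, note_encryption_id: bytes) -> bytes:
    # Slide 61: the same construction one level down, bound to the note's id
    long_data = app_key + gen_passphrase_pwd + gen_app_context
    return context_imprint(long_data, note_encryption_id, app_key)

def derive_note_key(user_passphrase: bytes, gen_passphrase_pwd: bytes,
                    gen_app_context: bytes, note_encryption_id: bytes) -> bytes:
    """Full chain passphrase -> app key -> note key. Nothing in it is stored: a second
    device holding the same synced generated values recomputes the same note key."""
    app_key = app_encryption_key(user_passphrase, gen_passphrase_pwd, gen_app_context)
    return note_encryption_key(app_key, gen_passphrase_pwd, gen_app_context, note_encryption_id)

if __name__ == "__main__":
    # Constructed sample values; the generated ones come from a CSPRNG once per user/app.
    pwd, ctx = secrets.token_bytes(32), secrets.token_bytes(16)
    k1 = derive_note_key(b"correct horse", pwd, ctx, b"note-1")
    assert k1 == derive_note_key(b"correct horse", pwd, ctx, b"note-1")  # deterministic
    assert k1 != derive_note_key(b"correct horse", pwd, ctx, b"note-2")  # unique per note
    assert k1 != derive_note_key(b"wrong passphrase", pwd, ctx, b"note-1")
    print("note key derived:", k1.hex())
```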
  63. Overlapped security controls ✅: 1. Encryption to protect data globally (during the whole data flow / app lifecycle). 2. Whatever the attack vector is, there is a defense layer. 3. For the most popular attack vectors, we want as many independent defenses as possible.
  64. notes protection (e2ee)
  65. passphrase encryption, hint encryption, zeroing secrets, TLS / certificate pinning, auto-locking timer, failed attempts counter, encrypted user settings, notes protection (e2ee), obfuscation, anti-RE & anti-debugging, continuous improvements, prepare for incidents. cossacklabs.com/blog/end-to-end-encryption-in-bear-app.html
  66. passphrase encryption, hint encryption, zeroing secrets, TLS / certificate pinning, auto-locking timer, failed attempts counter, encrypted user settings, obfuscation, anti-RE & anti-debugging, continuous improvements, notes protection (e2ee), prepare for incidents. cossacklabs.com/blog/end-to-end-encryption-in-bear-app.html
  67. Passphrase encryption: AES-256-GCM, random IV/nonce, non-deterministic. Remember about breaking keychain.
    encrypted_passphrase = SecureCellSeal(data: user_passphrase, context: nil, key: generated_passphrase_key)
    decrypted_passphrase = SecureCellSeal(data: encrypted_passphrase, context: nil, key: generated_passphrase_key)
  68. Hint encryption
  69. Hint encryption: AES-256-GCM, random IV/nonce, non-deterministic
    encrypted_hint = SecureCellSeal(data: hint, context: nil, key: generated_hint_key)
    decrypted_hint = SecureCellSeal(data: encrypted_hint, context: nil, key: generated_hint_key)
  70. Compatibility & incident response
  71. Auto-locking timer: clean up caches and decrypted data after T seconds
    let unlockDate = Date()
    ...
    let unlockedInterval = unlockDate.timeIntervalSinceNow
  72. Auto-locking timer: clean up caches and decrypted data after T seconds (timezones)
    let unlockDate = Date()
    ...
    let unlockedInterval = unlockDate.timeIntervalSinceNow
  73. Auto-locking timer: monotonic. https://twitter.com/wilshipley/status/1130973433120952321
  74. Failed attempts counter, increasing delays t: makes it harder to brute force the user_passphrase
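The auto-locking timer and failed attempts counter of slides 71 to 74, as an added example in Python rather than Bear's Swift (not the app's code): the clock is injected so the timeout can be checked without waiting, and the default clock is monotonic, which is the point of slide 73.

```python
import time

# Added illustration of slides 71-74 (auto-locking timer, failed attempts counter); not
# Bear's code. The clock is injected so the lock can be exercised without sleeping; it is
# monotonic by default because Date().timeIntervalSinceNow jumps with device clock changes.

class UnlockSession:
    def __init__(self, timeout_s: float, clock=time.monotonic):
        self.timeout_s, self.clock = timeout_s, clock
        self.unlocked_at = None
        self.cache = bytearray()  # decrypted data / keys live here while unlocked

    def unlock(self, secret: bytes) -> None:
        self.cache, self.unlocked_at = bytearray(secret), self.clock()

    def lock(self) -> None:
        for i in range(len(self.cache)):  # zero in place before dropping the buffer
            self.cache[i] = 0
        self.cache, self.unlocked_at = bytearray(), None

    def is_unlocked(self) -> bool:
        if self.unlocked_at is not None and self.clock() - self.unlocked_at >= self.timeout_s:
            self.lock()  # T seconds elapsed: clean up caches and decrypted data
        return self.unlocked_at is not None

class FailedAttempts:
    """Every failed passphrase check doubles the wait before the next one, up to a cap."""
    def __init__(self, base_s: float = 1.0, cap_s: float = 300.0, clock=time.monotonic):
        self.base_s, self.cap_s, self.clock = base_s, cap_s, clock
        self.failures, self.next_allowed = 0, 0.0

    def delay_for(self, failures: int) -> float:
        return 0.0 if failures == 0 else min(self.cap_s, self.base_s * 2 ** (failures - 1))

    def can_try(self) -> bool:  # the passphrase check must wait until this is True
        return self.clock() >= self.next_allowed

    def record(self, success: bool) -> float:  # returns the delay now imposed
        self.failures = 0 if success else self.failures + 1
        self.next_allowed = self.clock() + self.delay_for(self.failures)
        return self.delay_for(self.failures)

def simulate_autolock(timeout_s: float, checkpoints: list) -> list:
    # Drive a session with a fake clock; returns is_unlocked() at each checkpoint
    now = [0.0]
    session = UnlockSession(timeout_s, clock=lambda: now[0])
    session.unlock(b"constructed note key")
    def step(t):
        now[0] = t
        return session.is_unlocked()
    return [step(t) for t in checkpoints]
```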
  75. Key points
  76. Overlapped security controls ✅ ✅ ✅: 1. Encryption to protect data globally (during the whole data flow / app lifecycle). 2. Whatever the attack vector is, there is a defense layer. 3. For the most popular attack vectors, we want as many independent defenses as possible.
  77. prepare for incidents: passphrase encryption, hint encryption, zeroing secrets, TLS / certificate pinning, auto-locking timer, failed attempts counter, encrypted user settings, notes protection (e2ee), obfuscation, anti-RE & anti-debugging, continuous improvements. cossacklabs.com/blog/end-to-end-encryption-in-bear-app.html
  78. crypto gets harder if you need usability: 1. E2EE for notes, synced between devices – Bear 2. Searchable encryption – Acra 3. E2EE for data collaboration – Hermes
  79. OWASP ASVS / MASVS
  80. failure of a single security control is a question of time; failure of a security system is a question of design
  81. cryptographic tools, security consulting, training. github.com/vixentael/my-talks