Encryption Without Magic, Risk Management Without Pain

#security #crypto #databases #notmobile #trust #infrastructures #separation-of-duties #echelonization

1. What the attack surface is and how cryptography helps to narrow it.
2. Simple crypto-systems, but significant downsides.
3. Middleware-side encryption: protecting data in web-based infrastructures.
4. Client-side encryption: trust to mobile apps and code execution. E2EE. ZKA. ZKP.
5. Echelonization, and traditional techniques.

--------------------------------------


An in-depth technical inquiry into cryptography in a wider context: how it helps to narrow more significant risks down to controlled attack surfaces, how it enables managing risk efficiently and elegantly, and how tools and algorithms fit into the broader context of managing infrastructure-wide risks associated with handling sensitive data.

--------------------------------------

Links to follow:

12 and 1 ideas how to enhance backend data security
https://medium.com/@cossacklabs/12-and-1-ideas-how-to-enhance-backend-data-security-4b8ceb5ccb88

Explain Like I’m 5: Zero Knowledge Proof
https://hackernoon.com/eli5-zero-knowledge-proof-78a276db9eff

DevOps and security: from trenches to command centers
https://medium.com/@9gunpi/devops-and-security-from-trenches-to-command-centers-466dfb58fe5b

GDPR for engineers
https://www.cossacklabs.com/blog/gdpr-for-engineers.html

vixentael

March 04, 2018

Transcript

  1. 3.
  2. 5.

    CRYPTOGRAPHY? AES, DES, 3DES, CBC, CFB, SEAL, Salsa20, RSA, DSA, OFB, Blowfish, SHARK, RC4, DSS, ECB, CTR, Twofish, Camellia, SEED, Rabbit, ECDSA @vixentael
  3. 9.

    crypto is not a but a method to manage the attack surface
  4. 10.

    ATTACK SURFACE – all the possible places where sensitive data may be stolen by an adversary
    https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet
  5. 12.

    HANDLING SENSITIVE DATA WITH CARE
    – avoid plaintext as much as possible
    – manage keys properly
    – decrease the time plaintext secrets spend in memory
    – log, monitor and inspect
    – limit access to data
  6. 15.

    – attack surface is arbitrary
    – one container, one key
    – symmetric encryption with poor key management
    – key leaked → data leaked
  7. 22.
  8. 24.

    REAL-WORLD WEB SERVER
    – SQL injections
    – code injections
    – execution flow attacks
    – reflection attacks
    – XSS
    – crypto-miners everywhere
    – MitM
  9. 27.

    TRY SYMMETRIC ENCRYPTION?
    – encrypt/decrypt data using sym key
    – easy to steal a key
    https://www.alibabacloud.com/help/faq-detail/37505.htm
  10. 29.

    “COMBINED” ENCRYPTION
    enc_data = Enc(data, Krand)
    enc_key = Enc(Krand, PrivKweb, PubKtds)
    container = (enc_data, PubKweb, enc_key)
  11. 35.

    WHERE TO USE THIS TECHNIQUE?
    – micro-services infrastructure
    – public-oriented interfaces
    – non-trusted client side (browsers, IoT devices)
    – hard to store keys securely
  12. 37.
  13. 39.

    MOVE TRUST TO CLIENTS
    – session hijacking
    – unattended backups
    – MitM
    – replay attacks
    – misconfigured ACL
    – trusted element in infrastructure
  14. 42.

    ZKA is a design principle that enables software to provide services over protected client data without having unencrypted access to it.
  15. 44.

    ZKA INCLUDES:
    e2ee clients
    all operations are on encrypted data:
    – control access to data from different users
    – CRUD
    – search (in encrypted data)
  16. 50.

    COLLABORATING ON DATA
    – store encrypted
    – share with others
    – manage access to parties
    ???
  17. 52.

    CRYPTOGRAPHIC ACL
    give access to certain blocks of data to exact users
    github.com/cossacklabs/hermes-core
  18. 56.

    MORE POSSIBLE USE-CASES
    – shared audit logs
    – complex docs, spreadsheets
    – config files
    – file system
    – document store protection
  19. 60.

    Cryptography is well implemented if it allows you to narrow the attack surface and increase control over data.
  20. 63.

    EXCEPT CRYPTO, YOU ALSO NEED
    – log and monitor events
    – credential management
    – access control, access logging
    – firewall, IDS, infrastructure management ...
  21. 65.
  22. 66.

    THINGS TO REMEMBER
    1. cryptography aims to narrow the attack surface
    2. choose relevant encryption scheme
    3. combine cryptography and classic security techniques
    4. echelonization, compartmentalization
  23. 67.

    BACKEND SECURITY
    How to prevent database leaks and injections
    https://medium.freecodecamp.org/preventing-leaks-and-injections-in-your-database-be3743af7614
    12 and 1 ideas how to enhance backend data security
    https://medium.com/@cossacklabs/12-and-1-ideas-how-to-enhance-backend-data-security-4b8ceb5ccb88
    GDPR for engineers: technical requirements
    https://www.cossacklabs.com/blog/gdpr-for-engineers.html
    Insecure Transit - Microservice Security
    https://samnewman.io/talks/insecure-transit-microservice-security/
  24. 68.

    CRYPTOGRAPHY
    Explain Like I’m 5: Zero Knowledge Proof
    https://hackernoon.com/eli5-zero-knowledge-proof-78a276db9eff
    Secure Coding Cheat Sheet
    https://www.owasp.org/index.php/Secure_Coding_Cheat_Sheet
    Secure Coding Practices
    https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
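
The “combined” encryption from slide 29, written out as an added Node.js example that is not code from the deck: the web side encrypts data under a random Krand, wraps Krand for the holder of PrivKtds, and ships the three-part container. Assumptions not stated on the slide: X25519 key pairs, HKDF-SHA256 for the wrapping key, AES-256-GCM as Enc, a fresh PrivKweb per container, and all function names.

```javascript
const nodeCrypto = require('node:crypto');

// Enc(): AES-256-GCM; output is nonce || tag || ciphertext.
function seal(key, plaintext) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

// Reverses seal(); throws on a wrong key or any modified byte.
function open(key, sealed) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12), { authTagLength: 16 });
  d.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([d.update(sealed.subarray(28)), d.final()]);
}

// Key-wrapping key from X25519 ECDH; HKDF-SHA256 and the info label are assumptions.
function wrapKey(privateKey, publicKey) {
  const shared = nodeCrypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(nodeCrypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'combined-encryption', 32));
}

// Web server side: holds only PubKtds.
function encrypt(data, pubKtds) {
  // Assumption: PrivKweb is generated per container and dropped afterwards.
  const web = nodeCrypto.generateKeyPairSync('x25519');
  const kRand = nodeCrypto.randomBytes(32);
  return {
    encData: seal(kRand, data), // enc_data = Enc(data, Krand)
    pubKweb: web.publicKey.export({ type: 'spki', format: 'der' }),
    encKey: seal(wrapKey(web.privateKey, pubKtds), kRand), // enc_key = Enc(Krand, PrivKweb, PubKtds)
  };
}

// Decrypting side: holds PrivKtds and reads PubKweb from the container.
function decrypt(container, privKtds) {
  const pubKweb = nodeCrypto.createPublicKey({ key: container.pubKweb, type: 'spki', format: 'der' });
  const kRand = open(wrapKey(privKtds, pubKweb), container.encKey);
  return open(kRand, container.encData);
}

// Constructed demo: key pair of the decrypting side and one sample record.
const demoTds = nodeCrypto.generateKeyPairSync('x25519');
const demoBox = encrypt(Buffer.from('constructed sample record'), demoTds.publicKey);
console.log(decrypt(demoBox, demoTds.privateKey).toString());
```

Under the per-container key assumption, nothing that stays on the web server after `encrypt` returns can open a stored container; only PrivKtds can.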