Keys from the castle: ancient art of managing keys and trust

vixentael
April 24, 2017

Key management slides for mobile developers (targeted at iOS devs, but useful for everyone).

#iosdev #security #trust #keys

- establishing trust
- what is a key?
- building a key management system: key generation, access, storage, revocation, etc.
- key management for iOS

--------------------------------------

If you can't tap on the link inside slides, please open as pdf (button on the right).

--------------------------------------

We will talk about building trust. Trust is built around various trust tokens: keys, passwords, secrets, biometric properties, things you have and things you know. We will talk about what you should trust, how to establish and verify trust, and how to share it in a trusted way among different users. We will discuss technical aspects: key exchange, key trust, key derivation, channel trust, multi-factor authentication. I will try to make the audience understand how this huge universe of tools and algorithms serves just one purpose: letting the right guys in and keeping the wrong guys outside our magical castle. And fairies there should be!

--------------------------------------

text:
https://medium.com/@vixentael/key-management-approaches-for-mobile-apps-57bb4db63906

--------------------------------------

videos:

#craftconf17
http://www.ustream.tv/recorded/102860531

#appbuilders17
https://www.youtube.com/watch?v=5U3FfQUmcV4&feature=youtu.be


Transcript

  1. KEYS FROM THE CASTLE: ANCIENT ART OF MANAGING KEYS AND TRUST

    @vixentael #appbuilders17
  2. WE ALL FAIL IN BUILDING SECURE MOBILE APPS

  3. @vixentael

    Lead Developer at stanfy.com, Core Contributor at themis / cossacklabs.com.
    Feel free to reach me with any mobile security questions. I do check my inbox :)
  4. THE PLAN

    what is trust? key management 101 goals and processes key management on iOS
    mr. Box
  5. LET’S TALK ABOUT ESTABLISHING TRUST

  6. ESTABLISHING TRUST

    is ensuring you and remote party share some identifiable secret
  7. ESTABLISHING TRUST

    is ensuring you and remote party share some identifiable secret
    USING MATH!
  8. WHERE IT HAPPENS?

    servers, mobile, data in transit via public channels, trust
  9. OUR INFRASTRUCTURE IS FULL OF KEYS AND DATA, ALL THAT IN CABLES.

    (transatlantic cable is transferring data, aka boxes)
  10. WHAT DO WE NEED TRUST FOR? TO PROTECT THE DATA!

    confidentiality, authenticity, integrity
  11. HOW DOES IT WORK?

  12. HOW DOES IT WORK?

    confidentiality, authenticity, integrity
  13. KEYS ARE WHAT WE TRUST

  14. KEY MANAGEMENT FOR MOBILE DEVS

  15. WHAT IS A KEY? – ARRAY OF BYTES

    ‣ secret key (symmetric ciphers)
    ‣ public/private keys (asymmetric ciphers, PGP & SSL)
    ‣ password: KDF(pass) = good
    ‣ one-time pin
  16. KEYS

    APP TOKENS, USER PASSWORDS, PUBLIC CERTS

    let appId = "VK1TTYC4TV"
    let poolId = "us-east-1:r0s3s4r3-r3d-13375p34k"
    var userPass = "F4C38D"
  17. WE USE KEYS TO PROTECT THE DATA

  18. THE DATA?

    ‣ User’s data
    ‣ Access to external resources
    ‣ Identifiable data of other people
  19. THREATS TO THE DATA

  20. KEYS ARE SMALL CHUNKS OF DATA

  21. THREATS TO THE KEYS

  22. KEYS CAN BE:

    ‣ stolen
    ‣ replayed
    ‣ replaced

    PROTECT KEYS TOO!
  23. “TRUST AND SECURITY ARE PRESERVED, YET SYSTEM IS USABLE”

  24. MAKING USABLE SYSTEM

    generation, exchange, storage, access, rotation, revocation, service
  25. KEY GENERATION

    RND; Secret Generation; Key or Keypair; good math
    WHEN/WHERE? where user inputs a secret or where it’s safe to store
  26. KEY PAIR

    let keyGeneratorEC: TSKeyGen = TSKeyGen(algorithm: .EC)
    let privateKeyEC: Data = keyGeneratorEC.privateKey
    let publicKeyEC: Data = keyGeneratorEC.publicKey

    https://github.com/cossacklabs/themis
  27. KDF

    let password: Array<UInt8> = Array("s33krit".utf8)
    let salt: Array<UInt8> = Array("nacllcan".utf8)
    try PKCS5.PBKDF2(password: password, salt: salt, iterations: 4096, variant: .sha256).calculate()

    https://github.com/krzyzanowskim/CryptoSwift
  28. KEY EXCHANGE

    exchanging unique secret between parties to ensure authenticity and, sometimes, confidentiality.
  29. KEY EXCHANGE

    {"passw":"123456"}
    passw: "123456"
    Alice-the-App, Bob-the-Server, insecure channel
  30. KEY EXCHANGE

    5720b3c2 fe674f54 73e10ad4 ...
    HTTPS, SSL pinning, ephemeral keys
  31. KEY STORAGE

    Never store the keys with the data they protect. Protect keys in a key vault.
  32. KEY ACCESS

    Make sure they are easy to access legitimately. Ensure that any secret key is protected from unauthorized access.
  33. KEY ROTATION

    Define a key lifecycle.
  34. KEY ROTATION

    Limit quantity of data encrypted with one key. Define a key lifecycle.
  35. KEY ROTATION

    Limit quantity of data encrypted with one key. Define a key lifecycle. Build support for changing algorithms and keys when needed.
  36. KEY REVOCATION

    Make sure that compromised or outdated keys don’t work.
  37. SERVICE

    BACKUPS, ADMIN ACCESS, KEY LINKING

  38. KEY MANAGEMENT IN IOS

  39. ESTABLISHING TRUST

    1. On-channel exchange: SSL pinning / SSL pre-keying

    https://developer.apple.com/reference/foundation/urlsessiondelegate/1409308-urlsession

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // evaluate challenge.protectionSpace.serverTrust against the pinned certificate,
        // then call completionHandler with the resulting disposition
    }
  40. ESTABLISHING TRUST

    2. Mediated exchange / Public key infrastructure

    keybase.io
  41. ESTABLISHING TRUST

    3. Trusted channel exchange
  42. VERIFYING TRUST

    let pathToCert = Bundle.main.path(forResource: "pathtomycert", ofType: "cer")
    let localCertificate: NSData = NSData(contentsOfFile: pathToCert!)!
    let serverTrustPolicy = ServerTrustPolicy.pinCertificates(
        certificates: [SecCertificateCreateWithData(nil, localCertificate)!],
        validateCertificateChain: true,
        validateHost: true
    )
    let serverTrustPolicies = [
        "myserver.com": serverTrustPolicy
    ]
    let alamofireManager = Alamofire.SessionManager(
        configuration: URLSessionConfiguration.default,
        serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies)
    )

    https://github.com/Alamofire/Alamofire#server-trust-policy-manager
    https://www.owasp.org/index.php/Pinning_Cheat_Sheet
  43. STORING TRUST

  44. TRY NOT TO STORE KEYS

  45. TRY NOT TO STORE KEYS BUT IF YOU DO, BE BOLD!

  46. STORING TRUST (KEYS)

    USER DEFINED: Keychain, Encrypted, KDF
    APP DEFINED: Obfuscated, Encrypted, Calculated
  47. OBFUSCATE

    ‣ Store keys as HEX
    ‣ Replace chars
    ‣ Rename .cert to .mp3
    ‣ Combine from separate pieces
  48. OBFUSCATE

    ‣ Store keys as HEX
    ‣ Replace chars
    ‣ Rename .cert to .mp3
    ‣ Combine from separate pieces

    BORING BORING BORING BORING BORING
  49. STORE ENCRYPTED

    1. Encrypt keys during development
    2. Store encrypted keys
    3. Decrypt before using
  50. USE NICE TOOLS

    SCIENTIFIC BACKGROUND, TRUST BIG GUYS, GOOD TRACK RECORD

    https://github.com/RNCryptor/RNCryptor
    https://github.com/cossacklabs/themis
    https://github.com/krzyzanowskim/CryptoSwift

    CommonCrypto wrappers, Ports of popular libs, Keychain wrappers

    https://www.cossacklabs.com/choose-your-ios-crypto.html
  51. FAKE KEYS

    Poison keys, marker keys

    let key = "0XD34DB33F"

    Analyze logs to find marker keys
    Block those users/apps
  52. HONEYPOT

    Put fake keys in obvious places:
    ‣ plist
    ‣ static strings
    ‣ fake certs
  53. None
  54. KEYPOINTS

    1. Keys to data are data too; you should protect them.
    2. Separate keys from the data; don’t keep everything in one basket.
    3. Protecting keys is a system of typical actions and goals.
  55. ACCESS TRUST TO EVERY COMPONENT CAREFULLY; BUILD TOOLS TO MANAGE IT.

  56. LINKS1

    Cryptographic Storage Cheat Sheet
    https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet

    Key Management Cheat Sheet
    https://www.owasp.org/index.php/Key_Management_Cheat_Sheet

    Managing Keys, Certificates, and Passwords
    https://developer.apple.com/library/content/documentation/Security/Conceptual/cryptoservices/KeyManagementAPIs/KeyManagementAPIs.html
  57. LINKS2 https://speakerdeck.com/vixentael/

  58. Lead Developer at stanfy.com, Core Contributor at themis / cossacklabs.com.

    Feel free to reach me with any mobile security questions. I do check my inbox :) @vixentael
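
The key lifecycle from the KEY ROTATION and KEY REVOCATION slides, as an added example that is not from the talk or from any library it mentions: a language-neutral sketch in Python of versioned keys with a per-key data budget, algorithm changes and revocation. `KeyRing`, its methods and the `id.alg.tag` token layout are hypothetical, and HMAC tagging stands in for encryption because the standard library has no authenticated cipher.

```python
import hmac
import secrets

class KeyRing:
    """Versioned keys with a per-key data budget, rotation and revocation (illustrative)."""

    def __init__(self, max_bytes_per_key, alg="sha256"):
        self.max_bytes, self.alg = max_bytes_per_key, alg
        self.keys = {}      # key id -> {"key", "alg", "used", "revoked"}
        self.current = 0
        self.rotate()

    def rotate(self, alg=None):
        """Start a new key version; older versions stay valid for verification only."""
        self.alg = alg or self.alg
        self.current += 1
        self.keys[self.current] = {"key": secrets.token_bytes(32), "alg": self.alg,
                                   "used": 0, "revoked": False}
        return self.current

    def revoke(self, key_id):
        """Mark a key as dead; if it was the active key, replace it immediately."""
        self.keys[key_id]["revoked"] = True
        if key_id == self.current:
            self.rotate()

    def protect(self, message):
        """Tag a message with the current key, rotating first if its budget is spent."""
        if self.keys[self.current]["used"] + len(message) > self.max_bytes:
            self.rotate()
        entry = self.keys[self.current]
        entry["used"] += len(message)
        tag = hmac.new(entry["key"], message, entry["alg"]).hexdigest()
        return f"{self.current}.{entry['alg']}.{tag}"

    def verify(self, message, token):
        """Accept only tags made by a known, unrevoked key under its recorded algorithm."""
        try:
            key_id, alg, tag = token.split(".")
            entry = self.keys[int(key_id)]
        except (ValueError, KeyError):
            return False
        # The algorithm comes from the key record, never from the token itself.
        if entry["revoked"] or alg != entry["alg"]:
            return False
        expected = hmac.new(entry["key"], message, entry["alg"]).hexdigest()
        return hmac.compare_digest(expected.encode(), tag.encode())
```

Carrying the key id in every token is what makes rotation and revocation cheap: the verifier looks up one record and refuses it if that key is revoked or unknown.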
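
The log analysis behind the FAKE KEYS and HONEYPOT slides, as an added server-side example that is not from the talk: it scans gateway logs for planted marker keys and returns the devices to block, along with the place each key was harvested from. The log format, field names, function names and the second marker key are constructed assumptions; `0XD34DB33F` is the sample key from the slide.

```python
import json
from urllib.parse import parse_qsl, urlsplit

# Marker keys planted in the app and never issued to a real client, mapped to
# the place each one was planted. "0XD34DB33F" is the sample key from slide 51;
# the second value is constructed.
MARKER_KEYS = {"0XD34DB33F": "static string", "MRK-PLIST-0001": "plist"}

# Constructed gateway log, one JSON object per line (field names are assumptions).
SAMPLE_LOG = """\
{"device": "dev-a1", "api_key": "live-7f3a", "path": "/v1/profile"}
{"device": "dev-b2", "api_key": "0XD34DB33F", "path": "/v1/profile"}
{"device": "dev-c3", "api_key": "live-91bc", "path": "/v1/export?key=MRK-PLIST-0001"}
not-json garbage line
{"device": "dev-b2", "api_key": "0xd34db33f", "path": "/v1/admin"}
"""

def marker_source(candidate):
    """Return where the matching marker key was planted, or None."""
    return MARKER_KEYS.get(candidate.strip().upper())

def credentials_in(entry):
    """Yield credential-like values from one entry: the key field and query parameters."""
    if isinstance(entry.get("api_key"), str):
        yield entry["api_key"]
    for _, value in parse_qsl(urlsplit(str(entry.get("path", ""))).query):
        yield value

def build_blocklist(log_text):
    """Return ({device: [planting places]}, number of unparseable lines)."""
    hits, skipped = {}, 0
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            entry = None
        if not isinstance(entry, dict):
            skipped += 1  # count bad lines so gaps in coverage stay visible
            continue
        for cred in credentials_in(entry):
            source = marker_source(cred)
            if source:
                hits.setdefault(str(entry.get("device", "unknown")), set()).add(source)
    return {device: sorted(places) for device, places in hits.items()}, skipped
```

Planting a different marker in each obvious place means a hit also tells you which part of the bundle was read, not only which device to block.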