
Keys from the castle: ancient art of managing keys and trust

vixentael
April 24, 2017


Key management slides for mobile developers (aimed at iOS developers, but useful for everyone).

#iosdev #security #trust #keys

- establishing trust
- what is a key?
- building a key management system: key generation, access, storage, revocation, etc.
- key management for iOS

--------------------------------------

If you can't tap on the link inside slides, please open as pdf (button on the right).

--------------------------------------

We will talk about building trust. Trust is built around various trust tokens: keys, passwords, secrets, biometric properties, things you have and things you know. We will talk about what you should trust, how to establish and verify trust, and how to share in a trusted way among different users. We will discuss technical aspects: key exchange, key trust, key derivation, channel trust, multi-factor authentication. I will try to make the audience understand how this huge universe of tools and algorithms serves just one purpose: letting the right guys in and keeping the wrong guys outside our magical castle. And fairies there should be!

--------------------------------------

text:
https://medium.com/@vixentael/key-management-approaches-for-mobile-apps-57bb4db63906

--------------------------------------

videos:

#craftconf17
http://www.ustream.tv/recorded/102860531

#appbuilders17
https://www.youtube.com/watch?v=5U3FfQUmcV4&feature=youtu.be


Transcript

  1. KEYS FROM THE CASTLE
    ANCIENT ART OF MANAGING KEYS
    AND TRUST
    @vixentael
    #appbuilders17


  2. WE ALL FAIL IN BUILDING
    SECURE MOBILE APPS


  3. @vixentael Lead Developer
    at stanfy.com
    Core Contributor
    at themis/
    cossacklabs.com
    Feel free to reach me with any
    mobile security questions.
    I do check my inbox :)


  4. THE PLAN
    what is trust?
    key management 101
    goals and processes
    key management on iOS
    mr. Box

  5. LET’S TALK ABOUT
    ESTABLISHING
    TRUST


  6. ESTABLISHING TRUST
    is ensuring you and remote party
    share some identifiable secret

  7. ESTABLISHING TRUST
    is ensuring you and remote party
    share some identifiable secret
    USING MATH!

  8. WHERE IT HAPPENS?
    trust
    servers
    mobile
    data in transit via public channels

  9. OUR INFRASTRUCTURE IS FULL OF
    KEYS AND DATA,
    ALL THAT IN CABLES.
    (transatlantic cable is transferring data, aka boxes)

  10. WHAT DO WE NEED TRUST FOR?
    TO PROTECT THE DATA!
    confidentiality
    authenticity
    integrity

  11. HOW DOES IT WORK?

  12. HOW DOES IT WORK?
    confidentiality
    authenticity
    integrity

  13. KEYS ARE WHAT WE TRUST

  14. KEY MANAGEMENT
    FOR MOBILE DEVS


  15. WHAT IS A KEY?
    – ARRAY OF BYTES
    secret key (symmetric ciphers)
    public/private keys (asymmetric ciphers, PGP & SSL)
    password
    KDF(pass) = good
    one-time pin

  16. KEYS
    APP TOKENS, USER PASSWORDS, PUBLIC CERTS
    let appId = "VK1TTYC4TV"
    let poolId = "us-east-1:r0s3s4r3-r3d-13375p34k"
    var userPass = "F4C38D"

  17. WE USE KEYS TO PROTECT
    THE DATA

  18. THE DATA?
    User’s data
    Access to external resources
    Identifiable data of other people

  19. THREATS TO THE DATA

  20. KEYS ARE
    SMALL
    CHUNKS OF
    DATA

  21. THREATS TO THE KEYS

  22. PROTECT KEYS TOO!
    — KEYS CAN BE:
    ‣ stolen
    ‣ replayed
    ‣ replaced

  23. “TRUST AND SECURITY ARE
    PRESERVED, YET SYSTEM IS
    USABLE”


  24. MAKING USABLE SYSTEM
    generation
    exchange
    storage
    access
    rotation
    revocation
    service

  25. KEY GENERATION
    RND
    Secret Generation
    Key or Keypair
    good math
    WHEN/WHERE?
    where user inputs a secret
    or where it’s safe to store

  26. KEY PAIR
    let keyGeneratorEC: TSKeyGen = TSKeyGen(algorithm: .EC)
    let privateKeyEC: Data = keyGeneratorEC.privateKey
    let publicKeyEC: Data = keyGeneratorEC.publicKey
    https://github.com/cossacklabs/themis


  27. KDF
    let password: Array<UInt8> = Array("s33krit".utf8)
    let salt: Array<UInt8> = Array("nacllcan".utf8)
    try PKCS5.PBKDF2(password: password, salt: salt,
                     iterations: 4096, variant: .sha256).calculate()
    https://github.com/krzyzanowskim/CryptoSwift

  28. KEY EXCHANGE
    — exchanging a unique secret between parties to ensure
    authenticity and, sometimes, confidentiality.

  29. KEY EXCHANGE
    Alice-the-App, Bob-the-Server
    insecure channel
    {"passw":"123456"}
    passw: "123456"

  30. KEY EXCHANGE
    5720b3c2 fe674f54
    73e10ad4 ...
    HTTPS
    SSL pinning
    ephemeral keys


  31. KEY STORAGE
    Never store the keys with the data they protect.
    Protect keys in a key vault.

  32. KEY ACCESS
    Make sure they are easy to access legitimately.
    Ensure that any secret key is protected from unauthorized access.

  33. KEY ROTATION
    Define a key lifecycle.

  34. KEY ROTATION
    Limit quantity of data encrypted with one key.
    Define a key lifecycle.

  35. KEY ROTATION
    Limit quantity of data encrypted with one key.
    Define a key lifecycle.
    Build support for changing algorithms and keys when needed.

  36. KEY REVOCATION
    Make sure that
    compromised or outdated
    keys don’t work.
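
The lifecycle rules from the rotation and revocation slides (limit how much one key protects, keep keys swappable, make revoked keys stop working), as an added Python example that is not from the deck. `KeyRing`, `max_uses` and the `key_id:tag` token layout are assumptions for illustration, and HMAC tagging stands in for encryption so that only the standard library is needed.

```python
import hashlib
import hmac
import secrets


class KeyRing:
    """Versioned keys: every tag names the key that made it (hypothetical design)."""

    def __init__(self, max_uses=3):
        self.max_uses = max_uses   # lifecycle rule: rotate after this many uses
        self.keys = {}             # key_id -> key bytes
        self.revoked = set()       # record of key ids that must never verify
        self.current = 0
        self.uses = 0
        self.rotate()

    def rotate(self):
        """Generate a fresh random key and make it the active one."""
        self.current += 1
        self.keys[self.current] = secrets.token_bytes(32)
        self.uses = 0
        return self.current

    def revoke(self, key_id):
        """Retire a compromised or outdated key; replace it if it was active."""
        self.revoked.add(key_id)
        self.keys.pop(key_id, None)        # destroy the key material
        if key_id == self.current:
            self.rotate()

    def protect(self, message: bytes) -> str:
        """Return 'key_id:hex_tag', rotating first if the key hit its limit."""
        if self.uses >= self.max_uses:
            self.rotate()
        self.uses += 1
        tag = hmac.new(self.keys[self.current], message, hashlib.sha256).hexdigest()
        return f"{self.current}:{tag}"

    def verify(self, message: bytes, token: str) -> bool:
        """Accept only tags made by a known, non-revoked key."""
        key_id_text, _, tag = token.partition(":")
        if not key_id_text.isdecimal():
            return False
        key_id = int(key_id_text)
        key = self.keys.get(key_id)
        if key is None or key_id in self.revoked:
            return False
        expected = hmac.new(key, message, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected.encode(), tag.encode())
```

Because the key id travels with every tag, old data keeps verifying after a rotation, while anything tagged with a revoked key is rejected.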


  37. SERVICE
    BACKUPS, ADMIN ACCESS, KEY LINKING

  38. KEY MANAGEMENT
    IN IOS


  39. ESTABLISHING TRUST
    1. On-channel exchange:
    SSL pinning / SSL pre-keying
    https://developer.apple.com/reference/foundation/urlsessiondelegate/1409308-urlsession
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping
                    (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Check challenge.protectionSpace.serverTrust against the pinned
        // certificate here, then call completionHandler with the decision.
    }

  40. ESTABLISHING TRUST
    2. Mediated exchange / Public key infrastructure
    keybase.io

  41. ESTABLISHING TRUST
    3. Trusted channel exchange

  42. VERIFYING TRUST
    let pathToCert = Bundle.main.path(forResource: "pathtomycert", ofType: "cer")
    let localCertificate: NSData = NSData(contentsOfFile: pathToCert!)!
    let serverTrustPolicy = ServerTrustPolicy.pinCertificates(
        certificates: [SecCertificateCreateWithData(nil, localCertificate)!],
        validateCertificateChain: true,
        validateHost: true
    )
    let serverTrustPolicies = [
        "myserver.com": serverTrustPolicy
    ]
    let alamofireManager = Alamofire.SessionManager(
        configuration: URLSessionConfiguration.default,
        serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies)
    )
    https://github.com/Alamofire/Alamofire#server-trust-policy-manager
    https://www.owasp.org/index.php/Pinning_Cheat_Sheet

  43. STORING TRUST

  44. TRY NOT TO STORE KEYS


  45. TRY NOT TO STORE KEYS
    BUT IF YOU DO, BE BOLD!


  46. STORING TRUST (KEYS)
    USER DEFINED: Keychain, Encrypted, KDF
    APP DEFINED: Obfuscated, Encrypted, Calculated

  47. OBFUSCATE
    ‣ Store keys as HEX
    ‣ Replace chars
    ‣ Rename .cert to .mp3
    ‣ Combine from separate pieces

  48. OBFUSCATE
    ‣ Store keys as HEX
    ‣ Replace chars
    ‣ Rename .cert to .mp3
    ‣ Combine from separate pieces
    BORING

  49. STORE ENCRYPTED
    1. Encrypt keys during development
    2. Store encrypted keys
    3. Decrypt before using

  50. USE NICE TOOLS
    SCIENTIFIC BACKGROUND, TRUST BIG GUYS, GOOD TRACK RECORD
    https://github.com/RNCryptor/RNCryptor
    https://github.com/cossacklabs/themis
    https://github.com/krzyzanowskim/CryptoSwift
    CommonCrypto wrappers
    Ports of popular libs
    Keychain wrappers
    https://www.cossacklabs.com/choose-your-ios-crypto.html


  51. FAKE KEYS
    Poison keys, marker keys
    let key = "0XD34DB33F"
    Analyze logs to find marker keys
    Block those users/apps

  52. HONEYPOT
    Put fake keys in obvious places:
    ‣ plist
    ‣ static strings
    ‣ fake certs
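
The log analysis step from the fake-key and honeypot slides, as an added Python example that is not from the deck. The first marker is the value shown on the slide; the second marker, the log format, the field names and the client ids are constructed for illustration.

```python
import re

# Decoy values planted in the app, mapped to where each one was planted.
# "0XD34DB33F" is the slide's marker; the second entry is a constructed sample.
MARKER_KEYS = {"0XD34DB33F": "static string", "FAKE-PLIST-KEY-0001": "plist"}

# Constructed sample lines in a hypothetical key=value gateway log format.
SAMPLE_LOG = """\
2017-04-24T10:00:01Z client=app-7f3a ip=198.51.100.7 path=/v1/sync api_key=live-81c2
2017-04-24T10:00:05Z client=app-02bd ip=203.0.113.9 path=/v1/sync api_key=0xd34db33f
2017-04-24T10:00:09Z client=app-02bd ip=203.0.113.9 path=/v1/export token=FAKE-PLIST-KEY-0001
2017-04-24T10:00:12Z client=app-9c1e ip=192.0.2.44 path=/v1/sync api_key=live-55aa
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def find_marker_hits(log_text, markers=MARKER_KEYS):
    """Return one hit per log field whose value is a planted decoy key."""
    lookup = {key.upper(): where for key, where in markers.items()}
    hits = []
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        for name, value in fields.items():
            planted_in = lookup.get(value.upper())   # case-insensitive match
            if planted_in:
                hits.append({
                    "client": fields.get("client"),
                    "ip": fields.get("ip"),
                    "field": name,
                    "planted_in": planted_in,   # which hiding place was found
                })
    return hits


def clients_to_block(hits):
    """Collapse hits into a sorted blocklist of client ids."""
    return sorted({hit["client"] for hit in hits if hit["client"]})


if __name__ == "__main__":
    for hit in find_marker_hits(SAMPLE_LOG):
        print(hit)
    print("block:", clients_to_block(find_marker_hits(SAMPLE_LOG)))
```

Recording where each decoy was planted shows which hiding places are actually being searched when a marker turns up in traffic.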



  54. KEYPOINTS
    1. Keys to data are data too; you should protect them.
    2. Separate keys from the data; don’t keep everything in one basket.
    3. Protecting keys is a system of typical actions and goals.

  55. ACCESS TRUST TO EVERY
    COMPONENT CAREFULLY;
    BUILD TOOLS TO MANAGE IT.


  56. LINKS 1
    Cryptographic Storage Cheat Sheet
    https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
    Key Management Cheat Sheet
    https://www.owasp.org/index.php/Key_Management_Cheat_Sheet
    Managing Keys, Certificates, and Passwords
    https://developer.apple.com/library/content/documentation/Security/Conceptual/cryptoservices/KeyManagementAPIs/KeyManagementAPIs.html

  57. LINKS 2
    https://speakerdeck.com/vixentael/

  58. Lead Developer
    at stanfy.com
    Core Contributor
    at themis/
    cossacklabs.com
    Feel free to reach me with any
    mobile security questions.
    I do check my inbox :)
    @vixentael
