Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Keys from the castle: ancient art of managing keys and trust

April 24, 2017

Keys from the castle: ancient art of managing keys and trust

Key management slides for mobile developers (targeted on iOS devs, but useful for everyone).

#iosdev #security #trust #keys

- establishing trust
- what is key?
- building key management system: key generation, access, storage, revocation etc
- key management for iOS


If you can't tap on the link inside slides, please open as pdf (button on the right).


We will talk about building trust. Trust is built around various trust tokens: keys, passwords, secrets, biometric properties, things you have and things you know. We will talk about what should you trust, how to establish and verify trust, how to share trustedly among different users. We will discuss technical aspects: key exchange, key trust, key derivation, channel trust, multi-factor authentications. I will try to make the audience understand how this huge universe of tools and algorithms serves just one purpose: letting the right guys in, keeping the wrong guys outside our magical castle. And fairies there should be!








April 24, 2017

More Decks by vixentael

Other Decks in Programming


  1. @vixentael Lead Developer at stanfy.com Core Contributor at themis/ cossacklabs.com

    Feel free to reach me with any mobile security questions. I do check my inbox :)
  2. THE PLAN what is trust? key management 101 goals and

    processes key management on iOS #appbuilders17 @vixentael mr. Box
  3. ESTABLISHING TRUST is ensuring you and remote party share some

    identifiable secret #appbuilders17 @vixentael
  4. servers mobile data in transit via public channels WHERE IT

    HAPPENS? #appbuilders17 @vixentael trust
  5. #appbuilders17 @vixentael OUR INFRASTRUCTURE IS FULL OF KEYS AND DATA,

    ALL THAT IN CABLES. (transatlantic cable is transferring data, aka boxes)

    confidentiality authenticity integrity #appbuilders17 @vixentael
  7. secret key (symmetric ciphers) public/private keys (asymmetric ciphers, PGP &

    SSL) password
 KDF(pass) = good one-time pin WHAT IS A KEY? – ARRAY OF BYTES #appbuilders17 @vixentael
  8. KEYS APP TOKENS USER PASSWORDS PUBLIC CERTS #appbuilders17 @vixentael let

    appId = "VK1TTYC4TV" let poolId = "us-east-1:r0s3s4r3-r3d-13375p34k" var userPass = "F4C38D"
  9. ‣ stolen ‣ replayed ‣ replaced PROTECT KEYS TOO! —

    KEYS CAN BE: #appbuilders17 @vixentael
  10. KEY GENERATION #appbuilders17 @vixentael RND Secret Generation Key or Keypair

    good math where user inputs a secret or where it’s safe to store WHEN/WHERE?
  11. KEY PAIR #appbuilders17 @vixentael let keyGeneratorEC: TSKeyGen = TSKeyGen(algorithm: .EC)

    let privateKeyEC: Data = keyGeneratorEC.privateKey let publicKeyEC: Data = keyGeneratorEC.publicKey https://github.com/cossacklabs/themis
  12. KDF #appbuilders17 @vixentael let password: Array<UInt8> = Array("s33krit".utf8) let salt:

    Array<UInt8> = Array("nacllcan".utf8) try PKCS5.PBKDF2(password: password, salt: salt, iterations: 4096, variant: .sha256).calculate() https://github.com/krzyzanowskim/CryptoSwift
  13. KEY EXCHANGE #appbuilders17 @vixentael — exchanging unique secret between parties

    to ensure authenticity and, sometimes, confidentiality.
  14. KEY STORAGE #appbuilders17 @vixentael Never store the keys with the

    data they protect. Protect keys in a key vault.
  15. KEY ACCESS #appbuilders17 @vixentael Make sure they are easy to

    access legitimately. Ensure that any secret key is protected from unauthorized access.
  16. KEY ROTATION #appbuilders17 @vixentael Limit quantity of data encrypted with

    one key. Define a key lifecycle. Build support for changing algorithms and keys when needed.
  17. ESTABLISHING TRUST #appbuilders17 @vixentael 1. On-channel exchange: SSL pinning /

    SSL pre-keying https://developer.apple.com/reference/foundation/ urlsessiondelegate/1409308-urlsession func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) { }
  18. VERIFYING TRUST let pathToCert = Bundle.main.path(forResource: "pathtomycert", ofType: "cer") let

    localCertificate:NSData = NSData(contentsOfFile: pathToCert!)! let serverTrustPolicy = ServerTrustPolicy.pinCertificates( certificates: [SecCertificateCreateWithData(nil, localCertificate)!], validateCertificateChain: true, validateHost: true ) let serverTrustPolicies = [ "myserver.com": serverTrustPolicy ] let alamofireManager = Alamofire.SessionManager( configuration: URLSessionConfiguration.default, serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies) ) https://github.com/Alamofire/Alamofire#server-trust-policy-manager https://www.owasp.org/index.php/Pinning_Cheat_Sheet
  19. OBFUSCATE #appbuilders17 @vixentael ‣ Store keys as HEX ‣ Replace

    chars ‣ Rename .cert to .mp3 ‣ Combine from separate pieces
  20. OBFUSCATE #appbuilders17 @vixentael ‣ Store keys as HEX ‣ Replace

    chars ‣ Rename .cert to .mp3 ‣ Combine from separate pieces ORING BORING BORING BORING BORING BORING BO

    GOOD TRACK RECORD https://github.com/RNCryptor/RNCryptor https://github.com/cossacklabs/themis https://github.com/krzyzanowskim/CryptoSwift CommonCrypto wrappers Ports of popular libs Keychain wrappers https://www.cossacklabs.com/choose-your-ios-crypto.html
  22. FAKE KEYS #appbuilders17 @vixentael Poison keys, marker keys let key

    = “0XD34DB33F" Analyze logs to find marker keys Block those users/apps
  23. KEYPOINTS #appbuilders17 @vixentael 1. Keys to data are data too;

    you should protect them. 2. Separate keys from the data; don’t keep everything in one basket. 3. Protecting keys is a system of typical actions and goals.
  24. LINKS1 Cryptographic Storage Cheat Sheet https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet Key Management Cheat Sheet

    https://www.owasp.org/index.php/Key_Management_Cheat_Sheet Managing Keys, Certificates, and Passwords https://developer.apple.com/library/content/documentation/Security/ Conceptual/cryptoservices/KeyManagementAPIs/KeyManagementAPIs.html
  25. Lead Developer at stanfy.com Core Contributor at themis/ cossacklabs.com Feel

    free to reach me with any mobile security questions. I do check my inbox :) @vixentael