Keys from the castle: ancient art of managing keys and trust

Transcript

1. KEYS FROM THE CASTLE ANCIENT ART OF MANAGING KEYS AND

   TRUST @vixentael #appbuilders17

2. WE ALL FAIL IN BUILDING SECURE MOBILE APPS

3. @vixentael Lead Developer at stanfy.com Core Contributor at themis/ cossacklabs.com

   Feel free to reach me with any mobile security questions. I do check my inbox :)

4. THE PLAN what is trust? key management 101 goals and

   processes key management on iOS #appbuilders17 @vixentael mr. Box

5. LET’S TALK ABOUT ESTABLISHING TRUST

6. ESTABLISHING TRUST is ensuring you and remote party share some

   identifiable secret #appbuilders17 @vixentael

7. ESTABLISHING TRUST #appbuilders17 @vixentael USING MATH! is ensuring you and

   remote party share some identifiable secret

8. servers mobile data in transit via public channels WHERE IT

   HAPPENS? #appbuilders17 @vixentael trust

9. #appbuilders17 @vixentael OUR INFRASTRUCTURE IS FULL OF KEYS AND DATA,

   ALL THAT IN CABLES. (transatlantic cable is transferring data, aka boxes)

10. WHAT DO WE NEED TRUST FOR? TO PROTECT THE DATA!

    confidentiality authenticity integrity #appbuilders17 @vixentael

11. HOW DOES IT WORK? #appbuilders17 @vixentael

12. HOW DOES IT WORK? confidentiality authenticity integrity #appbuilders17 @vixentael

13. #appbuilders17 @vixentael KEYS ARE WHAT WE TRUST

14. KEY MANAGEMENT FOR MOBILE DEVS

15. secret key (symmetric ciphers) public/private keys (asymmetric ciphers, PGP &

    SSL) password
 KDF(pass) = good one-time pin WHAT IS A KEY? – ARRAY OF BYTES #appbuilders17 @vixentael

16. KEYS APP TOKENS USER PASSWORDS PUBLIC CERTS #appbuilders17 @vixentael let

    appId = "VK1TTYC4TV" let poolId = "us-east-1:r0s3s4r3-r3d-13375p34k" var userPass = "F4C38D"

17. WE USE KEYS TO PROTECT THE DATA #appbuilders17 @vixentael

18. THE DATA? User’s data Access to external resources Identifiable data

    of other people #appbuilders17 @vixentael

19. THREATS TO THE DATA #appbuilders17 @vixentael

20. KEYS ARE SMALL CHUNKS OF DATA #appbuilders17 @vixentael

21. #appbuilders17 @vixentael THREATS TO THE KEYS

22. ‣ stolen ‣ replayed ‣ replaced PROTECT KEYS TOO! —

    KEYS CAN BE: #appbuilders17 @vixentael

23. “TRUST AND SECURITY ARE PRESERVED, YET SYSTEM IS USABLE”

24. MAKING USABLE SYSTEM generation exchange storage access rotation revocation service

    #appbuilders17 @vixentael

25. KEY GENERATION #appbuilders17 @vixentael RND Secret Generation Key or Keypair

    good math where user inputs a secret or where it’s safe to store WHEN/WHERE?

26. KEY PAIR #appbuilders17 @vixentael let keyGeneratorEC: TSKeyGen = TSKeyGen(algorithm: .EC)

    let privateKeyEC: Data = keyGeneratorEC.privateKey let publicKeyEC: Data = keyGeneratorEC.publicKey https://github.com/cossacklabs/themis

27. KDF #appbuilders17 @vixentael let password: Array<UInt8> = Array("s33krit".utf8) let salt:

    Array<UInt8> = Array("nacllcan".utf8) try PKCS5.PBKDF2(password: password, salt: salt, iterations: 4096, variant: .sha256).calculate() https://github.com/krzyzanowskim/CryptoSwift

28. KEY EXCHANGE #appbuilders17 @vixentael — exchanging unique secret between parties

    to ensure authenticity and, sometimes, confidentiality.

29. KEY EXCHANGE #appbuilders17 @vixentael {“passw”:“123456”} passw: “123456” Alice-the-App Bob-the-Server insecure

    channel

30. KEY EXCHANGE 5720b3c2 fe674f54 73e10ad4 ... HTTPS SSL pinning ephemeral

    keys

31. KEY STORAGE #appbuilders17 @vixentael Never store the keys with the

    data they protect. Protect keys in a key vault.

32. KEY ACCESS #appbuilders17 @vixentael Make sure they are easy to

    access legitimately. Ensure that any secret key is protected from unauthorized access.

33. KEY ROTATION #appbuilders17 @vixentael Define a key lifecycle.

34. KEY ROTATION #appbuilders17 @vixentael Limit quantity of data encrypted with

    one key. Define a key lifecycle.

35. KEY ROTATION #appbuilders17 @vixentael Limit quantity of data encrypted with

    one key. Define a key lifecycle. Build support for changing algorithms and keys when needed.

36. KEY REVOCATION #appbuilders17 @vixentael Make sure that compromised or outdated

    keys don’t work.

37. SERVICE #appbuilders17 @vixentael BACKUPS ADMIN ACCESS KEY LINKING

38. KEY MANAGEMENT IN IOS

39. ESTABLISHING TRUST #appbuilders17 @vixentael 1. On-channel exchange: SSL pinning /

    SSL pre-keying https://developer.apple.com/reference/foundation/ urlsessiondelegate/1409308-urlsession func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) { }

40. ESTABLISHING TRUST #appbuilders17 @vixentael 2. Mediated exchange / Public key

    infrastructure keybase.io

41. ESTABLISHING TRUST #appbuilders17 @vixentael 3. Trusted channel exchange

42. VERIFYING TRUST let pathToCert = Bundle.main.path(forResource: "pathtomycert", ofType: "cer") let

    localCertificate:NSData = NSData(contentsOfFile: pathToCert!)! let serverTrustPolicy = ServerTrustPolicy.pinCertificates( certificates: [SecCertificateCreateWithData(nil, localCertificate)!], validateCertificateChain: true, validateHost: true ) let serverTrustPolicies = [ "myserver.com": serverTrustPolicy ] let alamofireManager = Alamofire.SessionManager( configuration: URLSessionConfiguration.default, serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies) ) https://github.com/Alamofire/Alamofire#server-trust-policy-manager https://www.owasp.org/index.php/Pinning_Cheat_Sheet

43. STORING TRUST #appbuilders17 @vixentael

44. TRY NOT TO STORE KEYS

45. TRY NOT TO STORE KEYS BUT IF YOU DO, BE

    BOLD!

46. STORING TRUST (KEYS) #appbuilders17 @vixentael USER DEFINED APP DEFINED Keychain

    Encrypted KDF Obfuscated Encrypted Calculated

47. OBFUSCATE #appbuilders17 @vixentael ‣ Store keys as HEX ‣ Replace

    chars ‣ Rename .cert to .mp3 ‣ Combine from separate pieces

48. OBFUSCATE #appbuilders17 @vixentael ‣ Store keys as HEX ‣ Replace

    chars ‣ Rename .cert to .mp3 ‣ Combine from separate pieces ORING BORING BORING BORING BORING BORING BO

49. STORE ENCRYPTED #appbuilders17 @vixentael 1. Encrypt keys during development 2.

    Store encrypted keys 3. Decrypt before using

50. USE NICE TOOLS #appbuilders17 @vixentael SCIENTIFIC BACKGROUND TRUST BIG GUYS

    GOOD TRACK RECORD https://github.com/RNCryptor/RNCryptor https://github.com/cossacklabs/themis https://github.com/krzyzanowskim/CryptoSwift CommonCrypto wrappers Ports of popular libs Keychain wrappers https://www.cossacklabs.com/choose-your-ios-crypto.html

51. FAKE KEYS #appbuilders17 @vixentael Poison keys, marker keys let key

    = “0XD34DB33F" Analyze logs to find marker keys Block those users/apps

52. HONEYPOT #appbuilders17 @vixentael Put fake keys in obvious places: ‣

    plist ‣ static strings ‣ fake certs
53. None

54. KEYPOINTS #appbuilders17 @vixentael 1. Keys to data are data too;

    you should protect them. 2. Separate keys from the data; don’t keep everything in one basket. 3. Protecting keys is a system of typical actions and goals.

55. ACCESS TRUST TO EVERY COMPONENT CAREFULLY; BUILD TOOLS TO MANAGE

    IT.

56. LINKS1 Cryptographic Storage Cheat Sheet https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet Key Management Cheat Sheet

    https://www.owasp.org/index.php/Key_Management_Cheat_Sheet Managing Keys, Certificates, and Passwords https://developer.apple.com/library/content/documentation/Security/ Conceptual/cryptoservices/KeyManagementAPIs/KeyManagementAPIs.html

57. LINKS2 https://speakerdeck.com/vixentael/

58. Lead Developer at stanfy.com Core Contributor at themis/ cossacklabs.com Feel

    free to reach me with any mobile security questions. I do check my inbox :) @vixentael