Keys from the castle: ancient art of managing keys and trust

Transcript

1. KEYS FROM THE CASTLE
   ANCIENT ART OF MANAGING KEYS
   AND TRUST
   @vixentael
   #appbuilders17
   

   View Slide

2. WE ALL FAIL IN BUILDING
   SECURE MOBILE APPS
   

   View Slide

3. @vixentael Lead Developer
   at stanfy.com
   Core Contributor
   at themis/
   cossacklabs.com
   Feel free to reach me with any
   mobile security questions.
   I do check my inbox :)
   

   View Slide

4. THE PLAN
   what is trust?
   key management
   101
   goals and
   processes
   key
   management
   on iOS
   #appbuilders17 @vixentael
   mr. Box
   

   View Slide

5. LET’S TALK ABOUT
   ESTABLISHING
   TRUST
   

   View Slide

6. ESTABLISHING TRUST
   is ensuring you and remote party
   share some identifiable secret
   #appbuilders17 @vixentael
   

   View Slide

7. ESTABLISHING TRUST
   #appbuilders17 @vixentael
   USING MATH!
   is ensuring you and remote party
   share some identifiable secret
   

   View Slide

8. servers
   mobile
   data in transit via
   public channels
   WHERE IT HAPPENS?
   #appbuilders17 @vixentael
   trust
   

   View Slide

9. #appbuilders17 @vixentael
   OUR INFRASTRUCTURE IS FULL OF
   KEYS AND DATA,
   ALL THAT IN CABLES.
   (transatlantic cable is transferring data, aka boxes)
   

   View Slide

10. WHAT DO WE NEED TRUST FOR?
    TO PROTECT THE DATA!
    confidentiality
    authenticity
    integrity
    #appbuilders17 @vixentael
    

    View Slide

11. HOW DOES IT WORK?
    #appbuilders17 @vixentael
    

    View Slide

12. HOW DOES IT WORK?
    confidentiality
    authenticity
    integrity
    #appbuilders17 @vixentael
    

    View Slide

13. #appbuilders17 @vixentael
    KEYS ARE WHAT WE TRUST
    

    View Slide

14. KEY MANAGEMENT
    FOR MOBILE DEVS
    

    View Slide

15. secret key
    (symmetric ciphers)
    public/private keys
    (asymmetric ciphers,
    PGP & SSL)
    password

    KDF(pass) = good
    one-time pin
    WHAT IS A KEY?
    – ARRAY OF BYTES
    #appbuilders17 @vixentael
    

    View Slide

16. KEYS
    APP TOKENS USER PASSWORDS PUBLIC CERTS
    #appbuilders17 @vixentael
    let appId = "VK1TTYC4TV"
    let poolId = "us-east-1:r0s3s4r3-r3d-13375p34k"
    var userPass = "F4C38D"
    

    View Slide

17. WE USE KEYS TO PROTECT
    THE DATA
    #appbuilders17 @vixentael
    

    View Slide

18. THE DATA?
    User’s data
    Access to external resources
    Identifiable data of
    other people
    #appbuilders17 @vixentael
    

    View Slide

19. THREATS TO THE DATA
    #appbuilders17 @vixentael
    

    View Slide

20. KEYS ARE
    SMALL
    CHUNKS OF
    DATA
    #appbuilders17 @vixentael
    

    View Slide

21. #appbuilders17 @vixentael
    THREATS TO THE KEYS
    

    View Slide

22. ‣ stolen
    ‣ replayed
    ‣ replaced
    PROTECT KEYS TOO!
    — KEYS CAN BE:
    #appbuilders17 @vixentael
    

    View Slide

23. “TRUST AND SECURITY ARE
    PRESERVED, YET SYSTEM IS
    USABLE”
    

    View Slide

24. MAKING USABLE SYSTEM
    generation
    exchange
    storage
    access
    rotation
    revocation
    service
    #appbuilders17 @vixentael
    

    View Slide

25. KEY GENERATION
    #appbuilders17 @vixentael
    RND
    Secret Generation
    Key or
    Keypair
    good math
    where user inputs a secret
    or where it’s safe to store
    WHEN/WHERE?
    

    View Slide

26. KEY PAIR
    #appbuilders17 @vixentael
    let keyGeneratorEC: TSKeyGen = TSKeyGen(algorithm: .EC)
    let privateKeyEC: Data = keyGeneratorEC.privateKey
    let publicKeyEC: Data = keyGeneratorEC.publicKey
    https://github.com/cossacklabs/themis
    

    View Slide

27. KDF
    #appbuilders17 @vixentael
    let password: Array = Array("s33krit".utf8)
    let salt: Array = Array("nacllcan".utf8)
    try PKCS5.PBKDF2(password: password, salt: salt,
    iterations: 4096, variant: .sha256).calculate()
    https://github.com/krzyzanowskim/CryptoSwift
    

    View Slide

28. KEY EXCHANGE
    #appbuilders17 @vixentael
    — exchanging unique secret between
    parties to ensure authenticity and,
    sometimes, confidentiality.
    

    View Slide

29. KEY EXCHANGE
    #appbuilders17 @vixentael
    {“passw”:“123456”}
    passw: “123456”
    Alice-the-App Bob-the-Server
    insecure
    
    channel
    

    View Slide

30. KEY EXCHANGE
    5720b3c2 fe674f54
    73e10ad4 ...
    HTTPS
    SSL pinning
    ephemeral keys
    

    View Slide

31. KEY STORAGE
    #appbuilders17 @vixentael
    Never store the keys with
    the data they protect.
    Protect keys in a key vault.
    

    View Slide

32. KEY ACCESS
    #appbuilders17 @vixentael
    Make sure they are easy to access
    legitimately.
    Ensure that any secret key is
    protected from unauthorized access.
    

    View Slide

33. KEY ROTATION
    #appbuilders17 @vixentael
    Define a key lifecycle.
    

    View Slide

34. KEY ROTATION
    #appbuilders17 @vixentael
    Limit quantity of data encrypted with
    one key.
    Define a key lifecycle.
    

    View Slide

35. KEY ROTATION
    #appbuilders17 @vixentael
    Limit quantity of data encrypted with one
    key.
    Define a key lifecycle.
    Build support for changing algorithms
    and keys when needed.
    

    View Slide

36. KEY REVOCATION
    #appbuilders17 @vixentael
    Make sure that
    compromised or outdated
    keys don’t work.
    

    View Slide

37. SERVICE
    #appbuilders17 @vixentael
    BACKUPS ADMIN ACCESS KEY LINKING
    

    View Slide

38. KEY MANAGEMENT
    IN IOS
    

    View Slide

39. ESTABLISHING TRUST
    #appbuilders17 @vixentael
    1. On-channel exchange:
    SSL pinning / SSL pre-keying
    https://developer.apple.com/reference/foundation/
    urlsessiondelegate/1409308-urlsession
    func urlSession(_ session: URLSession,
    didReceive challenge: URLAuthenticationChallenge,
    completionHandler: @escaping
    (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
    }
    

    View Slide

40. ESTABLISHING TRUST
    #appbuilders17 @vixentael
    2. Mediated exchange /
    Public key infrastructure
    keybase.io
    

    View Slide

41. ESTABLISHING TRUST
    #appbuilders17 @vixentael
    3. Trusted channel exchange
    

    View Slide

42. VERIFYING TRUST
    let pathToCert = Bundle.main.path(forResource: "pathtomycert", ofType: "cer")
    let localCertificate:NSData = NSData(contentsOfFile: pathToCert!)!
    let serverTrustPolicy = ServerTrustPolicy.pinCertificates(
    certificates: [SecCertificateCreateWithData(nil, localCertificate)!],
    validateCertificateChain: true,
    validateHost: true
    )
    let serverTrustPolicies = [
    "myserver.com": serverTrustPolicy
    ]
    let alamofireManager = Alamofire.SessionManager(
    configuration: URLSessionConfiguration.default,
    serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies)
    )
    https://github.com/Alamofire/Alamofire#server-trust-policy-manager
    https://www.owasp.org/index.php/Pinning_Cheat_Sheet
    

    View Slide

43. STORING TRUST
    #appbuilders17 @vixentael
    

    View Slide

44. TRY NOT TO STORE KEYS
    

    View Slide

45. TRY NOT TO STORE KEYS
    BUT IF YOU DO, BE BOLD!
    

    View Slide

46. STORING TRUST (KEYS)
    #appbuilders17 @vixentael
    USER DEFINED APP DEFINED
    Keychain
    Encrypted
    KDF
    Obfuscated
    Encrypted
    Calculated
    

    View Slide

47. OBFUSCATE
    #appbuilders17 @vixentael
    ‣ Store keys as HEX
    ‣ Replace chars
    ‣ Rename .cert to .mp3
    ‣ Combine from separate pieces
    

    View Slide

48. OBFUSCATE
    #appbuilders17 @vixentael
    ‣ Store keys as HEX
    ‣ Replace chars
    ‣ Rename .cert to .mp3
    ‣ Combine from separate pieces
    ORING BORING BORING BORING BORING BORING BO
    

    View Slide

49. STORE ENCRYPTED
    #appbuilders17 @vixentael
    1. Encrypt keys during development
    2. Store encrypted keys
    3. Decrypt before using
    

    View Slide

50. USE NICE TOOLS
    #appbuilders17 @vixentael
    SCIENTIFIC BACKGROUND TRUST BIG GUYS GOOD TRACK RECORD
    https://github.com/RNCryptor/RNCryptor
    https://github.com/cossacklabs/themis
    https://github.com/krzyzanowskim/CryptoSwift
    CommonCrypto wrappers
    Ports of popular libs
    Keychain wrappers
    https://www.cossacklabs.com/choose-your-ios-crypto.html
    

    View Slide

51. FAKE KEYS
    #appbuilders17 @vixentael
    Poison keys, marker keys
    let key = “0XD34DB33F"
    Analyze logs to find marker keys
    Block those users/apps
    

    View Slide

52. HONEYPOT
    #appbuilders17 @vixentael
    Put fake keys in obvious places:
    ‣ plist
    ‣ static strings
    ‣ fake certs
    

    View Slide

53. View Slide

54. KEYPOINTS
    #appbuilders17 @vixentael
    1. Keys to data are data too; you should protect
    them.
    2. Separate keys from the data; don’t keep
    everything in one basket.
    3. Protecting keys is a system of typical actions
    and goals.
    

    View Slide

55. ACCESS TRUST TO EVERY
    COMPONENT CAREFULLY;
    BUILD TOOLS TO MANAGE IT.
    

    View Slide

56. LINKS1
    Cryptographic Storage Cheat Sheet
    https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
    Key Management Cheat Sheet
    https://www.owasp.org/index.php/Key_Management_Cheat_Sheet
    Managing Keys, Certificates, and Passwords
    https://developer.apple.com/library/content/documentation/Security/
    Conceptual/cryptoservices/KeyManagementAPIs/KeyManagementAPIs.html
    

    View Slide

57. LINKS2
    https://speakerdeck.com/vixentael/
    

    View Slide

58. Lead Developer
    at stanfy.com
    Core Contributor
    at themis/
    cossacklabs.com
    Feel free to reach me with any
    mobile security questions.
    I do check my inbox :)
    @vixentael
    

    View Slide