No more (unsecure) secrets, Marty

18h20 - 18h50 - Salle Miles Davis A

Mathias Herberts
Disruptive Engineer – Crédit Mutuel Arkéa
@herberts

27 to 29 March 2013
Do any of these look familiar?

SecretConstants.java

 public class SecretConstants {

     /**
      * Database User
      */
     public static final String USER = "foo";

     /**
      * Database Password
      */
     public static final String PASSWORD = "bar";

 }

secrets.properties

 user = foo
 password = bar

secrets.xml

 <secret>
   <user>foo</user>
   <password>bar</password>
 </secret>

secrets.yaml

 secret:
   user:     foo
   password: bar

 …
Or maybe one of these?

SuperStrongCryptoConfig.java

 public class SuperStrongCryptoConfig {

     /**
      * Encrypted User Name
      */
     public static final byte[] USER = { 0x33, 0x3a, 0x3a };

     /**
      * Encryption key
      */
     private static final byte KEY = 0x55;

     //
     // Decrypt the User Name using advanced crypto
     // (XOR with a constant key: USER decodes to "foo" at class load,
     // so anyone holding the class file holds the user name too)
     //

     static {
       for (int i = 0; i < USER.length; i++) {
         USER[i] = (byte) ((USER[i] ^ KEY) & 0xff);
       }
     }
 }

Use environment variables

 export PASSWORD='foo'
 java -jar app.jar

advanced spying tools:

 ps -H e (ps -E)
 cat /proc/xxxx/environ

Use system properties

 java -Dpassword=foo -jar app.jar

more advanced spying tools:

 ps
 cat /proc/xxxx/cmdline

 …
Demo #1 – OSS Initialization



GenMasterSecret

       Offline operation
       Generate master key
       Split key using an N / K Shamir sharing scheme

Init

       Online operation
       Needs an SSH key specified in oss.init.sshkeys loaded in the SSH agent
       Send K shares of master key to OSS instance
          <WRAPPED(<TS><SHARE><SSH SIGNING KEY BLOB><SSH SIGNATURE BLOB>)><SEALED WRAPPING KEY>

       OSS instance reassembles shares into master key
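The N / K split done offline by GenMasterSecret and the reassembly the OSS instance performs once K shares have arrived, as an added example that is not OSS's own code. The field (2^521 - 1), the share encoding and the 5 / 3 parameters are choices made for this example; the GPG encryption of each share to its holder and the signed, wrapped Init message are not reproduced.

```python
import secrets
from typing import List, Tuple

# Mersenne prime 2^521 - 1: a field large enough to hold a 256-bit master key
# as a single element, so no chunking is needed (choice made for this example).
PRIME = 2**521 - 1

Share = Tuple[int, int]  # (x, f(x))


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of a0 + a1*x + ... mod PRIME (coeffs[0] is the secret)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, n: int, k: int) -> List[Share]:
    """Produce n shares such that any k of them (and no fewer) recover `secret`."""
    if not 1 <= k <= n < PRIME:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret does not fit in the field")
    # Degree k-1 polynomial with the secret as constant term; the other
    # coefficients are uniformly random and non-zero, so the degree is exactly k-1.
    coeffs = [secret] + [1 + secrets.randbelow(PRIME - 1) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def reassemble(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0. Correct only with at least k distinct shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share ids")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i == j:
                continue
            num = num * (-xj) % PRIME
            den = den * (xi - xj) % PRIME
        # den is non-zero because the x values are distinct; invert via Fermat.
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def generate_master_key(nbytes: int = 32) -> bytes:
    """Offline GenMasterSecret step: a fresh random master key."""
    return secrets.token_bytes(nbytes)


def split_master_key(key: bytes, n: int, k: int) -> List[Share]:
    return split_secret(int.from_bytes(key, "big"), n, k)


def recover_master_key(shares: List[Share], nbytes: int = 32) -> bytes:
    """What the OSS instance does once K shares have been sent via Init."""
    return reassemble(shares).to_bytes(nbytes, "big")


if __name__ == "__main__":
    key = generate_master_key()
    shares = split_master_key(key, n=5, k=3)  # 5 holders, any 3 can initialize OSS
    # In the talk each share is then GPG-encrypted to its holder (secops.gpg, ID1..IDN).
    assert recover_master_key([shares[0], shares[2], shares[4]]) == key
    print("master key recovered from 3 of 5 shares")
```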




Demo #1 – OSS Initialization

 #
 # Generate Master Secret (do it once)
 #

 java -cp build/libs/oss-client.jar com.geoxp.oss.client.OSSGenMasterSecret secops.gpg ID1,...,IDN K

 #
 # Launch OSS (in production, run it in your webapp container of choice)
 # Check logs for session RSA public key (-Doss.rsa=......:...)
 #

 gradle -Doss.init.sshkeys=... \
        -Doss.gensecret.sshkeys=... \
        -Doss.acl.sshkeys=... \
        -Doss.keystore.dir=... jettyRun

 #
 # Send K parts to OSS (need to have authorized SSH keys loaded in SSH agent)
 #

 gpg -d share-1 | java -Doss.rsa=......:... \
                       -cp build/libs/oss-client.jar \
                       com.geoxp.oss.client.OSSInit http://127.0.0.1:8080/oss

 ...

 gpg -d share-K | java -Doss.rsa=......:... \
                       -cp build/libs/oss-client.jar \
                       com.geoxp.oss.client.OSSInit http://127.0.0.1:8080/oss




Demo #2 – OSS Secret Generation



GenSecret

     Online operation
     Needs an SSH key specified in oss.gensecret.sshkeys loaded in the SSH agent
     Send secret name to OSS instance
        <TS><SECRET NAME><SSH SIGNING KEY BLOB><SSH SIGNATURE BLOB>

     Generate 256 random bits
     Encrypt random bits using OSS Master Key
     Store blob under oss.keystore.dir (in .secret file, converting dot to path separator)




Demo #2 – OSS Secret Generation

 #
 # Generate Secret named 'devoxx.secret1'
 #

 java -cp build/libs/oss-client.jar com.geoxp.oss.client.OSSGenSecret devoxx.secret1

 #
 # Secret file under oss.keystore.dir
 #

 find oss.keystore.dir -type f

 oss.keystore.dir/devoxx/secret1.secret




Demo #3 – Modify ACLs for secret



{Add,Remove}ACL

     Online operation
     Needs an SSH key specified in oss.acl.sshkeys loaded in the SSH agent
     Send secret name and the SSH key fingerprints to add to / remove from the ACL to OSS instance
        WRAPPED<<TS><<SECRET NAME> <FPR1>...<FPRN>> <SSH SIGNING KEY BLOB><SSH SIGNATURE BLOB>> <SEALED WRAPPING KEY>

     OSS instance checks SSH signing key
     OSS instance updates ACL file (.acl file at same level as .secret file)




Demo #3 – Modify ACLs for secret

 #
 # Add ACL for devoxx.secret1
 #

 SSH_FINGERPRINT=2a:e8:a3:c1:e7:89:e3:84:ba:7e:46:3a:0c:24:aa:09
 java -cp build/libs/oss-client.jar com.geoxp.oss.client.OSSAddACL URL devoxx.secret1 ${SSH_FINGERPRINT}

 #
 # ACL file under oss.keystore.dir
 #

 find oss.keystore.dir -type f

 oss.keystore.dir/devoxx/secret1.acl
 oss.keystore.dir/devoxx/secret1.secret

 #
 # Retrieve ACL
 #

 java -cp build/libs/oss-client.jar com.geoxp.oss.client.OSSGetACL URL devoxx.secret1

 [devoxx.secret1]
   2a:e8:a3:c1:e7:89:e3:84:ba:7e:46:3a:0c:24:aa:09:




Demo #4 – Retrieve secret



GetSecret

     Online operation
     Needs an SSH key specified in secret ACL file
     Send secret name and a temporary RSA public key to OSS instance
        <TS><<SECRET NAME> <RSA PUBLIC KEY>> <SSH SIGNING KEY BLOB><SSH SIGNATURE BLOB>

     OSS instance checks SSH signing key against secret ACL
     OSS instance reads secret from .secret file
     OSS instance unwraps secret using its Master Key
     OSS instance wraps secret using a random AES key and sends response to client

        <WRAPPED SECRET><SEALED WRAPPING KEY>
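The keystore layout from Demo #2 and the ACL gate from Demos #3 and #4, as an added example that is not OSS's own code: the secret-name to path mapping (dot to path separator, .secret and .acl side by side), a parser for the layout OSSGetACL prints (assumed here to also be the on-disk .acl format), and the check that the fingerprint of the SSH key that signed a GetSecret request is listed for that secret. The character restriction on secret-name components is an assumption of this example, added so a name cannot resolve outside oss.keystore.dir.

```python
import os
import re
from typing import Dict, List

# Layout shown in the talk: secret 'devoxx.secret1' lives at
#   <oss.keystore.dir>/devoxx/secret1.secret, with its ACL in devoxx/secret1.acl
# One secret-name component: conservative charset (an assumption of this example,
# not OSS's own rule) so a name cannot escape the keystore directory.
COMPONENT_RE = re.compile(r"^[A-Za-z0-9_-]+$")
# MD5-style SSH fingerprint as printed in the slides: 16 colon-separated hex pairs.
FPR_RE = re.compile(r"^([0-9a-f]{2}:){15}[0-9a-f]{2}$")


def is_valid_secret_name(secret_name: str) -> bool:
    """Every dot-separated component must be non-empty and free of path characters."""
    return all(COMPONENT_RE.match(c) for c in secret_name.split("."))


def secret_paths(keystore_dir: str, secret_name: str) -> Dict[str, str]:
    """Dot -> path separator mapping; '.secret' and '.acl' sit at the same level."""
    if not is_valid_secret_name(secret_name):
        raise ValueError(f"invalid secret name: {secret_name!r}")
    base = os.path.join(keystore_dir, *secret_name.split("."))
    return {"secret": base + ".secret", "acl": base + ".acl"}


def normalize_fingerprint(fpr: str) -> str:
    """Lower-case, drop the trailing ':' OSSGetACL prints, reject anything malformed."""
    fpr = fpr.strip().lower().rstrip(":")
    if not FPR_RE.match(fpr):
        raise ValueError(f"malformed fingerprint: {fpr!r}")
    return fpr


def parse_acl(text: str) -> Dict[str, List[str]]:
    """Parse '[secret.name]' headers followed by one fingerprint per line."""
    acls: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            acls.setdefault(current, [])
        elif current is None:
            raise ValueError("fingerprint line before any [section] header")
        else:
            acls[current].append(normalize_fingerprint(line))
    return acls


def is_authorized(acl_text: str, secret_name: str, signing_key_fpr: str) -> bool:
    """GetSecret gate: the SSH key that signed the request must be listed for the secret.
    A malformed fingerprint is simply not authorized."""
    try:
        fpr = normalize_fingerprint(signing_key_fpr)
    except ValueError:
        return False
    return fpr in parse_acl(acl_text).get(secret_name, [])


def authorize_request(keystore_dir: str, secret_name: str, signing_key_fpr: str) -> bool:
    """File-backed variant: no .acl file means nobody is authorized (deny by default)."""
    paths = secret_paths(keystore_dir, secret_name)
    if not os.path.isfile(paths["acl"]):
        return False
    with open(paths["acl"], encoding="utf-8") as fh:
        return is_authorized(fh.read(), secret_name, signing_key_fpr)


# Constructed sample mirroring the OSSGetACL output in Demo #3.
SAMPLE_ACL = """[devoxx.secret1]
  2a:e8:a3:c1:e7:89:e3:84:ba:7e:46:3a:0c:24:aa:09:
"""

if __name__ == "__main__":
    print(secret_paths("oss.keystore.dir", "devoxx.secret1"))
    print(is_authorized(SAMPLE_ACL, "devoxx.secret1",
                        "2a:e8:a3:c1:e7:89:e3:84:ba:7e:46:3a:0c:24:aa:09"))
```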




Demo #4 – Retrieve secret

 #
 # Retrieve Secret
 #

 java -cp build/libs/oss-client.jar com.geoxp.oss.client.OSSGetSecret URL devoxx.secret1

 Secret = e1c5129baeb0454588ebeda7a3742a7a3678aabcaa0cd390




Demo #5 – Wrap secret data



Wrap

       Online operation
       Needs an SSH key specified in secret ACL file
       Retrieve secret (cf GetSecret)
       Wrap data read on stdin using secret (with a random 8 bytes prefix)




Demo #5 – Wrap secret data

 #
 # Wrap data using secret
 #

 echo -n "Hello Devoxx" | java -cp build/libs/oss-client.jar com.geoxp.oss.client.OSSWrap URL devoxx.secret1

 Wrapped (8 bytes nonce prefix) = 8476e13e2254e7d276b3dc1616aaa794bdd69cd5916f528cebd6c3527663642f




Demo #6 – No more unsecure secrets

 import org.apache.commons.codec.binary.Hex;

 import com.geoxp.oss.CryptoHelper;
 import com.geoxp.oss.client.OSSClient;


 public class NoMoreUnsecureSecretsMarty {

     // System property holding the OSS endpoint URL (passed with -Doss.url=...)
     private static final String OSS_URL = "oss.url";
     // Name of the secret whose ACL lists our SSH key
     private static final String OSS_SECRET = "devoxx.secret1";

     // Blob produced by OSSWrap in Demo #5 (8 byte nonce prefix + wrapped data);
     // only this wrapped form ends up in the code base
     private static final String SECRET_DATA = "8476e13e2254e7d276b3dc1616aaa794bdd69cd5916f528cebd6c3527663642f";

     public static void main(String[] args) throws Exception {
         // Retrieve the secret from OSS; OSS checks the signing SSH key against the secret's ACL
         byte[] secret = OSSClient.getSecret(System.getProperty(OSS_URL), OSS_SECRET, null);
         // Unwrap the stored blob locally with the retrieved secret
         byte[] blob = CryptoHelper.unwrapBlob(secret, Hex.decodeHex(SECRET_DATA.toCharArray()));

         System.out.println(new String(blob));
     }
 }




No more unsecure secrets with OSS
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 

No more unsecure secrets with OSS

  • 1. No more (unsecure) secrets, Marty – 18h20 - 18h50 – Room Miles Davis A
  • 2. No more (unsecure) secrets, Marty – Mathias Herberts, Disruptive Engineer – Crédit Mutuel Arkéa – @herberts – 27 to 29 March 2013
  • 5. Does any of those look familiar?

    SecretConstants.java

      public class SecretConstants {

          /**
           * Database User
           */
          public static final String USER = "foo";

          /**
           * Database Password
           */
          public static final String PASSWORD = "bar";

      }

    secrets.properties

      user = foo
      password = bar

    secrets.xml

      <secret>
        <user>foo</user>
        <password>bar</password>
      </secret>

    secrets.yaml

      secret:
        user:     foo
        password: bar

    …
  • 6. Or maybe one of these?

    SuperStrongCryptoConfig.java

      public class SuperStrongCryptoConfig {

          /**
           * Encrypted User Name
           */
          public static final byte[] USER = { 0x33, 0x3a, 0x3a };

          /**
           * Encryption key
           */
          private static final byte KEY = 0x55;

          //
          // Decrypt the User Name using advanced crypto
          //
          static {
              for (int i = 0; i < USER.length; i++) {
                  USER[i] = (byte) ((USER[i] ^ KEY) & 0xff);
              }
          }
      }

    Use environment variables

      export PASSWORD='foo'
      java -jar app.jar

    advanced spying tools:

      ps -H e (ps -E)
      cat /proc/xxxx/environ

    Use system properties

      java -Dpassword=foo -jar app.jar

    more advanced spying tools:

      ps
      cat /proc/xxxx/cmdline

    …
  • 20. Demo #1 – OSS Initialization

    GenMasterSecret (offline operation)
      - Generate master key
      - Split key using an N / K Shamir sharing scheme

    Init (online operation)
      - Needs an SSH key specified in oss.init.sshkeys loaded in the SSH agent
      - Send K shares of master key to OSS instance:
        <WRAPPED(<TS><SHARE><SSH SIGNING KEY BLOB><SSH SIGNATURE BLOB>)><SEALED WRAPPING KEY>
      - OSS instance reassembles shares into master key

  • 21. Demo #1 – OSS Initialization

      #
      # Generate Master Secret (do it once)
      #
      java -cp build/libs/oss-client.jar com.geoxp.oss.client.OSSGenMasterSecret secops.gpg ID1,...,IDN K

      #
      # Launch OSS (in production, run it in your webapp container of choice)
      # Check logs for session RSA public key (-Doss.rsa=......:...)
      #
      gradle -Doss.init.sshkeys=... -Doss.gensecret.sshkeys=... -Doss.acl.sshkeys=... -Doss.keystore.dir=... jettyRun

      #
      # Send K parts to OSS (need to have authorized SSH keys loaded in SSH agent)
      #
      gpg -d share-1 | java -Doss.rsa=......:... -cp build/libs/oss-client.jar com.geoxp.oss.client.OSSInit http://127.0.0.1:8080/oss
      ...
      gpg -d share-K | java -Doss.rsa=......:... -cp build/libs/oss-client.jar com.geoxp.oss.client.OSSInit http://127.0.0.1:8080/oss
  • 22. Demo #2 – OSS Secret Generation

    GenSecret (online operation)
      - Needs an SSH key specified in oss.gensecret.sshkeys loaded in the SSH agent
      - Send secret name to OSS instance:
        <TS><SECRET NAME><SSH SIGNING KEY BLOB><SSH SIGNATURE BLOB>
      - Generate 256 random bits
      - Encrypt random bits using OSS Master Key
      - Store blob under oss.keystore.dir (in a .secret file, converting dots in the name to path separators)

  • 23. Demo #2 – OSS Secret Generation

      #
      # Generate Secret named 'devoxx.secret1'
      #
      java -cp build/libs/oss-client.jar com.geoxp.oss.client.OSSGenSecret devoxx.secret1

      #
      # Secret file under oss.keystore.dir
      #
      find oss.keystore.dir -type f
      oss.keystore.dir/devoxx/secret1.secret
  • 24. Demo #3 – Modify ACLs for secret

    {Add,Remove}ACL (online operation)
      - Needs an SSH key specified in oss.acl.sshkeys loaded in the SSH agent
      - Send secret name and the SSH key fingerprints to add to / remove from the ACL to OSS instance:
        WRAPPED<<TS><<SECRET NAME> <FPR1>...<FPRN>> <SSH SIGNING KEY BLOB><SSH SIGNATURE BLOB>> <SEALED WRAPPING KEY>
      - OSS instance checks SSH signing key
      - OSS instance updates ACL file (.acl file at same level as .secret file)

  • 25. Demo #3 – Modify ACLs for secret

      #
      # Add ACL for devoxx.secret1
      #
      SSH_FINGERPRINT=2a:e8:a3:c1:e7:89:e3:84:ba:7e:46:3a:0c:24:aa:09
      java -cp build/libs/oss-client.jar com.geoxp.oss.client.OSSAddACL URL devoxx.secret1 ${SSH_FINGERPRINT}

      #
      # ACL file under oss.keystore.dir
      #
      find oss.keystore.dir -type f
      oss.keystore.dir/devoxx/secret1.acl
      oss.keystore.dir/devoxx/secret1.secret

      #
      # Retrieve ACL
      #
      java -cp build/libs/oss-client.jar com.geoxp.oss.client.OSSGetACL URL devoxx.secret1
      [devoxx.secret1] 2a:e8:a3:c1:e7:89:e3:84:ba:7e:46:3a:0c:24:aa:09:
  • 26. Demo #4 – Retrieve secret

    GetSecret (online operation)
      - Needs an SSH key specified in the secret's ACL file
      - Send secret name and a temporary RSA public key to OSS instance:
        <TS><<SECRET NAME> <RSA PUBLIC KEY>> <SSH SIGNING KEY BLOB><SSH SIGNATURE BLOB>
      - OSS instance checks SSH signing key against secret ACL
      - OSS instance reads secret from .secret file
      - OSS instance unwraps secret using its Master Key
      - OSS instance wraps secret using a random AES key and sends response to client:
        <WRAPPED SECRET><SEALED WRAPPING KEY>

  • 27. Demo #4 – Retrieve secret

      #
      # Retrieve Secret
      #
      java -cp build/libs/oss-client.jar com.geoxp.oss.client.OSSGetSecret URL devoxx.secret1
      Secret = e1c5129baeb0454588ebeda7a3742a7a3678aabcaa0cd390
  • 28. Demo #5 – Wrap secret data

    Wrap (online operation)
      - Needs an SSH key specified in the secret's ACL file
      - Retrieve secret (cf. GetSecret)
      - Wrap data read on stdin using the secret (with a random 8-byte prefix)

  • 29. Demo #5 – Wrap secret data

      #
      # Wrap data using secret
      #
      echo -n "Hello Devoxx" | java -cp build/libs/oss-client.jar com.geoxp.oss.client.OSSWrap URL devoxx.secret1
      Wrapped (8 bytes nonce prefix) = 8476e13e2254e7d276b3dc1616aaa794bdd69cd5916f528cebd6c3527663642f
  • 30. Demo #6 – No more unsecure secrets

      import org.apache.commons.codec.binary.Hex;
      import com.geoxp.oss.CryptoHelper;
      import com.geoxp.oss.client.OSSClient;

      public class NoMoreUnsecureSecretsMarty {

        private static final String OSS_URL = "oss.url";
        private static final String OSS_SECRET = "devoxx.secret1";
        private static final String SECRET_DATA = "8476e13e2254e7d276b3dc1616aaa794bdd69cd5916f528cebd6c3527663642f";

        public static void main(String[] args) throws Exception {
          byte[] secret = OSSClient.getSecret(System.getProperty(OSS_URL), OSS_SECRET, null);
          byte[] blob = CryptoHelper.unwrapBlob(secret, Hex.decodeHex(SECRET_DATA.toCharArray()));
          System.out.println(new String(blob));
        }
      }