Adventures in Paranoia with Sinatra and Sequel

1. ro ug cu h t adventures in paranoia with sinatra and sequel Eleanor McHugh @feyeleanor http://github.com/feyeleanor Thursday, 4 April 2013

4. ro ug cu h t caveat lector think carefully before doing security Thursday, 4 April 2013

5. I am not a certified security professional and it's unlikely you are either what follows is definitely above our pay grade and presented to provoke further study so if privacy truly matters to you - and it should hire a certified security professional then follow their advice assiduously http://slides.games-with-brains.net Thursday, 4 April 2013

6. adventure Pronunciation: /əәdˈvɛntʃəә/ noun {mass noun} an unusual and exciting or daring experience: her recent adventures in Italy excitement associated with danger or the taking of risks: she travelled the world in search of adventure a reckless or potentially hazardous action or enterprise. archaic a commercial venture. http://slides.games-with-brains.net Thursday, 4 April 2013

7. paranoia Pronunciation: /ˌparəәˈnɔɪəә/ noun {mass noun} a mental condition characterized by delusions of persecution, unwarranted jealousy, or exaggerated self-importance, typically worked into an organized system. It may be an aspect of chronic personality disorder, of drug abuse, or of a serious condition such as schizophrenia in which the person loses touch with reality. unjustified suspicion and mistrust of other people: mild paranoia afflicts all prime ministers http://slides.games-with-brains.net Thursday, 4 April 2013

8. paranoia Pronunciation: /ˌparəәˈnɔɪəә/ noun {mass noun} the perfectly reasonable belief that someone, somewhere is watching your online behaviour with malicious and/or nefarious intent. It may be a result of reading a Hacking Exposed or Hacking for Dummies publication, experiencing the fallout from identity theft, or mixing with cryptographers and cypherpunks. justified suspicion and mistrust of other people: chronic paranoia afflicts all information security professionals http://slides.games-with-brains.net Thursday, 4 April 2013

9. trust no one how can we believe our visitors are who they claim to be http://slides.games-with-brains.net Thursday, 4 April 2013

10. trust no one how can visitors be conﬁdent we protect their privacy http://slides.games-with-brains.net Thursday, 4 April 2013

11. establish a well-known presence assign globally unique identities only accept opaque credentials secure storage wherever identity data rests secure transport wherever identity data moves separate authentication and authorisation http://slides.games-with-brains.net Thursday, 4 April 2013

12. globally unique identities opaque credentials secure storage secure transport http://slides.games-with-brains.net Thursday, 4 April 2013

13. globally unique identities opaque credentials secure storage secure transport http://slides.games-with-brains.net Thursday, 4 April 2013

14. high entropy identiﬁers opaque credentials secure storage secure transport http://slides.games-with-brains.net Thursday, 4 April 2013

15. SecureRandom.uuid opaque credentials secure storage secure transport http://slides.games-with-brains.net Thursday, 4 April 2013

16. SecureRandom.uuid opaque credentials secure storage secure transport http://slides.games-with-brains.net Thursday, 4 April 2013

17. SecureRandom.uuid hashed passwords secure storage secure transport http://slides.games-with-brains.net Thursday, 4 April 2013

18. SecureRandom.uuid OpenSSL::Digest::SHA512 secure storage secure transport http://slides.games-with-brains.net Thursday, 4 April 2013

19. SecureRandom.uuid OpenSSL::Digest::SHA512 iterative workload secure storage secure transport http://slides.games-with-brains.net Thursday, 4 April 2013

20. SecureRandom.uuid OpenSSL::Digest::SHA512 iterative workload secure storage secure transport http://slides.games-with-brains.net Thursday, 4 April 2013

21. SecureRandom.uuid OpenSSL::Digest::SHA512 iterative workload hybrid encryption secure transport http://slides.games-with-brains.net Thursday, 4 April 2013

22. SecureRandom.uuid OpenSSL::Digest::SHA512 iterative workload OpenSSL::PKey::RSA secure transport http://slides.games-with-brains.net Thursday, 4 April 2013

23. SecureRandom.uuid OpenSSL::Digest::SHA512 iterative workload OpenSSL::PKey::RSA OpenSSL::Cipher::AES secure transport http://slides.games-with-brains.net Thursday, 4 April 2013

24. SecureRandom.uuid OpenSSL::Digest::SHA512 iterative workload OpenSSL::PKey::RSA OpenSSL::Cipher::AES single-use keys secure transport http://slides.games-with-brains.net Thursday, 4 April 2013

25. SecureRandom.uuid OpenSSL::Digest::SHA512 iterative workload OpenSSL::PKey::RSA OpenSSL::Cipher::AES single-use keys secure transport http://slides.games-with-brains.net Thursday, 4 April 2013

26. SecureRandom.uuid OpenSSL::Digest::SHA512 iterative workload OpenSSL::PKey::RSA OpenSSL::Cipher::AES single-use keys ssl http://slides.games-with-brains.net Thursday, 4 April 2013

27. SecureRandom.uuid OpenSSL::Digest::SHA512 iterative workload OpenSSL::PKey::RSA OpenSSL::Cipher::AES single-use keys http strict transport security header http://slides.games-with-brains.net Thursday, 4 April 2013

28. SecureRandom.uuid OpenSSL::Digest::SHA512 iterative workload OpenSSL::PKey::RSA OpenSSL::Cipher::AES single-use keys http strict transport security header secure cookies http://slides.games-with-brains.net Thursday, 4 April 2013

29. SecureRandom.uuid OpenSSL::Digest::SHA512 iterative workload OpenSSL::PKey::RSA OpenSSL::Cipher::AES single-use keys http strict transport security header http-only ﬂag http://slides.games-with-brains.net Thursday, 4 April 2013

30. SecureRandom.uuid OpenSSL::Digest::SHA512 iterative workload OpenSSL::PKey::RSA OpenSSL::Cipher::AES single-use keys http strict transport security http-only ﬂag OpenSSL::HMAC http://slides.games-with-brains.net Thursday, 4 April 2013

31. ruby crypto standard library support for cryptography http://slides.games-with-brains.net Thursday, 4 April 2013

32. SecureRandom high-entropy byte stream generator http://slides.games-with-brains.net Thursday, 4 April 2013

33. random_bytes random_number urlsafe_base64 uuid http://slides.games-with-brains.net Thursday, 4 April 2013

34. require ‘securerandom’ def random_string min = 8, max = 64 length = SecureRandom.random_bytes(max - min) length = SecureRandom.random_bytes(min + length) SecureRandom.random_number length end http://slides.games-with-brains.net Thursday, 4 April 2013

35. OpenSSL the default security toolkit of the internet http://slides.games-with-brains.net Thursday, 4 April 2013

36. SHA2 cryptographic hashing algorithm http://slides.games-with-brains.net Thursday, 4 April 2013

37. require ‘openssl’ class SHA2 attr_accessor :rounds, :salt def initialize options = {} end def encode value end def sign value = nil end end http://slides.games-with-brains.net Thursday, 4 April 2013

38. def initialize options = {} @digest = OpenSSL::Digest::SHA512.new, options @salt = options[:salt] || 'salted' @rounds = options[:rounds] || 100000 @key = options[:signing_key] || "" end http://slides.games-with-brains.net Thursday, 4 April 2013

39. def initialize options = {} @digest = OpenSSL::Digest::SHA512.new options @salt = options[:salt] || 'salted' @rounds = options[:rounds] || 100000 @key = options[:signing_key] || "" end http://slides.games-with-brains.net Thursday, 4 April 2013

43. def encode value @digest.reset if rounds > 0 @digest << (salt + value) (rounds - 1).times do @digest << @digest.hexdigest end @digest.hexdigest else value end end http://slides.games-with-brains.net Thursday, 4 April 2013

49. def sign value = nil encode value if value OpenSSL::HMAC.hexdigest @digest, @key, @digest.hexdigest end http://slides.games-with-brains.net Thursday, 4 April 2013

52. class SHA2 attr_accessor :rounds, :salt def initialize options = {} @digest = OpenSSL::Digest::SHA512.new options @salt = options[:salt] || 'salted' @rounds = options[:rounds] || 100000 @key = options[:signing_key] || "" end def encode value @digest.reset if rounds > 0 @digest << (salt + value) (rounds - 1).times do @digest << @digest.hexdigest end @digest.hexdigest else value end end def sign value = nil encode value if value OpenSSL::HMAC.hexdigest @digest, @key, @digest.hexdigest end end http://slides.games-with-brains.net Thursday, 4 April 2013

53. AES single-key symmetric encryption http://slides.games-with-brains.net Thursday, 4 April 2013

54. require ‘openssl’ class AES attr_reader :result, :key, :iv def initialize options = {} end def encode data = "" end def decode cipher_text = "" end def encode_and_pack data end def unpack_and_decode cipher_text end private def update data = "" end end http://slides.games-with-brains.net Thursday, 4 April 2013

55. def update data = "" @result = @cipher.update data @result << @cipher.ﬁnal end http://slides.games-with-brains.net Thursday, 4 April 2013

58. def initialize options = {} @cipher = OpenSSL::Cipher::AES.new 256, :CBC @iv = if options[:iv] @cipher.iv = options[:iv] else @cipher.random_iv end @key = if options[:key] @cipher.key = options[:key] else @cipher.random_key end end http://slides.games-with-brains.net Thursday, 4 April 2013

62. def encode data = "" @cipher.reset @cipher.encrypt @cipher.key = key @cipher.iv = iv update(data.to_s rescue "") end http://slides.games-with-brains.net Thursday, 4 April 2013

66. def decode cipher_text = "" length = cipher_text.length rescue 0 @result = if length > 0 @cipher.reset @cipher.decrypt @cipher.key = key @cipher.iv = iv cipher_text = update cipher_text cipher_text if cipher_text.length > 0 end end http://slides.games-with-brains.net Thursday, 4 April 2013

73. def encode_and_pack data [iv, encode(data)].pack 'mm' end http://slides.games-with-brains.net Thursday, 4 April 2013

76. def unpack_and_decode cipher_text = "" cipher_elements = cipher_text.unpack 'mm' if cipher_elements.length > 0 c = AES.new iv: cipher_elements[0], key: key @result = c.decode cipher_elements[1] end rescue Exception => e nil end http://slides.games-with-brains.net Thursday, 4 April 2013

80. RSA 2-key asymmetric encryption http://slides.games-with-brains.net Thursday, 4 April 2013

81. require ‘openssl’ class RSA attr_reader :result, :key def initialize opts = {} @key = OpenSSL::PKey::RSA.new(opts[:key] || opts[:keysize]) end def public_key @key.public_key.to_pem end def private_key @key.to_pem end def encode data @result = @key.public_encrypt(data.to_s rescue "") end def decode cipher_text @result = @key.private_decrypt(cipher_text.to_s rescue "") end end http://slides.games-with-brains.net Thursday, 4 April 2013

90. encrypted datastores encryption-aware tables in Sequel http://slides.games-with-brains.net Thursday, 4 April 2013

91. encrypted datastores (this is not a sequel talk) http://slides.games-with-brains.net Thursday, 4 April 2013

92. encrypted datastores (we're just using it for its friendly DDL) http://slides.games-with-brains.net Thursday, 4 April 2013

93. class Account < Sequel::Model plugin :schema plugin :validation_helpers set_schema do primary_key :id String :name String :email_address index :name, unique: true index :email_address, unique: true end def validate super validates_unique :name, :email_address end end http://slides.games-with-brains.net Thursday, 4 April 2013

94. class Account < Sequel::Model plugin!:schema plugin :validation_helpers set_schema do primary_key :id String :name String :email_address index :name, unique: true index :email_address, unique: true end def validate super validates_unique :name, :email_address end end http://slides.games-with-brains.net Thursday, 4 April 2013

95. class Account < Sequel::Model plugin!:schema plugin :validation_helpers set_schema do primary_key :id String :name String :email_address index :name, unique: true index :email_address, unique: true end def validate super validates_unique :name, :email_address end end http://slides.games-with-brains.net Thursday, 4 April 2013

96. class Account < Sequel::Model plugin!:schema plugin!:validation_helpers set_schema do primary_key :id String :name String :email_address index :name, unique: true index :email_address, unique: true end def validate super validates_unique :name, :email_address end end http://slides.games-with-brains.net Thursday, 4 April 2013

97. class Account < Sequel::Model plugin!:schema plugin!:validation_helpers set_schema do primary_key :id String :name String :email_address index :name, unique: true index :email_address, unique: true end def validate super validates_unique :name, :email_address end end http://slides.games-with-brains.net Thursday, 4 April 2013

98. class Account < Sequel::Model plugin :schema plugin :validation_helpers set_schema do primary_key :id, type: :varchar, auto_increment: false, unique: true String :name String :email_address index :id, unique: true index :name, unique: true index :email_address, unique: true end unrestrict_primary_key def validate super validates_unique :id, :name, :email_address end end http://slides.games-with-brains.net Thursday, 4 April 2013

99. class Account < Sequel::Model plugin :schema plugin :validation_helpers set_schema do primary_key!:id, type: :varchar, auto_increment: false, unique: true String :name String :email_address index :id, unique: true index :name, unique: true index :email_address, unique: true end unrestrict_primary_key def validate super validates_unique :id, :name, :email_address end end http://slides.games-with-brains.net Thursday, 4 April 2013

103. class Account < Sequel::Model plugin :schema plugin :validation_helpers set_schema do primary_key!:id, type: :varchar, auto_increment: false, unique: true String :name String :email_address index! ! :id, unique: true index :name, unique: true index :email_address, unique: true end unrestrict_primary_key def validate super validates_unique :id, :name, :email_address end end http://slides.games-with-brains.net Thursday, 4 April 2013

106. class Account < Sequel::Model plugin! :schema plugin! :validation_helpers set_schema do primary_key :id, type: :varchar, auto_increment: false, unique: true String :name String :email_address index :id, unique: true index :name, unique: true index :email_address, unique: true end unrestrict_primary_key def validate super validates_unique :id, :name, :email_address end end http://slides.games-with-brains.net Thursday, 4 April 2013

107. module Model def self.included mod mod.plugin :validation_helpers mod.plugin :schema mod.module_eval <<-ACCESSOR, __FILE__, __LINE__ + 1 def self.retrieve id #{mod}.where(id: id).ﬁrst end ACCESSOR end end http://slides.games-with-brains.net Thursday, 4 April 2013

109. module Model def self.included mod mod.plugin!:validation_helpers mod.plugin!:schema mod.module_eval <<-ACCESSOR, __FILE__, __LINE__ + 1 def self.retrieve id #{mod}.where(id: id).ﬁrst end ACCESSOR end end http://slides.games-with-brains.net Thursday, 4 April 2013

110. class Account < Sequel::Model include Model set_schema do primary_key :id, type: :varchar, auto_increment: false, unique: true String :name String :email_address index :id, unique: true index :name, unique: true index :email_address, unique: true end unrestrict_primary_key def validate super validates_unique :id, :name, :email_address end end http://slides.games-with-brains.net Thursday, 4 April 2013

116. module Model def self.included mod mod.plugin :validation_helpers mod.plugin :schema mod.module_eval <<-ACCESSOR, __FILE__, __LINE__ + 1 def self.retrieve id #{mod}.where(id: id).ﬁrst end ACCESSOR end def == entity self[:id] == entity.id rescue false end end http://slides.games-with-brains.net Thursday, 4 April 2013

119. class Account < Sequel::Model include Model set_schema do primary_key!:id, type: :varchar, auto_increment: false, unique: true String :name String :email_address index :id, unique: true index :name, unique: true index :email_address, unique: true end unrestrict_primary_key def validate super validates_unique :id, :name, :email_address end end http://slides.games-with-brains.net Thursday, 4 April 2013

120. module Model require 'securerandom' def generate_id SecureRandom.uuid end end http://slides.games-with-brains.net Thursday, 4 April 2013

123. class Account < Sequel::Model include Model set_schema do primary_key! :id, type: :varchar, auto_increment: false, unique: true String :name String :retrieval_email index :id, unique: true index :name, unique: true index :retrieval_email, unique: true end unrestrict_primary_key def before_create generate_id super end def validate super validates_unique :id, :name, :retrieval_email end end http://slides.games-with-brains.net Thursday, 4 April 2013

124. class Account < Sequel::Model include Model set_schema do primary_key :id, type: :varchar, auto_increment: false, unique: true String :name String! ! :email_address index :id, unique: true index :name, unique: true index :email_address, unique: true end end http://slides.games-with-brains.net Thursday, 4 April 2013

125. module EncryptedModel def encrypted_fields fields = [], options = {} options = { rounds: 100000, salt: "", signing_key: "" }.merge options if fields.length > 0 end end end http://slides.games-with-brains.net Thursday, 4 April 2013

126. module EncryptedModel def encrypted_fields fields = [], options = {} options = { rounds: 100000, salt: "", signing_key: "" }.merge options if fields.length > 0 end end end http://slides.games-with-brains.net Thursday, 4 April 2013

127. class Account < Sequel::Model include Model extend EncryptedModel set_schema do primary_key :id, type: :varchar, auto_increment: false, unique: true String :name String! ! :email_address index :id, unique: true index :name, unique: true index :email_address, unique: true end encrypted_ﬁelds :email_address end http://slides.games-with-brains.net Thursday, 4 April 2013

128. class Account < Sequel::Model include Model extend EncryptedModel set_schema do primary_key :id, type: :varchar, auto_increment: false, unique: true String :name String! ! :email_address index :id, unique: true index :name, unique: true index :email_address, unique: true end encrypted_ﬁelds! :email_address end http://slides.games-with-brains.net Thursday, 4 April 2013

129. ﬁeld encryption with encrypted search http://slides.games-with-brains.net Thursday, 4 April 2013

130. automatically encrypt on storing automatically decrypt on retrieval support equality searches http://slides.games-with-brains.net Thursday, 4 April 2013

131. def encrypted_fields fields = [], options = {} options = { rounds: 100000, salt: "", signing_key: "" }.merge options if fields.length > 0 configure_field_encryption add_field_validation enable_equality_searches options add_field_accessors fields end end http://slides.games-with-brains.net Thursday, 4 April 2013

133. def conﬁgure_ﬁeld_encryption self.module_eval <<-CIPHER, __FILE__, __LINE__ + 1 def symmetric_cipher cipher = if self[:key] AES.new key: self[:key], iv: self[:iv] else AES.new end self[:key] ||= cipher.key self[:iv] ||= cipher.iv cipher end CIPHER end http://slides.games-with-brains.net Thursday, 4 April 2013

136. class Account < Sequel::Model include Model extend EncryptedModel set_schema do primary_key :id, type: :varchar, auto_increment: false, unique: true String :name String! ! :email_address blob :key, null: true blob :iv, null: true index :id, unique: true index :name, unique: true index :email_address, unique: true end encrypted_ﬁelds! :email_address end http://slides.games-with-brains.net Thursday, 4 April 2013

137. class Account < Sequel::Model include Model extend EncryptedModel set_schema do primary_key :id, type: :varchar, auto_increment: false, unique: true String :name String! ! :email_address blob! ! :key, null: true blob :iv, null: true index :id, unique: true index :name, unique: true index :email_address, unique: true end encrypted_ﬁelds! :email_address end http://slides.games-with-brains.net Thursday, 4 April 2013

138. class Account < Sequel::Model include Model extend EncryptedModel set_schema do primary_key :id, type: :varchar, auto_increment: false, unique: true String :name String! ! :email_address blob! ! :key, null: true blob! ! :iv, null: true index :id, unique: true index :name, unique: true index :email_address, unique: true end encrypted_ﬁelds! :email_address end http://slides.games-with-brains.net Thursday, 4 April 2013

146. def encrypted_fields fields = [], options = {} options = { rounds: 100000, salt: "", signing_key: "" }.merge options if fields.length > 0 configure_field_encryption self.module_eval <<-VALIDATION, __FILE__, __LINE__ + 1 def validates_encrypted_field_presence *fields validates_presence #{ fields.collect{ |f| "#{f}_key"}.inspect } end VALIDATION add_field_accessors enable_equality_searches end end http://slides.games-with-brains.net Thursday, 4 April 2013

150. def enable_equality_searches options = {} self.module_eval <<-SEARCH, __FILE__, __LINE__ + 1 def self.search_key v @@index_key = "#{options[:signing_key]}" @@rounds = #{options[:rounds]} @@salt = "#{options[:salt]}" if v && @@index_key digest = SHA512.new key: @@index_key, rounds: @@rounds, salt: @@salt digest.encode v digest.sign else v end end def search_key v self.class.search_key v end SEARCH end http://slides.games-with-brains.net Thursday, 4 April 2013

Adventures in Paranoia with Sinatra and Sequel

Recommandé

Recommandé

Contenu connexe

En vedette

En vedette (15)

Plus de Eleanor McHugh

Plus de Eleanor McHugh (20)

Dernier

Dernier (20)

Adventures in Paranoia with Sinatra and Sequel