Good Abstractions Help Developers Write Good Crypto
Isaac Potoczny-Jones
ijones@tozny.com
https://tozny.com
Watch the video with slide synchronization on InfoQ.com: https://www.infoq.com/presentations/abstractions-cryptography
Presented at QCon San Francisco (www.qconsf.com)
Imagine Headlines From An Alternate Past…
How many of you prefer the fake headlines about security?
What is the reality behind this fantasy?
Good Crypto Makes Data Breaches Not Matter
[Chart: $ per record, “Crypto Matters”; source: Ponemon - http://www-03.ibm.com/security/infographics/data-breach/]
Costs
EU Privacy Law Creates New Cost
• General Data Privacy Regulation (GDPR)
  • Violation hits 4% of annual revenue or €20M, whichever is greater
  • Global in impact if you manage data of EU citizens, including IP addresses
• Encryption is required for GDPR
  • €10M / 2% fine is waived if leaked data is encrypted
  • Notification is not required if leaked data is encrypted
Let’s Face it: Privacy Gets in the Way
We all could do more with data…
• If Privacy was not a problem.
But privacy matters…
• Think of it as a foundation, not a gate.
Do more with data by doing right with data.
Mistake 1
Not Using Crypto
Why Encrypt
• Reduces the cost of a breach
• Protects intellectual property
• It protects the users
• It’s the right thing to do
Why Not
• Access control is good enough
• It causes overhead
• We can’t query encrypted data
• It’s hard to implement
It’s True, Encryption is Hard
But Why?
Introduction: Isaac Potoczny-Jones
Computer Science, Cybersecurity, CEO
ijones@tozny.com
There’s a good chance you use our crypto
• Tozny Android AES Library – more on this later…
  • Tens of millions of end-user installs
  • Fortune 500 companies
  • Open source projects
• Debian / Ubuntu package integrity
  • Developed by Tozny’s CEO in 2003, prior to the company
  • Most common server OS
  • Millions of server and desktop installs
Our team has had a huge impact on open source crypto
Takeaways
• Security defense continues to be a disaster
  • The massive advantage goes to the attacker
• Crypto is the recognized solution
  • The last line of defense when access control falls down
• More crypto is getting written
  • By developers without training, in organizations without incentives
• So developers are getting it wrong
  • Because the crypto community is not giving us good interfaces
“Cryptographic issues ranked higher than
cross-site scripting, SQL injection and directory traversal.”
“Developers are adding a lot of crypto …
but they're doing it poorly.”
- Veracode CTO Chris Wysopal.
What you’ll get from this talk
Understand how typical devs approach crypto
What’s the root cause of the problem
Understand how you should approach crypto
It’s True, Encryption is Hard
But Why?
Two Negative Examples
Three Positive Examples
How Programmers Approach Encryption
“Encryption feels like a function that inputs plaintext and outputs ciphertext.”
String encrypt(String plaintext) {…}
// A nice, stateless function
byte[] encrypt(byte[] plaintext) {…}
// Well, obviously it’s bytes not strings…
byte[] encrypt(byte[] plaintext, byte[] key) {…}
// Of course, I need a key…
byte[] encrypt(byte[] plaintext, byte[] key, byte[] iv, String algorithm, String mode) {…}
// I don’t know what those are, but how hard can it be?
Negative Example 1: Encrypting Strings in Java
• Selecting an Algorithm and Mode
  • Symmetric vs. Asymmetric, AES, RSA, ECC
  • Symmetric modes: ECB, GCM, CBC, etc.
  • Hashing (where applicable): MD5, SHA1, SHA2
• Managing Keys
  • Generated randomly, generated from passwords
  • How to store, register, and communicate keys
  • Key size, key trust
  • User identification (passwords, biometrics, etc.)
• Miscellaneous
  • How to generate, store, and communicate: Initialization vector (IV), salt, nonce
  • Padding, encoding, serializing, signing
  • How to communicate all these decisions to the other party
Let’s ask Google and Stack Overflow
[Screenshot of search results: three results annotated “Wrong”, one annotated “Our Library”]
Bad code looks completely reasonable
• Insecure key generation
• Insecure encryption
• Programmer response might destroy your data
What’s the result of this?
“65% of Android applications that use cryptography were found to use the default, insecure ECB mode for AES encryption.”
- 2013, “An empirical study of cryptographic misuse in Android applications.”
Concept: The abstraction stack of building crypto
The left side is completely generic and can be used for anything.
The right side is specific and can only be used for one thing.
This always happens with abstractions.
Mistakes creep into the gaps between layers
Mistake 2
Directly using low-level primitives like AES.
This is how you should imagine the attacker
A strong cryptographic attack model ignores “access control”
• They can read all the encrypted data and plaintext data
  • But they can’t decrypt it
• They can change all the encrypted data and plaintext data
  • But digital signatures should be able to catch it
• They can choose example plaintext data to encrypt
  • For instance by creating an account with known values
• They know the algorithm and the format of the data
  • But not necessarily the keys
Mistake 3
Using a weak attack model.
Key Generation and Management
• Randomly generated keys: High security, hard to manage
  • Need to store the key, introducing new attack vectors.
  • Bad: Storing the key next to the ciphertext.
  • Bad: Not using a cryptographically secure RNG.
  • Good: Use an HSM, keychain, or other kind of KMS.
• Password-based keys: No “management” but weaker security
  • Bad: Using the password as the AES key: Wrong size, easy to crack.
  • Bad: Using password.getBytes() as a seed to the RNG
  • Good: Use an approved password-based key derivation function (PBKDF).
Mistake 4
Broken key management or
No key management strategy.
Security Problems of Bad Crypto
Losing Confidentiality and Integrity
AES Modes - ECB vs CBC (Encrypt)
AES Modes: ECB loses confidentiality
• Gotchas: In Java, ECB is the default mode for AES
  • Password manager: I can tell which sites have the same password
  • Images: I can see the shape of the image
• What to do instead:
  • Use CBC or GCM
  • Depends on what’s available
Integrity: ECB and CBC don’t provide it
• Gotchas: Relying on integrity
  • You can change the ciphertext and still decrypt it
  • Sometimes it matters, sometimes it doesn’t
  • ECB can be broken up by blocks
  • CBC is harder
• What to do instead
  • Use GCM
  • Add your own integrity
How to Break Security of Bad Crypto
ECB Has Weak Confidentiality
Input Data – Winner = Bob (Orange). 3 users, two actions.
Plaintext records:
user=Isaac action=vote user=Alice
user=Alice action=vote user=Bob
user=Bob action=vote user=Bob
user=Alice action=change_addr addr=123 Main
user=Bob action=change_addr addr=123 Main
The same records as ECB ciphertext (colour-coded blocks on the slide; equal fields give equal blocks):
user=Isaac action=vote user=Alice
user=Alice action=vote user=Bob
user=Bob action=vote user=Bob
user=Alice action=change_addr addr=123 Main
user=Bob action=change_addr addr=123 Main
I know that I voted for Alice (green) and I didn’t change my address…
ECB Has Weak Integrity
Starting State – Winner = Bob (Orange):
user=Isaac action=vote user=Alice
user=Alice action=vote user=Bob
user=Bob action=vote user=Bob
user=Alice action=change_addr addr=123 Main
user=Bob action=change_addr addr=123 Main
After the attacker rearranges ciphertext blocks:
user=Isaac action=vote user=Alice
user=Alice action=vote user=Alice
user=Bob action=vote user=Alice
user=Alice action=change_addr addr=123 Main
user=Bob action=change_addr addr=123 Main
Attacker can mix and match records and make Alice (Green) win
Getting crypto right preserves confidentiality and integrity
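The vote log above, as an added example that is not from the talk or the Tozny library: each field is laid out as exactly one 16-byte AES block (field names shortened to "act=" so they fit, which is an assumption of this demo), Java's bare "AES" transformation is used so ECB is what you get, and the same block splice is then tried against AES-GCM, which rejects it.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Constructed vote log from the slides; every field is padded to one AES block. */
public class EcbVsGcmDemo {
    private static final int BLOCK = 16;     // AES block size in bytes
    private static final int FIELDS = 3;     // user, action, target
    private static final String[][] LOG = {
        {"user=Isaac", "act=vote",        "user=Alice"},
        {"user=Alice", "act=vote",        "user=Bob"},
        {"user=Bob",   "act=vote",        "user=Bob"},
        {"user=Alice", "act=change_addr", "addr=123 Main"},
        {"user=Bob",   "act=change_addr", "addr=123 Main"},
    };

    /** Serialise the log: every field space-padded to exactly one AES block. */
    static byte[] serialise(String[][] log) {
        StringBuilder sb = new StringBuilder();
        for (String[] rec : log)
            for (String f : rec) sb.append(String.format("%-" + BLOCK + "s", f));
        return sb.toString().getBytes(StandardCharsets.US_ASCII);
    }

    /** The gotcha from the slides: the bare "AES" transformation means AES/ECB/PKCS5Padding. */
    static byte[] ecb(SecretKey key, int mode, byte[] in) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES");
        c.init(mode, key);
        return c.doFinal(in);
    }

    /** AES-GCM with a fresh random 96-bit nonce prepended to the output. */
    static byte[] gcmEncrypt(SecretKey key, byte[] pt) throws GeneralSecurityException {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(pt);
        byte[] out = Arrays.copyOf(nonce, nonce.length + ct.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    /** Throws AEADBadTagException if any byte of nonce, ciphertext or tag was changed. */
    static byte[] gcmDecrypt(SecretKey key, byte[] in) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, Arrays.copyOf(in, 12)));
        return c.doFinal(in, 12, in.length - 12);
    }

    /** The slides' "mix and match": copy record src's action+target blocks over record dst's. */
    static void splice(byte[] ct, int base, int src, int dst) {
        int rec = FIELDS * BLOCK;
        System.arraycopy(ct, base + src * rec + BLOCK, ct, base + dst * rec + BLOCK, 2 * BLOCK);
    }

    /** Distinct ciphertext blocks among the first n; under ECB, equal fields collapse. */
    static int distinctBlocks(byte[] ct, int base, int n) {
        Set<String> seen = new HashSet<>();
        for (int i = 0; i < n; i++)
            seen.add(Arrays.toString(Arrays.copyOfRange(ct, base + i * BLOCK, base + (i + 1) * BLOCK)));
        return seen.size();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        byte[] log = serialise(LOG);
        int blocks = LOG.length * FIELDS;

        // Confidentiality: repeated fields (act=vote, user=Bob, ...) repeat in the ciphertext.
        byte[] ecbCt = ecb(key, Cipher.ENCRYPT_MODE, log);
        System.out.println(blocks + " plaintext blocks, " + distinctBlocks(ecbCt, 0, blocks) + " distinct ECB blocks");

        // Integrity: give Alice and Bob Isaac's "act=vote user=Alice" blocks; ECB decrypts it cleanly.
        splice(ecbCt, 0, 0, 1);
        splice(ecbCt, 0, 0, 2);
        System.out.println(new String(ecb(key, Cipher.DECRYPT_MODE, ecbCt), StandardCharsets.US_ASCII));

        // The same splice against GCM: the authentication tag no longer verifies, nothing is returned.
        byte[] gcmCt = gcmEncrypt(key, log);
        splice(gcmCt, 12, 0, 1);
        try {
            gcmDecrypt(key, gcmCt);
            System.out.println("BUG: tampered GCM ciphertext accepted");
        } catch (AEADBadTagException e) {
            System.out.println("GCM rejected the spliced log");
        }
    }
}
```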
Negative Example 2: Client-Side Certs in Curl
Google: “PHP curl send client-side certificate”
Top hit – Looks reasonable…
Top hit disables server verification!
[Screenshot: the top hit’s code, annotated “Bad”, beside the code we want]
First comment at the bottom of curl docs
PHP Docs for Curl
• How many key-related options are there to curl in PHP? CURLOPT_ SSLCERT, SSLCERTPASSWD, SSLCERTTYPE, SSLKEY, SSLKEYPASSWD, SSLKEYTYPE, SSH_HOST_PUBLIC_KEY_MD5, SSH_PUBLIC_KEYFILE, SSH_PRIVATE_KEYFILE, PINNEDPUBLICKEY, CERTINFO, SSL_VERIFYPEER, CAINFO, CAPATH
• Documentation:
  • CERTINFO: TRUE to output SSL certification information to STDERR on secure transfers.
  • SSLCERT: The name of a file containing a PEM formatted certificate.
  • SSLKEY: The name of a file containing a private SSL key.
Man page for --cert
It’s not that curl is bad!
It’s just that it’s too low-level…
Mistake 5
Trusting crypto code examples
without professional guidance.
Mistakes to watch out for
1. Not using crypto is the biggest mistake!
2. Directly using low-level primitives like AES
3. Letting a weak attack model undermine the correctness goal
4. Broken or missing key management strategy (ask about it)
5. Trusting crypto code examples without professional guidance
6. Watch for “old or broken” stuff: DES, MD4, MD5, SHA1, RC4, (RSA)
But… I have a saying:
“Don’t blame users for security problems.”
e.g. You didn’t get hacked because you had a bad password, you got hacked because a programmer forgot to check for SQL injection vulnerabilities.
Likewise…
“Don’t blame developers for crypto problems.”
… What can the crypto community do better?
Solutions
A world with better security
The Abstraction Gap
The abstraction stack of building crypto
Mistakes creep into the gaps between layers
In Crypto, there are very few tools in this gap
That big gap is an opportunity for improvement
Positive Example 1: Our Java AES Library
Let’s dig in…
What Java Provides (the problem)
javax.crypto functions are: getInstance(), init(), doFinal()
Experience: What Our Library Provides
System Properties
• We realize that people want simple copy-paste code.
• Works for Strings: Operates as a stream cipher, base64 encoding.
• Algorithm & Mode: AES 128, CBC.
• Secure IV generation and handling.
• Secure key generation for random or password-based keys.
• Integrity – add a SHA256 HMAC, we handle the keys.
• Pull requests welcome!
• https://github.com/tozny/java-aes-crypto
How does this Bridge the Gap
It’s opinionated; it makes a LOT of choices for you
• That means it’s not perfect for everything
  • It encrypts only strings, not any object of your choosing
  • It’s for data at rest, not transit
  • It generates keys, IVs, etc., all in the way we choose
  • It’s not transparent database encryption
• For instance, on performance:
  • 10k rounds of password-based key generation isn’t fast on all platforms
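As an added example, not the Tozny library’s own code, here is the contract the slide above lists (strings in and out, AES-128 CBC, random IV, random or password-based keys, HMAC-SHA256 integrity, base64) written directly against javax.crypto; it also covers the “Key Generation and Management” slide, since it contrasts the two “Bad” password-key variants with PBKDF2. Assumptions: one 256-bit PBKDF2 output is split into separate AES and HMAC keys, and the 10k-round count is taken from the performance note.

```java
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

/** String-in, string-out AES-128-CBC + HMAC-SHA256 (encrypt-then-MAC), base64 encoded. */
public class StringCrypto {
    private static final int PBKDF2_ROUNDS = 10_000;   // the slide's "10k rounds"
    private static final SecureRandom RNG = new SecureRandom();

    /** Two independent keys: one for AES, one for the MAC (assumed split of 32 derived bytes). */
    public static final class Keys {
        final SecretKeySpec aes, mac;
        Keys(byte[] raw32) {
            aes = new SecretKeySpec(Arrays.copyOfRange(raw32, 0, 16), "AES");
            mac = new SecretKeySpec(Arrays.copyOfRange(raw32, 16, 32), "HmacSHA256");
        }
    }

    /** Random keys: strongest, but now the key must live in a KMS, keychain or HSM. */
    public static Keys generateKeys() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);                              // CSPRNG, not java.util.Random
        return new Keys(raw);
    }

    /** Password-based keys: nothing to store, but only as strong as the password and the KDF. */
    public static Keys keysFromPassword(char[] password, byte[] salt) throws GeneralSecurityException {
        // The slide's "Bad" variants are new SecretKeySpec(password.getBytes(), "AES") (wrong
        // length, trivially brute-forced) and seeding a PRNG with the password. PBKDF2 with a
        // random per-user salt and a high iteration count is the approved replacement.
        PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ROUNDS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new Keys(raw);
    }

    public static byte[] newSalt() { byte[] s = new byte[16]; RNG.nextBytes(s); return s; }

    /** Returns base64( IV || AES-CBC(plaintext) || HMAC-SHA256(IV || ciphertext) ). */
    public static String encrypt(Keys k, String plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[16];
        RNG.nextBytes(iv);                               // fresh IV per message, never reused
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");   // mode spelled out, never bare "AES"
        c.init(Cipher.ENCRYPT_MODE, k.aes, new IvParameterSpec(iv));
        byte[] ivCt = concat(iv, c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8)));
        return Base64.getEncoder().encodeToString(concat(ivCt, hmac(k.mac, ivCt)));
    }

    /** Checks the tag in constant time before touching the cipher; throws on any modification. */
    public static String decrypt(Keys k, String encoded) throws GeneralSecurityException {
        byte[] all = Base64.getDecoder().decode(encoded);
        if (all.length < 16 + 16 + 32) throw new GeneralSecurityException("ciphertext too short");
        byte[] ivCt = Arrays.copyOfRange(all, 0, all.length - 32);
        byte[] tag = Arrays.copyOfRange(all, all.length - 32, all.length);
        if (!MessageDigest.isEqual(tag, hmac(k.mac, ivCt)))   // timing-safe comparison
            throw new GeneralSecurityException("integrity check failed");
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, k.aes, new IvParameterSpec(Arrays.copyOfRange(ivCt, 0, 16)));
        return new String(c.doFinal(ivCt, 16, ivCt.length - 16), StandardCharsets.UTF_8);
    }

    private static byte[] hmac(SecretKeySpec key, byte[] data) throws GeneralSecurityException {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        return m.doFinal(data);
    }

    private static byte[] concat(byte[] a, byte[] b) {
        byte[] out = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] salt = newSalt();                         // stored beside the ciphertext; not secret
        Keys k = keysFromPassword("correct horse battery staple".toCharArray(), salt);
        String token = encrypt(k, "user=Isaac action=vote user=Alice");
        System.out.println(decrypt(k, token));          // round-trips

        byte[] raw = Base64.getDecoder().decode(token);
        raw[20] ^= 1;                                    // one flipped ciphertext byte
        try {
            decrypt(k, Base64.getEncoder().encodeToString(raw));
        } catch (GeneralSecurityException e) {
            System.out.println("rejected: " + e.getMessage());   // the HMAC check fires first
        }
    }
}
```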
Positive Example 2: Signal Protocol
End-to-end Crypto in Brief
• Encrypt data as soon as it’s created
• Decrypt it only when you need it
• Distribute keys to the systems that need it
• No intermediate systems get the data
[Diagram: Data Creation → End-to-end encryption → Data Use]
Signal: An end-to-end secure chat protocol
• Open Whisper Systems specified the protocol publicly
• Signal: Their secure chat app
• WhatsApp, Facebook, and others have implemented it
• It solves a specific problem and solves it well!
Positive Example 3: libSodium
A higher-level crypto library
We love it and use it all the time
libSodium: Use it if there’s no protocol library
• Pros: Higher-level than ciphers
  • Makes lots of choices for you
  • Combines authenticated symmetric and asymmetric crypto
• Cons: Lower level than protocols
  • Its choices are somewhat odd - it doesn’t use the NIST ciphers
  • Documentation is still a little weak
End-to-end beyond chat (Bonus Example 4)
We’ve launched a much more complete commercial product.
• We used this Java AES project to verify the need
• It was wildly successful, but the problem is much bigger than Java AES
• Come chat with me if you’re curious
What you can do
In your day job…
How to get it right
If you have the expertise, build tools in this gap.
For the rest of us:
• Decide on your security and privacy goals
• Plan for a strong attacker
• Use a tool that’s close to your abstraction layer, or libSodium
• Ideally, use a trained cryptographer to implement your approach
• Otherwise, get training and have a cryptographer check your work
Remember: crypto is there for when “access control” fails
Thank You!
Isaac Potoczny-Jones
ijones@tozny.com
https://tozny.com

Contenu connexe

Plus de C4Media

Plus de C4Media (20)

Shifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CDShifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CD
 
CI/CD for Machine Learning
CI/CD for Machine LearningCI/CD for Machine Learning
CI/CD for Machine Learning
 
Fault Tolerance at Speed
Fault Tolerance at SpeedFault Tolerance at Speed
Fault Tolerance at Speed
 
Architectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep SystemsArchitectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep Systems
 
ML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.jsML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.js
 
Build Your Own WebAssembly Compiler
Build Your Own WebAssembly CompilerBuild Your Own WebAssembly Compiler
Build Your Own WebAssembly Compiler
 
User & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix ScaleUser & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix Scale
 
Scaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's EdgeScaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's Edge
 
Make Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home EverywhereMake Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home Everywhere
 
The Talk You've Been Await-ing For
The Talk You've Been Await-ing ForThe Talk You've Been Await-ing For
The Talk You've Been Await-ing For
 
Future of Data Engineering
Future of Data EngineeringFuture of Data Engineering
Future of Data Engineering
 
Automated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and MoreAutomated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and More
 
Navigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery TeamsNavigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery Teams
 
High Performance Cooperative Distributed Systems in Adtech
High Performance Cooperative Distributed Systems in AdtechHigh Performance Cooperative Distributed Systems in Adtech
High Performance Cooperative Distributed Systems in Adtech
 
Rust's Journey to Async/await
Rust's Journey to Async/awaitRust's Journey to Async/await
Rust's Journey to Async/await
 
Opportunities and Pitfalls of Event-Driven Utopia
Opportunities and Pitfalls of Event-Driven UtopiaOpportunities and Pitfalls of Event-Driven Utopia
Opportunities and Pitfalls of Event-Driven Utopia
 
Datadog: a Real-Time Metrics Database for One Quadrillion Points/Day
Datadog: a Real-Time Metrics Database for One Quadrillion Points/DayDatadog: a Real-Time Metrics Database for One Quadrillion Points/Day
Datadog: a Real-Time Metrics Database for One Quadrillion Points/Day
 
Are We Really Cloud-Native?
Are We Really Cloud-Native?Are We Really Cloud-Native?
Are We Really Cloud-Native?
 
CockroachDB: Architecture of a Geo-Distributed SQL Database
CockroachDB: Architecture of a Geo-Distributed SQL DatabaseCockroachDB: Architecture of a Geo-Distributed SQL Database
CockroachDB: Architecture of a Geo-Distributed SQL Database
 
A Dive into Streams @LinkedIn with Brooklin
A Dive into Streams @LinkedIn with BrooklinA Dive into Streams @LinkedIn with Brooklin
A Dive into Streams @LinkedIn with Brooklin
 

Dernier

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Dernier (20)

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Abstractions to Help Developers Write Good Crypto

  • 1. Good Abstractions Help Developers Write Good Crypto Isaac Potoczny-Jones ijones@tozny.com https://tozny.comProprietary Information
  • 2. InfoQ.com: News & Community Site • Over 1,000,000 software developers, architects and CTOs read the site world- wide every month • 250,000 senior developers subscribe to our weekly newsletter • Published in 4 languages (English, Chinese, Japanese and Brazilian Portuguese) • Post content from our QCon conferences • 2 dedicated podcast channels: The InfoQ Podcast, with a focus on Architecture and The Engineering Culture Podcast, with a focus on building • 96 deep dives on innovative topics packed as downloadable emags and minibooks • Over 40 new content items per week Watch the video with slide synchronization on InfoQ.com! https://www.infoq.com/presentations/ abstractions-cryptography
  • 3. Purpose of QCon - to empower software development by facilitating the spread of knowledge and innovation Strategy - practitioner-driven conference designed for YOU: influencers of change and innovation in your teams - speakers and topics driving the evolution and innovation - connecting and catalyzing the influencers and innovators Highlights - attended by more than 12,000 delegates since 2007 - held in 9 cities worldwide Presented at QCon San Francisco www.qconsf.com
  • 4. Imagine Headlines From An Alternate Past…
  • 5.
  • 6.
  • 7.
  • 8.
  • 9. How many of you prefer The fake headlines about security?
  • 10. What is the reality behind this fantasy?
  • 11. Good Crypto Makes Data Breaches Not Matter $ per Record Crypto Matters Ponemon - http://www-03.ibm.com/security/infographics/data-breach/ Costs Solutions
  • 12. EU Privacy Law Creates New Cost • General Data Privacy Regulation (GDPR) • Violation hits 4% of annual revenue or €20M, whichever is greater • Global in impact if you manage data of EU citizens, including IP addr • Encryption is required for GDPR • €10M / 2% fine is waived if leaked data is encrypted • Notification is not required if leaked data is encrypted Proprietary Information
  • 13. Let’s Face it: Privacy Gets in the Way We all could do more with data… • If Privacy was not a problem. But privacy matters… • Think of it as a foundation, not a gate. Do more with data by doing right with data.
  • 15. Why Encrypt • Reduces the cost of a breach • Protects intellectual property • It protects the users • It’s the right thing to do Why Not • Access control is good enough • It causes overhead • We can’t query encrypted data • It’s hard to implement
  • 16. It’s True, Encryption is Hard But Why?
  • 17. Introduction: Isaac Potoczny-Jones Computer Science, Cybersecurity, CEO ijones@tozny.com
  • 18. There’s a good chance you use our crypto • Tozny Android AES Library – More on this later… • Tens of millions of end-user installs • Fortune 500 companies • Open source projects • Debian / Ubuntu package integrity • Developed by Tozny CEO prior to company in 2003 • Most common server OS • Millions of server and desktop installs Our team has had a huge impact on open source crypto Proprietary Information
  • 19. Takeaways • Security defense continues to be a disaster • The massive advantage goes to the attacker • Crypto is the recognized solution • The last line of defense when access control falls down • More crypto is getting written • By developers without training, in organizations without incentives • So developers are getting it wrong • Because the crypto community is not giving us good interfaces
  • 20. “Cryptographic issues ranked higher than cross-site scripting, SQL injection and directory traversal.” “Developers are adding a lot of crypto … but they're doing it poorly.” - Veracode CTO Chris Wysopal.
  • 21. What you’ll get from this talk Understand how typical devs approach crypto What’s the root cause of the problem Understand how you should approach crypto
  • 22. It’s True, Encryption is Hard But Why?
  • 23. Two Negative Examples Three Positive Examples
  • 24. How Programmers Approach Encryption “Encryption feels like a function that inputs plaintext and outputs ciphertext.”
  • 25. String encrypt (String plaintext) {…} // A nice, stateless function
  • 26. byte [] encrypt (byte[] plaintext) {…} // Well, obviously it’s bytes not strings…
  • 27. byte [] encrypt (byte[] plaintext, byte [] key) {…} // Of course, I need a key…
  • 28. byte [] encrypt (byte[] plaintext, byte [] key, byte [] iv, String algorithm, String mode) {…} // I don’t know what those are, but how hard can it be?
  • 29. Negative Example 1: Encrypting Strings in Java • Selecting an Algorithm and Mode • Symmetric vs. Asymmetric, AES, RSA, ECC • Symmetric modes: ECB, GCM, CBC, etc. • Hashing (where applicable): MD5, SHA1, SHA2 • Managing Keys • Generated randomly, generated from passwords • How to store, register, and communicate keys • Key size, key trust • User identification (passwords, biometrics, etc.) • Miscellaneous • How to generate, store, and communicate: Initialization vector (IV), salt, nonce • Padding, encoding, serializing, signing • How to communicate all these decisions to the other party
  • 30. Let’s ask Google and Stack Overflow Proprietary Information Wrong Wrong Wrong Our Library
  • 31. Bad code looks completely reasonable Insecure Key Generation Insecure Encryption Programmer Response Might Destroy Your Data
  • 32. What’s the result of this? “65% of Android applications that use cryptography were found to use the default, insecure ECB mode for AES encryption.” - 2013 “An empirical study of cryptographic misuse in Android applications.
  • 33. Concept: The abstraction stack of building crypto Proprietary Information The left side is completely generic and can be used for anything. The right side is specific and can only be used for one thing. This always happens with abstractions.
  • 34. Mistakes creep into the gaps between layers Proprietary Information
  • 35. Mistake 2 Directly using low-level primitives like AES.
  • 36. This is how you should imagine the attacker A strong cryptographic attack model ignores “access control” • They can read all the encrypted data and plain text data • But they can’t decrypt it • They can change all the encrypted data and plain text data • But digital signatures should be able to catch it • They can choose example plain text data to encrypt • For instance by creating an account with known values • They know the algorithm and the format of the data • But not necessarily the keys
  • 37. Mistake 3 Using a weak attack model.
  • 38. Key Generation and Management • Randomly generated keys: High security, hard to manage • Need to store the key, introducing new attack vectors. • Bad: Storing the key next to the ciphertext. • Bad: Not using a cryptographically secure RNG. • Good: Use an HSM, keychain, or other kind of KMS. • Password-based keys: No “management” but weaker security • Bad: Using the password as the AES key: Wrong size, easy to crack. • Bad: Using password.getBytes() as a seed to RNG • Good: Use an approved password-based key derivation function “PBKDF”.
  • 39. Mistake 4 Broken key management or No key management strategy.
  • 40. Security Problems of Bad Crypto Losing Confidentiality and Integrity
  • 41. AES Modes - ECB vs CBC (Encrypt)
  • 42. AES Modes: ECB loses confidentiality • Gotchas: In Java, ECB is the default mode for AES • Password manager: I can tell which sites have the same password • Images: I can see the shape of the image • What to do instead: • Use CBC or GCM • Depends on what’s available
  • 43. Integrity: ECB and CBC don’t provide it • Gotchas: Relying on integrity • You can change the ciphertext and still decrypt it • Sometimes it matters, sometimes it doesn’t • ECB can be broken up by blocks • CBC is harder • What to do instead • Use GCM • Add your own integrity
  • 44. How to Break Security of Bad Crypto
  • 45. Input Data – Winner = Bob (Orange) ECB Has Weak Confidentiality user=Isaac action=vote user=Alice user=Alice action=vote user=Bob user=Bob action=vote user=Bob user=Alice action=change_addr addr=123 Main user=Bob action=change_addr addr=123 Main user=Isaac action=vote user=Alice user=Alice action=vote user=Bob user=Bob action=vote user=Bob user=Alice action=change_addr addr=123 Main user=Bob action=change_addr addr=123 Main I know that I voted for Alice (green) and I didn’t change my address… 3 Users. Two actions.
  • 46. Starting State – Winner = Bob (Orange) ECB Has Weak Integrity user=Isaac action=vote user=Alice user=Alice action=vote user=Bob user=Bob action=vote user=Bob user=Alice action=change_addr addr=123 Main user=Bob action=change_addr addr=123 Main user=Isaac action=vote user=Alice user=Alice action=vote user=Alice user=Bob action=vote user=Alice user=Alice action=change_addr addr=123 Main user=Bob action=change_addr addr=123 Main Attacker can mix and match records and make Alice (Green) win
  • 47. Getting crypto right Preserves confidentiality and Integrity
  • 48. Negative Example 2: Client-Side Certs in Curl Google: “PHP curl send client-side certificate”
  • 49. Top hit – Looks reasonable…
  • 50. Top hit disables server verification! (Slide contrasts the “Bad” snippet with “What we want”)
  • 51. First comment at the bottom of curl docs
  • 52. PHP Docs for Curl
    • How many key-related options are there to curl in PHP – CURLOPT_ SSLCERT, SSLCERTPASSWD, SSLCERTTYPE, SSLKEY, SSLKEYPASSWD, SSLKEYTYPE, SSH_HOST_PUBLIC_KEY_MD5, SSH_PUBLIC_KEYFILE, SSH_PRIVATE_KEYFILE, PINNEDPUBLICKEY, CERTINFO, SSL_VERIFYPEER, CAINFO, CAPATH
    • Documentation:
      • CERTINFO: TRUE to output SSL certification information to STDERR on secure transfers.
      • SSLCERT: The name of a file containing a PEM formatted certificate.
      • SSLKEY: The name of a file containing a private SSL key.
  • 53. Man page for --cert
  • 54. It’s not that curl is bad! It’s just that it’s too low-level…
  • 55. Mistake 5: Trusting crypto code examples without professional guidance.
  • 56. Mistakes to watch out for
    1. Not using crypto is the biggest mistake!
    2. Directly using low-level primitives like AES
    3. Letting a weak attack model undermine the correctness goal
    4. Ask about the key management strategy
    5. Trusting crypto code examples without professional guidance
    6. Watch for “old or broken” stuff: DES, MD4, MD5, SHA1, RC4, (RSA)
  • 57. But… I have a saying: “Don’t blame users for security problems.” e.g. You didn’t get hacked because you had a bad password, you got hacked because a programmer forgot to check for SQL injection vulnerabilities.
  • 58. Likewise… “Don’t blame developers for crypto problems.” … What can the crypto community do better?
  • 59. Solutions: A world with better security
  • 61. The abstraction stack of building crypto. The left side is completely generic and can be used for anything. The right side is specific and can only be used for one thing. This always happens with abstractions.
  • 62. Mistakes creep into the gaps between layers
  • 63. In Crypto, there are very few tools in this gap
  • 64. That big gap is an opportunity for improvement
  • 65. Positive Example 1: Our Java AES Library – Let’s dig in…
  • 66. What Java Provides (the problem) javax.crypto functions are: getInstance(), init(), doFinal()
  • 67. Experience: What Our Library Provides
  • 68. System Properties
    • We realize that people want simple copy-paste code.
    • Works for Strings: Operates as a stream cipher, base64 encoding.
    • Algorithm & Mode: AES 128, CBC.
    • Secure IV generation and handling.
    • Secure key generation for random or password-based keys.
    • Integrity – add a SHA256 HMAC, we handle the keys.
    • Pull requests welcome!
    • https://github.com/tozny/java-aes-crypto
  • 69. How does this bridge the gap? It’s opinionated; it makes a LOT of choices for you
    • That means it’s not perfect for everything
      • It encrypts only strings, not any object of your choosing
      • It’s for data at rest, not transit
      • It generates keys, IVs, etc., all in the way we choose
      • It’s not transparent database encryption
    • For instance, on performance:
      • 10k rounds of password-based key generation isn’t fast on all platforms
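Slides 68 and 69 list the choices the library makes: AES-128 in CBC mode, a random IV per message, a SHA256 HMAC for integrity, and key handling done for you. The added Java example below is my own illustration of that encrypt-then-MAC design and is not the java-aes-crypto code; the packed output format (iv:mac:ciphertext, base64) and the use of separate random keys rather than password-derived ones are assumptions for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** AES-128-CBC with a random IV, integrity-protected by HMAC-SHA256 (encrypt-then-MAC). */
public class EncryptThenMacExample {
    private static final SecureRandom RNG = new SecureRandom();

    /** Two independent keys: one for AES-CBC, one for HMAC-SHA256. Never reuse one key for both jobs. */
    public static final class Keys {
        final SecretKey aes;
        final SecretKey hmac;
        Keys(SecretKey aes, SecretKey hmac) { this.aes = aes; this.hmac = hmac; }
    }

    public static Keys generateKeys() {
        byte[] a = new byte[16], h = new byte[32];
        RNG.nextBytes(a);
        RNG.nextBytes(h);
        return new Keys(new SecretKeySpec(a, "AES"), new SecretKeySpec(h, "HmacSHA256"));
    }

    /** Assumed packed format for this example: base64(iv) ":" base64(mac) ":" base64(ciphertext). */
    public static String encrypt(Keys keys, String plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[16];
        RNG.nextBytes(iv);                                  // fresh random IV for every message
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, keys.aes, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] mac = hmac(keys.hmac, iv, ct);               // the MAC covers the IV as well as the ciphertext
        Base64.Encoder b64 = Base64.getEncoder();
        return b64.encodeToString(iv) + ":" + b64.encodeToString(mac) + ":" + b64.encodeToString(ct);
    }

    public static String decrypt(Keys keys, String packed) throws GeneralSecurityException {
        String[] parts = packed.split(":");
        if (parts.length != 3) throw new GeneralSecurityException("malformed input");
        Base64.Decoder b64 = Base64.getDecoder();
        byte[] iv = b64.decode(parts[0]), mac = b64.decode(parts[1]), ct = b64.decode(parts[2]);
        // Verify integrity BEFORE the cipher touches the data, using a constant-time comparison.
        if (!MessageDigest.isEqual(mac, hmac(keys.hmac, iv, ct)))
            throw new GeneralSecurityException("integrity check failed");
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, keys.aes, new IvParameterSpec(iv));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    private static byte[] hmac(SecretKey key, byte[] iv, byte[] ct) throws GeneralSecurityException {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        m.update(iv);
        return m.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        Keys keys = generateKeys();
        String packed = encrypt(keys, "user=Isaac action=vote user=Alice");   // constructed sample record
        System.out.println("round trip: " + decrypt(keys, packed));

        // Flip one bit of the ciphertext: the MAC check fails and the cipher is never run on the bad data.
        String[] parts = packed.split(":");
        byte[] ct = Base64.getDecoder().decode(parts[2]);
        ct[0] ^= 0x01;
        String tampered = parts[0] + ":" + parts[1] + ":" + Base64.getEncoder().encodeToString(ct);
        try {
            decrypt(keys, tampered);
            System.out.println("tampered message accepted (should not happen)");
        } catch (GeneralSecurityException e) {
            System.out.println("rejected before decryption: " + e.getMessage());
        }
    }
}
```

Two details carry most of the security here: the MAC is checked before decryption so padding errors never leak timing information about the plaintext, and `MessageDigest.isEqual` compares the tags in constant time rather than stopping at the first mismatching byte.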
  • 70. Positive Example 2: Signal Protocol
  • 71. End-to-end Crypto in Brief
    • Encrypt data as soon as it’s created
    • Decrypt it only when you need it
    • Distribute keys to the systems that need it
    • No intermediate systems get the data
    (Diagram labels: Data Creation, End-to-end encryption, Data Use)
  • 72. Signal: An end-to-end secure chat protocol
    • Open Whisper Systems specified the protocol publicly
    • Signal: Their secure chat app
    • WhatsApp, Facebook, and others have implemented it
    • It solves a specific problem and solves it well!
  • 73. Positive Example 3: libSodium – A higher-level crypto library. We love it and use it all the time
  • 74. libSodium: Use it if there’s no protocol library
    • Pros: Higher-level than ciphers
      • Makes lots of choices for you
      • Combines authenticated symmetric and asymmetric crypto
    • Cons: Lower level than protocols
      • Its choices are somewhat odd – Doesn’t use the NIST ciphers
      • Documentation is still a little weak
  • 75. End-to-end beyond chat (Bonus Example 4): We’ve launched a much more complete commercial product.
    • We used this Java AES project to verify the need
    • It was wildly successful, but the problem is much bigger than Java AES
    • Come chat with me if you’re curious
  • 76. What you can do In your day job…
  • 77. How to get it right: If you have the expertise, build tools in this gap:
  • 78. For the rest of us
    • Decide on your security and privacy goals
    • Plan for a strong attacker
    • Use a tool that’s close to your abstraction layer or libSodium
    • Ideally, use a trained cryptographer to implement your approach
    • Otherwise, get training and have a cryptographer check your work
    Remember: crypto is there for when “access control” fails