Доклад Анастасии Войтовой на "Съесть собаку #4" 18/08/2016
Тезисы:
- Как построить прозрачную и надёжную security layers system?
- Что происходит с системой безопасности, если взламываются сервера или ключи приложения?
- До каких пор система безопасности остаётся надёжной?
- Что будет, если уникальные криптоключи или пароли пользователя предадутся огласке?
- Что за собой несёт изменение системы безопасности iOS10 и как с этим жить?
- Выводы.
Подробнее: http://eatdog.com.ua/
13. Risk Model & Threat Model
create demands
for security
#eatdog @vixentael
14. Real world risks
Data leak/
data tampering
Reputation risks
Legal responsibility
Financial damage
#eatdog @vixentael
15. Risk impact
Data is used/sold by someone
Data is tampered and you’re
operating on adversary’s plan
Identity/auth is used elsewhere
DL
DT
data leakage
data tampering
identity theft
17. - Encryption w/ secret or PKC
- Limit access
- Signed encryption
- Protected transport with trust
and integrity
- Authenticated encryption
- Action authentication
Risk prevention (for us)
confidentiality
(secrecy)
integrity
authentication
#eatdog @vixentael
18. Encryption is letting only those who
know the secret to access the data,
no matter how they alter
the code or the system
(read Kerckhoffs's desideratum)
#eatdog @vixentael
31. attacker steals stored data or tampers it
Threats: T1/T4
Secret Key Crypto
Protection
Symmetric crypto for storing data.
If user has no secret, he can’t read or change
data.
#eatdog @vixentael
35. Threats: T3
attacker redirects traffic and pretends to be remote
party (active MitM)
Public Key Cryptography, certificate pinning
Protection
Asymmetric crypto for sending data.
Check server certificate to make sure it matches
with pinned one.
#eatdog @vixentael
36. Protection methods
T2 T3
passive MitM active MitM
T1/T4 data loss/
tampering
Secret
Key
Crypto
PKC +
ephem.
keys
PKC +
cert.
pinning
#eatdog @vixentael
37. Public Key Crypto
Perfect Forward Secrecy
Secret Key Crypto
Authenticated Encryption
Certificate Pinning
Trust model
Trust the user only
#eatdog @vixentael
39. …what if trapdoor function fails?
…what if key exchange is flawed?
…what if we suspect that server is fraudulent?
#eatdog @vixentael
add more paranoia!
40. …what if trapdoor function fails?
…what if key exchange is flawed?
add more paranoia!
…what if we suspect that server is fraudulent?
Zero Knowledge Proof
for the rescue!
#eatdog @vixentael
41. ZKP is comparing shared secret
without transmitting it
does not require the key exchange,
does not leak password
https://www.cossacklabs.com/zero-knowledge-protocols-without-magic.html
#eatdog @vixentael
43. Secret key (SK) = KDF(user password)
Sensitive Data (SD) — passport photo
Metadata (M1) — timestamp+CRC of photo
Metadata (M2) — name of photo (user inputs)
#eatdog @vixentael
So, data model:
44. Secret key (SK) = KDF(user password)
Sensitive Data (SD) — passport photo
Metadata (M1) — timestamp+CRC of photo
Metadata (M2) — name of photo (user inputs)
Mobile Key Pair (MKP) — private+public keys gen. inside app.
Server Key Pair (SKP) — private+public keys gen. on server.
App pins Server Public Key.
#eatdog @vixentael
So, data model:
45. Pwd
Key + Data model
#eatdog @vixentael
SDM1
M2 MKP SKP
SK
48. Crypto primitives*
Symmetric cryptoSCell
Asymmetric crypto based on
ephemeral keys
SSession
SComparator ZKP implementation
#eatdog @vixentael
*based on Themis crypto lib
https://github.com/cossacklabs/themis
49. 2. Store EncData, M1, M2 in Local Store
3. Drop SD, SK from memory
prepare
data
#eatdog @vixentael
1. Encrypt photo
EncData = SCell_wrap(SD, SK, Context=M2)
Send photo to server
50. 2. Store EncData, M1, M2 in Local Store
3. Drop SD, SK from memory
prepare
data
transfer
data
#eatdog @vixentael
4. Connect to Server:
Session = SSession(Priv(MKP), Pub(SKP))
5. Send EncData, M1, M2 via Session
1. Encrypt photo
EncData = SCell_wrap(SD, SK, Context=M2)
Send photo to server
51. Send photo to server
1. Encrypt photo
EncData = SCell_wrap(SD, SK, Context=M2)
6. Receive OK
7. Terminate Session
8. Mark EncData in Local Store as Synced
2. Store EncData, M1, M2 in Local Store
3. Drop SD, SK from memory
4. Connect to Server:
Session = SSession(Priv(MKP), Pub(SKP))
5. Send EncData, M1, M2 via Session
prepare
data
transfer
data
terminate
session
52. Send photo to server
1. Encrypt photo
EncData = SCell_wrap(SD, SK, Context=M2)
6. Receive OK
7. Terminate Session
8. Mark EncData in Local Store as Synced
2. Store EncData, M1, M2 in Local Store
3. Drop SD, SK from memory
4. Connect to Server:
Session = SSession(Priv(MKP), Pub(SKP))
5. Send EncData, M1, M2 via Session
prepare
data
transfer
data
terminate
session
53. 1. Connect to Server:
Session = SSession(Priv(MKP), Pub(SKP))
2. Request EncData proof via ZKP:
2.1 Send M1
2.2 Request Server to prove he has M2 by
performing SComparator(M2)
initialize
connection
#eatdog @vixentael
Read photo from server
54. 1. Connect to Server:
Session = SSession(Priv(MKP), Pub(SKP))
3. Receive EncData
2. Request EncData proof via ZKP:
2.1 Send M1
2.2 Request Server to prove he has M2 by
performing SComparator(M2)
initialize
connection
transfer data
#eatdog @vixentael
Read photo from server
55. Read photo from server
1. Connect to Server:
Session = SSession(Priv(MKP), Pub(SKP))
3. Receive EncData
2. Request EncData proof via ZKP:
2.1 Send M1
2.2 Request Server to prove he has M2 by
performing SComparator(M2)
4. Request password from user
5. Decrypt data:
SD = SCell_unwrap(EncData, SK, Context=M2)
initialize
connection
transfer data
decrypt
data
56. Read photo from server
1. Connect to Server:
Session = SSession(Priv(MKP), Pub(SKP))
3. Receive EncData
2. Request EncData proof via ZKP:
2.1 Send M1
2.2 Request Server to prove he has M2 by
performing SComparator(M2)
4. Request password from user
5. Decrypt data:
SD = SCell_unwrap(EncData, SK, Context=M2)
initialize
connection
transfer data
decrypt
data
58. Generate keys
#eatdog @vixentael
// Generating EC keys
guard let keyGeneratorEC: TSKeyGen = TSKeyGen(algorithm: .EC) else {
print("Error occurred while initializing object keyGeneratorEC”)
return
}
let privateKeyEC: NSData = keyGeneratorEC.privateKey
let publicKeyEC: NSData = keyGeneratorEC.publicKey
https://github.com/cossacklabs/themis/wiki/Swift-Howto
59. Symmetric encryption
#eatdog @vixentael
let masterKeyData: NSData = self.generateMasterKey()
guard let cellSeal: TSCellSeal = TSCellSeal(key: masterKeyData) else {
print("Error occurred while initializing object cellSeal", #function)
return
}
let message: String = "All your base are belong to us!"
let context: String = "For great justice"
var encryptedMessage: NSData = NSData()
do {
// context is optional parameter and may be ignored
encryptedMessage = try cellSeal.wrapData(message.dataUsingEncoding(NSUTF8StringEncoding),
context: context.dataUsingEncoding(NSUTF8StringEncoding))
print("encryptedMessages = (encryptedMessage)")
} catch let error as NSError {
print("Error occurred while encrypting (error)", #function)
return
}
https://github.com/cossacklabs/themis/wiki/Swift-Howto
60. Symmetric decryption
#eatdog @vixentael
let masterKeyData: NSData = self.generateMasterKey()
guard let cellSeal: TSCellSeal = TSCellSeal(key: masterKeyData) else {
print("Error occurred while initializing object cellSeal", #function)
return
}
let message: String = "All your base are belong to us!"
let context: String = "For great justice"
do {
let decryptedMessage: NSData = try cellSeal.unwrapData(encryptedMessage,
context:
context.dataUsingEncoding(NSUTF8StringEncoding))
let resultString: String = String(data: decryptedMessage, encoding: NSUTF8StringEncoding)!
print("decryptedMessage = (resultString)")
} catch let error as NSError {
print("Error occurred while decrypting (error)", #function)
return
}
https://github.com/cossacklabs/themis/wiki/Swift-Howto
68. Best active MitM + hack server:
#eatdog @vixentael
The worst scenario attacks
Attacker seizes SKP from Server and pretends to be normal
server by DNS spoofing or routing redirection.
Results:
Accumulates useless M1, M2 and lousy EncData.
69. Active MitM without hacking the server:
#eatdog @vixentael
The worst scenario attacks
Attacker does not have SKP.
Results:
SecureSession initialization fails. App doesn’t start transfer
data to server at all.
70. Denial of Service:
#eatdog @vixentael
The worst scenario attacks
Attacker flood server with requests / tons of data.
Results:
Server may be flooded. Monitor all the things!
72. * hardware support (AES)
Crypto is very expensive!!11
https://www.cossacklabs.com/benchmarking-secure-comparator.html
* scripted language and questionable frameworks
affect performance as much as running the expensive
math, if not more
* endorse crypto everywhere to make it more cheap :)
#eatdog @vixentael
(it is not)
73. Apple enforces good security practices
iOS 10
use HTTPS everywhere!
https://developer.apple.com/videos/play/wwdc2016/706/
http://useyourloaf.com/blog/privacy-settings-in-ios-10/
add purpose strings for accessing private data
https://nabla-c0d3.github.io/blog/2016/08/14/ats-enforced-2017/
read more about Apple security care in Additional reading section
#eatdog @vixentael
drop TLS < 1.2
75. Security is a system, not a set of methods
You may need to re-read this slides when you
will plan your next app
User-centric trust is simple to implement, yet
almost impossible to hack
#eatdog @vixentael
Key points!
77. My other security talks
https://medium.com/@vixentael/upgrading-approaches-to-the-secure-mobile-
architectures-7a8fcb10d28a#.ffbsjwqx6
Upgrading Approaches to the Secure Mobile Architectures
https://medium.com/stanfy-engineering-practices/data-protection-for-mobile-client-
server-architectures-6e6dcabd871a
Data Protection For Mobile Client-Server Architectures
https://speakerdeck.com/vixentael/users-data-security-in-ios-applications
Users' data security in iOS applications
#eatdog @vixentael
78. Additional reading by Apple
https://developer.apple.com/videos/play/wwdc2016/705/
How iOS Security Really Works
https://developer.apple.com/videos/play/wwdc2016/706/
What's New in Security
https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.pdf
Behind the Scenes with iOS Security
https://developer.apple.com/videos/play/wwdc2016/709/
Engineering Privacy for Your Users
#eatdog @vixentael
79. Additional reading by smarties
https://nabla-c0d3.github.io/blog/2016/08/14/ats-enforced-2017/
Getting Ready for ATS Enforcement in 2017
http://useyourloaf.com/blog/privacy-settings-in-ios-10/
Privacy Settings in iOS 10
https://www.cossacklabs.com/zero-knowledge-protocols-without-magic.html
Zero Knowledge Protocols Without Magic
#eatdog @vixentael
https://speakerdeck.com/mbazaliy/a-journey-through-exploit-mitigation-techniques-on-ios
A Journey Through Exploit Mitigation Techniques on iOS