Bletchley is a home-grown decryption service that we built @square
Transcript

  • 1. Bletchley: dealing with HSMs so you don't have to. @diogomonica • Square Security
  • 2. Roadmap ‣ Square's Service-Oriented Architecture ‣ Why do we need a decryption service? ‣ Our decryption service: Bletchley ‣ Bletchley's architecture ‣ Use cases for Bletchley ‣ Conclusion
  • 3. Square ‣ Mobile payments company. ‣ 1 security team. ‣ Infra: Java & Ruby, some Go. ‣ Moving > $15 billion annually.
  • 4. Service-Oriented Architecture ‣ Move fast! ‣ Loose component coupling. ‣ Independent scaling. ‣ Multiple languages.
  • 5. Example Architecture ‣ Front ends ‣ User data ‣ Payments service ‣ Reader fulfillment ‣ Tokenization
  • 6. SOA Security Goals. Establish trust at layer 7 ‣ Authenticate and authorize every request. Protect secrets ‣ Application secrets and customer data. Separate concerns ‣ Principle of least privilege. Provide common security infrastructure ‣ Get it right once, other services benefit.
  • 7. Security Services ‣ Login Service: verify user creds, create client cookies ‣ Token Service: associates a stable identifier with secret data ‣ Certificate Signing: manages CAs ‣ Secret Management: delivers secrets to other services ‣ Crypto Service: offloaded crypto, manages keys
  • 8. The Problem(s) ‣ Managing keys is hard. ‣ Infrastructure persists data aggressively. ‣ Crypto is hard™ ‣ Crypto can be expensive (CPU cycles && time && $$).
  • 9. Why do we need a decryption service? ‣ Private key centralization. ‣ Guaranteed key deletion. ‣ Get the code right, once. ‣ Crypto offloading. ‣ Database compromise requires an online attack. ‣ Hide the HSM complexity.
  • 10. Bletchley
  • 11. Assumptions ‣ We have a magic way to: • Distribute secrets (e.g. private keys) • Do strong S2S authentication
  • 12. Our Solution: Bletchley ‣ Very simple API. ‣ Issues public keys, decrypts with private keys. ‣ Supports strong key deletion. ‣ Backed by HSMs (nCipher). • Hides the complexity/pain of dealing with these things.
  • 13. Bletchley API ‣ (publicKey, keyId) = createKey() [Diagram: (1) Service → Bletchley Host: createKey(); (2) Bletchley Host → Service: (publicKey, keyId)]
  • 14. Bletchley API ‣ data = decrypt(keyId, blob) [Diagram: (1) Service → Bletchley Host: decrypt(keyId, blob); (2) Bletchley Host → Service: data]
  • 15. Bletchley API ‣ success = deleteKey(keyId) [Diagram: (1) Service → Bletchley Host: deleteKey(keyId); (2) Bletchley Host → Service: success]
  • 16. Use Case 1: External Partner [Diagram: Square side: Money Moving App, Bletchley Cluster (Kpriv); External Partner side: Visa; {message} encrypted under Kpub; steps 1–4]
  • 17. Bletchley Architecture ‣ Several servers running Bletchley w/ access to HSMs ‣ Backed by a PG database [Diagram: Bletchley Cluster, database]
  • 18. Key Generation ‣ Each individual Bletchley host generates keys on its local HSM. ‣ The HSM uses files on disk to represent the keys. [Diagram: Bletchley Cluster, database]
  • 19. Key Replication ‣ New keys are registered in the database ‣ Other Bletchley hosts go to the original host and retrieve it [Diagram: Bletchley Cluster, database]
  • 20. Decryption Authorization ‣ ACL could be stored in the database ‣ On decryption request, verify if service matches ACL [Diagram: (1) Service → Bletchley: createKey(); Bletchley → database: addPerm(keyId, service). (2) Service → Bletchley: decrypt(keyId, blob); Bletchley → database: checkPerm(keyId, service)]
  • 21. Database Failure ‣ Decryptions become dependent on the database for authorization [Diagram: Bletchley Cluster, database]
  • 22. keyId to the rescue ‣ keyId = base64(key_alias|service1|HMAC(key_alias, service1)) [Diagram: (1) Service → Bletchley Host: decrypt(keyId, blob); (2) Bletchley Host → Service: data]
  • 23. Decryption Authorization ‣ Decryption authorization independent from database [Diagram: (1) Service → Bletchley: createKey(services); Bletchley: newKeyId(services). (2) Service → Bletchley: decrypt(keyId, blob); Bletchley: decrypt(blob) iff keyId.include?(service)]
  • 24. Key Deletion ‣ The key is marked for deletion in the DB ‣ All Bletchley hosts securely delete it from disk [Diagram: Service → Bletchley: deleteKey(keyId); Bletchley → database: markDelete(keyId); Bletchley Cluster, database]
  • 25. Key Rotation ‣ Service requests a new key ‣ Starts encrypting all new requests with the new key. Tries to decrypt all requests with both. [Diagram: (1) Service → Bletchley: createKey(services); Bletchley: keyId2 = newKeyId(services). (2) Service: addKey(keyId) → [keyId1, keyId2]]
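The keyId construction on slide 22, the database-free authorization check on slide 23 and the two-key rotation on slide 25, worked through together as an added Ruby example (this is not Square's Bletchley code). Assumptions: the HSM is stood in for by in-memory RSA keys; one HMAC secret, reaching every host through the secret-distribution mechanism slide 11 takes as given, binds the service list into the keyId; the calling service's identity arrives from the S2S authentication layer and is passed in as `caller_service`; and the keyId carries a list of services rather than the single `service1` of slide 22, which is the form `createKey(services)` on slide 23 implies. The class and method names (`ToyBletchley`, `RotatingClient`, `create_key`, `new_key_id`, `parse_key_id`) are mine.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

# Stand-in for the Bletchley service (added example, not Square's code).
# The HSM is modelled by an in-memory hash of RSA private keys; the HMAC
# secret that binds services into a keyId is assumed to reach every host
# through the secret-distribution mechanism the talk takes as given.
class ToyBletchley
  class AuthError < StandardError; end
  class MissingKeyError < StandardError; end

  SEP = '|'
  OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

  def initialize(hmac_secret)
    @hmac_secret = hmac_secret
    @keys = {} # key_alias => RSA private key, i.e. the "HSM"
  end

  # createKey(services) -> [publicKeyPem, keyId]
  def create_key(services)
    services.each { |s| raise ArgumentError, "bad service name #{s}" if s.include?(SEP) }
    key_alias = SecureRandom.hex(8)
    @keys[key_alias] = OpenSSL::PKey::RSA.new(2048)
    [@keys[key_alias].public_key.to_pem, new_key_id(key_alias, services)]
  end

  # keyId = base64(key_alias|service1|...|serviceN|HMAC(key_alias|service1|...|serviceN))
  # The authorised services travel inside the keyId itself, so a decrypt
  # request is authorised without a database round-trip.
  def new_key_id(key_alias, services)
    body = ([key_alias] + services).join(SEP)
    Base64.strict_encode64(body + SEP + tag_for(body))
  end

  # decrypt(keyId, blob) on behalf of caller_service; the caller identity is
  # assumed to come from the strong service-to-service auth layer.
  def decrypt(key_id, blob, caller_service)
    key_alias, services = parse_key_id(key_id)
    raise AuthError, 'keyId failed integrity check' unless key_alias
    raise AuthError, "#{caller_service} may not use this key" unless services.include?(caller_service)
    priv = @keys[key_alias]
    raise MissingKeyError, 'key deleted or unknown' unless priv
    priv.private_decrypt(blob, OAEP)
  end

  # deleteKey(keyId) -> true if a key was removed
  def delete_key(key_id)
    key_alias, _services = parse_key_id(key_id)
    !key_alias.nil? && !@keys.delete(key_alias).nil?
  end

  private

  def tag_for(body)
    OpenSSL::HMAC.hexdigest('SHA256', @hmac_secret, body)
  end

  # Constant-time comparison so tag verification leaks nothing through timing.
  def tags_match?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Returns [key_alias, services], or nil when the id is malformed or its tag
  # does not verify (a caller cannot grant itself access by editing the list).
  def parse_key_id(key_id)
    *fields, tag = Base64.strict_decode64(key_id).split(SEP)
    return nil if fields.size < 2 || tag.nil?
    return nil unless tags_match?(tag, tag_for(fields.join(SEP)))
    [fields[0], fields.drop(1)]
  rescue ArgumentError
    nil # not valid base64
  end
end

# A caller that rotates keys the way slide 25 describes: encrypt with the
# newest key, try every key it still holds when decrypting.
class RotatingClient
  def initialize(bletchley, service)
    @bletchley = bletchley
    @service = service
    @ring = [] # [[key_id, public_key], ...], newest first
  end

  def rotate!
    pub_pem, key_id = @bletchley.create_key([@service])
    @ring.unshift([key_id, OpenSSL::PKey::RSA.new(pub_pem)])
    key_id
  end

  def encrypt(message)
    key_id, pub = @ring.first
    [key_id, pub.public_encrypt(message, ToyBletchley::OAEP)]
  end

  def decrypt(blob)
    @ring.each do |key_id, _pub|
      begin
        return @bletchley.decrypt(key_id, blob, @service)
      rescue OpenSSL::PKey::RSAError
        next # wrong key for this blob, try an older one
      end
    end
    nil
  end
end
```

Two properties worth noting: a caller that appends its own name to the service list inside a keyId gets `AuthError`, because the HMAC tag no longer verifies; and a keyId keeps verifying after `delete_key`, so deletion still needs the host-side removal from slide 24 and surfaces as `MissingKeyError` rather than as an authorization failure.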
  • 26. Scaling ‣ Just add more hosts [Diagram: Bletchley Cluster, database]
  • 27. Use Case 2: Internal File Transfer [Diagram: Square side: File Transfer App, Bletchley Cluster (Kpriv, service1); External Partner side: {blob} encrypted under Kpub; createKey(service1); steps 1–5]
  • 28. Use Case 2: Internal File Transfer [Diagram: File Transfer App → Bletchley Cluster: decrypt(keyID, {blob}); Kpub, Kpriv, service1; steps 1–2]
  • 29. Use Case 2: Internal File Transfer [Diagram: File Transfer App → Bletchley Cluster: decrypt(keyID, service1); Kpub, Kpriv, {blob}]
  • 30. Use Case 3: Downstream Outage [Diagram: Square Customer → Money Moving App; Bletchley Cluster (Kpriv); Visa; Database holding {message} encrypted under Kpub; steps 1–5]
  • 31. Use Case 3: Downstream Outage [Diagram: Database, Square Customer, Money Moving App, Bletchley Cluster (Kpriv), Visa; {message} under Kpub; steps 1–4]
  • 32. Disadvantages ‣ Cross-DC story is sad ‣ Tied to one vendor ‣ HSMs are hard to debug and support is bad.
  • 33. Conclusions ‣ You should have a crypto service! ‣ Solves a lot of architectural problems. ‣ Get it right once. ‣ Save money by sharing HSM resources with multiple applications. ‣ Not that hard to make HA
  • 34. Thanks @justincummins @ebolten
  • 35. @diogomonica diogo@squareup.com https://squareup.com/careers/engineering