TrialPay Security Tech Talk at Stanford ACM

  • 3,601 views
Uploaded on

 

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
3,601
On Slideshare
0
From Embeds
0
Number of Embeds
6

Actions

Shares
Downloads
1
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Stanford ACM Tech Talk Jan 2013 All Rights Reserved | Copyright 2011
  • 2. Agenda• TrialPay Overview• Securing Your Startup: Basics• Two-Factor Authentication for VPN• Two-Factor Authentication for SSHD• Credit Card Vault All Rights Reserved | Copyright 2011 2
  • 3. TrialPay is a transactional advertising company TrialPay presents consumers with relevant promotions before, during, and after transactions -- creating a network that allows our clients to gain access to millions of new customers and monetize their current visitors more effectively All Rights Reserved | Copyright 2011 3
  • 4. Tracking online promotions to sales in-store via card-loaded offers 1 Promotion 2 Tracking 3 Purchase 4 RewardPromote offline offers: Users activate online: Track offline: Offer Reward user: We creditOffers promoted across Users activate offers by redemptions tracked in- user with their rewardthe web, mobile, & social submitting credit or debit store via registered card (e.g. statementmedia (incl. TrialPay card to attribute online source credit, virtual currency, giftnetwork of 300M+ users) card) upon offer completion All Rights Reserved | Copyright 2011 4
  • 5. Example user registration flow – Credit Card Form All Rights Reserved | Copyright 2011
  • 6. Agenda• TrialPay Overview• Securing Your Data: Basics• Two-Factor Authentication for VPN• Two-Factor Authentication for SSHD• Credit Card Vault All Rights Reserved | Copyright 2011 6
  • 7. Getting Started• Google Apps Two-Factor Authentication (2FA)• Amazon Web Services 2FA and ACLs• Secure Wireless Network – per-user certs• HTTPS for everything All Rights Reserved | Copyright 2011 7
  • 8. Passwords Reference: http://xkcd.com/936/ All Rights Reserved | Copyright 2011
  • 9. Passwords (cont’d)• 14-character password minimums, but more never hurts! • Basic GPU can crack 16B passwords per second• Make sure shadow files are configured correctly (e.g. crypt-sha512, not default DES or md5, 50K rounds) • GOOD: $6$rounds=50000$usesomesillystri$D4IrlXatmP7rx3P3InaxBeoomnAihCKRVQP22JZ6E Y47Wc6BkroIuUUBOov1i.S5KPgErtP/EN5mcO.ChWQW21 • BAD: $1$DaqXb3sb$m84WH8wkxBVl2WvZQboia.:13530:0:99999:7::: All Rights Reserved | Copyright 2011 9
  • 10. Agenda• TrialPay Overview• Securing Your Data: Basics• Two-Factor Authentication for VPN• Two-Factor Authentication for SSHD• Credit Card Vault All Rights Reserved | Copyright 2011 10
  • 11. 2FA for VPN – Standard VPN Login 1) Connect to VPN Client 2) Enter Credentials 3) VPN Device 4) Inside the VPN! Authenticates All Rights Reserved | Copyright 2011 11
  • 12. 2FA for VPN – Traditional 2FA• Traditional solutions use tokens (hardware, Google Authenticator, text messages)• Unintuitive input of token (concatenate with password)• IT burden• Hassle for end-user accessing VPN multiple times per day• Wouldn’t it be nice to leverage existing security mechanism? All Rights Reserved | Copyright 2011 12
  • 13. 2FA for VPN – Enter Google Apps!• User 1-click visits a Google App Engine hosted site https://xxxxxxxx.trialpay.com which auto-logs you in on browsers where you already read your Google Apps email.• This page just shows a 60 second timer for the user to complete the rest of the VPN login process. All Rights Reserved | Copyright 2011 13
  • 14. 2FA for VPN – Technical Details• Google App Engine – python script to get username from Google Apps and create 60-second memcache key• Auth Server – add Perl script to authorize with Google App Engine site• Reference: http://enginerds.trialpay.com/2013/01/08/leveraging-google-apps-email-to-set-up-two-factor-authentication All Rights Reserved | Copyright 2011 14
  • 15. Agenda• TrialPay Overview• Securing Your Data: Basics• Two-Factor Authentication for VPN• Two-Factor Authentication for SSHD• Credit Card Vault All Rights Reserved | Copyright 2011 15
  • 16. 2FA for SSHD – Background• For bastion / entrypoint servers into network, passwords by themselves are insufficient• Tokens are viable, but introduce complexity / hassle• SSH keys are convenient for developers• Passphrase-protected SSH keys are encouraged and can suffice for 2FA, but SSHD cannot enforce passphrase-usage• SSHD supports multiple authentication schemes, but they cannot be enforced simultaneously All Rights Reserved | Copyright 2011 16
  • 17. 2FA for SSHD – ForceCommand to the rescue!• /etc/ssh/sshd_config• sshd_gatekeeper.sh • IP whitelisting • Send intrusion alerts • Don’t forget to actually check the password!• Reference: http://enginerds.trialpay.com/2012/07/24/dual-factor-authentication-for-sshd/ All Rights Reserved | Copyright 2011 17
  • 18. Agenda• TrialPay Overview• Securing Your Data: Basics• Two-Factor Authentication for VPN• Two-Factor Authentication for SSHD• Credit Card Vault All Rights Reserved | Copyright 2011 18
  • 19. Credit Card Vault• Best practice is to insulate sensitive credit card data from rest of system in a secure “vault”• Vault has two major services: tokenizer and proxy All Rights Reserved | Copyright 2011 19
  • 20. Credit Card Vault – Tokenizer 1 Browser 2 App server Vault CC # 4 CVV 3 submit 1. HTML form is served from App server 2. The information provided by the user is sent directly to the vault by the browser (running JavaScript code from App) 3. The vault issues a token that maps to the credit card number 4. The browser sends the token and other non-sensitive information to App server All Rights Reserved | Copyright 2011
  • 21. Credit Card Vault – API request proxy 1 2 3rd party App server Vault i.e. Visa 4 3 • This assumes that 3rd party service’s API is HTTP based • Vault acts as a HTTP proxy with token to CC number translation 1. App server sends a HTTP request via Vault GET /auth?cc=token:1234&amount=4.00 Host: api.visa.com 2. Vault substitutes token:1234 with real CC number and relays the request to Visa GET /auth?cc=4444000012344321&amount=4.00 Host: api.visa.com 3. Visa processes the transaction and responds with a transaction id 4. Vault passes Visa’s response back to app All Rights Reserved | Copyright 2011
  • 22. Credit Card Vault – Key Encryption• Encrypt cardholder data using highest-grade standards (e.g. AES-256)• Standard mechanism is to use a global key • But what if key is compromised?• Instead take a multi-layer approach • Master key + per-card key • Cardholder data stored in one DB • Per-card keys stored in another DB (and managed by a separate team) All Rights Reserved | Copyright 2011 22
  • 23. Credit Card Vault – Token Generation• Token = 64-bit unique id, maps to cardholder data• Exposing last 4 CC digits in app is common use case, try encoding into token, e.g. • Token: 1304274640000970420 • Last 4: 0742• Even though cardholder data cannot be reverse engineered based on token, better safe than sorry! Encrypt token in response back to app server. • payload = {“token” => “1234”, “info1” => “abc”, “info2” => “def”} • message = {“payload” => aes_encrypt(payload), “aes_iv” => “09...AF” } • output(json_encode(message)) All Rights Reserved | Copyright 2011 23
  • 24. Credit Card Vault – Other things to consider• 2FA to physically access datacenter (password + handscan)• Additional firewall layer in front of CC Vault• Backups stored remotely for disaster recovery All Rights Reserved | Copyright 2011 24
  • 25. Thank You!• We’re Hiring!• Eddie Lim (eddie@trialpay.com) All Rights Reserved | Copyright 2011 25