Bletchley
Bletchley is a home-grown decryption service that we built @square

  1. Bletchley: dealing with HSMs so you don’t have to
     @diogomonica • Square Security
  2. Roadmap
     ‣ Square’s Service-Oriented Architecture
     ‣ Why do we need a decryption service?
     ‣ Our decryption service: Bletchley
     ‣ Bletchley’s architecture
     ‣ Use cases for Bletchley
     ‣ Conclusion
  3. Square
     ‣ Mobile Payments Company.
     ‣ 1 Security Team.
     ‣ Infra: Java & Ruby, some Go.
     ‣ Moving > $15 billion annually.
  4. Service-Oriented Architecture
     ‣ Move fast!
     ‣ Loose component coupling.
     ‣ Independent scaling.
     ‣ Multiple languages.
  5. Example Architecture
     ‣ Front ends
     ‣ User data
     ‣ Payments service
     ‣ Reader fulfillment
     ‣ Tokenization
  6. SOA Security Goals
     Establish Trust at Layer 7
     ‣ Authenticate and authorize every request
     Protect Secrets
     ‣ Application secrets and customer data
     Separate Concerns
     ‣ Principle of least privilege
     Provide Common Security Infrastructure
     ‣ Get it right once, other services benefit
  7. Security Services
     ‣ Login Service: verify user creds, create client cookies
     ‣ Token Service: associates stable identifier with secret data
     ‣ Certificate Signing: manages CAs
     ‣ Secret Management: delivers secrets to other services
     ‣ Crypto Service: offloaded crypto, manages keys
  8. The Problem(s)
     ‣ Managing keys is hard.
     ‣ Infrastructure persists data aggressively.
     ‣ Crypto is hard ™
     ‣ Crypto can be expensive (CPU cycles && time && $$).
  9. Why do we need a decryption service?
     ‣ Private Key centralization.
     ‣ Guaranteed key deletion.
     ‣ Get the code right, once.
     ‣ Crypto offloading.
     ‣ Database compromise requires an online attack.
     ‣ Hide the HSM complexity.
  10. Bletchley
  11. Assumptions
     ‣ We have a magic way to:
       • Distribute secrets (e.g. private keys)
       • Do strong S2S authentication
  12. Our Solution: Bletchley
     ‣ Very simple API.
     ‣ Issues public keys, decrypts with private keys.
     ‣ Supports strong key deletion.
     ‣ Backed by HSMs (nCipher).
       • Hides the complexity/pain of dealing with these things.
  13. Bletchley API
     ‣ (publicKey, keyId) = createKey()
     [Diagram: (1) Service → Bletchley Host: createKey(); (2) Bletchley Host → Service: (publicKey, keyId)]
  14. Bletchley API
     ‣ data = decrypt(keyId, blob)
     [Diagram: (1) Service → Bletchley Host: decrypt(keyId, blob); (2) Bletchley Host → Service: data]
  15. Bletchley API
     ‣ success = deleteKey(keyId)
     [Diagram: (1) Service → Bletchley Host: deleteKey(keyId); (2) Bletchley Host → Service: success]
  16. Use Case 1: External Partner
     [Diagram: Square side: Money Moving App and Bletchley Cluster holding Kpriv; External Partner side: Visa; {message} exchanged under Kpub, steps 1-4]
  17. Bletchley Architecture
     ‣ Several servers running the bletchley w/ access to HSMs
     ‣ Backed by a PG database
     [Diagram: Bletchley Cluster backed by a database]
  18. Key Generation
     ‣ Each individual bletchley host generates keys on its local HSM.
     ‣ The HSM uses files on disk to represent the keys.
     [Diagram: Bletchley Cluster backed by a database]
  19. Key Replication
     ‣ New keys are registered in the database
     ‣ Other bletchley hosts go to the original host and retrieve it
     [Diagram: Bletchley Cluster hosts and database]
  20. Decryption Authorization
     ‣ ACL could be stored in the Database
     ‣ On decryption request, verify if service matches ACL
     [Diagram: (1) Service → Bletchley: createKey(); Bletchley → database: addPerm(keyId, service). (2) Service → Bletchley: decrypt(keyId, blob); Bletchley → database: checkPerm(keyId, service)]
  21. Database Failure
     ‣ Decryptions become dependent on the database for authorization
     [Diagram: Bletchley Cluster and its (unavailable) database]
  22. keyID to the rescue
     ‣ keyId = base64(key_alias|service1|HMAC(key_alias, service1))
     [Diagram: (1) Service → Bletchley Host: decrypt(keyId, blob); (2) Bletchley Host → Service: data]
  23. Decryption Authorization
     ‣ Decryption authorization independent from database
     [Diagram: (1) Service → Bletchley: createKey(services); Bletchley: newKeyId(services). (2) Service → Bletchley: decrypt(keyId, blob); Bletchley: decrypt(blob) iff keyId.include?(service)]
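The keyId scheme of slides 22 and 23 as an added Ruby example (not Bletchley’s own code): the keyId carries the list of services allowed to decrypt under the key plus an HMAC, so a Bletchley host can authorize a decrypt call with no database round trip, and a caller cannot mint or edit a keyId to grant itself access. The MAC key held only by Bletchley hosts, the `|` separator and HMAC-SHA256 are assumptions.

```ruby
require 'openssl'
require 'base64'

# Added illustration, not Bletchley's code, of the slide-22 keyId:
# keyId = base64(key_alias|service1|...|HMAC(key_alias|service1|...)).
# The MAC key held by the Bletchley hosts, the '|' separator and
# HMAC-SHA256 (32-byte tag) are assumptions.
module KeyIdAcl
  SEP = '|'.freeze
  TAG_LEN = 32

  # Mint a keyId carrying the services allowed to decrypt under it.
  # Only Bletchley hosts know mac_key, so a caller cannot mint or
  # edit a keyId to grant itself access.
  def self.new_key_id(key_alias, services, mac_key)
    fields = [key_alias] + services
    raise ArgumentError, 'separator in name' if fields.any? { |f| f.include?(SEP) }
    payload = fields.join(SEP)
    tag = OpenSSL::HMAC.digest('SHA256', mac_key, payload)
    Base64.urlsafe_encode64((payload + SEP).b + tag, padding: false)
  end

  # Parse a keyId, verifying the tag before trusting anything in it.
  # Returns [key_alias, services], or nil if malformed or forged.
  def self.parse_key_id(key_id, mac_key)
    raw = Base64.urlsafe_decode64(key_id)
    return nil if raw.bytesize < TAG_LEN + 2
    payload = raw.byteslice(0, raw.bytesize - TAG_LEN - 1)
    tag = raw.byteslice(raw.bytesize - TAG_LEN, TAG_LEN)
    expected = OpenSSL::HMAC.digest('SHA256', mac_key, payload)
    return nil unless secure_equal?(expected, tag)
    key_alias, *services = payload.force_encoding(Encoding::UTF_8).split(SEP)
    [key_alias, services]
  rescue ArgumentError
    nil # not valid base64
  end

  # Slide 23: decrypt(blob) iff keyId.include?(service). The caller
  # name comes from S2S authentication, never from the request body,
  # and is matched as a whole name: a substring test would let
  # "svc" pass for a key granted only to "svc-old".
  def self.authorized?(key_id, caller_service, mac_key)
    parsed = parse_key_id(key_id, mac_key)
    return false if parsed.nil?
    parsed[1].include?(caller_service)
  end

  # Constant-time comparison so tag checking does not leak timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```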
  24. Key Deletion
     ‣ The key is marked for deletion in the DB
     ‣ All bletchley hosts securely delete it from disk
     [Diagram: Service → Bletchley: deleteKey(keyId); Bletchley → database: markDelete(keyId); Bletchley Cluster hosts delete the key]
  25. Key Rotation
     ‣ Service requests a new key
     ‣ Starts encrypting all new requests with the new key. Tries to decrypt all requests with both.
     [Diagram: (1) Service → Bletchley: createKey(services); Bletchley: keyId2 = newKeyId(services). (2) Service: addKey(keyId), now holds [keyId1, keyId2]]
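The three-call API of slides 13-15 and the rotation flow of slide 25, as an added Ruby example (not Bletchley’s code): an in-memory stand-in for the service, and a client that encrypts under its newest key, tries each held key on decrypt, and retires the oldest through deleteKey, after which blobs under that key are gone for good. RSA-2048 with OAEP padding and random hex keyIds are assumptions.

```ruby
require 'openssl'

# Added example, not Bletchley's code: an in-memory stand-in for the
# createKey / decrypt / deleteKey API (slides 13-15) plus a client doing the
# slide-25 rotation. RSA-2048/OAEP and hex keyIds are assumptions.
class FakeBletchley
  def initialize
    @keys = {} # keyId => private key; never handed out
  end
  # createKey() -> [publicKey, keyId]
  def create_key
    key = OpenSSL::PKey::RSA.generate(2048)
    key_id = OpenSSL::Random.random_bytes(8).unpack1('H*')
    @keys[key_id] = key
    [key.public_key, key_id]
  end

  # decrypt(keyId, blob): raises for a deleted key or a blob made under another key.
  def decrypt(key_id, blob)
    key = @keys.fetch(key_id) { raise KeyError, "unknown or deleted key #{key_id}" }
    key.private_decrypt(blob, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  end

  # deleteKey(keyId): afterwards nothing encrypted under that key is recoverable.
  def delete_key(key_id)
    !@keys.delete(key_id).nil?
  end
end

# Client side of slide 25: encrypt under the newest key, try every held key
# on decrypt, and retire the oldest key once nothing still needs it.
class RotatingClient
  def initialize(bletchley)
    @bletchley = bletchley
    @keys = [] # [[keyId, publicKey], ...], newest last
  end

  def add_key
    pub, key_id = @bletchley.create_key
    @keys << [key_id, pub]
    key_id
  end
  def encrypt(plaintext)
    @keys.last[1].public_encrypt(plaintext, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  end
  # Plaintext, or nil once no held key opens the blob (e.g. after deletion).
  def decrypt(blob)
    @keys.reverse_each do |key_id, _pub|
      return @bletchley.decrypt(key_id, blob)
    rescue KeyError, OpenSSL::PKey::RSAError
      next # not this key; fall back to the older one
    end
    nil
  end

  def retire_oldest
    @bletchley.delete_key(@keys.shift[0])
  end
end
```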
  26. Scaling
     ‣ Just add more hosts
     [Diagram: Bletchley Cluster backed by a database]
  27. Use Case 2: Internal File Transfer
     [Diagram: File Transfer App → Bletchley Cluster: createKey(service1), Kpriv stays in the cluster; External Partner sends {blob} encrypted under Kpub; steps 1-5]
  28. Use Case 2: Internal File Transfer
     [Diagram: File Transfer App → Bletchley Cluster: decrypt(keyID, {blob}); steps 1-2]
  29. Use Case 2: Internal File Transfer
     [Diagram: Bletchley Cluster: decrypt(keyID, service1)]
  30. Use Case 3: Downstream Outage
     [Diagram: Customer → Money Moving App → Visa with {message}; during the outage {message} is held in the Database encrypted under Kpub, Kpriv in the Bletchley Cluster; steps 1-5]
  31. Use Case 3: Downstream Outage
     [Diagram: Money Moving App reads {message} from the Database, Bletchley Cluster decrypts with Kpriv, message goes on to Visa; steps 1-4]
  32. Disadvantages
     ‣ Cross-DC story is sad
     ‣ Tied to one vendor
     ‣ HSMs are hard to debug and support is bad.
  33. Conclusions
     ‣ You should have a crypto service!
     ‣ Solves a lot of architectural problems.
     ‣ Get it right once.
     ‣ Save money by sharing HSM resources with multiple applications.
     ‣ Not that hard to make HA
  34. Thanks
     @justincummins @ebolten
  35. @diogomonica diogo@squareup.com https://squareup.com/careers/engineering