Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Meditation 25
•
0 likes•299 views
Speech of Dmytro Shapovalov, Infrastructure Engineer at Cossack Labs, at Ruby Meditation #25 Kyiv 08.12.2018 Next conference - http://www.rubymeditation.com/ Making secure applications is not easy, especially when encryption tools are difficult and incomprehensible. We will talk about typical data security problems in web apps and how to implement encryption properly. We will review cryptographic approaches and exact tools that ensure that no sensitive data leaks from the application or database. Announcements and conference materials https://www.fb.me/RubyMeditation News https://twitter.com/RubyMeditation Photos https://www.instagram.com/RubyMeditation The stream of Ruby conferences (not just ours) https://t.me/RubyMeditation
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Meditation 25
Similar to Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Meditation 25 (20)
More from Ruby Meditation
More from Ruby Meditation (20)
Recently uploaded
Recently uploaded (20)
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Meditation 25
- 1. Data encryption for Ruby web applications Dmytro Shapovalov Infrastructure Engineer @ Cossack Labs
- 2. Who we are? • UK-based data security products and services company • Building security tools to prevent sensitive data leakage and to comply with data security regulations • Cryptographic tools, security consulting, training • We are cryptographers, system engineers, applied engineers, infrastructure engineers • We support community, speak, teach, open source a lot
- 3. What we are going to talk • Data breaches problem • Approaches to the protection of sensitive data • What we can and can not protect with encryption • Integration encryption into a Rails application
- 4. What does humanity have to protect information? Strong enough block crypto algorithms Rijndael (AES) Twofish Serpent Tons of structured information +
- 5. Data breaches continue rising 2018 • Facebook : 87 Million • Under Armour : 150 Million • Saks Fifth Avenue : 5 Million • SingHealth : 1.5 Million • British Airways : 0.38 Million • Ticketfly : 26 Million • Marriott : 500 Million • Quora : 100 Million • Instagram : plaintext passwords in the URL? Really?
- 6. So what should we do? 1. Classify and specify data that we want to protect 2. Classify and analyze risks 3. Determine threats 4. Choose techniques and tools 5. Integrate into application
- 7. Data classification and risks All data user service • Biographical information • Looks, appearance and behaviour • Private and subjective • Workplace, education • Health, sickness and genetics • Accounts, passwords • Certificates • Keys, tokens
- 8. Data classification and risks All data user service • Compliance risk • Legal risk • Reputational risk • Quality risk
- 9. Types of data breaches Unknown 15% Physical loss 12% Insider 1% Disclosure 22% Hacking 49% https://www.privacyrights.org/data-breaches
- 10. OWASP top 10 security risks — 2017 • Security Misconfiguration • Cross-Site Scripting (XSS) • Insure Deserialization • Using Components with Known Vulnerabilities • Insufficient Logging & Monitoring • Injection • Broken Authentication • Sensitive Data Exposure • XML External Entities (XXE) • Broken Access Control https://www.owasp.org/index.php/Top_10-2017_Top_10
- 11. Typical web application Frontend Backend DB
- 12. Typical web application reflection attacks XSS MITM SQL injections code injections execution flow attack crypto-miners everywhere Frontend Backend DB
- 13. Ways to decrease risks Administrative Technical • Infrastructure • Application
- 14. Decrease risks in application • Authentication & Authorization (inc. API), principle of least privileges • Filter input data, escaping output • Implement weak-password checks • Use less complex data formats • Compartmentalization — classify data and apply controls • Use strict DB queries • Security by default • Use secure connections • Log everything • Hash passwords and encrypt sensitive data
- 15. Protection of passwords Yes, plaintext passwords are a little insecure • DO NOT operate with plaintext passwords • use one-way hash functions whenever it possible
- 16. Password hashes • MD5 • SHA-1 • Argon2 • PBKDF2 • bcrypt • script • MD5 • SHA-1 https://dusted.codes/sha-256-is-not-a-secure-password-hashing-algorithm • SHA-256 • SHA-512 pre-image attack collision attack lookup tables attack
- 17. Data encryption implementation • Choose algorithm Expectations Reality • Design architecture • Choose abstraction level • Choose algorithm • Choose algorithm parameters • Choose library • Design key management
- 20. Encryption integrationcomplexity abstraction level Cipher Library Suite Cryptographers Developers
- 21. Why security fails? 83% 17% Weak algorithms Implementation mistakes https://pdos.csail.mit.edu/papers/cryptobugs:apsys14.pdf
- 22. Common data security mistakes • TLS is enough • Poor cryptographic design • Using database storage encryption only • Insecure key management model • Poor authentication
- 24. Quick review Algorithms • AES-256-GCM Libraries • bcrypt-ruby • rbnacl • rubythemis Suites • Acra • axolotl • hermes • ssh • truecrypt • vault • ZeroKit
- 25. What the implementation of data encryption should look like?
- 27. Minimize attack surface area!
- 28. Frontend Backend DB Architecture : components & transport
- 29. Architecture : components & transport Frontend Backend Decryption proxy DB
- 30. Architecture : components & transport Frontend Backend Decryption proxy DB input encrypt save output process decrypt read noop
- 31. Architecture : components & transport Frontend Backend Decryption proxy DB input encrypt save output process decrypt read noop TLS TLS
- 32. Architecture : keys Frontend Backend Decryption proxy DB public private
- 33. Integration Acra • Acra • Acra Engineering Demo • rubygems.org project Example based on: https://github.com/rubygems/rubygems https://github.com/cossacklabs/acra-engineering-demo https://github.com/cossacklabs/acra
- 34. Integration Frontend Backend AcraServer DB + AcraWriter
- 38. Integration 4. Change DB host to AcraServer 5. Convert DB columns to binary
- 39. Integration 4. Change DB host to AcraServer 5. Convert DB columns to binary Done!
- 40. Integration of cryptography should be simple!
- 41. OWASP top 10 security risks — 2017 • Security Misconfiguration • Cross-Site Scripting (XSS) • Insure Deserialization • Using Components with Known Vulnerabilities • Insufficient Logging & Monitoring • Injection • Broken Authentication • Sensitive Data Exposure • XML External Entities (XXE) • Broken Access Control https://www.owasp.org/index.php/Top_10-2017_Top_10
- 44. Links • OWASP (Open Web Application Security Project) https://www.owasp.org • Acra https://github.com/cossacklabs/acra • Acra Engineering Demo https://github.com/cossacklabs/acra-engineering-demo • Privacy Rights Clearinghouse https://www.privacyrights.org • MITTRE ATT&CK Matrix https://attack.mitre.org/
- 45. Dmytro Shapovalov Infrastructure Engineer @ Cossack Labs Thank you! shadinua shad.in.ua shad.in.ua