encryption without magic risk management without pain
play

ENCRYPTION WITHOUT MAGIC, RISK MANAGEMENT WITHOUT PAIN - PowerPoint PPT Presentation

Nov 12, 2023 •325 likes •1.03k views

ENCRYPTION WITHOUT MAGIC, RISK MANAGEMENT WITHOUT PAIN #qconlondon @vixentael @vixentael Product Engineer Feel free to reach me with security questions. I do check my inbox :) CRYPTOGRAPHY? Blowfish Twofish Rabbit Salsa20 AES OFB

  1. ENCRYPTION WITHOUT MAGIC, RISK MANAGEMENT WITHOUT PAIN #qconlondon @vixentael

  3. @vixentael Product Engineer Feel free to reach me with security questions. I do check my inbox :)

  4. CRYPTOGRAPHY?

  5. Blowfish Twofish Rabbit Salsa20 AES OFB SEED CRYPTOGRAPHY? CFB RSA DSS DES ECDSA Camelia SEAL DSA CBC 3DES SHARK RC4 CTR ECB #qconlondon @vixentael

  6. Blowfish Twofish MD5 Rabbit Salsa20 AES OFB SEED CRYPTOGRAPHY? SHA1 CFB RSA DSS DES ECDSA Camelia SEAL SHA3 DSA CBC 3DES SHARK RC4 CTR ECB #qconlondon @vixentael

  7. CRYPTOGRAPHY key management algorithms public key validity elliptic curves storing secrets cool, but… #qconlondon @vixentael

  8. crypto is not a but a method to manage the attack surface #qconlondon @vixentael

  9. ATTACK SURFACE – all the possible places where sensitive data may be stolen by adversary #qconlondon @vixentael https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet

  10. it’s easier to monitor the suspicious behavior in a small place #qconlondon @vixentael

  11. HANDLING SECRET DATA WITH CARE avoid plain text as possible manage keys properly decrease time of plaintext secrets in memory log, monitor and inspect #qconlondon @vixentael

  12. – HOW TO MANAGE THE ATTACK SURFACE OF MY DATA?

  13. symmetric encryption with poor key management one container one key #qconlondon @vixentael

  14. symmetric encryption with poor key management one container one key attack surface key leaked is arbitrary → data leaked #qconlondon @vixentael

  15. WHAT IS A CRYPTO-SYSTEM #qconlondon @vixentael https://en.wikipedia.org/wiki/Cryptosystem

  16. KEY AND TRUST MANAGEMENT SHOULD REFLECT YOUR SYSTEM #qconlondon @vixentael

  17. MESSAGING #qconlondon @vixentael https://core.telegram.org/api/end-to-end

  18. GOOD MESSAGING IS E2EE …but your infrastructures are not only for messaging #qconlondon @vixentael

  19. NAIVE DATABASE ENCRYPTION attack surface is almost everywhere #qconlondon @vixentael

  20. NARROWING ATTACK SURFACE middleware-side encryption client-side encryption #qconlondon @vixentael

  22. MIDDLEWARE-SIDE ENCRYPTION

  23. REAL-WORLD WEB SERVER XSS reflection attacks MitM SQL injections code injections crypto-miners everywhere execution flow attacks #qconlondon @vixentael

  24. REAL-WORLD WEB SERVER ATTACK SURFACE IS EVERYWHERE :( monitor everything #qconlondon @vixentael

  25. TRY SYMMETRIC ENCRYPTION? encrypt/decrypt data using symm key #qconlondon @vixentael

  26. TRY SYMMETRIC ENCRYPTION? encrypt/decrypt data using symm key easy to steal a key https://www.alibabacloud.com/ help/faq-detail/37505.htm #qconlondon @vixentael

  27. ASYMMETRIC ENCRYPTION wrapped data = Enc(data, random symm key) container = Enc(wrapped data, PKweb, PubKtds) #qconlondon @vixentael

  28. ASYMMETRIC ENCRYPTION wrapped data = Enc(data, random symm key) PubKey of ‘trusted container = Enc(wrapped decryption service’ data, PKweb, PubKtds) #qconlondon @vixentael

  29. TRUSTED DECRYPTION SERVICE decrypts data wrapped_data = Dec(container, PKtds, PubKweb) data = Dec(wrapped_data, random symm key) #qconlondon @vixentael

  30. SEPARATION OF DUTIES no decryption trusted element in keys infrastructure monitor & log #qconlondon @vixentael

  31. TRUSTED DECRYPTION SERVICE NARROWED ATTACK SURFACE #qconlondon @vixentael

  32. monitor decryption proxy monitor everything #qconlondon @vixentael

  33. WHERE TO USE THIS TECHNIQUE? micro-services infrastructure public-oriented interfaces non trusted client side (browsers, IoT devices) hard to store keys securely #qconlondon @vixentael

  34. HOW TO IMPLEMENT? ACRA HEXATIER https://github.com/cossacklabs/acra http://www.hexatier.com/ ORACLE DATABASE GREEN SQL FIREWALL / TDE https://github.com/larskanis/greensql-fw http://www.oracle.com/ #qconlondon @vixentael

  36. CLIENT-SIDE ENCRYPTION

  37. MOVE TRUST TO CLIENTS trusted element in infrastructure session hijacking MitM unattended backups replay attacks misconfigured ACL #qconlondon @vixentael

  38. P2P TRUST user-generated keys system doesn’t know encrypted containers anything about data #qconlondon @vixentael

  39. ZERO KNOWLEDGE ARCHITECTURES #qconlondon @vixentael

  40. ZKA is a design principle that enables software to provide services over protected client data without having an unencrypted access to it. #qconlondon @vixentael

  41. ZKA INCLUDES: e2ee clients #qconlondon @vixentael

  42. ZKA INCLUDES: e2ee clients all operations are on encrypted data: – CRUD – control access to data from different users – search (in encrypted data) #qconlondon @vixentael

  43. RISKS FOR ZKA: weak key management algorithm weakness user pocket a tu ack surface #qconlondon @vixentael

  44. WHEN TO USE ZKA? trusted client side (mobile, HSM/TPM) #qconlondon @vixentael

  45. ZKA is already solved for specific use-cases or in a naive ways #qconlondon @vixentael

  46. MESSAGING END-TO-END ENCRYPTION #qconlondon @vixentael

  47. AUTHENTICATION ZERO KNOWLEDGE PROOF https://www.cossacklabs.com/zero- knowledge-protocols-without-magic.html #qconlondon @vixentael

  48. COLLABORATING ??? ON DATA – store encrypted – share with others – manage access to parties #qconlondon @vixentael

  49. SHARING ENCRYPTED DATA naive approach – duplications – key management problems #qconlondon @vixentael

  50. OUR TAKE give access to certain blocks of data to exact users https://github.com/ cossacklabs/hermes-core #qconlondon @vixentael

  51. HOW TO BUILD IT? – Key wrapping blocks user keys storage keys #qconlondon @vixentael

  52. HOW TO BUILD IT? – Key wrapping – Manage privileges #qconlondon @vixentael

  53. HOW TO BUILD IT? – Key wrapping – Manage privileges – Control requests #qconlondon @vixentael

  54. MORE POSSIBLE USE-CASES shared file system complex docs, audit logs spreadsheets document store protection config files #qconlondon @vixentael

  55. OTHER IMPLEMENTATIONS HERMES https://github.com/cossacklabs/hermes-core ZEROKIT https://tresorit.com/zerokit LAFS https://tahoe-lafs.org/trac/tahoe-lafs #qconlondon @vixentael

  56. monitor client side monitor everything #qconlondon @vixentael

  57. MORE GOODIES TO THINK ABOUT

  58. Cryptography is well implemented, if it allows to narrow attack surface, and increase control of data. #qconlondon @vixentael

  59. ECHELONIZATION if the system has one perimeter, it will fail! #qconlondon @vixentael

  60. ECHELONIZATION ..add more layers of defense #qconlondon @vixentael

  61. EXCEPT CRYPTO, YOU ALSO NEED log and monitor events intrusion pattern detection access control firewall ...

  62. 269 CVEs from 2011-2014 17% bugs inside crypto libs misuses of crypto libs 83% by individual apps https://pdos.csail.mit.edu/papers/cryptobugs:apsys14.pdf #qconlondon @vixentael

  63. RECAP 2

  64. THINGS TO REMEMBER 1. cryptography aims to narrow the attack surface 2. choose relevant encryption scheme 3. combine crypto and classic techniques 4. there is a lib for that #qconlondon @vixentael

  66. LINKS 12 and 1 ideas how to enhance backend data security https://medium.com/@cossacklabs/12-and-1-ideas-how-to-enhance-backend-data- security-4b8ceb5ccb88 Explain Like I’m 5: Zero Knowledge Proof https://hackernoon.com/eli5-zero-knowledge-proof-78a276db9eff DevOps and security: from trenches to command centers https://medium.com/@9gunpi/devops-and-security-from-trenches-to-command- centers-466dfb58fe5b How GDPR Will Change The Way You Develop https://www.smashingmagazine.com/2018/02/gdpr-for-web-developers/

  67. MY OTHER SECURITY SLIDES https://github.com/ vixentael/my-talks …and more

  68. @vixentael Product Engineer Feel free to reach me with security questions. I do check my inbox :)

  69. IMAGE CREDITS www.flaticon.com Authors: freepik, linector, switficons, pixelperfect, smashicons, icon pond, dinosoftlabs

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Risk Management Workshop 1 Risk management workshop Why do we Risk Risk and need risk

Risk Management Workshop 1 Risk management workshop Why do we Risk Risk and need risk

FREE Lifelong Learning Event for Fasset Members Risk Management Workshop 1 Risk management workshop Why do we Risk Risk and need risk assessment control matrix management process Governance Risk appetite Agenda for and risk Risk

1.28k views • 105 slides
Market Risk Management Gen Ins. Risk Management Life Ins. Risk Management Op.

Market Risk Management Gen Ins. Risk Management Life Ins. Risk Management Op.

Market Risk Management Gen Ins. Risk Management Life Ins. Risk Management Op. Risk Management Board of Enterprise Risk Senior Management Committees Directors Management Credit Risk Cross-Border Exposure Country Rating

453 views • 6 slides
1 Early humans related pain to evil, magic, and demons. Relief of pain was the responsibility of

1 Early humans related pain to evil, magic, and demons. Relief of pain was the responsibility of

Managing Chronic Pain and Co Occurring Posttraumatic Stress Disorder (PTSD) John D. Otis, Ph.D. Research Service VA Boston Healthcare System I have no financial relationships with any commercial interests related to the content of this

614 views • 25 slides
Patient Satisfaction with their Pain Management: The Effect of Provision of Pain Management Advice

Patient Satisfaction with their Pain Management: The Effect of Provision of Pain Management Advice

Patient Satisfaction with their Pain Management: The Effect of Provision of Pain Management Advice David Taylor 1,2 , Marina Lee 2 , Olivier Grover Johnson 2 , Juen-Li Ding 2 , Aadith Ashok 2 1 Austin Health, Australia 2 University of Melbourne,

953 views • 15 slides
What is Risk Management? What is Risk Management? A (great) management tool Focus

What is Risk Management? What is Risk Management? A (great) management tool Focus

Proudly Presents How To Establish Functional Risk Management in Your Public Entity R. J oy J ackson, City of London Tina Gardiner, Region of York RIMS, Ottawa, 2011 What is Risk Management? What is Risk Management? A (great)

463 views • 24 slides
Feasibility study of a novel pain assessment tool for improving prehospital pain management M

Feasibility study of a novel pain assessment tool for improving prehospital pain management M

Feasibility study of a novel pain assessment tool for improving prehospital pain management M Iqbal, P A Spaight, R Kane, Z Asghar, A N Siriwardena Nottingham Conference Centre 04 February 2015 Background Pain - common Poorly assessed

476 views • 19 slides
Chronic pain management: Evidence for CBT Michael K. Nicholas, PhD Assoc. Prof. & Director

Chronic pain management: Evidence for CBT Michael K. Nicholas, PhD Assoc. Prof. & Director

Chronic pain management: Evidence for CBT Michael K. Nicholas, PhD Assoc. Prof. & Director of ADAPT Pain Management Program University of Sydney Pain Management & Research Institute Royal North Shore Hospital In the Himalayas, Sherpas

560 views • 28 slides
Magic Pixie Dust An Intro, History, and Practical Discussion of Encryption David Kennedy

Magic Pixie Dust An Intro, History, and Practical Discussion of Encryption David Kennedy

Magic Pixie Dust An Intro, History, and Practical Discussion of Encryption David Kennedy @failbridge Presented at Shellcon, 12 October 2019, in San Pedro, California Good morning. Everyone Enjoying Shellcon? Welcome to: Magie Pixie Dust -- An

1.22k views • 87 slides
Shared Decision Making in the ED for Patients with Low-Risk Chest Pain: The Chest Pain Choice

Shared Decision Making in the ED for Patients with Low-Risk Chest Pain: The Chest Pain Choice

Shared Decision Making in the ED for Patients with Low-Risk Chest Pain: The Chest Pain Choice Decision Aid Uli K. Chettipally, MD, MPH. CREST Network Kaiser Permanente PI: Erik P. Hess MD MSc PCORI Funding: Original Research funded through

573 views • 26 slides
Pain Practice Management Increasing Value, Efficiency and Health in your Pain Practice Ashley M.

Pain Practice Management Increasing Value, Efficiency and Health in your Pain Practice Ashley M.

Pain Practice Management Increasing Value, Efficiency and Health in your Pain Practice Ashley M. Classen, DO, FAOCA Adjunct Clinical Professor Department of Surgery Anesthesiology / Interventional Pain Medicine University of North Texas Health

294 views • 10 slides
The Management of Pain and Pain Care in the Czech Republic Prof. Richard Rokyta, MD, PhD, DSc,

The Management of Pain and Pain Care in the Czech Republic Prof. Richard Rokyta, MD, PhD, DSc,

The Management of Pain and Pain Care in the Czech Republic Prof. Richard Rokyta, MD, PhD, DSc, FCMA President of Czech Pain Society Charles University, 3 rd Faculty of Medicine, Department of Normal, Pathological and Clinical Physiology,

521 views • 20 slides
Preparedness Preliminary risk management Risk assessment Risk management Risk

Preparedness Preliminary risk management Risk assessment Risk management Risk

FAO/WHO guide for application of risk analysis principles to food safety emergencies Food Recall and Traceability (February 2013, Thailand) Preparedness Preliminary risk management Risk assessment Risk management Risk

440 views • 39 slides
Div iversion & Pain Management February ry 5, , 2020 th Annual Conference MDONS 30 th

Div iversion & Pain Management February ry 5, , 2020 th Annual Conference MDONS 30 th

Div iversion & Pain Management February ry 5, , 2020 th Annual Conference MDONS 30 th Linda Vanni, MSN, RN-BC, ACNS-BC, NP, AP-PMN Nurse Practitioner, Pain Management Professional Pain Education & Consulting, LLC Conflict of In

884 views • 56 slides
Disclosures Nothing to Disclose Coordination of Pain Management Strategies with Patients'

Disclosures Nothing to Disclose Coordination of Pain Management Strategies with Patients'

6/1/2013 Disclosures Nothing to Disclose Coordination of Pain Management Strategies with Patients' Primary Care Physician Melanie M. Henry, M.D., M.P.H. UCSF Associate Professor of Anesthesia & Pain Medicine 2 4 Chronic Pain Definition

260 views • 9 slides
POSTOPERATIVE PAIN MANAGEMENT IN PEDIATRICS PRESENTED BY: JENIFER LICHTENFELS, M.D. OBJECTIVES

POSTOPERATIVE PAIN MANAGEMENT IN PEDIATRICS PRESENTED BY: JENIFER LICHTENFELS, M.D. OBJECTIVES

9/29/2016 POSTOPERATIVE PAIN MANAGEMENT IN PEDIATRICS PRESENTED BY: JENIFER LICHTENFELS, M.D. OBJECTIVES PHARMACISTS Identify risk factors for narcotic induced respiratory depression in children with OSA State the current

468 views • 17 slides
Pain Management UCLH Members meeting October 2014 Ali Mofeez Consultant in Pain Medicine and

Pain Management UCLH Members meeting October 2014 Ali Mofeez Consultant in Pain Medicine and

Pain Management UCLH Members meeting October 2014 Ali Mofeez Consultant in Pain Medicine and Anaesthesia Anna Mandeville Senior Pain Psychologist Viki Mitchell Chair of Pain Steering Group and DCD for Theatres Pain Steering Group Chair

1.79k views • 23 slides
Cryptography for Cloud Security Mohsen Toorani Department of Informatics, University of Bergen

Cryptography for Cloud Security Mohsen Toorani Department of Informatics, University of Bergen

Cryptography for Cloud Security Mohsen Toorani Department of Informatics, University of Bergen Simula@UiB Coins Winter School Finse, Norway May 12, 2017 Mohsen Toorani Cryptography for Cloud Security Finse Winter School 2017 1 / 58 Our

1.39k views • 82 slides
Sample or Random Security A Security Model for Segment-Based Visual Cryptography Sebastian

Sample or Random Security A Security Model for Segment-Based Visual Cryptography Sebastian

Sample or Random Security A Security Model for Segment-Based Visual Cryptography Sebastian Pape Dortmund Technical University March 5th, 2014 Financial Cryptography and Data Security 2014 Sebastian Pape Sample or Random Security March

541 views • 25 slides
Distributed Identity Based Short Linkable Ring Signature Kasra EdalatNejad Prof. Bryan Ford

Distributed Identity Based Short Linkable Ring Signature Kasra EdalatNejad Prof. Bryan Ford

Distributed Identity Based Short Linkable Ring Signature Kasra EdalatNejad Prof. Bryan Ford DEcentralized and DIstributed Systems Goal Anonymity Accountability Usability 2 Ring Signature Anonymous Spontaneous 3 Linkable Ring

372 views • 24 slides
OpenStack Security Group (OSSG) An Update On Our Progress And Plans Bryan D. Payne Robert Clark

OpenStack Security Group (OSSG) An Update On Our Progress And Plans Bryan D. Payne Robert Clark

OpenStack Security Group (OSSG) An Update On Our Progress And Plans Bryan D. Payne Robert Clark Nathan Kinder Agenda What is OSSG? What have we been doing? What are OSSGs plans? How you can help! Introduction OSSG

495 views • 31 slides
Fitness Comparison by Statistical Testing in Construction of SAT-Based Guess-and-Determine

Fitness Comparison by Statistical Testing in Construction of SAT-Based Guess-and-Determine

Fitness Comparison by Statistical Testing in Construction of SAT-Based Guess-and-Determine Cryptographic Attacks Artem Pavlenko, Maxim Buzdalov, Vladimir Ulyantsev GECCO 2019, July 16 Symmetric cryptography Alice wants to send a secret

715 views • 44 slides
Coconut: Threshold Issuance Selective Disclosure Credentials with Applications to Distributed

Coconut: Threshold Issuance Selective Disclosure Credentials with Applications to Distributed

Coconut: Threshold Issuance Selective Disclosure Credentials with Applications to Distributed Ledgers Authors Alberto Sonnino* Mustafa Al-Bassam* Shehar Bano* Sarah Meiklejohn* George Danezis* * University College London February 2019 The

553 views • 52 slides
Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA

Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA

Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share the same secret key . Key Ciphertext

1.17k views • 59 slides
Jasmin: High-Assurance and High-Speed Cryptography Jos Bacelar Almeida Manuel Barbosa Gilles

Jasmin: High-Assurance and High-Speed Cryptography Jos Bacelar Almeida Manuel Barbosa Gilles

Jasmin: High-Assurance and High-Speed Cryptography Jos Bacelar Almeida Manuel Barbosa Gilles Barthe Arthur Blot Benjamin Grgoire Vincent Laporte Tiago Oliveira Hugo Pacheco Benedick Schmidt Pierre-Yves Strub CCS17 2017-11-02

440 views • 31 slides

More recommend