How to Delete Data for Realz: This Presentation Will Self-Destruct (PowerPoint PPT Presentation)

SLIDE 1

#RSAC

Rashomon Security

SESSION ID: PDAC-R10F

How to Delete Data for Realz: This Presentation Will Self-Destruct In...

Davi Ottenheimer, President, Flyingpenguin, @daviottenheimer

Ian Smith, Research Scientist, University of Washington, @sesosek

SLIDE 2

Rashomon = Solving “Uncertainty of Fact”*

* “The Samurai Film,” Alain Silver, 1983, p. 47

SLIDE 3

Rising Problem of “unDEAD” Data

Image: The Ghost Kohada Koheiji, Katsushika Hokusai (1760-1849)

SLIDE 4

Data Lifecycle

Create → Store → Access → Modify → Share → Backup → Destroy

SLIDE 5

MSM (mainstream media) Awareness

SLIDE 6

Example: Internet of Snitches

  • US Government collecting social media information from foreign travelers
  • Data from pacemaker used to arrest man for arson, insurance fraud

SLIDE 7

Example: Plaintext Distributed Data to Cloud

Diagram: containers (DB, Flask REST API, each with its own bins/libs) on a Container Engine (Docker) on the Host OS

SLIDE 8

Example: War of Words

SLIDE 9

“Use Bleach” to Purge History

SLIDE 10

Broken Solutions

  • Unlinking
  • Overwriting
  • Master Key
  • Physical Destruction

SLIDE 11

Classic PGP (No Forward Secrecy) is Classic

Diagram: Epk_bob(M) → Server → Dsk_bob(Epk_bob(M)) → M

sk = secret key, pk = public key

SLIDE 12

Classic PGP (No Forward Secrecy) is Classic

Diagram: Epk_bob(M) → Server → Dsk_bob(Epk_bob(M)) → M

Attacker with sk_bob can read all past messages

SLIDE 13

In Search of an Improved Trust Level

SLIDE 14

Distributed Expiring Auditable Data (DEAD)

  1. Automatic expiration timers
  2. Always, even when replicated or offline
  3. Audited

SLIDE 15

Data, Prepare to be DEAD

SLIDE 16

DEAD Example Architecture

  1. Automatic: Access gone after expiration
  2. Always: Stored keys disappear over time, destroying data
  3. Audited: Action required for initial data access

SLIDE 17

Split secret S into n pieces

  • Knowledge of any m of them makes S easy to compute.
  • Knowledge of any m - 1 or fewer leaves S completely undetermined.

Plot: Vlsergey

SLIDE 18

Automatic Key Expiration

  • Store(secret, expiration time) → index
  • Get(index) → secret, if not yet expired

Diagram: stored entry <index>, Expire in: 72 hours

SLIDE 19

Automatic Key Expiration

  • Store(secret, expiration time) → index
  • Get(index) → secret, if not yet expired

Diagram: Get(<index>) after expiration → not found

SLIDE 20

Always (Forward Secrecy)

Diagram:
  Alice → Server (key store): Epk_bob(k) → S, stored under index I
  Alice → Server (messages, with Backups) → Bob: Epk_bob(Ek(M), I)
  Bob → Server (key store): I → S; Dsk_bob(S) → k
  Bob: Dk(Dsk_bob(Epk_bob(Ek(M), I))) → M

Alice, Bob: xkcd.com

SLIDE 21

Always (Forward Secrecy)

Diagram:
  Alice → Server (key store): Epk_bob(k) → S, stored under index I
  Alice → Server (messages, with Backups) → Bob: Epk_bob(Ek(M), I)
  Bob → Server (key store): I → S; Dsk_bob(S) → k
  Bob: Dk(Dsk_bob(Epk_bob(Ek(M), I))) → M

Alice, Bob: xkcd.com

Attacker with sk_bob cannot read any expired messages
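The exchange of slides 18 through 21, worked through as an added example in Go; this is not code from the deck or from any project of the speakers. A hypothetical in-memory ExpiringStore plays the key server with Store/Get and the slide's 72-hour timers, RSA-OAEP stands in for Epk_bob/Dsk_bob, AES-256-GCM for Ek/Dk, and the clock is injected so the expiry path can be exercised without waiting three days. The outer pk_bob wrapping of (Ek(M), I) shown on the slide is left off, so the ciphertext and index travel as-is. The type and function names, the message text and the start date are all assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"time"
)

const keyTTL = 72 * time.Hour // the slide's "Expire in: 72 hours"

// ExpiringStore is a hypothetical DEAD key service: Store(secret, ttl) -> index and
// Get(index) -> secret only while its timer is running. The clock is injected.
type ExpiringStore struct {
	now     func() time.Time
	secrets map[string][]byte
	expires map[string]time.Time
}

func (s *ExpiringStore) Store(secret []byte, ttl time.Duration) string {
	index := hex.EncodeToString(randomBytes(16))
	s.secrets[index] = append([]byte(nil), secret...)
	s.expires[index] = s.now().Add(ttl)
	return index
}

func (s *ExpiringStore) Get(index string) ([]byte, bool) {
	s.Sweep()
	secret, ok := s.secrets[index] // "not found" once the timer has run out
	return secret, ok
}

// Sweep runs the timers: expired keys are wiped whether or not anyone asks ("Always").
func (s *ExpiringStore) Sweep() {
	for index, t := range s.expires {
		if !s.now().Before(t) {
			for i := range s.secrets[index] {
				s.secrets[index][i] = 0 // best-effort zeroisation before dropping the reference
			}
			delete(s.secrets, index)
			delete(s.expires, index)
		}
	}
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// gcmFor builds AES-256-GCM for k; both constructors only fail on a bad key length.
func gcmFor(k []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(k))))
}

// aliceSend: Epk_bob(k) -> S, Store(S) -> I, Ek(M). Only S ever reaches the key store.
func aliceSend(store *ExpiringStore, bobPub *rsa.PublicKey, msg []byte) (ct []byte, index string) {
	k := randomBytes(32)
	S := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, bobPub, k, nil))
	aead := gcmFor(k)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, msg, nil), store.Store(S, keyTTL)
}

// bobRead: Get(I) -> S, Dsk_bob(S) -> k, Dk(Ek(M)) -> M. Without S, sk_bob alone recovers nothing.
func bobRead(store *ExpiringStore, bobPriv *rsa.PrivateKey, ct []byte, index string) ([]byte, error) {
	S, ok := store.Get(index)
	if !ok {
		return nil, errors.New("key expired: message is DEAD")
	}
	k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, bobPriv, S, nil)
	if err != nil {
		return nil, err
	}
	aead := gcmFor(k)
	return aead.Open(nil, ct[:aead.NonceSize()], ct[aead.NonceSize():], nil)
}

// Demo returns what Bob reads before the timer runs out and whether a holder of
// sk_bob with a backup of the ciphertext can still read it afterwards.
func Demo() (before string, readableAfter bool) {
	clock := time.Date(2017, 2, 14, 9, 0, 0, 0, time.UTC) // constructed start time
	store := &ExpiringStore{now: func() time.Time { return clock }, secrets: map[string][]byte{}, expires: map[string]time.Time{}}
	bobPriv := must(rsa.GenerateKey(rand.Reader, 2048))
	ct, index := aliceSend(store, &bobPriv.PublicKey, []byte("meet at noon"))
	plain := must(bobRead(store, bobPriv, ct, index))
	clock = clock.Add(keyTTL + time.Minute) // 72 hours pass; the backup of ct survives
	_, err := bobRead(store, bobPriv, ct, index)
	return string(plain), err == nil
}
```

Demo() returns ("meet at noon", false): the same ciphertext Bob read on day one, decrypted with the same sk_bob, yields only "key expired" once the store's timer has run out, which is the claim on slide 21 that an attacker with sk_bob cannot read expired messages. The store only ever holds S = Epk_bob(k), so a compromise of the key server alone does not expose k either; the audit trail of slide 22 (logging every Get) is the one property this block leaves out.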

SLIDE 22

Audited (e.g. Cloud Delete)

Diagram: containers (DB, Flask REST API, each with its own bins/libs) on a Container Engine (Docker) on the Host OS, with key requests going to the DEAD Service (audits key requests)

SLIDE 23

Audited (e.g. Cloud Delete)

Diagram: containers (DB, Flask REST API, each with its own bins/libs) on a Container Engine (Docker) on the Host OS, with key requests going to the DEAD Service (audits key requests)

SLIDE 24

Resilient to Attack: Privacy

DEAD secrets cannot be read without the index

Image: attacker, %#&$!!

SLIDE 25

Resilient to Attack: Availability

Alice: xkcd.com

SLIDE 26

Resilient to Attack: Availability

Alice: xkcd.com

SLIDE 27

Resilient to Attack: Privacy + Availability

Num. storage locations (n) | Quorum threshold (m / n) | Num. compromised to violate privacy (m) | Num. failed to violate availability (n - m + 1)
1 | 1/1 | 1 | 1
2 | 1/2 | 1 | 2
2 | 2/2 | 2 | 1
3 | 1/3 | 1 | 3
3 | 2/3 | 2 | 2
3 | 3/3 | 3 | 1
4 | 1/4 | 1 | 4
4 | 2/4 | 2 | 3
4 | 3/4 | 3 | 2
4 | 4/4 | 4 | 1
5 | 1/5 | 1 | 5
5 | 2/5 | 2 | 4
5 | 3/5 | 3 | 3
5 | 4/5 | 4 | 2
5 | 5/5 | 5 | 1

Diagram: S split into shares S1 S2 S3 S4 S5

SLIDE 28

Resilient to Attack: Privacy + Availability

(same table as slide 27)

Diagram: shares S1 S2 S3 S4 S5 in their storage locations

SLIDE 29

Resilient to Attack: Privacy + Availability

(same table as slide 27)

Diagram: shares S1 S2 S3 S4 S5 recombined into S; two attackers, %#&$!! %#&$!!

SLIDE 30

Resilient to Attack: Privacy + Availability

Example: 8/15

  • Num. storage locations (n): 15
  • Quorum threshold (m / n): 8 / 15
  • Num. compromised to violate privacy (m): 8
  • Num. failed to violate availability (n - m + 1): 8

Image: %#&$!! %#&$!! (attackers) and %#&$!! %#&$!! %#&$!! %#&$!! %#&$!! (failed locations)
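The two properties on slide 17 and the quorum table of slides 27 through 30, as an added example in Go that is not code from the deck or from the speakers. The two bullets on slide 17 are the definition of Shamir's (m, n) threshold scheme, so the block implements that construction over the prime field GF(2^127 - 1): Split hides S as the constant term of a random degree m-1 polynomial, Recover interpolates the shares at x = 0, and Thresholds reproduces the table's two columns. The secret value, the choice of which stores answer and every identifier are constructed for this example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"math/big"
)

// prime is the field modulus; 2^127 - 1 is a Mersenne prime, so secrets of up to
// 127 bits fit and every non-zero element has an inverse.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 127), big.NewInt(1))

// Share is one of the n pieces: the polynomial evaluated at x = 1..n.
type Share struct {
	X int64
	Y *big.Int
}

// Split hides S as the constant term of a random degree m-1 polynomial and hands
// out n points on it, so any m points pin the polynomial down and m-1 do not.
func Split(S *big.Int, m, n int) ([]Share, error) {
	if m < 1 || m > n || S.Sign() < 0 || S.Cmp(prime) >= 0 {
		return nil, errors.New("need 1 <= m <= n and 0 <= S < prime")
	}
	coeffs := []*big.Int{new(big.Int).Set(S)}
	for i := 1; i < m; i++ {
		c, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coeffs = append(coeffs, c)
	}
	shares := make([]Share, n)
	for i := range shares {
		x := big.NewInt(int64(i + 1))
		y := new(big.Int)
		for j := m - 1; j >= 0; j-- { // Horner: y = ((c_{m-1} x + c_{m-2}) x + ...) + c_0
			y.Mul(y, x).Add(y, coeffs[j]).Mod(y, prime)
		}
		shares[i] = Share{X: x.Int64(), Y: y}
	}
	return shares, nil
}

// Recover evaluates the Lagrange interpolation of the given points at x = 0.
// Given fewer than m distinct points it still returns a value, just not S.
func Recover(shares []Share) *big.Int {
	S := new(big.Int)
	for i, si := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		for j, sj := range shares {
			if i != j {
				num.Mul(num, big.NewInt(-sj.X)).Mod(num, prime)
				den.Mul(den, big.NewInt(si.X-sj.X)).Mod(den, prime)
			}
		}
		term := new(big.Int).Mul(si.Y, num)
		term.Mul(term, new(big.Int).ModInverse(den, prime))
		S.Add(S, term).Mod(S, prime)
	}
	return S
}

// Thresholds reproduces the slide's table for an m-of-n quorum: how many stores an
// attacker must compromise to learn S (m) and how many must fail before S is lost
// (n - m + 1). Raising m buys privacy at the cost of availability, and vice versa.
func Thresholds(m, n int) (compromisedToViolatePrivacy, failedToViolateAvailability int) {
	return m, n - m + 1
}

// DemoShares runs the slide's 8/15 example on a constructed secret: when 8 of the
// 15 stores answer, S comes back; when only 7 answer, the result is unrelated to S.
func DemoShares() (recoveredFrom8, recoveredFrom7 bool, err error) {
	secret := big.NewInt(20170214) // constructed secret
	shares, err := Split(secret, 8, 15)
	if err != nil {
		return false, false, err
	}
	available := shares[4:12] // stores 5..12 answered; 1-4 and 13-15 are down or hostile
	recoveredFrom8 = Recover(available).Cmp(secret) == 0
	recoveredFrom7 = Recover(available[:7]).Cmp(secret) == 0
	return recoveredFrom8, recoveredFrom7, nil
}
```

DemoShares() returns (true, false, nil), and Thresholds(8, 15) returns (8, 8): in the 8/15 example an attacker needs eight compromised stores to learn S, and eight failed stores are also enough to lose it, which is the symmetric point the slide's table makes for every m just above n/2.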

SLIDE 31

Distributed Expiring Auditable Data (DEAD)

  1. Automatic expiration timers
  2. Always, even when replicated or offline
  3. Audited

SLIDE 32

Apply

  1. Identify data flows in your organization
     a. Source code
     b. Customer and operations data
     c. Internal communications
     d. API tokens, TLS certs, SSH keys, DB credentials
     e. Internet of snitches
     f. Partners and service providers
  2. Assess unDEAD data risk (severity x probability)
  3. Flag processes where DEAD required

SLIDE 33

Apply: Russian Containers

SLIDE 34

Get DEAD

  • Amazon KMS
  • Fugue Credstash
  • HashiCorp Vault
  • Kubernetes secret objects
  • Docker SwarmKit secrets
  • OpenStack Barbican

SLIDE 35

DEAD Data Demo

Join our Focus-On session: Learn how to make data DEAD

  • Automatic
  • Always
  • Audited

Time: 2:45 - 3:30 PM, Session Code: FON3-R11