Protect Sensitive Data with Ada Keystore
Stéphane Carrez, FOSDEM 2020
https://github.com/stcarrez/ada-keystore

Why Ada Keystore?
- Store sensitive parameters of an Ada server:
  – Database connection passwords
  – API secret keys
- Tool to store sensitive information:
  – Passwords and accounts
  – Encrypted documents without exposing their keys

Getting a secret (1)

    with Keystore.Files;
    function Get_Secret return String is
       WS   : Keystore.Files.Wallet_File;
       --  The password is a literal in the source ("..." is elided on the slide).
       Pass : Keystore.Secret_Key := Keystore.Create ("...");
    begin
       --  Unlock the keystore file with the password, then read one entry.
       WS.Open (Pass, "secure.akt");
       return WS.Get ("api-key");
    end Get_Secret;

- Open keystore with simple password (simple but less secure: password in code!)

Getting a secret (2)

    with Keystore.GPG;
    with Keystore.Passwords.GPG;
    with Keystore.Files;
    function Get_Secret return String is
       WS  : Keystore.Files.Wallet_File;
       Ctx : Keystore.Passwords.GPG.Context_Type;
    begin
       --  No password in the source: the keystore is unlocked through GPG.
       Keystore.GPG.Open (WS, Ctx, "secure.akt");
       return WS.Get ("api-key");
    end Get_Secret;

- Open keystore protected with GPG

Ada Keystore: a secure storage
[Diagram. Labels: AKT; Ada Keystore; User password; GPG protected key; Encrypted Data; Keystore]

Ada Keystore: with multiple keys
[Diagram. Labels: User password; GPG protected key; Master key block; Signature key; Directory key; Directory keys; Data info key; Data key key; Data keys; Data fragment (repeated); Encrypted Data]

Ada Keystore: with blocks (unchained)
[Diagram of the block types; 4K is marked on the drawing. Labels per block:]
- Header block: HDR, (1815-12-10) (1852-11-27) Ada, UUID, Storage ID, Data Storage Info + HMAC, HMAC-256
- Directory block: HMAC-256, HDR, Directory Name Entry, Data block indexes & keys
- Data block: HMAC-256, HDR, Data fragment info, HMAC-256, Data Fragment
- Master key block: HMAC-256, HDR, Wallet info, UUID, Key slot 1 ... Key slot 7

Ada Keystore: key protection
[Diagram: the user password is checked against key slot N to unlock the wallet master keys. Labels:]
- Wallet master key block (AES-256 CBC): HMAC-256, HDR, Wallet info, UUID, Key slot 1 ... Key slot 7
- Block check: Wallet Header Key, wallet header IV, Block ID; Key, IV; HMAC 256 compared (= ?) with Wallet Sign: NO, invalid block / YES, valid block
- Wallet master key slot N (512 bytes): salt key N (32 bytes), ctr slot N (4 bytes), salt IV N (32 bytes), a second 4-byte field, Sign N (32 bytes), HMAC (32 bytes), Wallet Master Keys (240 bytes)
- Password check: User password; PBKDF2 HMAC 256 (shown twice); AES-256 CBC; HMAC 256 compared (= ?): NO, invalid password / YES, valid password
- Wallet Master Keys: key key (256 bits), key IV (128 bits), key sign (256 bits), dat key (256 bits), dat IV (128 bits), dat sign (256 bits), dir key (256 bits), dir IV (128 bits), dir sign (256 bits)

Ada Keystore: GPG protection
[Diagram: the wallet master keys are unlocked with a GPG private key. Labels:]
- Header block: HDR, (1815-12-10) (1852-11-27) Ada, UUID, Storage ID, Data Storage Info + HMAC, HMAC-256; header tag (4 bytes); HMAC 256 compared (= ?) with Sign (32 bytes): NO, invalid block / YES, valid block
- GPG2 with the GPG Private key: Key (32 bytes) and IV (16 bytes), shown twice
- Wallet master key block (AES-256 CBC): HMAC-256, HDR, Wallet info, UUID, Key slot 1 ... Key slot 7
- Wallet master key slot N (512 bytes): Sign N (32 bytes), HMAC (32 bytes), Wallet Master Keys (240 bytes); AES-256 CBC; HMAC 256 compared (= ?): NO, invalid password / YES, valid password
- Wallet Master Keys: key key (256 bits), key IV (128 bits), key sign (256 bits), dat key (256 bits), dat IV (128 bits), dat sign (256 bits), dir key (256 bits), dir IV (128 bits), dir sign (256 bits)

Ada Keystore: directory encryption
[Diagram. Labels:]
- Directory block (AES-256 CBC): HMAC-256, HDR, Directory Name Entry, Data block indexes & keys
- Labels on the AES-256 CBC / HMAC 256 step: Directory Key, directory IV, Block ID, Directory Sign
- Directory Name Entry: Name (N bytes), Entry ID (4 bytes)
- Per data fragment encryption keys: key (256 bits), IV (128 bits), Block Num, Store ID, Entry ID (three 4-byte fields shown)
- Data blocks (two shown): HMAC-256, HDR, Data fragment info, HMAC-256, Data Fragment

Ada Keystore: data encryption
[Diagram. Labels:]
- Data block (AES-256 CBC): HMAC-256, HDR, Data fragment info, HMAC-256, Data Fragment
- Labels on the block step: Data Key, IV, Block ID; HMAC 256; Data Sign
- Data entry descriptor: Data Offset, Slot Size, Entry ID (sizes shown: 8 bytes, 2 bytes, 4 bytes), HMAC (256 bits)
- Data fragment (AES-256 CBC, HMAC 256): Data fragment Key, IV, Block ID

Ada Keystore: directory decryption
[Diagram. Labels:]
- Directory block (AES-256 CBC): HMAC-256, HDR, Directory Name Entry, Data block indexes & keys
- Labels on the AES-256 CBC / HMAC 256 step: Directory Key, directory IV, Block ID; HMAC 256 compared (= ?) with Directory Sign: NO, invalid block / YES, valid block
- Directory Name Entry: Name (N bytes), Entry ID (4 bytes)
- Per data fragment encryption keys: key (256 bits), IV (128 bits), Block Num, Store ID, Entry ID (three 4-byte fields shown)
- Data blocks (two shown): HMAC-256, HDR, Data fragment info, HMAC-256, Data Fragment

Ada Keystore: data decryption
[Diagram. Labels:]
- Data block (AES-256 CBC): HMAC-256, HDR, Data fragment info, HMAC-256, Data Fragment
- Labels on the block step: Data Key, IV, Block ID; HMAC 256 compared (= ?) with Data Sign: NO, invalid block / YES, valid block
- Data entry descriptor: Data Offset, Slot Size, Entry ID (sizes shown: 8 bytes, 2 bytes, 4 bytes), HMAC (256 bits)
- Data fragment (AES-256 CBC, HMAC 256): Data fragment Key, IV, Block ID; compared (= ?): NO, invalid fragment / YES, valid fragment

Ada Keystore: more complexity
[Diagram: the key protection, directory decryption and data decryption drawings from the previous slides shown together]
- Update data
- Secure data erase
- Insert data
- Protect keys
- Thread safe API
- Multi-task encryption/decryption
- Prevent security holes

Ada benefit: limited types
- Use limited record:
  – Encryption keys cannot be copied
  – Secret key content visible only to AES operations
- Use Ada.Finalization.Limited_Controlled:
  – Erase encryption keys when object is released

    type Secret_Key (Length : Key_Length) is limited private;
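
An added example, not code from the slides or from the ada-keystore project, of the pattern described above: a limited private key type whose full view derives from Ada.Finalization.Limited_Controlled, so the bytes are zeroed when the object goes out of scope. The package Keys, the operations Set and Checksum (a stand-in for an AES operation) and the Erased counter are hypothetical names used only for this demo.

```ada
with Ada.Finalization;
with Ada.Streams; use Ada.Streams;
with Ada.Text_IO; use Ada.Text_IO;

procedure Secret_Key_Demo is
   package Keys is
      subtype Key_Length is Stream_Element_Offset range 1 .. 64;
      --  limited: no assignment or copy; private: bytes hidden from clients.
      type Secret_Key (Length : Key_Length) is limited private;
      procedure Set (Key : in out Secret_Key; Value : in Stream_Element_Array);
      --  Stand-in for an AES operation, the only code that reads the bytes.
      function Checksum (Key : in Secret_Key) return Natural;
      Erased : Natural := 0;  --  demo only: counts the keys wiped so far
   private
      type Secret_Key (Length : Key_Length) is
        new Ada.Finalization.Limited_Controlled with record
           Secret : Stream_Element_Array (1 .. Length) := (others => 0);
        end record;
      overriding procedure Finalize (Key : in out Secret_Key);
   end Keys;
   package body Keys is
      procedure Set (Key : in out Secret_Key; Value : in Stream_Element_Array) is
      begin
         Key.Secret := Value;  --  Constraint_Error if the lengths differ
      end Set;
      function Checksum (Key : in Secret_Key) return Natural is
         Sum : Natural := 0;
      begin
         for B of Key.Secret loop
            Sum := Sum + Natural (B);
         end loop;
         return Sum;
      end Checksum;
      overriding procedure Finalize (Key : in out Secret_Key) is
      begin
         Key.Secret := (others => 0);  --  wipe before the storage is reused
         Erased := Erased + 1;
      end Finalize;
   end Keys;
begin
   declare
      K : Keys.Secret_Key (Length => 32);
      --  Copy : Keys.Secret_Key := K;  --  rejected by the compiler: limited
   begin
      Keys.Set (K, (1 .. 32 => 16#2A#));  --  constructed sample key bytes
      Put_Line ("checksum:" & Natural'Image (Keys.Checksum (K)));
   end;  --  Finalize runs here and zeroes the key bytes
   Put_Line ("keys erased:" & Natural'Image (Keys.Erased));
end Secret_Key_Demo;
```

Saved as secret_key_demo.adb, this builds with gnatmake; uncommenting the Copy declaration turns the copy attempt into a compile-time error.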

Ada benefit: subtypes
- Use subtype to constrain index computation:
  – Detect index errors when they are computed, not when we access the data

    subtype Buffer_Size is Stream_Element_Offset range 0 .. 4064;
    subtype Block_Index is Stream_Element_Offset range 1 .. 4064;
    subtype Block_Type is Stream_Element_Array (Block_Index);

    --  better to raise Constraint_Error here
    Key_Pos := Key_Header_Pos - Key_Slot_Size (Iterator.Key_Count);
    --  bounds still verified
    Buf.Data (Key_Pos .. Key_Pos + Key_Size - 1) := ...;

Ada benefit: private child package
- Use private child package:
  – Restrict scope of operations
  – Helps in refactoring decisions
[Diagram of the package hierarchy. Labels: Entries, Data, Keys, Files, Headers, Refs, Workers, Containers, Files, Tools, GPG, Cmds, Files, GPG, Passwords, Keystore, Repository, Buffers, Marshallers, IO, Keys, Random, Input, Keys, Unsafe]

Ada benefit: precondition
- Use Preconditions:
  – Nice for API constraints
  – Helpful to detect internal errors earlier

    function Contains (Container : in Wallet;
                       Name      : in String) return Boolean is abstract
      with Pre'Class => Container.Is_Open;

    procedure Put_Unsigned_32 (Into  : in out Marshaller;
                               Value : in Interfaces.Unsigned_32)
      with Pre => Into.Pos <= Block_Type'Last - 4;
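
An added example, not code from the slides or from the ada-keystore project, that combines the subtype and precondition slides: a marshaller whose Pre rejects a write that would run past the block, and an index function whose result subtype raises Constraint_Error where the index is computed. The 16-byte block, Slot_Size, Slot_Start and the meaning given to Pos (index of the last byte written) are assumptions made for the demo.

```ada
pragma Assertion_Policy (Check);  --  evaluate Pre at run time
with Ada.Assertions;
with Ada.Streams; use Ada.Streams;
with Ada.Text_IO; use Ada.Text_IO;
with Interfaces;  use Interfaces;

procedure Marshaller_Demo is
   --  Assumed demo sizes: a 16-byte block keeps the arithmetic easy to follow.
   subtype Buffer_Size is Stream_Element_Offset range 0 .. 16;
   subtype Block_Index is Stream_Element_Offset range 1 .. 16;
   subtype Block_Type is Stream_Element_Array (Block_Index);
   Slot_Size : constant := 6;  --  hypothetical key slot size
   type Marshaller is record
      Data : Block_Type  := (others => 0);
      Pos  : Buffer_Size := 0;  --  assumption: index of the last byte written
   end record;
   procedure Put_Unsigned_32 (Into : in out Marshaller; Value : in Unsigned_32)
     with Pre => Into.Pos <= Block_Type'Last - 4
   is
      V : Unsigned_32 := Value;
   begin
      for I in Block_Index range 1 .. 4 loop  --  little-endian byte order
         Into.Data (Into.Pos + I) := Stream_Element (V and 16#FF#);
         V := Shift_Right (V, 8);
      end loop;
      Into.Pos := Into.Pos + 4;
   end Put_Unsigned_32;

   --  The result subtype checks the index where it is computed.
   function Slot_Start (Slot : Positive) return Block_Index is
     (Block_Index'First + Slot_Size * Stream_Element_Offset (Slot - 1));
   M       : Marshaller;
   Key_Pos : Block_Index;
begin
   for I in 1 .. 4 loop
      Put_Unsigned_32 (M, Unsigned_32 (I));  --  fills bytes 1 .. 16
   end loop;
   begin
      Put_Unsigned_32 (M, 5);  --  Pos = 16 violates Pos <= 12
   exception
      when Ada.Assertions.Assertion_Error =>
         Put_Line ("Pre failed: nothing was written past the block");
   end;
   Key_Pos := Slot_Start (4);  --  1 + 6 * 3 = 19: Constraint_Error here
   M.Data (Key_Pos) := 0;      --  never reached with a bad index
exception
   when Constraint_Error =>
      Put_Line ("Constraint_Error raised by the index computation");
end Marshaller_Demo;
```

Without the Assertion_Policy pragma (or GNAT's -gnata switch) the Pre is not evaluated, and the same bad write is caught one step later by the index check on Into.Data.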

Ada benefit: postcondition
- Use Postconditions:
  – Nice for API clarification
  – More complex to write

    function Get_Header (From : in out Marshaller) return Unsigned_32
      with Post => From.Pos = Block_Type'First + 3;

    procedure Get_Keys (From : in Key_Provider;
                        Key  : out Secret_Key;
                        IV   : out Secret_Key;
                        Sign : out Secret_Key) is abstract
      with Post'Class => Key.Length = 32 and IV.Length = 16 and Sign.Length = 32;

Ada benefit: protected types
- Use protected types:
  – Concurrent access to keystore objects
  – Holds the keystore internal data structures

    protected type Wallet_Container is
       procedure Open (...);
       procedure Create (...);
       procedure Add (...);
       ...
    end Wallet_Container;

Ada benefit: tasks
- Use tasks for encryption/decryption process:
  – parallelize encryption and decryption
  – allow configuring the number of tasks
  – pre-allocation of tasks

Ada Keystore Work Queues
[Diagram. Labels: READ BLOCK; Prepare Work; Work Pool; Executor Queue; Executor Task #1 ... Executor Task #N, each with AES-256 CBC and HMAC 256; Sequence Queue; Collect Work; Data Fragment #1, Data Fragment #2 ... Data Fragment #N; data blocks (HMAC-256, HDR, Data fragment info, HMAC-256, Data Fragment)]

Conclusion
- Writing a secure keystore is hard:
  – insert, update, remove data entries that look random
  – don't leak secret keys
- Project succeeded thanks to Ada:
  – many errors prevented by the language
  – no buffer overflow, runtime error detection
- Secure storage made simple for Ada:
  – simple Ada API (Open, Create, Add, Get, Remove)
  – https://ada-keystore.readthedocs.io/en/latest/