secrets at planet scale
play

Secrets at Planet-Scale: Engineering the Internal Google Key - PowerPoint PPT Presentation

Aug 30, 2022 •824 likes •1.63k views

Secrets at Planet-Scale: Engineering the Internal Google Key Management System (KMS) Anvita Pandit Google LLC QCon San Francisco 2019, Nov 11-13 Anvita Pandit - Software engineer in Data Protection / Security and Privacy org in Google for

  1. Secrets at Planet-Scale: Engineering the Internal Google Key Management System (KMS) Anvita Pandit Google LLC QCon San Francisco 2019, Nov 11-13

  2. Anvita Pandit - Software engineer in Data Protection / Security and Privacy org in Google for 2 years. - Engineering Resident. - DEFCON 2019 Biohacking village: co-presented “Hacking Race” workshop with @HerroAnneKim

  3. Not the Google Cloud KMS

  4. Agenda 1. Why use a KMS? 2. Essential product features 3. Walkthrough of encrypted storage use case 4. System specs and architectural decisions 5. Walkthrough of an outage 6. More architecture! 7. Challenge: safe key rotation

  5. The Great Gmail Outage of 2014 https://googleblog.blogspot.com/2014/01/todays-outage-for-several-google.html

  7. Why Use a KMS?

  8. Why Use a KMS? Core motivation: code needs secrets!

  9. Why Use a KMS? Core motivation: code needs secrets! Secrets like: ● Database passwords, third party API and OAuth tokens ● Cryptographic keys used for data encryption, signing, etc

  10. Why Use a KMS? Core motivation: code needs secrets! Where?

  11. Why Use a KMS? Core motivation: code needs secrets! Where? ● In code repository?

  12. https://github.com/search?utf8=%E2%9C%93&q=remove+password&type=Commits&ref=searchresults

  13. Why Use a KMS? Core motivation: code needs secrets! Where? ● In code repository? ● On production hard drives?

  14. Why Use a KMS? Core motivation: code needs secrets! Where? ● In code repository? ● On production hard drives? Alternative: ● Use a KMS!

  15. Centralized Key Management Solves key problems for everybody.

  16. Centralized Key Management Solves key problems for everybody. Offers: ● Separate management of key-handling code

  17. Centralized Key Management Solves key problems for everybody. Offers: ● Separate management of key-handling code ● Separation of trust

  18. Centralized Key Management Solves key problems for everybody

  19. Centralized Key Management Solves key problems for everybody 1. Access control lists (ACLs)

  20. Centralized Key Management Solves key problems for everybody 1. Access control lists (ACLs) ● Who is allowed to use the key? Who is allowed to make updates to the key configuration?

  21. Centralized Key Management Solves key problems for everybody 1. Access control lists (ACLs) ● Who is allowed to use the key? Who is allowed to make updates to the key configuration? ● Identities are specified with the internal authentication system (see ALTS)

  22. Centralized Key Management Solves key problems for everybody. 2. Auditing aka Who touched my keys?

  23. Centralized Key Management Solves key problems for everybody. 2. Auditing aka Who touched my keys? ● Binary verification

  24. Centralized Key Management Solves key problems for everybody. 2. Auditing aka Who touched my keys? ● Binary verification ● Logging (but not the secrets!)

  29. Google’s Root of Trust Storage Systems (Millions) Data encrypted with data keys (DEKs) KMS (Tens of Thousands) Master keys and passwords are stored in KMS Root KMS (Hundreds) KMS is protected with a KMS master key in Root KMS Root KMS master key distributor (Hundreds) Root KMS master key is distributed in memory Physical safes (a few) Root KMS master key is backed up on hardware devices

  30. Google’s Root of Trust Storage Systems (Millions) Data encrypted with data keys (DEKs) KMS (Tens of Thousands) Master keys and passwords are stored in KMS Root KMS (Hundreds) KMS is protected with a KMS master key in Root KMS Root KMS master key distributor (Hundreds) Root KMS master key is distributed in memory Physical safes (a few) Root KMS master key is backed up on hardware devices

  31. Google’s Root of Trust Storage Systems (Millions) Data encrypted with data keys (DEKs) KMS (Tens of Thousands) Master keys and passwords are stored in KMS Root KMS (Hundreds) KMS is protected with a KMS master key in Root KMS Root KMS master key distributor (Hundreds) Root KMS master key is distributed in memory Physical safes (a few) Root KMS master key is backed up on hardware devices

  32. Google’s Root of Trust Storage Systems (Millions) Data encrypted with data keys (DEKs) KMS (Tens of Thousands) Master keys and passwords are stored in KMS Root KMS (Hundreds) KMS is protected with a KMS master key in Root KMS Root KMS master key distributor (Hundreds) Root KMS master key is distributed in memory Physical safes (a few) Root KMS master key is backed up on hardware devices

  33. Google’s Root of Trust Storage Systems (Millions) Data encrypted with data keys (DEKs) KMS (Tens of Thousands) Master keys and passwords are stored in KMS Root KMS (Hundreds) KMS is protected with a KMS master key in Root KMS Root KMS master key distributor (Hundreds) Root KMS master key is distributed in memory Physical safes (a few) Root KMS master key is backed up on hardware devices

  34. Design Requirements Category Requirement Availability 5 nines => 99.999% of requests are served Latency 99% of requests are served < 10 ms Scalability Planet-scale! Security Effortless key rotation

  35. Decisions, decisions ● Not an encryption/decryption service.

  36. Decisions, decisions ● Not an encryption/decryption service. ● Not a traditional database

  37. Decisions, decisions ● Not an encryption/decryption service. ● Not a traditional database ● Key wrapping ● Stateless serving

  38. Key Wrapping

  39. Key Wrapping ● Fewer centrally-managed keys improves availability but requires more trust in the client

  40. Stateless Serving Insight: At the KMS layer, key material is not mutable state. Immutable key material + key wrapping ==> Stateless server ==> Trivial scaling Keys in RAM ==> Low latency serving

  41. What Could Go Wrong?

  42. The Great Gmail Outage of 2014 https://googleblog.blogspot.com/2014/01/todays-outage-for-several-google.html

  43. Normal Operation Each team Each team Individual Team Config Changes maintains their maintains their KMS own KMS own KMS Client Server KMS Sees KMS Merging Source configurations configurations, incorrect Config Truncated KMS Problem Repository Update Single image of merge KMS Config Local 🐜 (holds Data Merged source repo KMS cron ☠ Config all stored in encrypted Pusher Config KMS 😶 job configs) Client Many KMS 😢 Google’s Client Servers A bad config pushed globally Which get automatically merged Which is distributed to all monolithic repo Each All Local Local Configs into a combined config file KMS shards for serving means a global outage Config ☠

  44. Lessons Learned The KMS had become ● a single point of failure ● a startup dependency for services ● often a runtime dependency ==> KMS Must Not Fail Globally

  45. KMS Must Not Fail Globally ● No more all-at-once global rollout of binaries and configuration ● Regional failure isolation and client isolation ● Minimize dependencies

  46. Google KMS Current Stats: ● No downtime since the Gmail outage in 2014 January: >> 99.9999% ● 99.9% of requests are served < 6 ms ● ~10 7 requests/sec (~10 M QPS) ● ~10 4 processes & cores

  47. Challenge: Safe Key Rotation

  48. Make It Easy To Rotate Keys ● Key compromise ○ Also requires access to cipher text

  49. Make It Easy To Rotate Keys ● Key compromise ○ Also requires access to cipher text ● Broken ciphers ○ Access to cipher text is enough

  50. Make It Easy To Rotate Keys ● Key compromise ○ Also requires access to cipher text ● Broken ciphers ○ Access to cipher text is enough ● Rotating keys limits the window of vulnerability

  51. Make It Easy To Rotate Keys ● Key compromise ○ Also requires access to cipher text ● Broken ciphers ○ Access to cipher text is enough ● Rotating keys limits the window of vulnerability ● But rotating keys means there is potential for data loss

  52. Robust Key Rotation at Scale - 0 Goals 1. KMS users design with rotation in mind 2. Using multiple key versions is no harder than using a single key 3. Very hard to lose data

  53. Robust Key Rotation at Scale - 1 Goal #1: KMS users design with rotation in mind ● Users choose ○ Frequency of rotation: e.g. every 30 days ○ TTL of cipher text: e.g. 30,90,180 days, 2 years, etc.

  54. Robust Key Rotation at Scale - 1 Goal #1: KMS users design with rotation in mind ● Users choose ○ Frequency of rotation: e.g. every 30 days ○ TTL of cipher text: e.g. 30,90,180 days, 2 years, etc. ● KMS guarantees ‘Safety Condition’ ○ All ciphertext produced within the TTL can be deciphered using a keyset in the KMS.

  55. Robust Key Rotation at Scale - 2 Goal #2: Using multiple key versions is no harder than using a single key

  56. Robust Key Rotation at Scale - 2 Goal #2: Using multiple key versions is no harder than using a single key ● Tightly integrated with Google's standard cryptographic libraries: see Tink

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The secrets revealed by multi-planet systems Rosemary Mardling Monash &amp; Geneva Sunday, 22

The secrets revealed by multi-planet systems Rosemary Mardling Monash &amp; Geneva Sunday, 22

The secrets revealed by multi-planet systems Rosemary Mardling Monash &amp; Geneva Sunday, 22 November 15 Outline What can we learn from planets with companions that we cant learn from single planets? Transiting hot jupiters with

859 views • 59 slides
Whispered Secrets Eleanor McHugh Whispered Secrets @feyeleanor http://leanpub.com/GoNotebook

Whispered Secrets Eleanor McHugh Whispered Secrets @feyeleanor http://leanpub.com/GoNotebook

Whispered Secrets Eleanor McHugh Whispered Secrets @feyeleanor http://leanpub.com/GoNotebook we all have secrets and these secrets matter to us thats what makes them secrets software should keep our secrets some secrets are awful

1k views • 75 slides
own Planet Image Source: NASA What makes a planet a planet? There are 3 rules for a celestial

own Planet Image Source: NASA What makes a planet a planet? There are 3 rules for a celestial

Trio Sci Cymru Design your own Planet Image Source: NASA What makes a planet a planet? There are 3 rules for a celestial object to be classified as a planet 1. It must orbit a star. 2. It must have enough mass that its rounded by its own

338 views • 15 slides
attention on Geoengineering the planet?

attention on Geoengineering the planet?

Has the need for Negative Emissions refocussed attention on Geoengineering the planet? https://www.theguardian.com/environment/2016/nov/04/paris-climate-change-agreement-enters-into-force What is geoengineering? Large scale intervention in

332 views • 8 slides
Presentation Secrets Presentation Secrets Filesize: 9.28 MB Reviews Reviews Just no phrases to

Presentation Secrets Presentation Secrets Filesize: 9.28 MB Reviews Reviews Just no phrases to

NAHPXXJI6KNA Book ^ Presentation Secrets Presentation Secrets Presentation Secrets Filesize: 9.28 MB Reviews Reviews Just no phrases to describe. It typically does not price an excessive amount of. It is extremely difficult to leave it before

260 views • 3 slides
M3 and Prometheus Monitoring at Planet Scale for Everyone Berlin, 2019-11-06 Rob Skillington

M3 and Prometheus Monitoring at Planet Scale for Everyone Berlin, 2019-11-06 Rob Skillington

M3 and Prometheus Monitoring at Planet Scale for Everyone Berlin, 2019-11-06 Rob Skillington &amp; ukasz Szczsny Who are we? Rob Skillington CTO at Chronosphere @robskillington M3DB Creator OpenMetrics Contributor ukasz Szczsny

425 views • 41 slides
Monitoring Cloudflare's planet-scale edge network with Prometheus Matt Bostock @mattbostock

Monitoring Cloudflare's planet-scale edge network with Prometheus Matt Bostock @mattbostock

Monitoring Cloudflare's planet-scale edge network with Prometheus Matt Bostock @mattbostock Platform Operations Prometheus for monitoring Alerting on critical production issues Incident response Post-mortem analysis Metrics, but

819 views • 70 slides
Apache spark on planet scale Denis Chaplygin Software engineer @ Wolt Jan 2020 This

Apache spark on planet scale Denis Chaplygin Software engineer @ Wolt Jan 2020 This

Apache spark on planet scale Denis Chaplygin Software engineer @ Wolt Jan 2020 This presentation is licensed under a Creative Commons Attribution 4.0 International License OpenStreetMap OpenStreetMap (OSM) is a collaborative project to

619 views • 19 slides
Monarch Googles planet-scale streaming monitoring infrastructure. Background Architecture and

Monarch Googles planet-scale streaming monitoring infrastructure. Background Architecture and

Monarch Googles planet-scale streaming monitoring infrastructure. Background Architecture and Data Model Queries Using Monarch Monarch Platform Lessons Learned re: Scaling Monitoring at Google Ref:

854 views • 51 slides
Presentation Secrets Presentation Secrets Filesize: 8.11 MB Reviews Reviews It is really an

Presentation Secrets Presentation Secrets Filesize: 8.11 MB Reviews Reviews It is really an

XUECRQXNRXVS Book Presentation Secrets Presentation Secrets Presentation Secrets Filesize: 8.11 MB Reviews Reviews It is really an remarkable book which i have ever go through. It can be writter in simple terms and not difficult to

343 views • 3 slides
Seven Secrets to Building a Successful Business Introductions The Seven Secrets to Building a

Seven Secrets to Building a Successful Business Introductions The Seven Secrets to Building a

Seven Secrets to Building a Successful Business Introductions The Seven Secrets to Building a Successful Business The Essential Tools Incredible Offer!!! Todays Agenda Just for attending you get Copy of the Presentation Link to the

698 views • 56 slides
Presentation Secrets Presentation Secrets Filesize: 3.61 MB Reviews Reviews This is basically

Presentation Secrets Presentation Secrets Filesize: 3.61 MB Reviews Reviews This is basically

NHHOGOEDX28F PDF Presentation Secrets Presentation Secrets Presentation Secrets Filesize: 3.61 MB Reviews Reviews This is basically the greatest pdf i have got go through right up until now. It normally fails to cost excessive. Once you

397 views • 3 slides
There is no Planet B. We only have one Earth. We only get one chance. We need to keep in

There is no Planet B. We only have one Earth. We only get one chance. We need to keep in

There is no Planet B. We only have one Earth. We only get one chance. We need to keep in mind the nature of our larger problem. https://environmentaljusticetv.wordpress.com/2012/08/16/people- Tim Weiskel - 2 and-planet-speech-only/

839 views • 59 slides
Planet 13 Holdings Inc. Corporate Presentation Planet 13 Holdings Inc. 1 1 September 2018

Planet 13 Holdings Inc. Corporate Presentation Planet 13 Holdings Inc. 1 1 September 2018

Planet 13 Holdings Inc. Corporate Presentation Planet 13 Holdings Inc. 1 1 September 2018 DISCLAIMER This confidential presentation has been prepared by Planet 13 Holdings Inc. (Planet 13 Holdings or the Company) solely fo r

430 views • 17 slides
1 Secrets to Successful Retreat Planning Your Questions/Goals What are some of your best camp

1 Secrets to Successful Retreat Planning Your Questions/Goals What are some of your best camp

Welcome Secrets to Successful Retreat Planning Secrets to Successful Retreat Planning Be still and know that I am God Psalm 46:10 Secrets to Successful Retreat Planning Welcome Introduction (Leave w/everything you need to create your

465 views • 12 slides
Welcome! Developed by the PLANET MassCONECT Team, 2018 Funded by NCI (U54 CA156732) PLANET

Welcome! Developed by the PLANET MassCONECT Team, 2018 Funded by NCI (U54 CA156732) PLANET

Welcome! Developed by the PLANET MassCONECT Team, 2018 Funded by NCI (U54 CA156732) PLANET MassCONECT U54 Outreach Core of the U54 Partnership What we ask Training Engagement Toolkit Surveys Technical assistance What we provide Online

767 views • 51 slides
Stateful access control using LSM CS547 Thomas Uphill Stateful access cont rol using LSM 11

Stateful access control using LSM CS547 Thomas Uphill Stateful access cont rol using LSM 11

Stateful access control using LSM CS547 Thomas Uphill Stateful access cont rol using LSM 11 December 2007 1 Why? Maintaining state allows for decisions to be made based on runtime conditions. State based policy can be more concise

576 views • 18 slides
Amazon Confidential 7/11/2019 Amazon Confidential Security | Accurate Delivery | Cost Savings

Amazon Confidential 7/11/2019 Amazon Confidential Security | Accurate Delivery | Cost Savings

Amazon Confidential 7/11/2019 Amazon Confidential Security | Accurate Delivery | Cost Savings Increase Building Security Improperly delivered packages are at risk for theft. Drafting of residents through gates and doors cannot be

376 views • 13 slides
Oracle Buys Secerno Adds Heterogeneous Database Firewall to Oracles Industry-Leading Database

Oracle Buys Secerno Adds Heterogeneous Database Firewall to Oracles Industry-Leading Database

Oracle Buys Secerno Adds Heterogeneous Database Firewall to Oracles Industry-Leading Database Security Solutions June 21, 2010 Oracle is currently reviewing the existing Secernos product roadmap and will be providing guidance to customers

512 views • 10 slides
P trt t t

P trt t t

t Pr r P trt t t

793 views • 36 slides
Warm Welcome Presentation Agenda COSEC Access Control Applications COSEC Solution

Warm Welcome Presentation Agenda COSEC Access Control Applications COSEC Solution

Warm Welcome Presentation Agenda COSEC Access Control Applications COSEC Solution Key Features Advanced Access Control Emergency Handling Monitoring and Controlling Hardware Access Control Reports and Features

1.3k views • 77 slides
Computer Security Summer Scholars 2014 MaF Vander Werf 1

Computer Security Summer Scholars 2014 MaF Vander Werf 1

Computer Security Summer Scholars 2014 MaF Vander Werf 1 Center For Research Compu1ng (CRC), University of Notre Dame, Indiana Security in HPC

265 views • 22 slides
How Fijoport works. Contents. About Fijoport. How it works. Fijoport for security. About

How Fijoport works. Contents. About Fijoport. How it works. Fijoport for security. About

How Fijoport works. Contents. About Fijoport. How it works. Fijoport for security. About Fijoport. Fijoport gives you remote access to equipment management and control over a secure IP network. No unnecessary call-outs. Simple to install.

264 views • 8 slides
CIS Controls, the Building Blocks of Organizational Cybersecurity Independent Bankers of Colorado

CIS Controls, the Building Blocks of Organizational Cybersecurity Independent Bankers of Colorado

1 CIS Controls, the Building Blocks of Organizational Cybersecurity Independent Bankers of Colorado Convention 2019 2 TODAYS PRESENTER RACHAEL SCHWARTZ Rachael has been an IT consultant for financial firms for more than 9 years. Prior to

658 views • 20 slides

More recommend