No more (unsecure) secrets, Marty
18h20 - 18h50 - Room Miles Davis A

Mathias Herberts
Disruptive Engineer – Crédit Mutuel Arkéa
@herberts

27 to 29 March 2013
Do any of these look familiar?

SecretConstants.java

public class SecretConstants {

    /**
     * Database User
     */
    public static final String USER = "foo";

    /**
     * Database Password
     */
    public static final String PASSWORD = "bar";

}

secrets.properties

user = foo
password = bar

secrets.xml

<secret>
  <user>foo</user>
  <password>bar</password>
</secret>

secrets.yaml

secret:
  user:     foo
  password: bar

…
Or maybe one of these?

SuperStrongCryptoConfig.java

public class SuperStrongCryptoConfig {

    /**
     * Encrypted User Name
     */
    public static final byte[] USER = { 0x33, 0x3a, 0x3a };

    /**
     * Encryption key
     */
    private static final byte KEY = 0x55;

    //
    // Decrypt the User Name using advanced crypto
    // (XOR with a constant that ships in the same class: obfuscation, not encryption)
    //

    static {
      for (int i = 0; i < USER.length; i++) {
        USER[i] = (byte) ((USER[i] ^ KEY) & 0xff);
      }
    }
}

Use environment variables

export PASSWORD='foo'
java -jar app.jar

advanced spying tools:

ps -H e (ps -E)
cat /proc/xxxx/environ

Use system properties

java -Dpassword=foo -jar app.jar

more advanced spying tools:

ps
cat /proc/xxxx/cmdline

…
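The two "spying tools" above, driven from Python, as an added example that is not part of the talk or of the OSS project. It starts a child process the way the slide's application is started (PASSWORD in its environment and -Dpassword=… on its command line) and reads the secret straight back out of /proc/<pid>/environ and /proc/<pid>/cmdline, the two files `ps e` and `ps` read. Assumptions: Linux with a readable /proc (elsewhere, or where /proc is restricted with hidepid, spy_on_child() returns None), a sleeping Python child standing in for `java -jar app.jar`, and a made-up secret value.

```python
# Added example, not from the talk: the "advanced spying tools" of the slide driven from
# Python. A child is started the way the slide's app is (PASSWORD in its environment and
# -Dpassword=... on its command line) and the secret is read straight back out of
# /proc/<pid>/environ and /proc/<pid>/cmdline, the same two files `ps e` and `ps` read.
# Any process with the same uid, and root, can open them. Assumptions: Linux with a
# readable /proc (elsewhere, or with hidepid, spy_on_child() returns None), and a
# sleeping Python child standing in for `java -jar app.jar`.
import os
import subprocess
import sys
import time


def _proc_entries(pid, name):
    """NUL-separated entries of /proc/<pid>/<name>, or None if the file cannot be read."""
    try:
        with open("/proc/%d/%s" % (pid, name), "rb") as f:
            raw = f.read()
    except OSError:
        return None
    return [e.decode("utf-8", "replace") for e in raw.split(b"\0") if e]


def environ_of(pid):
    """Another process's environment, as `ps e` / `cat /proc/<pid>/environ` show it."""
    entries = _proc_entries(pid, "environ")
    if entries is None:
        return None
    return dict(e.split("=", 1) for e in entries if "=" in e)


def cmdline_of(pid):
    """Another process's argv, as `ps` / `cat /proc/<pid>/cmdline` show it."""
    return _proc_entries(pid, "cmdline")


def spy_on_child(secret="foo", timeout=5.0):
    """Start a child holding `secret` both ways, then lift it out of /proc.

    Returns {"environ": <value>, "cmdline": <value>}, or None when /proc is unavailable.
    """
    if not os.path.isdir("/proc"):
        return None
    env = dict(os.environ, PASSWORD=secret)                        # export PASSWORD='foo'
    argv = [sys.executable, "-c", "import time; time.sleep(30)",   # stands in for java -jar app.jar
            "-Dpassword=%s" % secret]                               # java -Dpassword=foo ...
    child = subprocess.Popen(argv, env=env)
    try:
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            env_seen = environ_of(child.pid)
            argv_seen = cmdline_of(child.pid)
            if env_seen is None or argv_seen is None:
                return None                                    # /proc restricted for us
            # Until the child has exec'd, /proc still shows the parent's environ/argv.
            if (env_seen.get("PASSWORD") == secret and argv_seen
                    and argv_seen[-1].startswith("-Dpassword=")):
                return {"environ": env_seen["PASSWORD"],
                        "cmdline": argv_seen[-1].split("=", 1)[1]}
            time.sleep(0.01)
        return None
    finally:
        child.kill()
        child.wait()


if __name__ == "__main__":
    print(spy_on_child("hunter2"))   # on Linux: {'environ': 'hunter2', 'cmdline': 'hunter2'}
```

Nothing here needs privileges beyond those of the user running the application: the same uid is enough, which is exactly the position of any other service, build agent or compromised process on the box. That is the point the rest of the talk addresses by never giving the application the secret in a form that sits in its environment or argv.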
Demo #1 – OSS Initialization

GenMasterSecret

       Offline operation
       Generate master key
       Split key using an N / K Shamir sharing scheme: N shares, any K of which reconstruct the key, fewer reveal nothing about it
       Each share is GPG-encrypted to one of the N custodian key IDs (the secops.gpg keyring and ID1,...,IDN in the command below)

Init

       Online operation
       Needs an SSH key specified in oss.init.sshkeys loaded in the SSH agent
       Send K shares of master key to OSS instance (one request per share, each share decrypted with gpg -d first)
          <WRAPPED(<TS><SHARE><SSH SIGNING KEY BLOB><SSH SIGNATURE BLOB>)><SEALED WRAPPING KEY>

       OSS instance reassembles shares into master key
Demo #1 – OSS Initialization

 #
 # Generate Master Secret (do it once)
 #

 java -cp build/libs/oss-client.jar com.geoxp.oss.client.OSSGenMasterSecret secops.gpg ID1,...,IDN K

 #
 # Launch OSS (in production, run it in your webapp container of choice)
 # Check logs for session RSA public key (-Doss.rsa=......:...)
 #

 gradle -Doss.init.sshkeys=...
        -Doss.gensecret.sshkeys=...
        -Doss.acl.sshkeys=...
        -Doss.keystore.dir=... jettyRun

 #
 # Send K parts to OSS (need to have authorized SSH keys loaded in SSH agent)
 #

 gpg -d share-1 | java -Doss.rsa=......:...
                       -cp build/libs/oss-client.jar
                       com.geoxp.oss.client.OSSInit http://127.0.0.1:8080/oss

 ...

 gpg -d share-K | java -Doss.rsa=......:...
                       -cp build/libs/oss-client.jar
                       com.geoxp.oss.client.OSSInit http://127.0.0.1:8080/oss
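The split-and-reassemble scheme behind GenMasterSecret and Init, as an added example that is not code from the OSS project: K-of-N Shamir sharing of a master key over a prime field, with reassembly by Lagrange interpolation from any K shares. Assumptions: a 256-bit master key (the size is not stated on the slides), the field prime 2**521 - 1 chosen here, and no GPG step (OSS encrypts each share to a custodian's GPG key; this example only does the arithmetic).

```python
# Added example, not code from the OSS project: K-of-N Shamir sharing of a master key,
# the scheme GenMasterSecret uses to split the key among custodians and Init uses to
# reassemble it. Assumptions: a 256-bit master key, and arithmetic over GF(p) with
# p = 2**521 - 1 (a Mersenne prime, so any 256-bit value fits). OSS also GPG-encrypts
# each share to one custodian before handing it out; that step is not reproduced here.
import itertools
import secrets

PRIME = 2 ** 521 - 1      # M521, prime and far above 2**256
MASTER_KEY_BYTES = 32     # assumed master key size: 256 bits


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coeffs[0] is the constant term) at x, mod PRIME, by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, n, k):
    """GenMasterSecret: split `secret` (bytes) into n shares, any k of which recover it.

    Share i is the point (i, f(i)) on a random polynomial f of degree k-1 whose constant
    term f(0) is the secret. Any k points fix f; k-1 points are consistent with every
    possible f(0), so they reveal nothing.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= K <= N")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret does not fit in the field")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def _interpolate_at_zero(shares):
    """Lagrange interpolation: f(0) = sum_i y_i * prod_{j != i} (0 - x_j) / (x_i - x_j)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    acc = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        acc = (acc + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME   # Fermat inverse
    return acc


def recover_secret(shares, length=MASTER_KEY_BYTES):
    """Init: reassemble the master key from the shares received.

    Interpolation always yields *some* field element; with too few shares it is a random
    one, which is what the size check below catches. The threshold itself must be
    enforced by whoever collects the shares: this check is a sanity test, not a proof.
    """
    value = _interpolate_at_zero(shares)
    if value >= 1 << (8 * length):
        raise ValueError("too few (or corrupted) shares: result is not a valid key")
    return value.to_bytes(length, "big")


def every_k_subset_recovers(shares, k, secret):
    """True if *every* choice of k custodians reassembles the same key."""
    return all(recover_secret(list(sub), len(secret)) == secret
               for sub in itertools.combinations(shares, k))


def demo(n=5, k=3):
    """Offline split, then an Init with a random quorum of K custodians; K-1 must fail."""
    master = secrets.token_bytes(MASTER_KEY_BYTES)
    shares = split_secret(master, n, k)                 # one share per custodian
    quorum = secrets.SystemRandom().sample(shares, k)   # any K of them turn up
    try:
        too_few_worked = recover_secret(shares[:k - 1]) == master
    except ValueError:
        too_few_worked = False
    return recover_secret(quorum) == master and not too_few_worked


if __name__ == "__main__":
    print("3-of-5 demo OK:", demo(5, 3))
```

The security property worth checking for yourself is the one in split_secret's docstring: run every_k_subset_recovers with k-1 instead of k and it raises or returns False for every subset, because k-1 points on a degree k-1 polynomial leave f(0) uniformly undetermined. This is why the shares can sit, GPG-encrypted, with N different people and why the master key never has to exist on disk anywhere.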
Demo #2 – OSS Secret Generation

GenSecret

     Online operation
     Needs an SSH key specified in oss.gensecret.sshkeys loaded in the SSH agent
     Send secret name to OSS instance
        <TS><SECRET NAME><SSH SIGNING KEY BLOB><SSH SIGNATURE BLOB>

     Generate 256 random bits
     Encrypt random bits using OSS Master Key
     Store blob under oss.keystore.dir (in a .secret file, converting each dot in the name to a path separator); only the master-key-encrypted blob touches disk
Demo #2 – OSS Secret Generation

 #
 # Generate Secret named 'devoxx.secret1'
 #

 java -cp build/libs/oss-client.jar com.geoxp.oss.client.OSSGenSecret devoxx.secret1

 #
 # Secret file under oss.keystore.dir
 #

 find oss.keystore.dir -type f

 oss.keystore.dir/devoxx/secret1.secret
Demo #3 – Modify ACLs for secret

{Add,Remove}ACL

     Online operation
     Needs an SSH key specified in oss.acl.sshkeys loaded in the SSH agent
     Send secret name and the SSH key fingerprints to add to / remove from the ACL to OSS instance
        WRAPPED<<TS><<SECRET NAME> <FPR1>...<FPRN>> <SSH SIGNING KEY BLOB><SSH SIGNATURE BLOB>> <SEALED WRAPPING KEY>

     OSS instance checks SSH signing key
     OSS instance updates ACL file (.acl file at same level as .secret file)
Demo #3 – Modify ACLs for secret

 #
 # Add ACL for devoxx.secret1
 #

 SSH_FINGERPRINT=2a:e8:a3:c1:e7:89:e3:84:ba:7e:46:3a:0c:24:aa:09
 java -cp build/libs/oss-client.jar com.geoxp.oss.client.OSSAddACL URL devoxx.secret1 ${SSH_FINGERPRINT}

 #
 # ACL file under oss.keystore.dir
 #

 find oss.keystore.dir -type f

 oss.keystore.dir/devoxx/secret1.acl
 oss.keystore.dir/devoxx/secret1.secret

 #
 # Retrieve ACL
 #

 java -cp build/libs/oss-client.jar com.geoxp.oss.client.OSSGetACL URL devoxx.secret1

 [devoxx.secret1]
   2a:e8:a3:c1:e7:89:e3:84:ba:7e:46:3a:0c:24:aa:09:
Demo #4 – Retrieve secret

GetSecret

     Online operation
     Needs an SSH key listed in the secret's ACL file loaded in the SSH agent
     Send secret name and a temporary RSA public key to OSS instance
        <TS><<SECRET NAME> <RSA PUBLIC KEY>> <SSH SIGNING KEY BLOB><SSH SIGNATURE BLOB>

     OSS instance checks SSH signing key against secret ACL
     OSS instance reads secret from .secret file
     OSS instance unwraps secret using its Master Key
     OSS instance wraps secret using a random AES key, seals that key to the client's temporary RSA public key and sends the response to the client

        <WRAPPED SECRET><SEALED WRAPPING KEY>

     Only the holder of the temporary RSA private key can open the response, so the secret never travels in clear
Demo #4 – Retrieve secret

 #
 # Retrieve Secret
 #

 java -cp build/libs/oss-client.jar com.geoxp.oss.client.OSSGetSecret URL devoxx.secret1

 Secret = e1c5129baeb0454588ebeda7a3742a7a3678aabcaa0cd390
Demo #5 – Wrap secret data

Wrap

       Online operation
       Needs an SSH key listed in the secret's ACL file loaded in the SSH agent
       Retrieve secret (cf GetSecret)
       Wrap data read on stdin using the secret, prefixed with a random 8-byte nonce so that wrapping the same data twice yields different blobs
Demo #5 – Wrap secret data

 #
 # Wrap data using secret
 #

 echo -n "Hello Devoxx" | java -cp build/libs/oss-client.jar com.geoxp.oss.client.OSSWrap URL devoxx.secret1

 Wrapped (8 bytes nonce prefix) = 8476e13e2254e7d276b3dc1616aaa794bdd69cd5916f528cebd6c3527663642f
Demo #6 – No more unsecure secrets

import org.apache.commons.codec.binary.Hex;

import com.geoxp.oss.CryptoHelper;
import com.geoxp.oss.client.OSSClient;


public class NoMoreUnsecureSecretsMarty {

    // System property carrying the OSS URL (-Doss.url=http://127.0.0.1:8080/oss)
    private static final String OSS_URL = "oss.url";
    private static final String OSS_SECRET = "devoxx.secret1";

    // Blob produced by OSSWrap in Demo #5. Shipping it in code or config is fine:
    // it only opens for a caller whose SSH key is on the ACL of devoxx.secret1.
    private static final String SECRET_DATA = "8476e13e2254e7d276b3dc1616aaa794bdd69cd5916f528cebd6c3527663642f";

    public static void main(String[] args) throws Exception {
      // Authenticate to OSS with the SSH key loaded in the agent and fetch the 256-bit secret
      byte[] secret = OSSClient.getSecret(System.getProperty(OSS_URL), OSS_SECRET, null);
      // Unwrap the blob locally with that secret: recovers the data wrapped in Demo #5
      byte[] blob = CryptoHelper.unwrapBlob(secret, Hex.decodeHex(SECRET_DATA.toCharArray()));

      System.out.println(new String(blob, "UTF-8"));
    }
}