This talk is about the creation of a new security tool, Red October. Red October can be used to enforce the two-person rule for access to critical data, helping keep company data protected from insider threats.
The security industry tends to be less open about the details of how their software works than other parts of the software industry. This project was created to tackle the practical challenges of traditional security compliance, but inspired by an open source mentality. By taking a vague set of regulatory requirements we devised a user-friendly tool that solves a broader problem that is an issue for many small organizations.
This talk will teach people about cryptography and division of responsibility in key management, a very important consideration when moving a business to the cloud. It will also help show where to draw the line between using existing cryptographic and security mechanisms, and building your own.
11. Threats to secrets
• Insider threat — don’t trust access control
!
• Insecure build machine
• Insecure production environment
• Binary disclosure
11
12. Suggestions from compliance
• PCI DSS requirement 3.5.2
• Encrypt them with a key-encrypting key that is at least as strong as the data-encrypting key and
stored in a separate location
• Store them within a secure cryptographic device
• Store them in two pieces
12
13. Improving the secret management
• Encrypt with PGP
• Check into SCM
!
• Problem: single admin can walk off with secrets
13
15. Improving the secret management
• Double-encrypt
• Two engineers need to PGP decrypt secret
!
!
• Hard to use in practice: no remote PGP decrypt
• PGP/GnuPG not the right tool for the job
15
25. Passwords are fundamental
25
• In login: hashed+salted passwords are compared
• In Red October: hashed+salted passwords are the key
!
• Server can’t decrypt secrets without password
26. Usage
26
• Run Red October
• pick a port
• use a TLS certificate + key
• JSON API or Web interface
• Create admin account
• Create user accounts
27. Usage
27
• Encrypt data to a set of users
• only needs public key
• Users delegate their key for time or number of usages
• Admins can decrypt if enough users are delegated
30. Why is this in Go?
And how does the code work?
30
31. Why Go?
31
• easy and fun to write
• JSON serialization a snap
• simple to set up TLS 1.2 server
• simple to make servers multi-threaded
• crypto baked in
• simplified deployment
32. Golang features used
32
• Structs are serialized and deserialized to JSON automatically
• Caps means public, missing means native zero
• json.Marshal
type delegate struct {!
! Name string!
! Password string!
!
! Time string!
Uses int!
admin bool!
}
{“Name":"Bob",!
“Password":"Rob",!
“Time":"2h",!
"Uses":1}
33. Golang features used
33
• Built in TLS support (tls.NewListener)
config := tls.Config{!
Certificates: []tls.Certificate{cert},!
Rand: rand.Reader,!
PreferServerCipherSuites: true,!
SessionTicketsDisabled: true,!
}!
!
!
lstnr := tls.NewListener(conn, &config)
34. Golang features used
34
• goroutines and channels for multi-processor support
runtime.GOMAXPROCS(runtime.NumCPU())!
!
process := make(chan userRequest)!
go func() {!
for {!
req := <-process!
if f, ok := functions[req.rt]; ok {!
r, err := f(req.in)!
if err == nil {!
req.resp <- r!
} else {!
log.Printf("Error handling %s: %sn", req.rt, err)!
}
35. Golang features used
35
• go crypto
• Support for RSA, AES, ECC, HMAC in standard library
// encrypt!
aesSession, err := aes.NewCipher(aesKey)!
if err != nil {!
return!
}!
out = make([]byte, 16)!
aesSession.Encrypt(out, in)
37. Code Structure
37
• cryptor: encryption and decryption of data
• keycache: storage of live encryption/decryption keys
• passvault: management of disk vault
• core: API interface
• redoctober: https server
38. Who uses it?
38
• TheGoodData (https://thegooddata.org:81)
• U.S. Navy
• More people and projects (let me know!)
41. Current Implementation Drawbacks
41
• 2 of m only
• No two-factor auth, or key-based authentication (like ssh)
• Awkward workflow
• No delegation granularity
• No secure hardware support
43. 2 of m only
43
• Adding support for Shamir’s scheme
44. Key-based authentication
44
• Add support for PGP-based replacement of passwords
• Sign a challenge instead of providing a password
45. Awkward workflow
45
• Delegation has to happen before build — bad workflow
!
• New push-based system
• Decryption request triggers push notification to file owners
• Delegation request in a mobile app or email
• Details visible to delegators
46. Granularity of delegation
46
• All-or-nothing right now, good for one secret per server
• Only admins can encrypt/decrypt
!
• Delegators can choose which users can decrypt which files
49. Conclusions
49
• Does this solve the insider threat?
!
• Red October server does not get secrets without passwords
• Admin of build machine gets temporary access — automate secret
deletion?
• Who created the secret in the first place?
• What about build artifacts or binary disassembly?
50. Open Questions
50
• How to securely create secrets
• Secure multi-party computation?
• How to adapt Red October to other types of services
• API keys
• SSL private keys
51. Red October
Implementing the Two-man Rule for Keeping Secrets
July 23, 2014
!
Nick Sullivan
@grittygrease
github.com/cloudflare/redoctober