The document summarizes security best practices presented in a tech talk at Stanford ACM. It discusses TrialPay's service overview, basics of securing data and systems, implementing two-factor authentication for VPN and SSH access, and best practices for securing credit card data in a vault. The presentation covers password security, encrypting sensitive data, access controls, backups, and other techniques for protecting online systems and user information.
2. Agenda
• TrialPay Overview
• Securing Your Startup: Basics
• Two-Factor Authentication for VPN
• Two-Factor Authentication for SSHD
• Credit Card Vault
All Rights Reserved | Copyright 2011 2
3. TrialPay is a transactional advertising company
TrialPay presents consumers with relevant promotions before, during, and after
transactions -- creating a network that allows our clients to gain access to millions of
new customers and monetize their current visitors more effectively
All Rights Reserved | Copyright 2011 3
4. Tracking online promotions to sales in-store via card-loaded offers
1 Promotion 2 Tracking 3 Purchase 4 Reward
Promote offline offers: Users activate online: Track offline: Offer Reward user: We credit
Offers promoted across Users activate offers by redemptions tracked in- user with their reward
the web, mobile, & social submitting credit or debit store via registered card (e.g. statement
media (incl. TrialPay card to attribute online source credit, virtual currency, gift
network of 300M+ users) card) upon offer
completion
All Rights Reserved | Copyright 2011 4
6. Agenda
• TrialPay Overview
• Securing Your Data: Basics
• Two-Factor Authentication for VPN
• Two-Factor Authentication for SSHD
• Credit Card Vault
All Rights Reserved | Copyright 2011 6
7. Getting Started
• Google Apps Two-Factor Authentication (2FA)
• Amazon Web Services 2FA and ACLs
• Secure Wireless Network – per-user certs
• HTTPS for everything
All Rights Reserved | Copyright 2011 7
8. Passwords
Reference: http://xkcd.com/936/
All Rights Reserved | Copyright 2011
9. Passwords (cont’d)
• 14-character password minimums, but more never hurts!
• Basic GPU can crack 16B passwords per second
• Make sure shadow files are configured correctly (e.g. crypt-sha512, not default
DES or md5, 50K rounds)
• GOOD:
$6$rounds=50000$usesomesillystri$D4IrlXatmP7rx3P3InaxBeoomnAihCKRVQP22JZ6E
Y47Wc6BkroIuUUBOov1i.S5KPgErtP/EN5mcO.ChWQW21
• BAD: $1$DaqXb3sb$m84WH8wkxBVl2WvZQboia.:13530:0:99999:7:::
All Rights Reserved | Copyright 2011 9
10. Agenda
• TrialPay Overview
• Securing Your Data: Basics
• Two-Factor Authentication for VPN
• Two-Factor Authentication for SSHD
• Credit Card Vault
All Rights Reserved | Copyright 2011 10
11. 2FA for VPN – Standard VPN Login
1) Connect to VPN Client 2) Enter Credentials
3) VPN Device 4) Inside the VPN!
Authenticates
All Rights Reserved | Copyright 2011 11
12. 2FA for VPN – Traditional 2FA
• Traditional solutions use tokens (hardware, Google Authenticator, text messages)
• Unintuitive input of token (concatenate with password)
• IT burden
• Hassle for end-user accessing VPN multiple times per day
• Wouldn’t it be nice to leverage existing security mechanism?
All Rights Reserved | Copyright 2011 12
13. 2FA for VPN – Enter Google Apps!
• User 1-click visits a Google App Engine hosted site https://xxxxxxxx.trialpay.com
which auto-logs you in on browsers where you already read your Google Apps
email.
• This page just shows a 60 second timer for the user to complete the rest of the
VPN login process.
All Rights Reserved | Copyright 2011 13
14. 2FA for VPN – Technical Details
• Google App Engine – python script to get username from Google Apps and
create 60-second memcache key
• Auth Server – add Perl script to authorize with Google App Engine site
• Reference: http://enginerds.trialpay.com/2013/01/08/leveraging-google-apps-email-to-set-up-two-factor-authentication
All Rights Reserved | Copyright 2011 14
15. Agenda
• TrialPay Overview
• Securing Your Data: Basics
• Two-Factor Authentication for VPN
• Two-Factor Authentication for SSHD
• Credit Card Vault
All Rights Reserved | Copyright 2011 15
16. 2FA for SSHD – Background
• For bastion / entrypoint servers into network, passwords by themselves are
insufficient
• Tokens are viable, but introduce complexity / hassle
• SSH keys are convenient for developers
• Passphrase-protected SSH keys are encouraged and can suffice for 2FA, but SSHD
cannot enforce passphrase-usage
• SSHD supports multiple authentication schemes, but they cannot be enforced
simultaneously
All Rights Reserved | Copyright 2011 16
17. 2FA for SSHD – ForceCommand to the rescue!
• /etc/ssh/sshd_config
• sshd_gatekeeper.sh
• IP whitelisting
• Send intrusion alerts
• Don’t forget to actually check the password!
• Reference: http://enginerds.trialpay.com/2012/07/24/dual-factor-authentication-for-sshd/
All Rights Reserved | Copyright 2011 17
18. Agenda
• TrialPay Overview
• Securing Your Data: Basics
• Two-Factor Authentication for VPN
• Two-Factor Authentication for SSHD
• Credit Card Vault
All Rights Reserved | Copyright 2011 18
19. Credit Card Vault
• Best practice is to insulate sensitive credit card data from rest of system in a
secure “vault”
• Vault has two major services: tokenizer and proxy
All Rights Reserved | Copyright 2011 19
20. Credit Card Vault – Tokenizer
1 Browser 2
App server Vault
CC #
4 CVV 3
submit
1. HTML form is served from App server
2. The information provided by the user is sent directly to the vault by
the browser (running JavaScript code from App)
3. The vault issues a token that maps to the credit card number
4. The browser sends the token and other non-sensitive information to
App server
All Rights Reserved | Copyright 2011
21. Credit Card Vault – API request proxy
1 2
3rd party
App server Vault
i.e. Visa
4 3
• This assumes that 3rd party service’s API is HTTP based
• Vault acts as a HTTP proxy with token to CC number translation
1. App server sends a HTTP request via Vault
GET /auth?cc=token:1234&amount=4.00
Host: api.visa.com
2. Vault substitutes token:1234 with real CC number and relays the request to Visa
GET /auth?cc=4444000012344321&amount=4.00
Host: api.visa.com
3. Visa processes the transaction and responds with a transaction id
4. Vault passes Visa’s response back to app
All Rights Reserved | Copyright 2011
22. Credit Card Vault – Key Encryption
• Encrypt cardholder data using highest-grade standards (e.g. AES-256)
• Standard mechanism is to use a global key
• But what if key is compromised?
• Instead take a multi-layer approach
• Master key + per-card key
• Cardholder data stored in one DB
• Per-card keys stored in another DB (and managed by a separate team)
All Rights Reserved | Copyright 2011 22
23. Credit Card Vault – Token Generation
• Token = 64-bit unique id, maps to cardholder data
• Exposing last 4 CC digits in app is common use case, try encoding into token, e.g.
• Token: 1304274640000970420
• Last 4: 0742
• Even though cardholder data cannot be reverse engineered based on token,
better safe than sorry! Encrypt token in response back to app server.
• payload = {“token” => “1234”, “info1” => “abc”, “info2” => “def”}
• message = {“payload” => aes_encrypt(payload), “aes_iv” => “09...AF” }
• output(json_encode(message))
All Rights Reserved | Copyright 2011 23
24. Credit Card Vault – Other things to consider
• 2FA to physically access datacenter (password + handscan)
• Additional firewall layer in front of CC Vault
• Backups stored remotely for disaster recovery
All Rights Reserved | Copyright 2011 24
25. Thank You!
• We’re Hiring!
• Eddie Lim (eddie@trialpay.com)
All Rights Reserved | Copyright 2011 25