encryption without magic risk management without pain
play

ENCRYPTION WITHOUT MAGIC, RISK MANAGEMENT WITHOUT PAIN - PowerPoint PPT Presentation

Nov 12, 2023 •325 likes •1.03k views

ENCRYPTION WITHOUT MAGIC, RISK MANAGEMENT WITHOUT PAIN #qconlondon @vixentael @vixentael Product Engineer Feel free to reach me with security questions. I do check my inbox :) CRYPTOGRAPHY? Blowfish Twofish Rabbit Salsa20 AES OFB

  1. ENCRYPTION WITHOUT MAGIC, RISK MANAGEMENT WITHOUT PAIN #qconlondon @vixentael

  3. @vixentael Product Engineer Feel free to reach me with security questions. I do check my inbox :)

  4. CRYPTOGRAPHY?

  5. Blowfish Twofish Rabbit Salsa20 AES OFB SEED CRYPTOGRAPHY? CFB RSA DSS DES ECDSA Camelia SEAL DSA CBC 3DES SHARK RC4 CTR ECB #qconlondon @vixentael

  6. Blowfish Twofish MD5 Rabbit Salsa20 AES OFB SEED CRYPTOGRAPHY? SHA1 CFB RSA DSS DES ECDSA Camelia SEAL SHA3 DSA CBC 3DES SHARK RC4 CTR ECB #qconlondon @vixentael

  7. CRYPTOGRAPHY key management algorithms public key validity elliptic curves storing secrets cool, but… #qconlondon @vixentael

  8. crypto is not a but a method to manage the attack surface #qconlondon @vixentael

  9. ATTACK SURFACE – all the possible places where sensitive data may be stolen by adversary #qconlondon @vixentael https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet

  10. it’s easier to monitor the suspicious behavior in a small place #qconlondon @vixentael

  11. HANDLING SECRET DATA WITH CARE avoid plain text as possible manage keys properly decrease time of plaintext secrets in memory log, monitor and inspect #qconlondon @vixentael

  12. – HOW TO MANAGE THE ATTACK SURFACE OF MY DATA?

  13. symmetric encryption with poor key management one container one key #qconlondon @vixentael

  14. symmetric encryption with poor key management one container one key attack surface key leaked is arbitrary → data leaked #qconlondon @vixentael

  15. WHAT IS A CRYPTO-SYSTEM #qconlondon @vixentael https://en.wikipedia.org/wiki/Cryptosystem

  16. KEY AND TRUST MANAGEMENT SHOULD REFLECT YOUR SYSTEM #qconlondon @vixentael

  17. MESSAGING #qconlondon @vixentael https://core.telegram.org/api/end-to-end

  18. GOOD MESSAGING IS E2EE …but your infrastructures are not only for messaging #qconlondon @vixentael

  19. NAIVE DATABASE ENCRYPTION attack surface is almost everywhere #qconlondon @vixentael

  20. NARROWING ATTACK SURFACE middleware-side encryption client-side encryption #qconlondon @vixentael

  22. MIDDLEWARE-SIDE ENCRYPTION

  23. REAL-WORLD WEB SERVER XSS reflection attacks MitM SQL injections code injections crypto-miners everywhere execution flow attacks #qconlondon @vixentael

  24. REAL-WORLD WEB SERVER ATTACK SURFACE IS EVERYWHERE :( monitor everything #qconlondon @vixentael

  25. TRY SYMMETRIC ENCRYPTION? encrypt/decrypt data using symm key #qconlondon @vixentael

  26. TRY SYMMETRIC ENCRYPTION? encrypt/decrypt data using symm key easy to steal a key https://www.alibabacloud.com/ help/faq-detail/37505.htm #qconlondon @vixentael

  27. ASYMMETRIC ENCRYPTION wrapped data = Enc(data, random symm key) container = Enc(wrapped data, PKweb, PubKtds) #qconlondon @vixentael

  28. ASYMMETRIC ENCRYPTION wrapped data = Enc(data, random symm key) PubKey of ‘trusted container = Enc(wrapped decryption service’ data, PKweb, PubKtds) #qconlondon @vixentael

  29. TRUSTED DECRYPTION SERVICE decrypts data wrapped_data = Dec(container, PKtds, PubKweb) data = Dec(wrapped_data, random symm key) #qconlondon @vixentael

  30. SEPARATION OF DUTIES no decryption trusted element in keys infrastructure monitor & log #qconlondon @vixentael

  31. TRUSTED DECRYPTION SERVICE NARROWED ATTACK SURFACE #qconlondon @vixentael

  32. monitor decryption proxy monitor everything #qconlondon @vixentael

  33. WHERE TO USE THIS TECHNIQUE? micro-services infrastructure public-oriented interfaces non trusted client side (browsers, IoT devices) hard to store keys securely #qconlondon @vixentael

  34. HOW TO IMPLEMENT? ACRA HEXATIER https://github.com/cossacklabs/acra http://www.hexatier.com/ ORACLE DATABASE GREEN SQL FIREWALL / TDE https://github.com/larskanis/greensql-fw http://www.oracle.com/ #qconlondon @vixentael

  36. CLIENT-SIDE ENCRYPTION

  37. MOVE TRUST TO CLIENTS trusted element in infrastructure session hijacking MitM unattended backups replay attacks misconfigured ACL #qconlondon @vixentael

  38. P2P TRUST user-generated keys system doesn’t know encrypted containers anything about data #qconlondon @vixentael

  39. ZERO KNOWLEDGE ARCHITECTURES #qconlondon @vixentael

  40. ZKA is a design principle that enables software to provide services over protected client data without having an unencrypted access to it. #qconlondon @vixentael

  41. ZKA INCLUDES: e2ee clients #qconlondon @vixentael

  42. ZKA INCLUDES: e2ee clients all operations are on encrypted data: – CRUD – control access to data from different users – search (in encrypted data) #qconlondon @vixentael

  43. RISKS FOR ZKA: weak key management algorithm weakness user pocket a tu ack surface #qconlondon @vixentael

  44. WHEN TO USE ZKA? trusted client side (mobile, HSM/TPM) #qconlondon @vixentael

  45. ZKA is already solved for specific use-cases or in a naive ways #qconlondon @vixentael

  46. MESSAGING END-TO-END ENCRYPTION #qconlondon @vixentael

  47. AUTHENTICATION ZERO KNOWLEDGE PROOF https://www.cossacklabs.com/zero- knowledge-protocols-without-magic.html #qconlondon @vixentael

  48. COLLABORATING ??? ON DATA – store encrypted – share with others – manage access to parties #qconlondon @vixentael

  49. SHARING ENCRYPTED DATA naive approach – duplications – key management problems #qconlondon @vixentael

  50. OUR TAKE give access to certain blocks of data to exact users https://github.com/ cossacklabs/hermes-core #qconlondon @vixentael

  51. HOW TO BUILD IT? – Key wrapping blocks user keys storage keys #qconlondon @vixentael

  52. HOW TO BUILD IT? – Key wrapping – Manage privileges #qconlondon @vixentael

  53. HOW TO BUILD IT? – Key wrapping – Manage privileges – Control requests #qconlondon @vixentael

  54. MORE POSSIBLE USE-CASES shared file system complex docs, audit logs spreadsheets document store protection config files #qconlondon @vixentael

  55. OTHER IMPLEMENTATIONS HERMES https://github.com/cossacklabs/hermes-core ZEROKIT https://tresorit.com/zerokit LAFS https://tahoe-lafs.org/trac/tahoe-lafs #qconlondon @vixentael

  56. monitor client side monitor everything #qconlondon @vixentael

  57. MORE GOODIES TO THINK ABOUT

  58. Cryptography is well implemented, if it allows to narrow attack surface, and increase control of data. #qconlondon @vixentael

  59. ECHELONIZATION if the system has one perimeter, it will fail! #qconlondon @vixentael

  60. ECHELONIZATION ..add more layers of defense #qconlondon @vixentael

  61. EXCEPT CRYPTO, YOU ALSO NEED log and monitor events intrusion pattern detection access control firewall ...

  62. 269 CVEs from 2011-2014 17% bugs inside crypto libs misuses of crypto libs 83% by individual apps https://pdos.csail.mit.edu/papers/cryptobugs:apsys14.pdf #qconlondon @vixentael

  63. RECAP 2

  64. THINGS TO REMEMBER 1. cryptography aims to narrow the attack surface 2. choose relevant encryption scheme 3. combine crypto and classic techniques 4. there is a lib for that #qconlondon @vixentael

  66. LINKS 12 and 1 ideas how to enhance backend data security https://medium.com/@cossacklabs/12-and-1-ideas-how-to-enhance-backend-data- security-4b8ceb5ccb88 Explain Like I’m 5: Zero Knowledge Proof https://hackernoon.com/eli5-zero-knowledge-proof-78a276db9eff DevOps and security: from trenches to command centers https://medium.com/@9gunpi/devops-and-security-from-trenches-to-command- centers-466dfb58fe5b How GDPR Will Change The Way You Develop https://www.smashingmagazine.com/2018/02/gdpr-for-web-developers/

  67. MY OTHER SECURITY SLIDES https://github.com/ vixentael/my-talks …and more

  68. @vixentael Product Engineer Feel free to reach me with security questions. I do check my inbox :)

  69. IMAGE CREDITS www.flaticon.com Authors: freepik, linector, switficons, pixelperfect, smashicons, icon pond, dinosoftlabs

Recommend

Risk Management Workshop 1 Risk management workshop Why do we Risk Risk and need risk

Risk Management Workshop 1 Risk management workshop Why do we Risk Risk and need risk

FREE Lifelong Learning Event for Fasset Members Risk Management Workshop 1 Risk management workshop Why do we Risk Risk and need risk assessment control matrix management process Governance Risk appetite Agenda for and risk Risk

1.28k views • 105 slides
Market Risk Management Gen Ins. Risk Management Life Ins. Risk Management Op.

Market Risk Management Gen Ins. Risk Management Life Ins. Risk Management Op.

Market Risk Management Gen Ins. Risk Management Life Ins. Risk Management Op. Risk Management Board of Enterprise Risk Senior Management Committees Directors Management Credit Risk Cross-Border Exposure Country Rating

453 views • 6 slides
1 Early humans related pain to evil, magic, and demons. Relief of pain was the responsibility of

1 Early humans related pain to evil, magic, and demons. Relief of pain was the responsibility of

Managing Chronic Pain and Co Occurring Posttraumatic Stress Disorder (PTSD) John D. Otis, Ph.D. Research Service VA Boston Healthcare System I have no financial relationships with any commercial interests related to the content of this

614 views • 25 slides
Patient Satisfaction with their Pain Management: The Effect of Provision of Pain Management Advice

Patient Satisfaction with their Pain Management: The Effect of Provision of Pain Management Advice

Patient Satisfaction with their Pain Management: The Effect of Provision of Pain Management Advice David Taylor 1,2 , Marina Lee 2 , Olivier Grover Johnson 2 , Juen-Li Ding 2 , Aadith Ashok 2 1 Austin Health, Australia 2 University of Melbourne,

953 views • 15 slides
What is Risk Management? What is Risk Management? A (great) management tool Focus

What is Risk Management? What is Risk Management? A (great) management tool Focus

Proudly Presents How To Establish Functional Risk Management in Your Public Entity R. J oy J ackson, City of London Tina Gardiner, Region of York RIMS, Ottawa, 2011 What is Risk Management? What is Risk Management? A (great)

463 views • 24 slides
Feasibility study of a novel pain assessment tool for improving prehospital pain management M

Feasibility study of a novel pain assessment tool for improving prehospital pain management M

Feasibility study of a novel pain assessment tool for improving prehospital pain management M Iqbal, P A Spaight, R Kane, Z Asghar, A N Siriwardena Nottingham Conference Centre 04 February 2015 Background Pain - common Poorly assessed

476 views • 19 slides
Chronic pain management: Evidence for CBT Michael K. Nicholas, PhD Assoc. Prof. & Director

Chronic pain management: Evidence for CBT Michael K. Nicholas, PhD Assoc. Prof. & Director

Chronic pain management: Evidence for CBT Michael K. Nicholas, PhD Assoc. Prof. & Director of ADAPT Pain Management Program University of Sydney Pain Management & Research Institute Royal North Shore Hospital In the Himalayas, Sherpas

560 views • 28 slides
Magic Pixie Dust An Intro, History, and Practical Discussion of Encryption David Kennedy

Magic Pixie Dust An Intro, History, and Practical Discussion of Encryption David Kennedy

Magic Pixie Dust An Intro, History, and Practical Discussion of Encryption David Kennedy @failbridge Presented at Shellcon, 12 October 2019, in San Pedro, California Good morning. Everyone Enjoying Shellcon? Welcome to: Magie Pixie Dust -- An

1.22k views • 87 slides
Shared Decision Making in the ED for Patients with Low-Risk Chest Pain: The Chest Pain Choice

Shared Decision Making in the ED for Patients with Low-Risk Chest Pain: The Chest Pain Choice

Shared Decision Making in the ED for Patients with Low-Risk Chest Pain: The Chest Pain Choice Decision Aid Uli K. Chettipally, MD, MPH. CREST Network Kaiser Permanente PI: Erik P. Hess MD MSc PCORI Funding: Original Research funded through

573 views • 26 slides
Pain Practice Management Increasing Value, Efficiency and Health in your Pain Practice Ashley M.

Pain Practice Management Increasing Value, Efficiency and Health in your Pain Practice Ashley M.

Pain Practice Management Increasing Value, Efficiency and Health in your Pain Practice Ashley M. Classen, DO, FAOCA Adjunct Clinical Professor Department of Surgery Anesthesiology / Interventional Pain Medicine University of North Texas Health

294 views • 10 slides
The Management of Pain and Pain Care in the Czech Republic Prof. Richard Rokyta, MD, PhD, DSc,

The Management of Pain and Pain Care in the Czech Republic Prof. Richard Rokyta, MD, PhD, DSc,

The Management of Pain and Pain Care in the Czech Republic Prof. Richard Rokyta, MD, PhD, DSc, FCMA President of Czech Pain Society Charles University, 3 rd Faculty of Medicine, Department of Normal, Pathological and Clinical Physiology,

521 views • 20 slides
Preparedness Preliminary risk management Risk assessment Risk management Risk

Preparedness Preliminary risk management Risk assessment Risk management Risk

FAO/WHO guide for application of risk analysis principles to food safety emergencies Food Recall and Traceability (February 2013, Thailand) Preparedness Preliminary risk management Risk assessment Risk management Risk

440 views • 39 slides
Div iversion & Pain Management February ry 5, , 2020 th Annual Conference MDONS 30 th

Div iversion & Pain Management February ry 5, , 2020 th Annual Conference MDONS 30 th

Div iversion & Pain Management February ry 5, , 2020 th Annual Conference MDONS 30 th Linda Vanni, MSN, RN-BC, ACNS-BC, NP, AP-PMN Nurse Practitioner, Pain Management Professional Pain Education & Consulting, LLC Conflict of In

884 views • 56 slides
Disclosures Nothing to Disclose Coordination of Pain Management Strategies with Patients'

Disclosures Nothing to Disclose Coordination of Pain Management Strategies with Patients'

6/1/2013 Disclosures Nothing to Disclose Coordination of Pain Management Strategies with Patients' Primary Care Physician Melanie M. Henry, M.D., M.P.H. UCSF Associate Professor of Anesthesia & Pain Medicine 2 4 Chronic Pain Definition

260 views • 9 slides
POSTOPERATIVE PAIN MANAGEMENT IN PEDIATRICS PRESENTED BY: JENIFER LICHTENFELS, M.D. OBJECTIVES

POSTOPERATIVE PAIN MANAGEMENT IN PEDIATRICS PRESENTED BY: JENIFER LICHTENFELS, M.D. OBJECTIVES

9/29/2016 POSTOPERATIVE PAIN MANAGEMENT IN PEDIATRICS PRESENTED BY: JENIFER LICHTENFELS, M.D. OBJECTIVES PHARMACISTS Identify risk factors for narcotic induced respiratory depression in children with OSA State the current

468 views • 17 slides
Pain Management UCLH Members meeting October 2014 Ali Mofeez Consultant in Pain Medicine and

Pain Management UCLH Members meeting October 2014 Ali Mofeez Consultant in Pain Medicine and

Pain Management UCLH Members meeting October 2014 Ali Mofeez Consultant in Pain Medicine and Anaesthesia Anna Mandeville Senior Pain Psychologist Viki Mitchell Chair of Pain Steering Group and DCD for Theatres Pain Steering Group Chair

1.79k views • 23 slides
Meeting the Challenge of Chronic Pain Jonathan Kenyon Pain Lead, SMSKP Pain ESP Physiotherapy

Meeting the Challenge of Chronic Pain Jonathan Kenyon Pain Lead, SMSKP Pain ESP Physiotherapy

Meeting the Challenge of Chronic Pain Jonathan Kenyon Pain Lead, SMSKP Pain ESP Physiotherapy Clinical Team Lead What do we need to do? Prevent chronicity developing - Identify those at risk as early as possible - Stop the cycle of

197 views • 18 slides
Med edic icatio tion M Management f for or P Pain: Opiate Analgesics and Safe Prescribing

Med edic icatio tion M Management f for or P Pain: Opiate Analgesics and Safe Prescribing

Med edic icatio tion M Management f for or P Pain: Opiate Analgesics and Safe Prescribing Joanna G. Katzman, MD, MSPH Director, UNM Pain Center Director, Project ECHO Chronic Pain and Headache Management Program Associate Professor, Neurology;

591 views • 33 slides
Synopsis A COMPREHENSIVE PAIN MANAGEMENT APPROACH HOWARD KONOWITZ, MD BOARD CERTIFICATION:

Synopsis A COMPREHENSIVE PAIN MANAGEMENT APPROACH HOWARD KONOWITZ, MD BOARD CERTIFICATION:

Complex Regional Pain Syndrome Evidence Based Care Synopsis A COMPREHENSIVE PAIN MANAGEMENT APPROACH HOWARD KONOWITZ, MD BOARD CERTIFICATION: INTERNAL MEDICINE, ANESTHESIOLOGY, PAIN MANAGEMENT National Guidelines and international evidence

482 views • 15 slides
In Interv rventional Pain Management Primary Spine and Joint Conference Carlton K. McQueen MD

In Interv rventional Pain Management Primary Spine and Joint Conference Carlton K. McQueen MD

In Interv rventional Pain Management Primary Spine and Joint Conference Carlton K. McQueen MD Fourth Corner Pain Management Bellingham, WA Dolores-Presentation 77 years old 1 year history of back and bilateral leg pain. Obese,

534 views • 42 slides
Medication Management for Pain : Opiate Analgesics and Safe Prescribing Joanna G. Katzman, MD,

Medication Management for Pain : Opiate Analgesics and Safe Prescribing Joanna G. Katzman, MD,

Medication Management for Pain : Opiate Analgesics and Safe Prescribing Joanna G. Katzman, MD, MSPH Director, UNM Pain Center Director, Project ECHO Chronic Pain and Headache Management Program Associate Professor, Neurology; Department of

493 views • 36 slides
Persistent pain cycle pain Peripheral sensi2sa2on Central

Persistent pain cycle pain Peripheral sensi2sa2on Central

Pain: NWH Community Pharmacy Engagement Event January 2015 1 What is pain? Time-based classifica2on of pain

462 views • 10 slides
CHRONIC PAIN MANAGEMENT: TO O LS FO R A C A R E M A N A G ER N IC O LE C A R TER BSN , R N

CHRONIC PAIN MANAGEMENT: TO O LS FO R A C A R E M A N A G ER N IC O LE C A R TER BSN , R N

CHRONIC PAIN MANAGEMENT: TO O LS FO R A C A R E M A N A G ER N IC O LE C A R TER BSN , R N CHRONIC PAIN MANAGEMENT Be st pra c tic e mo de ls fo r c hro nic pa in ma na g e me nt re q uire a multidisc iplina ry a ppro a c h

313 views • 15 slides
Pain Management in Primary Care Pain was primary reason for 40% of doctor visits in a Finnish

Pain Management in Primary Care Pain was primary reason for 40% of doctor visits in a Finnish

Pain in Primary Care Pain Management in Primary Care Pain was primary reason for 40% of doctor visits in a Finnish study from 2001 Most common reason for visiting doctor Robert M. Taylor, MD Not enough pain specialists to treat all

426 views • 13 slides

More recommend