How to Delete Data for Realz: This Presentation Will Self-Destruct


  1. #RSAC SESSION ID: PDAC-R10F. How to Delete Data for Realz: This Presentation Will Self-Destruct In... Davi Ottenheimer, President, Flyingpenguin (@daviottenheimer); Ian Smith, Research Scientist, University of Washington (@sesosek). Rashomon Security

  2. Rashomon = Solving “Uncertainty of Fact”* (* “The Samurai Film,” Alain Silver, 1983, p. 47)

  3. Rising Problem of “unDEAD” Data. Image: The Ghost Kohada Koheiji, Katsushika Hokusai (1760-1849)

  4. Data Lifecycle: Store, Access, Create, Modify, Destroy, Share, Backup

  5. MSM Awareness

  6. Example: Internet of Snitches. US Government collecting social media information from foreign travelers. Data from pacemaker used to arrest man for arson, insurance fraud.

  7. Example: Plaintext Distributed Data to Cloud. Diagram layers: Flask REST API, DB; bins/libs, bins/libs; Container Engine (Docker); Host OS

  8. Example: War of Words

  9. “Use Bleach” to Purge History

  10. Broken Solutions: Unlinking, Overwriting, Master Key, Physical Destruction

  11. Classic PGP (No Forward Secrecy) is Classic. E_pk_bob(M) → Server → D_sk_bob(E_pk_bob(M)) → M (sk = secret key, pk = public key)

  12. Classic PGP (No Forward Secrecy) is Classic. E_pk_bob(M) → Server → D_sk_bob(E_pk_bob(M)) → M. Attacker with sk_bob can read all past messages.

  13. In Search of an Improved Trust Level

  14. Distributed Expiring Auditable Data (DEAD): 1. Automatic expiration timers. 2. Always, even when replicated or offline. 3. Audited.

  15. Data, Prepare to be DEAD

  16. DEAD Example Architecture: 1. Automatic: Access gone after expiration. 2. Always: Stored keys disappear over time, destroying data. 3. Audited: Action required for initial data access.

  17. Split secret S into n pieces. • Knowledge of any m of them makes S easy to compute. • Knowledge of any m - 1 or fewer leaves S completely undetermined. (Plot: Vlsergey)

  18. Automatic Key Expiration. • Store(secret, expiration time) → index • Get(index) → secret, if not yet expired. Diagram: Expire in: 72 hours; <index>

  19. Automatic Key Expiration. • Store(secret, expiration time) → index • Get(index) → secret, if not yet expired. Diagram: <index> not found

  20. Always (Forward Secrecy). Diagram (Backups, Server; messages labelled I and S; Alice, Bob: xkcd.com): E_pk_bob(k) → S; E_pk_bob(E_k(M), I); D_sk_bob(S) → k; D_k(D_sk_bob(E_pk_bob(E_k(M), I))) → M

  21. Always (Forward Secrecy). Attacker with sk_bob cannot read any expired messages. Diagram (Backups, Server; messages labelled I and S; Alice, Bob: xkcd.com): E_pk_bob(k) → S; E_pk_bob(E_k(M), I); D_sk_bob(S) → k; D_k(D_sk_bob(E_pk_bob(E_k(M), I))) → M

  22. Audited (e.g. Cloud Delete). Diagram layers: Flask REST API, DB; bins/libs, bins/libs; Container Engine (Docker); Host OS; DEAD Service (audits key requests)

  23. Audited (e.g. Cloud Delete). Diagram layers: Flask REST API, DB; bins/libs, bins/libs; Container Engine (Docker); Host OS; DEAD Service (audits key requests)

  24. Resilient to Attack: Privacy. DEAD secrets can not be read without the index.

  25. Resilient to Attack: Availability (Alice: xkcd.com)

  26. Resilient to Attack: Availability (Alice: xkcd.com)

  27. Resilient to Attack: Privacy + Availability. Diagram: S; S1, S2, S3, S4, S5.

     | Num. storage locations | 1 | 2 | 3 | 4 | 5 | n |
     |---|---|---|---|---|---|---|
     | Quorum threshold | 1/1 | 1/2, 2/2 | 1/3, 2/3, 3/3 | 1/4, 2/4, 3/4, 4/4 | 1/5, 2/5, 3/5, 4/5, 5/5 | m / n |
     | Num. compromised to violate privacy | 1 | 1, 2 | 1, 2, 3 | 1, 2, 3, 4 | 1, 2, 3, 4, 5 | m |
     | Num. failed to violate availability | 1 | 2, 1 | 3, 2, 1 | 4, 3, 2, 1 | 5, 4, 3, 2, 1 | n - m + 1 |

  28. Resilient to Attack: Privacy + Availability (same table as slide 27). Diagram: S1, S2, S3, S4, S5.

  29. Resilient to Attack: Privacy + Availability (same table as slide 27). Diagram: S; S1, S2, S3, S4, S5.

  30. Resilient to Attack: Privacy + Availability. Example: 8/15. Num. storage locations: 15 (n). Quorum threshold: 8 / 15 (m / n). Num. compromised to violate privacy: 8 (m). Num. failed to violate availability: 8 (n - m + 1).

  31. Distributed Expiring Auditable Data (DEAD): 1. Automatic expiration timers. 2. Always, even when replicated or offline. 3. Audited.

  32. Apply: 1. Identify data flows in your organization: a. Source code; b. Customer and operations data; c. Internal communications; d. API tokens, TLS certs, SSH keys, DB credentials; e. Internet of snitches; f. Partners and service providers. 2. Assess unDEAD data risk (severity x probability). 3. Flag processes where DEAD required.

  33. Apply: Russian Containers

  34. Get DEAD: • Amazon KMS • Fugue Credstash • HashiCorp Vault • Kubernetes secret objects • Docker SwarmKit secrets • OpenStack Barbican

  35. DEAD Data Demo. Join our Focus-On session. Learn how to make data DEAD: • Automatic • Always • Audited. Time: 2:45 - 3:30 PM. Session Code: FON3-R11
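
The m-of-n split of slide 17, the Store/Get expiration of slides 18 and 19, and the quorum counts of slides 27 to 30, combined in one added Python example; it is not code from the presentation or from the presenters. The names `ExpiringStore`, `recover` and `demo`, the in-memory stores, the injected clock and the choice of prime field are assumptions made here.

```python
import secrets

P = 2**127 - 1  # prime field for the shares (assumption: secret < P)

def split(secret, m, n):
    """Shamir split: random degree m-1 polynomial with f(0) = secret; share i is (i, f(i))."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def combine(shares):  # Lagrange interpolation at x = 0 over GF(P)
    total = 0
    for xj, yj in shares:
        num = den = 1
        for xk, _ in shares:
            if xk != xj:
                num = num * -xk % P
                den = den * (xj - xk) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total

class ExpiringStore:
    """Hypothetical Store/Get service: a value vanishes once its timer runs out."""
    def __init__(self, clock):
        self.clock, self.items = clock, {}
    def store(self, value, ttl):
        index = secrets.token_hex(16)          # unguessable index: no index, no secret
        self.items[index] = (value, self.clock() + ttl)
        return index
    def get(self, index):
        value, deadline = self.items.get(index, (None, 0))
        if value is None or self.clock() >= deadline:
            self.items.pop(index, None)        # destroy the share on expiry
            return None                        # "<index> not found"
        return value

def recover(stores, indexes, m):
    """Collect shares from whichever stores still answer; fewer than m means no key."""
    shares = [s for s in (st.get(i) for st, i in zip(stores, indexes)) if s is not None]
    return combine(shares[:m]) if len(shares) >= m else None

def demo(n=5, m=3, ttl=72 * 3600):
    now = [0]                                   # constructed clock, in seconds
    stores = [ExpiringStore(lambda: now[0]) for _ in range(n)]
    key = secrets.randbelow(P)                  # constructed data-encryption key
    idx = [st.store(sh, ttl) for st, sh in zip(stores, split(key, m, n))]
    before = recover(stores, idx, m) == key
    now[0] = ttl                                # the 72-hour timers run out everywhere
    return before, recover(stores, idx, m)      # (True, None)
```

With n = 5 and m = 3, recovery survives two failed stores, fails at three (n - m + 1), and returns nothing once the timers lapse, whatever backups of the ciphertext still exist.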
