Securing Automated Decryption

Nathaniel McCallum

Principal Engineer - Red Hat, Inc.

Booting...

Disk Password: █

  • Yesterday: Standards (AES, PCI-DSS, etc.)
  • Today: Automation
  • Tomorrow: Policy

How do we automate?

Standard Password Model
[Diagram labels: "Shh... I'm Secret!"; "correct battery horse staple"; Key Encryption Key; Encryption Key]

Standard Escrow Model
[Diagram labels: "Shh... I'm Secret!"; "d41d8cd9...ecf8427e"; Key Encryption Key; Encryption Key; Escrow; TLS / GSSAPI; KDC/CA; Backups]

HEARTBLEED

Lessons Learned

  • Presuming TLS will protect key transfer is dangerous
  • Complexity increases attack surface
  • Escrows are difficult to deploy
  • X.509 is hard to get right

asymmetric crypto?

(EC) Diffie-Hellman Key Exchange

$S \in_{R} [1, p-1]$
$s = gS$
$\longleftarrow s$
$C \in_{R} [1, p-1]$
$c = gC$
$c \longrightarrow$
$K = gCS = cS$
$K = gSC = sC$

McCallum-Relyea Key Exchange

Provisioning

$S \in_{R} [1, p-1]$
$s = gS$
$\longleftarrow s$
$C \in_{R} [1, p-1]$
$c = gC$
$K = gSC = sC$
Discard: $K, C$
Retain: $s, c$

Recovery

$E \in_{R} [1, p-1]$
$x = c + gE$
$x \longrightarrow$
$y = xS$
$\longleftarrow y$
$K = y - sE$
Because: $K = gCS + gES - gSE$
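
The provisioning and recovery steps above, carried through on NIST P-256 as an added example (not code from the slides or from Tang). The point arithmetic is hand-written and not constant time, and the function names are assumptions made for illustration.

```python
import secrets

P = 2**256 - 2**224 + 2**192 + 2**96 - 1    # NIST P-256 field prime
A = -3                                       # curve coefficient a
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551  # order (slides' p)
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)  # base point g

def add(p1, p2):                             # None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        m = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        m = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (m * m - x1 - x2) % P
    return (x3, (m * (x1 - x3) - y1) % P)

def mul(pt, k):
    """Scalar multiple k*pt by double-and-add (demo only: not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def rand_scalar():
    return secrets.randbelow(N - 1) + 1      # uniform in [1, N-1]

def provision():
    S = rand_scalar(); s = mul(G, S)         # server: private S, advertised s = gS
    C = rand_scalar(); c = mul(G, C)         # client: c = gC
    K = mul(s, C)                            # K = gSC = sC
    return S, s, c, K                        # client then discards K, C; retains s, c

def blind(c):
    E = rand_scalar()                        # fresh ephemeral for every recovery
    return E, add(c, mul(G, E))              # x = c + gE, the only value sent

def server_reply(S, x):
    return mul(x, S)                         # y = xS, computed without seeing c or K

def unblind(s, E, y):
    sE = mul(s, E)
    return add(y, (sE[0], -sE[1] % P))       # K = y - sE
```

Calling `provision()`, then `blind`, `server_reply` and `unblind` in turn returns the same K that provisioning produced, while the server only ever handles x and y.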

[Diagram labels: Key Encryption Key; Encryption Key; "Shh... I'm Secret!"; Server; MR Exchange; Crypto HW]

Property                               Escrow      MR Exchange
Server presence during provisioning    Required    Optional
Server presence during recovery        Required    Required
Server knowledge of keys               Required    None
Key transfer                           Required    None
Client authentication                  Required    Optional
Transport encryption                   Required    Optional
End-to-end Encryption                  Difficult   Unneeded

Tang

  • https://github.com/latchset/tang
  • Server-side daemon
  • Simple: HTTP + JOSE
  • Fast (>2k req/sec)
  • Extremely small
  • Minimal dependencies
  • Fedora 23+

Installing a Tang Server

$ dnf install tang

$ systemctl enable tangd.socket
$ systemctl start tangd.socket

$ jose gen -t '{"alg":"ES256"}' \
           -o /var/db/tang/sig.jwk
$ jose gen -t '{"kty":"EC","crv":"P-256","key_ops":["deriveKey"]}' \
           -o /var/db/tang/exc.jwk

On the client...

Clevis

  • https://github.com/latchset/clevis/
  • Decryption automation and policy framework
  • Minimal dependencies
  • Early boot integration
  • GNOME integration
  • Fedora 24+

Basic Encryption with Tang

$ dnf install clevis

$ echo PT | clevis encrypt tang '{"url":"http://localhost"}' > mydata.jwe
The advertisement is signed with the following keys:
	haD7Y-8VkAyJo6-vdZMrGQXCSfI

Do you wish to trust the advertisement? [yN] y

$ cat mydata.jwe
{"ciphertext":"-O59czAqybvxHdme2t3I5A", ...}

$ clevis decrypt < mydata.jwe
PT

$ sudo systemctl stop tangd.socket

$ clevis decrypt < mydata.jwe
$ echo $?
1

Basic Encryption with an Escrow

$ dnf install clevis

$ echo PT | clevis encrypt http '{"url":"http://localhost/key"}' > mydata.jwe

$ cat mydata.jwe
{"ciphertext":"-O59czAqybvxHdme2t3I5A", ...}

$ clevis decrypt < mydata.jwe
PT

Disk Binding with Tang

$ clevis bind-luks /dev/sda1 tang '{"url":"http://tang.company.com"}'
The advertisement is signed with the following keys:
	haD7Y-8VkAyJo6-vdZMrGQXCSfI

Do you wish to trust the advertisement? [yN] y
Enter passphrase for /dev/sda1:

$ sudo luksmeta show -d /dev/sda1
0   active empty
1   active cb6e8904-81ff-40da-a84a-07ab9ab5715e
2 inactive empty
3 inactive empty
4 inactive empty
5 inactive empty
6 inactive empty
7 inactive empty

# For root volume unlocking at boot:
$ dnf install clevis-dracut
$ dracut -f
$ reboot

# For removable storage GNOME unlocking:
$ dnf install clevis-udisks2

From Automation to Policy

  • Yesterday: Standards (AES, PCI-DSS, etc.)
  • Today: Automation
  • Tomorrow: Policy

Shamir Secret Sharing

threshold = ?

Simple Laptop
[Diagram labels: unlock?; Admin Password; User Password; threshold = 1]

Automated Laptop
[Diagram labels: unlock?; Admin Password; User Password; threshold = 1; Tang]

High Security System
[Diagram labels: unlock?; User Password; User Password; threshold = 2; User Password]

Complex Laptop Policy
[Diagram labels: unlock?; QR Code; thresh. = 1; SSS; TPM; thresh. = 2; SSS; thresh. = 2; Password; Fingerprint; Tang; Bluetooth]

Basic Shamir's with Tang

$ echo PT | clevis encrypt sss \
'{"pins": {"tang": [{"url": "http://a.tang.foo"}, {"url": "http://b.tang.foo"}]}, "t": 1}' \
> out.jwe
The advertisement is signed with the following keys:
	haD7Y-8VkAyJo6-vdZMrGQXCSfI

Do you wish to trust the advertisement? [yN] y

The advertisement is signed with the following keys:
	Edp-ESShUx4_95kGt-DTsCBbPag

Do you wish to trust the advertisement? [yN] y

$ clevis decrypt < out.jwe
PT

# Bring Down Tang Server A
$ clevis decrypt < out.jwe
PT

# Bring Down Tang Server B
$ clevis decrypt < out.jwe
$ echo $?
1
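
The threshold behaviour in the session above, modelled in Python as an added example (not clevis code): each Tang URL in the sss configuration guards one Shamir share, and a reachable server stands in for a share that can be recovered. The field prime and the function names `split`, `combine`, `bind` and `unlock` are assumptions made for this model.

```python
import json
import secrets

PRIME = 2**127 - 1   # prime field for the demo (assumption; not clevis's parameters)

def split(secret, n, t):
    """n points on a random degree t-1 polynomial f with f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(t - 1)]
    def f(x):
        y = 0
        for coeff in reversed(coeffs):       # Horner evaluation
            y = (y * x + coeff) % PRIME
        return y
    return [(x, f(x)) for x in range(1, n + 1)]

def combine(shares):
    """Lagrange interpolation at x = 0 over the given (x, y) shares."""
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * -xj % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

def bind(cfg_json, secret):
    """Give each Tang URL in an sss config one share; returns (t, {url: share})."""
    cfg = json.loads(cfg_json)
    urls = [pin["url"] for pin in cfg["pins"]["tang"]]
    return cfg["t"], dict(zip(urls, split(secret, len(urls), cfg["t"])))

def unlock(t, bound, reachable):
    """Recover the secret from the pins that answer, or None if fewer than t do."""
    got = [share for url, share in bound.items() if url in reachable]
    return combine(got[:t]) if len(got) >= t else None

# The sss configuration from the slide: two Tang servers, threshold 1.
CFG = '{"pins": {"tang": [{"url": "http://a.tang.foo"}, {"url": "http://b.tang.foo"}]}, "t": 1}'
```

With "t": 1 the polynomial is constant, so either server alone is enough; changing the configuration to "t": 2 makes both servers mandatory.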

Exploring the ecosystem

Dependency: José

  • https://github.com/latchset/jose
  • JSON Object Signing and Encryption
  • C Library & Command Line Utility
  • Bottom Line: User-Friendly, Standards Compliant Crypto
$ jose gen -t '{"alg": "A128GCM"}' -o oct.jwk
$ jose gen -t '{"alg": "RSA1_5"}' -o rsa.jwk
$ jose gen -t '{"alg": "ES256"}' -o ec.jwk

$ echo hi | jose enc -i- -k rsa.pub.jwk -o msg.jwe
$ jose dec -i msg.jwe -k rsa.jwk
hi
$ jose dec -i msg.jwe -k oct.jwk
Decryption failed!

$ echo hi | jose sig -i- -k ec.jwk -o msg.jws
$ jose ver -i msg.jws -k ec.pub.jwk
hi
$ jose ver -i msg.jws -k oct.jwk
No signatures validated!

Dependency: LUKSMeta

  • https://github.com/latchset/luksmeta
  • Store metadata in LUKSv1 header gap
  • C library & Command Line Utility
$ echo hi | luksmeta save -d /dev/sdc1 -s 2 -u EC998562-B60D-47F0-A579-DCA8C12F5BF6

$ luksmeta load -d /dev/sdc1 -s 2 -u EC998562-B60D-47F0-A579-DCA8C12F5BF6
hi

$ luksmeta load -d /dev/sdc1 -s 2 -u 12618962-A1E5-48F1-B327-D7C60E20FC02
Slot contains different UUID

the Near Future

José

  • PKCS#11 Support
  • Python Bindings
  • Additional crypto backends
  • Additional algorithms

Clevis

  • Password Pin
  • PKCS#11 Pin (including, in the future, TPM)
  • Support for non-root, non-removable volumes
  • Ext4 encryption support

Tang

  • Binding IDs (Optional; sacrifices anonymity)
  • Revocation (requires Binding IDs)

Patches Welcome!

Questions?

DevConf 2017

By Nathaniel McCallum
