Protecting “Cloud” Secrets With Grendel - O'Reilly...

Protecting “Cloud” Secrets With Grendel

http://github.com/wesabe/grendel

Sam QuigleySquare

@emerose

Coda HaleYammer, Inc.@coda

You store private information.

passwordshttp://techcrunch.com/2009/12/14/rockyou-hack-security-myspace-facebook-passwords/

credit card numbers

bank account info

social security numbershttp://www.wired.com/threatlevel/2010/05/lifelock-identity-theft

health care informationhttps://health.google.com

confidential business documents

http://techcrunch.com/2009/07/14/in-our-inbox-hundreds-of-confidential-twitter-documents/

but also…

personal conversationshttp://www.businessinsider.com/well-these-new-zuckerberg-ims-wont-help-facebooks-privacy-problems-2010-5

photoshttp://valleywag.gawker.com/321802/bank-intern-busted-by-facebook

videoshttp://gawker.com/034201/the-fred-durst-sex-tape-you-never-wanted

purchase histories

usage patternshttp://aolpsycho.com/user/14162375-yahoo

All of this is private.

Anything your users don’t want shared

We all store private information.

How well do we protect it?

Firewall!

VPN!

Firewall!

VPN!

Passwords!

Firewall!

Useless.

Really Useless.http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Encryption!

Hard.

Really hard.http://www.veracode.com/images/pdf/veracode_state_of_software_security_report_volume_1.pdf

We still need to protect it.

We have ideas.

Grendel!

Grendel!A Secure Document Storage System

Simplest Thing That Can Work

Simplest Thing That Can Work

Minimum Viable Product

Simplest Thing That Can Work

Minimum Viable Product

Open Source

Simplest Thing That Can Work

Minimum Viable Product

Open Source

Big Plans for the Future

Simplest Thing That Can Work

Minimum Viable Product

Open Source

Big Plans for the Future

Gets the Fundamentals Right

Data Storage

Data StorageAuthentication

Data StorageAuthenticationAccess Control

OpenPGP

OpenPGPREST

OpenPGPREST

Java + RDBMS

OpenPGP

Message FormatWhat PGP and GPG Use

RFC 4880

Open Standard

Well Reviewed

Used Everywhere

Flexible

Confidentiality

Integrity

Keys!

Asymmetric

One Set Per User

Stored Encrypted with User’s Passphrase

Documents!

Arbitrary Contents

Recipients!

OpenPGPREST

Java + RDBMS

✓

REST

HTTP

HTTPSpoken Natively

Why REST?

Simple

Ubiquitous

Well-Understood

Easy to Debug

Lots of Free Features

OpenPGPREST

Java + RDBMS

✓✓

Java + RDBMS

Java 6

Java 6Bouncy Castle

Java 6Bouncy Castle

Jetty

Java 6Bouncy Castle

JettyJersey

Java 6Bouncy Castle

JettyJerseyGuice

Java 6Bouncy Castle

JettyJerseyGuice

Hibernate

Why Java?

Fast

FastStable

FastStable

Well-Understood

Why RDBMS?

You Already Have One

OpenPGPREST

Java + RDBMS

✓✓✓

Easy To Use

One Config File

hibernate.dialect=org.hibernate.dialect.MySQL5InnoDBDialecthibernate.connection.username=grendelhibernate.connection.password=sn00persn33krithibernate.connection.url=jdbc:mysql://db1.example.com/grendel_prodhibernate.c3p0.min_size=10hibernate.c3p0.max_size=50

Generating Schemas

$ java -jar grendel.jar schema \ -c database.properties

create table documents ( name varchar(255) not null, body longblob not null, content_type varchar(40) not null, created_at datetime not null, modified_at datetime not null, version bigint not null, owner_id varchar(255) not null, primary key (name, owner_id)) ENGINE=InnoDB;

create table links ( user_id varchar(255) not null, document_name varchar(255) not null, document_owner_id varchar(255) not null, primary key (user_id, document_name, document_owner_id)) ENGINE=InnoDB;

create table users ( id varchar(255) not null, created_at datetime not null, keyset longblob not null, modified_at datetime not null, version bigint not null, primary key (id)) ENGINE=InnoDB;

Running the Server

$ java -jar grendel.jar server \ -c database.properties \ -p 8080

Grendel’s API/users/users/{id}/users/{id}/documents/users/{id}/documents/{name}/users/{id}/documents/{name}/links/users/{id}/documents/{name}/links/{otherid}/users/{id}/linked-documents/users/{id}/linked-documents/{otherid}/{name}

Creating a User

Creating a User

HTTP/1.1 201 CreatedLocation: http://example.com/users/codahale

POST /users/ HTTP/1.1Content-Type: application/json

{ "id": "codahale", "password": "woowoo"}

Creating a User

HTTP/1.1 201 CreatedLocation: http://example.com/users/codahale

POST /users/ HTTP/1.1Content-Type: application/json

{ "id": "codahale", "password": "woowoo"}

Creating a User

HTTP/1.1 201 CreatedLocation: http://example.com/users/codahale

POST /users/ HTTP/1.1Content-Type: application/json

{ "id": "codahale", "password": "woowoo"}

Creating a User

HTTP/1.1 201 CreatedLocation: http://example.com/users/codahale

POST /users/ HTTP/1.1Content-Type: application/json

{ "id": "codahale", "password": "woowoo"}

Creating a User

HTTP/1.1 201 CreatedLocation: http://example.com/users/codahale

POST /users/ HTTP/1.1Content-Type: application/json

{ "id": "codahale", "password": "woowoo"}

Creating a User

HTTP/1.1 201 CreatedLocation: http://example.com/users/codahale

POST /users/ HTTP/1.1Content-Type: application/json

{ "id": "codahale", "password": "woowoo"}

Creating a User

HTTP/1.1 201 CreatedLocation: http://example.com/users/codahale

POST /users/ HTTP/1.1Content-Type: application/json

{ "id": "codahale", "password": "woowoo"}

Creating a User

HTTP/1.1 201 CreatedLocation: http://example.com/users/codahale

POST /users/ HTTP/1.1Content-Type: application/json

{ "id": "codahale", "password": "woowoo"}

Creating a User

HTTP/1.1 201 CreatedLocation: http://example.com/users/codahale

POST /users/ HTTP/1.1Content-Type: application/json

{ "id": "codahale", "password": "woowoo"}

Creating a User

HTTP/1.1 201 CreatedLocation: http://example.com/users/codahale

Generates a New Key Pair

POST /users/ HTTP/1.1Content-Type: application/json

{ "id": "codahale", "password": "woowoo"}

Creating a User

HTTP/1.1 201 CreatedLocation: http://example.com/users/codahale

Generates a New Key PairEncrypts The Private Key

POST /users/ HTTP/1.1Content-Type: application/json

{ "id": "codahale", "password": "woowoo"}

Creating a User

HTTP/1.1 201 CreatedLocation: http://example.com/users/codahale

Generates a New Key PairEncrypts The Private Key

Stores It with the User Record

POST /users/ HTTP/1.1Content-Type: application/json

{ "id": "codahale", "password": "woowoo"}

Storing a Document

Storing a Document

HTTP/1.1 204 No Content

PUT /users/codahale/documents/foo.txt HTTP/1.1Content-Type: text/plainAuthorization: Basic Y29kYWhhbGU6d29vd29v

yay for me

Storing a Document

HTTP/1.1 204 No Content

PUT /users/codahale/documents/foo.txt HTTP/1.1Content-Type: text/plainAuthorization: Basic Y29kYWhhbGU6d29vd29v

yay for me

Storing a Document

HTTP/1.1 204 No Content

PUT /users/codahale/documents/foo.txt HTTP/1.1Content-Type: text/plainAuthorization: Basic Y29kYWhhbGU6d29vd29v

yay for me

Storing a Document

HTTP/1.1 204 No Content

PUT /users/codahale/documents/foo.txt HTTP/1.1Content-Type: text/plainAuthorization: Basic Y29kYWhhbGU6d29vd29v

yay for me

Storing a Document

HTTP/1.1 204 No Content

PUT /users/codahale/documents/foo.txt HTTP/1.1Content-Type: text/plainAuthorization: Basic Y29kYWhhbGU6d29vd29v

yay for me

Storing a Document

HTTP/1.1 204 No Content

PUT /users/codahale/documents/foo.txt HTTP/1.1Content-Type: text/plainAuthorization: Basic Y29kYWhhbGU6d29vd29v

yay for me

Storing a Document

HTTP/1.1 204 No Content

PUT /users/codahale/documents/foo.txt HTTP/1.1Content-Type: text/plainAuthorization: Basic Y29kYWhhbGU6d29vd29v

yay for me

Storing a Document

HTTP/1.1 204 No Content

PUT /users/codahale/documents/foo.txt HTTP/1.1Content-Type: text/plainAuthorization: Basic Y29kYWhhbGU6d29vd29v

yay for me

Storing a Document

HTTP/1.1 204 No Content

Decrypts the User’s Key Set

PUT /users/codahale/documents/foo.txt HTTP/1.1Content-Type: text/plainAuthorization: Basic Y29kYWhhbGU6d29vd29v

yay for me

Storing a Document

HTTP/1.1 204 No Content

Decrypts the User’s Key SetSigns the Document With It

PUT /users/codahale/documents/foo.txt HTTP/1.1Content-Type: text/plainAuthorization: Basic Y29kYWhhbGU6d29vd29v

yay for me

Storing a Document

HTTP/1.1 204 No Content

Decrypts the User’s Key SetSigns the Document With It

Encrypts the Document With It

PUT /users/codahale/documents/foo.txt HTTP/1.1Content-Type: text/plainAuthorization: Basic Y29kYWhhbGU6d29vd29v

yay for me

Storing a Document

HTTP/1.1 204 No Content

Decrypts the User’s Key SetSigns the Document With It

Encrypts the Document With ItStores The Encrypted Document

PUT /users/codahale/documents/foo.txt HTTP/1.1Content-Type: text/plainAuthorization: Basic Y29kYWhhbGU6d29vd29v

yay for me

Listing Documents

Listing DocumentsGET /users/codahale/documents/ HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29vAccept: application/json

HTTP/1.1 200 OKContent-Type: application/json

{ "documents":[{ "name":"foo.txt", "uri":"/users/codahale/documents/foo.txt" }]}

Listing DocumentsGET /users/codahale/documents/ HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29vAccept: application/json

HTTP/1.1 200 OKContent-Type: application/json

{ "documents":[{ "name":"foo.txt", "uri":"/users/codahale/documents/foo.txt" }]}

Listing DocumentsGET /users/codahale/documents/ HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29vAccept: application/json

HTTP/1.1 200 OKContent-Type: application/json

{ "documents":[{ "name":"foo.txt", "uri":"/users/codahale/documents/foo.txt" }]}

Listing DocumentsGET /users/codahale/documents/ HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29vAccept: application/json

HTTP/1.1 200 OKContent-Type: application/json

{ "documents":[{ "name":"foo.txt", "uri":"/users/codahale/documents/foo.txt" }]}

Listing DocumentsGET /users/codahale/documents/ HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29vAccept: application/json

HTTP/1.1 200 OKContent-Type: application/json

{ "documents":[{ "name":"foo.txt", "uri":"/users/codahale/documents/foo.txt" }]}

Listing DocumentsGET /users/codahale/documents/ HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29vAccept: application/json

HTTP/1.1 200 OKContent-Type: application/json

{ "documents":[{ "name":"foo.txt", "uri":"/users/codahale/documents/foo.txt" }]}

Listing DocumentsGET /users/codahale/documents/ HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29vAccept: application/json

HTTP/1.1 200 OKContent-Type: application/json

{ "documents":[{ "name":"foo.txt", "uri":"/users/codahale/documents/foo.txt" }]}

Listing DocumentsGET /users/codahale/documents/ HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29vAccept: application/json

Decrypts the User’s Key Set

HTTP/1.1 200 OKContent-Type: application/json

{ "documents":[{ "name":"foo.txt", "uri":"/users/codahale/documents/foo.txt" }]}

Listing DocumentsGET /users/codahale/documents/ HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29vAccept: application/json

Decrypts the User’s Key SetLoads the List of Documents

HTTP/1.1 200 OKContent-Type: application/json

{ "documents":[{ "name":"foo.txt", "uri":"/users/codahale/documents/foo.txt" }]}

Viewing a Document

Viewing a Document

HTTP/1.1 200 OKCache-Control: private, no-cache, no-storeContent-Type: text/plain

yay for me

GET /users/codahale/documents/foo.txt HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29v

Viewing a Document

HTTP/1.1 200 OKCache-Control: private, no-cache, no-storeContent-Type: text/plain

yay for me

GET /users/codahale/documents/foo.txt HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29v

Viewing a Document

HTTP/1.1 200 OKCache-Control: private, no-cache, no-storeContent-Type: text/plain

yay for me

GET /users/codahale/documents/foo.txt HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29v

Viewing a Document

HTTP/1.1 200 OKCache-Control: private, no-cache, no-storeContent-Type: text/plain

yay for me

GET /users/codahale/documents/foo.txt HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29v

Viewing a Document

HTTP/1.1 200 OKCache-Control: private, no-cache, no-storeContent-Type: text/plain

yay for me

GET /users/codahale/documents/foo.txt HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29v

Viewing a Document

HTTP/1.1 200 OKCache-Control: private, no-cache, no-storeContent-Type: text/plain

yay for me

GET /users/codahale/documents/foo.txt HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29v

Viewing a Document

Decrypts the User’s Key Set

HTTP/1.1 200 OKCache-Control: private, no-cache, no-storeContent-Type: text/plain

yay for me

GET /users/codahale/documents/foo.txt HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29v

Viewing a Document

Decrypts the User’s Key SetDecrypts the Document

HTTP/1.1 200 OKCache-Control: private, no-cache, no-storeContent-Type: text/plain

yay for me

GET /users/codahale/documents/foo.txt HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29v

Viewing a Document

Decrypts the User’s Key SetDecrypts the Document

Verifies the Signature

HTTP/1.1 200 OKCache-Control: private, no-cache, no-storeContent-Type: text/plain

yay for me

GET /users/codahale/documents/foo.txt HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29v

Linking a Documentto Another User

Linking a Document

HTTP/1.1 204 No Content

PUT /users/codahale/documents/foo.txt/links/samquigleyAuthorization: Basic Y29kYWhhbGU6d29vd29v

Linking a Document

HTTP/1.1 204 No Content

PUT /users/codahale/documents/foo.txt/links/samquigleyAuthorization: Basic Y29kYWhhbGU6d29vd29v

Linking a Document

HTTP/1.1 204 No Content

PUT /users/codahale/documents/foo.txt/links/samquigleyAuthorization: Basic Y29kYWhhbGU6d29vd29v

Linking a Document

HTTP/1.1 204 No Content

PUT /users/codahale/documents/foo.txt/links/samquigleyAuthorization: Basic Y29kYWhhbGU6d29vd29v

Linking a Document

HTTP/1.1 204 No Content

PUT /users/codahale/documents/foo.txt/links/samquigleyAuthorization: Basic Y29kYWhhbGU6d29vd29v

Linking a Document

HTTP/1.1 204 No Content

Decrypts the Document

PUT /users/codahale/documents/foo.txt/links/samquigleyAuthorization: Basic Y29kYWhhbGU6d29vd29v

Linking a Document

HTTP/1.1 204 No Content

Decrypts the DocumentRe-encrypts the Document for Both Users

PUT /users/codahale/documents/foo.txt/links/samquigleyAuthorization: Basic Y29kYWhhbGU6d29vd29v

Linking a Document

HTTP/1.1 204 No Content

Decrypts the DocumentRe-encrypts the Document for Both Users

Gives Read-Only Access To The Second User

PUT /users/codahale/documents/foo.txt/links/samquigleyAuthorization: Basic Y29kYWhhbGU6d29vd29v

GPG as a Service

GPG as a Service(GaaS)

What’s the big deal?

Self-Defending Data

Self-Defending Datasudo for the Web

Self-Defending Datasudo for the Web

Privacy Wall

Self-Defending Data

Data EnforcesAccess Rules

Enforce Business Logic with Math

But Wait!There’s More!

Authentication Done Right

Adaptive Hashing

Adaptive HashingCentralized, as a Service

Adaptive HashingCentralized, as a Service

Resistant to Modern Attacks

sudo for the Web

Long-Lived Session Cookies

Long-Lived Session CookiesRe-Auth for Privileged Access

Long-Lived Session CookiesRe-Auth for Privileged AccessMitigates XSS/CSRF (sorta)

Privacy Wall

You’re Locked Out

You’re Locked OutThis is Good

You’re Locked OutThis is Good

Protects Everyone from Insiders

You’re Locked OutThis is Good

Protects Everyone from InsidersProtects Everyone from Outsiders

Summary

Grendel: OpenPGP + REST + Java

Grendel: OpenPGP + REST + JavaSelf-Defending Data

Grendel: OpenPGP + REST + JavaSelf-Defending Data

Authentication + sudo

Grendel: OpenPGP + REST + JavaSelf-Defending Data

Authentication + sudoPrivacy Wall

Progress

✓ –✓✓–

✓

Future Directions

Sessions

SessionsOAuth (2.0)

SessionsOAuth (2.0)

Spreading the Ideas

Questions?http://github.com/wesabe/grendel