Embed Size (px)
Citation preview
Protecting “Cloud” Secrets With Grendel
http://github.com/wesabe/grendel
Sam QuigleySquare
@emerose
Coda HaleYammer, Inc.@coda
You store private information.
passwordshttp://techcrunch.com/2009/12/14/rockyou-hack-security-myspace-facebook-passwords/
credit card numbers
bank account info
social security numbershttp://www.wired.com/threatlevel/2010/05/lifelock-identity-theft
health care informationhttps://health.google.com
confidential business documents
http://techcrunch.com/2009/07/14/in-our-inbox-hundreds-of-confidential-twitter-documents/
but also…
personal conversationshttp://www.businessinsider.com/well-these-new-zuckerberg-ims-wont-help-facebooks-privacy-problems-2010-5
photoshttp://valleywag.gawker.com/321802/bank-intern-busted-by-facebook
videoshttp://gawker.com/034201/the-fred-durst-sex-tape-you-never-wanted
purchase histories
usage patternshttp://aolpsycho.com/user/14162375-yahoo
All of this is private.
Anything your users don’t want shared
We all store private information.
How well do we protect it?
Firewall!
VPN!
Firewall!
VPN!
Passwords!
Firewall!
Useless.
Really Useless.http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Encryption!
Hard.
Really hard.http://www.veracode.com/images/pdf/veracode_state_of_software_security_report_volume_1.pdf
We still need to protect it.
We have ideas.
Grendel!
Grendel!A Secure Document Storage System
Simplest Thing That Can Work
Simplest Thing That Can Work
Minimum Viable Product
Simplest Thing That Can Work
Minimum Viable Product
Open Source
Simplest Thing That Can Work
Minimum Viable Product
Open Source
Big Plans for the Future
Simplest Thing That Can Work
Minimum Viable Product
Open Source
Big Plans for the Future
Gets the Fundamentals Right
Data Storage
Data StorageAuthentication
Data StorageAuthenticationAccess Control
OpenPGP
OpenPGPREST
OpenPGPREST
Java + RDBMS
OpenPGP
Message FormatWhat PGP and GPG Use
RFC 4880
Open Standard
Well Reviewed
Used Everywhere
Flexible
Confidentiality
Integrity
Keys!
Asymmetric
One Set Per User
Stored Encrypted with User’s Passphrase
Documents!
Arbitrary Contents
Recipients!
OpenPGPREST
Java + RDBMS
✓
REST
HTTP
HTTPSpoken Natively
Why REST?
Simple
Ubiquitous
Well-Understood
Easy to Debug
Lots of Free Features
OpenPGPREST
Java + RDBMS
✓✓
Java + RDBMS
Java 6
Java 6Bouncy Castle
Java 6Bouncy Castle
Jetty
Java 6Bouncy Castle
JettyJersey
Java 6Bouncy Castle
JettyJerseyGuice
Java 6Bouncy Castle
JettyJerseyGuice
Hibernate
Why Java?
Fast
FastStable
FastStable
Well-Understood
Why RDBMS?
You Already Have One
OpenPGPREST
Java + RDBMS
✓✓✓
Easy To Use
One Config File
hibernate.dialect=org.hibernate.dialect.MySQL5InnoDBDialecthibernate.connection.username=grendelhibernate.connection.password=sn00persn33krithibernate.connection.url=jdbc:mysql://db1.example.com/grendel_prodhibernate.c3p0.min_size=10hibernate.c3p0.max_size=50
Generating Schemas
$ java -jar grendel.jar schema \ -c database.properties
create table documents ( name varchar(255) not null, body longblob not null, content_type varchar(40) not null, created_at datetime not null, modified_at datetime not null, version bigint not null, owner_id varchar(255) not null, primary key (name, owner_id)) ENGINE=InnoDB;
create table links ( user_id varchar(255) not null, document_name varchar(255) not null, document_owner_id varchar(255) not null, primary key (user_id, document_name, document_owner_id)) ENGINE=InnoDB;
create table users ( id varchar(255) not null, created_at datetime not null, keyset longblob not null, modified_at datetime not null, version bigint not null, primary key (id)) ENGINE=InnoDB;
Running the Server
$ java -jar grendel.jar server \ -c database.properties \ -p 8080
Grendel’s API/users/users/{id}/users/{id}/documents/users/{id}/documents/{name}/users/{id}/documents/{name}/links/users/{id}/documents/{name}/links/{otherid}/users/{id}/linked-documents/users/{id}/linked-documents/{otherid}/{name}
Creating a User
Creating a User
HTTP/1.1 201 CreatedLocation: http://example.com/users/codahale
POST /users/ HTTP/1.1Content-Type: application/json
{ "id": "codahale", "password": "woowoo"}
Creating a User
HTTP/1.1 201 CreatedLocation: http://example.com/users/codahale
POST /users/ HTTP/1.1Content-Type: application/json
{ "id": "codahale", "password": "woowoo"}
Creating a User
HTTP/1.1 201 CreatedLocation: http://example.com/users/codahale
POST /users/ HTTP/1.1Content-Type: application/json
{ "id": "codahale", "password": "woowoo"}
Creating a User
HTTP/1.1 201 CreatedLocation: http://example.com/users/codahale
POST /users/ HTTP/1.1Content-Type: application/json
{ "id": "codahale", "password": "woowoo"}
Creating a User
HTTP/1.1 201 CreatedLocation: http://example.com/users/codahale
POST /users/ HTTP/1.1Content-Type: application/json
{ "id": "codahale", "password": "woowoo"}
Creating a User
HTTP/1.1 201 CreatedLocation: http://example.com/users/codahale
POST /users/ HTTP/1.1Content-Type: application/json
{ "id": "codahale", "password": "woowoo"}
Creating a User
HTTP/1.1 201 CreatedLocation: http://example.com/users/codahale
POST /users/ HTTP/1.1Content-Type: application/json
{ "id": "codahale", "password": "woowoo"}
Creating a User
HTTP/1.1 201 CreatedLocation: http://example.com/users/codahale
POST /users/ HTTP/1.1Content-Type: application/json
{ "id": "codahale", "password": "woowoo"}
Creating a User
HTTP/1.1 201 CreatedLocation: http://example.com/users/codahale
POST /users/ HTTP/1.1Content-Type: application/json
{ "id": "codahale", "password": "woowoo"}
Creating a User
HTTP/1.1 201 CreatedLocation: http://example.com/users/codahale
Generates a New Key Pair
POST /users/ HTTP/1.1Content-Type: application/json
{ "id": "codahale", "password": "woowoo"}
Creating a User
HTTP/1.1 201 CreatedLocation: http://example.com/users/codahale
Generates a New Key PairEncrypts The Private Key
POST /users/ HTTP/1.1Content-Type: application/json
{ "id": "codahale", "password": "woowoo"}
Creating a User
HTTP/1.1 201 CreatedLocation: http://example.com/users/codahale
Generates a New Key PairEncrypts The Private Key
Stores It with the User Record
POST /users/ HTTP/1.1Content-Type: application/json
{ "id": "codahale", "password": "woowoo"}
Storing a Document
Storing a Document
HTTP/1.1 204 No Content
PUT /users/codahale/documents/foo.txt HTTP/1.1Content-Type: text/plainAuthorization: Basic Y29kYWhhbGU6d29vd29v
yay for me
Storing a Document
HTTP/1.1 204 No Content
PUT /users/codahale/documents/foo.txt HTTP/1.1Content-Type: text/plainAuthorization: Basic Y29kYWhhbGU6d29vd29v
yay for me
Storing a Document
HTTP/1.1 204 No Content
PUT /users/codahale/documents/foo.txt HTTP/1.1Content-Type: text/plainAuthorization: Basic Y29kYWhhbGU6d29vd29v
yay for me
Storing a Document
HTTP/1.1 204 No Content
PUT /users/codahale/documents/foo.txt HTTP/1.1Content-Type: text/plainAuthorization: Basic Y29kYWhhbGU6d29vd29v
yay for me
Storing a Document
HTTP/1.1 204 No Content
PUT /users/codahale/documents/foo.txt HTTP/1.1Content-Type: text/plainAuthorization: Basic Y29kYWhhbGU6d29vd29v
yay for me
Storing a Document
HTTP/1.1 204 No Content
PUT /users/codahale/documents/foo.txt HTTP/1.1Content-Type: text/plainAuthorization: Basic Y29kYWhhbGU6d29vd29v
yay for me
Storing a Document
HTTP/1.1 204 No Content
PUT /users/codahale/documents/foo.txt HTTP/1.1Content-Type: text/plainAuthorization: Basic Y29kYWhhbGU6d29vd29v
yay for me
Storing a Document
HTTP/1.1 204 No Content
PUT /users/codahale/documents/foo.txt HTTP/1.1Content-Type: text/plainAuthorization: Basic Y29kYWhhbGU6d29vd29v
yay for me
Storing a Document
HTTP/1.1 204 No Content
Decrypts the User’s Key Set
PUT /users/codahale/documents/foo.txt HTTP/1.1Content-Type: text/plainAuthorization: Basic Y29kYWhhbGU6d29vd29v
yay for me
Storing a Document
HTTP/1.1 204 No Content
Decrypts the User’s Key SetSigns the Document With It
PUT /users/codahale/documents/foo.txt HTTP/1.1Content-Type: text/plainAuthorization: Basic Y29kYWhhbGU6d29vd29v
yay for me
Storing a Document
HTTP/1.1 204 No Content
Decrypts the User’s Key SetSigns the Document With It
Encrypts the Document With It
PUT /users/codahale/documents/foo.txt HTTP/1.1Content-Type: text/plainAuthorization: Basic Y29kYWhhbGU6d29vd29v
yay for me
Storing a Document
HTTP/1.1 204 No Content
Decrypts the User’s Key SetSigns the Document With It
Encrypts the Document With ItStores The Encrypted Document
PUT /users/codahale/documents/foo.txt HTTP/1.1Content-Type: text/plainAuthorization: Basic Y29kYWhhbGU6d29vd29v
yay for me
Listing Documents
Listing DocumentsGET /users/codahale/documents/ HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29vAccept: application/json
HTTP/1.1 200 OKContent-Type: application/json
{ "documents":[{ "name":"foo.txt", "uri":"/users/codahale/documents/foo.txt" }]}
Listing DocumentsGET /users/codahale/documents/ HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29vAccept: application/json
HTTP/1.1 200 OKContent-Type: application/json
{ "documents":[{ "name":"foo.txt", "uri":"/users/codahale/documents/foo.txt" }]}
Listing DocumentsGET /users/codahale/documents/ HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29vAccept: application/json
HTTP/1.1 200 OKContent-Type: application/json
{ "documents":[{ "name":"foo.txt", "uri":"/users/codahale/documents/foo.txt" }]}
Listing DocumentsGET /users/codahale/documents/ HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29vAccept: application/json
HTTP/1.1 200 OKContent-Type: application/json
{ "documents":[{ "name":"foo.txt", "uri":"/users/codahale/documents/foo.txt" }]}
Listing DocumentsGET /users/codahale/documents/ HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29vAccept: application/json
HTTP/1.1 200 OKContent-Type: application/json
{ "documents":[{ "name":"foo.txt", "uri":"/users/codahale/documents/foo.txt" }]}
Listing DocumentsGET /users/codahale/documents/ HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29vAccept: application/json
HTTP/1.1 200 OKContent-Type: application/json
{ "documents":[{ "name":"foo.txt", "uri":"/users/codahale/documents/foo.txt" }]}
Listing DocumentsGET /users/codahale/documents/ HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29vAccept: application/json
HTTP/1.1 200 OKContent-Type: application/json
{ "documents":[{ "name":"foo.txt", "uri":"/users/codahale/documents/foo.txt" }]}
Listing DocumentsGET /users/codahale/documents/ HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29vAccept: application/json
Decrypts the User’s Key Set
HTTP/1.1 200 OKContent-Type: application/json
{ "documents":[{ "name":"foo.txt", "uri":"/users/codahale/documents/foo.txt" }]}
Listing DocumentsGET /users/codahale/documents/ HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29vAccept: application/json
Decrypts the User’s Key SetLoads the List of Documents
HTTP/1.1 200 OKContent-Type: application/json
{ "documents":[{ "name":"foo.txt", "uri":"/users/codahale/documents/foo.txt" }]}
Viewing a Document
Viewing a Document
HTTP/1.1 200 OKCache-Control: private, no-cache, no-storeContent-Type: text/plain
yay for me
GET /users/codahale/documents/foo.txt HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29v
Viewing a Document
HTTP/1.1 200 OKCache-Control: private, no-cache, no-storeContent-Type: text/plain
yay for me
GET /users/codahale/documents/foo.txt HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29v
Viewing a Document
HTTP/1.1 200 OKCache-Control: private, no-cache, no-storeContent-Type: text/plain
yay for me
GET /users/codahale/documents/foo.txt HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29v
Viewing a Document
HTTP/1.1 200 OKCache-Control: private, no-cache, no-storeContent-Type: text/plain
yay for me
GET /users/codahale/documents/foo.txt HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29v
Viewing a Document
HTTP/1.1 200 OKCache-Control: private, no-cache, no-storeContent-Type: text/plain
yay for me
GET /users/codahale/documents/foo.txt HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29v
Viewing a Document
HTTP/1.1 200 OKCache-Control: private, no-cache, no-storeContent-Type: text/plain
yay for me
GET /users/codahale/documents/foo.txt HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29v
Viewing a Document
Decrypts the User’s Key Set
HTTP/1.1 200 OKCache-Control: private, no-cache, no-storeContent-Type: text/plain
yay for me
GET /users/codahale/documents/foo.txt HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29v
Viewing a Document
Decrypts the User’s Key SetDecrypts the Document
HTTP/1.1 200 OKCache-Control: private, no-cache, no-storeContent-Type: text/plain
yay for me
GET /users/codahale/documents/foo.txt HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29v
Viewing a Document
Decrypts the User’s Key SetDecrypts the Document
Verifies the Signature
HTTP/1.1 200 OKCache-Control: private, no-cache, no-storeContent-Type: text/plain
yay for me
GET /users/codahale/documents/foo.txt HTTP/1.1Authorization: Basic Y29kYWhhbGU6d29vd29v
Linking a Documentto Another User
Linking a Document
HTTP/1.1 204 No Content
PUT /users/codahale/documents/foo.txt/links/samquigleyAuthorization: Basic Y29kYWhhbGU6d29vd29v
Linking a Document
HTTP/1.1 204 No Content
PUT /users/codahale/documents/foo.txt/links/samquigleyAuthorization: Basic Y29kYWhhbGU6d29vd29v
Linking a Document
HTTP/1.1 204 No Content
PUT /users/codahale/documents/foo.txt/links/samquigleyAuthorization: Basic Y29kYWhhbGU6d29vd29v
Linking a Document
HTTP/1.1 204 No Content
PUT /users/codahale/documents/foo.txt/links/samquigleyAuthorization: Basic Y29kYWhhbGU6d29vd29v
Linking a Document
HTTP/1.1 204 No Content
PUT /users/codahale/documents/foo.txt/links/samquigleyAuthorization: Basic Y29kYWhhbGU6d29vd29v
Linking a Document
HTTP/1.1 204 No Content
Decrypts the Document
PUT /users/codahale/documents/foo.txt/links/samquigleyAuthorization: Basic Y29kYWhhbGU6d29vd29v
Linking a Document
HTTP/1.1 204 No Content
Decrypts the DocumentRe-encrypts the Document for Both Users
PUT /users/codahale/documents/foo.txt/links/samquigleyAuthorization: Basic Y29kYWhhbGU6d29vd29v
Linking a Document
HTTP/1.1 204 No Content
Decrypts the DocumentRe-encrypts the Document for Both Users
Gives Read-Only Access To The Second User
PUT /users/codahale/documents/foo.txt/links/samquigleyAuthorization: Basic Y29kYWhhbGU6d29vd29v
GPG as a Service
GPG as a Service(GaaS)
What’s the big deal?
Self-Defending Data
Self-Defending Datasudo for the Web
Self-Defending Datasudo for the Web
Privacy Wall
Self-Defending Data
Data EnforcesAccess Rules
Enforce Business Logic with Math
But Wait!There’s More!
Authentication Done Right
Adaptive Hashing
Adaptive HashingCentralized, as a Service
Adaptive HashingCentralized, as a Service
Resistant to Modern Attacks
sudo for the Web
Long-Lived Session Cookies
Long-Lived Session CookiesRe-Auth for Privileged Access
Long-Lived Session CookiesRe-Auth for Privileged AccessMitigates XSS/CSRF (sorta)
Privacy Wall
You’re Locked Out
You’re Locked OutThis is Good
You’re Locked OutThis is Good
Protects Everyone from Insiders
You’re Locked OutThis is Good
Protects Everyone from InsidersProtects Everyone from Outsiders
Summary
Grendel: OpenPGP + REST + Java
Grendel: OpenPGP + REST + JavaSelf-Defending Data
Grendel: OpenPGP + REST + JavaSelf-Defending Data
Authentication + sudo
Grendel: OpenPGP + REST + JavaSelf-Defending Data
Authentication + sudoPrivacy Wall
Progress
✓ –✓✓–
✓
Future Directions
Sessions
SessionsOAuth (2.0)
SessionsOAuth (2.0)
Spreading the Ideas
Questions?http://github.com/wesabe/grendel
