Bringing usable crypto to 7 million developers

Kenn White
January 27, 2020

Enigma 2020 | USENIX

Transcript

  1. Bringing usable crypto to 7 million developers
    Kenneth White @kennwhite
    A story about lessons in end-to-end encryption
  2. /about
    - Security Principal at MongoDB
    - Focus on applied encryption & distributed systems
    - Some past projects: TrueCrypt & OpenSSL audits, Linux Foundation Core Infrastructure Initiative, super cookie research, DHS, DOD
    - Life- and safety-critical systems
  3. Bringing usable crypto to 7 million developers
    ❏ Database myths
    ❏ The trust problem
    ❏ Encrypting Hello World on every major platform
    ❏ Things they don't teach you in CS
    ❏ Lessons
    ❏ Reflections
  4. Database myths
    ❏ Database encryption is a solved problem (it is not)
    "I want database encryption" "Here. Here's TLS."
  5. Database myths
    ❏ Database encryption is a solved problem (it is not)
    "I want database encryption" "Here. Here's TLS."
    "I want database encryption" "Here. Here's FDE."
  6. Database myths
    ❏ Database encryption is a solved problem (it is not)
    "I want database encryption" "Here. Here's TLS."
    "I want database encryption" "Here. Here's FDE."
    "I want database encryption" "Here. Here's encrypted datastore files."
  7. The trust problem
    ❏ We've done a (pretty) good job of addressing:
    ❏ network confidentiality/encryption-in-transit
    ❏ Modern TLS (PFS, abuse-resistance)
  8. The trust problem
    ❏ We've done a (pretty) good job of addressing:
    ❏ network confidentiality/encryption-in-transit
    ❏ Modern TLS (PFS, abuse-resistance)
    ❏ storage confidentiality/encryption-at-rest
    ❏ FDE / encrypted volumes / file encryption
  9. The trust problem
    Who holds the keys?
    ❏ Who can see the plaintext?
      - The database operator?
  10. The trust problem
    Who holds the keys?
    ❏ Who can see the plaintext?
      - The database operator?
      - The sys admin?
  11. The trust problem
    Who holds the keys?
    ❏ Who can see the plaintext?
      - The database operator?
      - The sys admin?
      - The DB server?
  12. The trust problem
    Who holds the keys?
    ❏ Who can see the plaintext?
      - The database operator?
      - The sys admin?
      - The DB server?
      - The VM hypervisor host?
  13. The trust problem
    Who holds the keys?
    ❏ Who can see the plaintext?
      - The database operator?
      - The sys admin?
      - The DB server?
      - The VM hypervisor host?
      - The infrastructure/cloud provider?
  14. The trust problem
    ❏ A question of trust. What is the source of trust?
      - In a server-side encryption model, a leak or breach can be catastrophic
  15. The trust problem
    ❏ A question of trust. What is the source of trust?
      - In a server-side encryption model, a leak or breach can be catastrophic
      - This potentially includes: logs, backups, temp files, process memory…
  16. The trust problem
    ❏ A question of trust. What is the source of trust?
      - In a server-side encryption model, a leak or breach can be catastrophic
      - This potentially includes: logs, backups, temp files, process memory…
      - Privileged credential users/processes see everything
  17. The trust problem
    ❏ A question of trust. What is the source of trust?
      - In a server-side encryption model, a leak or breach can be catastrophic
      - This potentially includes: logs, backups, temp files, process memory…
      - Privileged credential users/processes see everything
  18. The trust problem
    ❏ We have far fewer options to protect data-in-use
    ❏ In theory, we have lots of choices
  19. The trust problem
    ❏ We have far fewer options to protect data-in-use
    ❏ In theory, we have lots of choices
    ❏ In practice, not so much
  20. “The difference between ‘possible’ and ‘lol nope’ is a vast lonely wasteland that's crushed countless souls.” — me
  21. The trust problem
    ❏ Can we encrypt data before it ever leaves the application?
    ❏ Some workloads require end-to-end or client-side encryption
  22. The trust problem
    ❏ Can we encrypt data before it ever leaves the application?
    ❏ Some workloads require end-to-end or client-side encryption
  23. The trust problem
    ❏ Can we encrypt data before it ever leaves the application?
    ❏ Some workloads require end-to-end or client-side encryption
    ❏ Similar to e2e in messaging apps
  24. The trust problem
    ❏ Can we encrypt data before it ever leaves the application?
    ❏ Some workloads require end-to-end or client-side encryption
    ❏ Similar to e2e in messaging apps
    ❏ This is a solved problem, yes?
  25. The trust problem
    ❏ Can we encrypt data before it ever leaves the application?
    ❏ Some workloads require end-to-end or client-side encryption
    ❏ Similar to e2e in messaging apps
    ❏ This is a solved problem, yes?
  26. The trust problem
    ❏ Can we encrypt data before it ever leaves the application?
    ❏ Some workloads require end-to-end or client-side encryption
    ❏ Similar to e2e in messaging apps
    ❏ This is a solved problem, yes?
    Narrator: It is not.
  27. The trust problem
    ❏ Database encryption is not a solved problem
    "I want client-side database encryption" "Here. Here's an SDK."
  28. The trust problem
    ❏ Database encryption is not a solved problem
    "I want client-side database encryption" "Here. Here's an SDK."
    "So I just run my queries as-is?" "Oh, no sorry. You'll have to re-write everything."
  29. The trust problem
    ❏ Database encryption is not a solved problem
    "I want client-side database encryption" "Here. Here's an SDK."
    "So I just run my queries as-is?" "Oh, no sorry. You'll have to re-write everything."
    "But at least I can search my database?" "Oh, no sorry."
  30. The trust problem
    ❏ Database encryption is not a solved problem
    A GitHub repo or a complicated bolt-on SDK doesn't count.
  31. An idea was born
    What if... You didn't have to
    ...use some clunky and limited SDK
    ...rewrite all your app query code
    ...lose the ability to search your database
  32. An idea was born
    What if... You didn't have to
    ...use some clunky and limited SDK
    ...rewrite all your app query code
    ...lose the ability to search your database
    What if...
  33. An idea was born
    What if... You didn't have to
    ...use some clunky and limited SDK
    ...rewrite all your app query code
    ...lose the ability to search your database
    What if... You could create a key, set a config, and just go?
  34. So began the journey
    ❏ 24+ engineers (core server, query, drivers, platforms, build)
    ❏ 3 independent security reviews
  35. So began the journey
    ❏ 24+ engineers (core server, query, drivers, platforms, build)
    ❏ 3 independent security reviews
    ❏ dozens of formal developer UX studies
  36. So began the journey
    ❏ 24+ engineers (core server, query, drivers, platforms, build)
    ❏ 3 independent security reviews
    ❏ dozens of formal developer UX studies
    ❏ 7 months of real-world customer beta testing
  37. So began the journey
    ❏ 24+ engineers (core server, query, drivers, platforms, build)
    ❏ 3 independent security reviews
    ❏ dozens of formal developer UX studies
    ❏ 7 months of real-world customer beta testing
    ❏ 2 years from initial scope to GA
  38. So began the journey
    ❏ 24+ engineers (core server, query, drivers, platforms, build)
    ❏ 3 independent security reviews
    ❏ dozens of formal developer UX studies
    ❏ 7 months of real-world customer beta testing
    ❏ 2 years from initial scope to GA
    ❏ one of the largest engineering investments we've made
  39. So began the journey
    ❏ MongoDB client-side field level encryption (CSFLE)
    ❏ Most popular NoSQL database in the world
  40. So began the journey
    ❏ MongoDB client-side field level encryption (CSFLE)
    ❏ Most popular NoSQL database in the world
    ❏ Runs on 19+ platforms
  41. So began the journey
    ❏ MongoDB client-side field level encryption (CSFLE)
    ❏ Most popular NoSQL database in the world
    ❏ Runs on 19+ platforms
      - 12 MongoDB supported language drivers + 7 community drivers
  42. So began the journey
    ❏ MongoDB client-side field level encryption (CSFLE)
    ❏ Most popular NoSQL database in the world
    ❏ Runs on 19+ platforms
      - 12 MongoDB supported language drivers + 7 community drivers
      - Java, Reactive Native, Scala, Python, Node.js, Go, C, C++, C# .NET, PHP, Ruby, Swift...
  43. So began the journey
    ❏ MongoDB client-side field level encryption (CSFLE)
    ❏ Most popular NoSQL database in the world
    ❏ Runs on 19+ platforms
      - 12 MongoDB supported language drivers + 7 community drivers
      - Java, Reactive Native, Scala, Python, Node.js, Go, C, C++, C# .NET, PHP, Ruby, Swift...
      - Windows, MacOS, iOS, Android, Debian, Ubuntu, Red Hat, CentOS, Amazon Linux, SuSE
  44. So began the journey
    ❏ MongoDB client-side field level encryption (CSFLE)
    ❏ Most popular NoSQL database in the world
    ❏ Runs on 19+ platforms
      - 12 MongoDB supported language drivers + 7 community drivers
      - Java, Reactive Native, Scala, Python, Node.js, Go, C, C++, C# .NET, PHP, Ruby, Swift...
      - Windows, MacOS, iOS, Android, Debian, Ubuntu, Red Hat, CentOS, Amazon Linux, SuSE
      - x86, ARM, Power, IBM Z-Series mainframes
  45. The implementation
    ❏ CSFLE is enabled in drivers & integrated into shell
    ❏ All encrypt/decrypt is done in the driver, on client
  46. The implementation
    ❏ CSFLE is enabled in drivers & integrated into shell
    ❏ All encrypt/decrypt is done in the driver, on client
    ❏ Drivers have expanded MQL awareness for automatic encryption
  47. The implementation
    ❏ CSFLE is enabled in drivers & integrated into shell
    ❏ All encrypt/decrypt is done in the driver, on client
    ❏ Drivers have expanded MQL awareness for automatic encryption
    ❏ Individual fields within collections can be marked as encrypted
  48. The implementation
    ❏ CSFLE is enabled in drivers & integrated into shell
    ❏ All encrypt/decrypt is done in the driver, on client
    ❏ Drivers have expanded MQL awareness for automatic encryption
    ❏ Individual fields within collections can be marked as encrypted
    ❏ Keys can be used on a per-field or per-document basis
  49. The implementation
    ❏ CSFLE is enabled in drivers & integrated into shell
    ❏ All encrypt/decrypt is done in the driver, on client
    ❏ Drivers have expanded MQL awareness for automatic encryption
    ❏ Individual fields within collections can be marked as encrypted
    ❏ Keys can be used on a per-field or per-document basis
    ❏ Native subdocument & aggregation pipeline support
  50. Cryptography
    ❏ Cloud key services natively integrated
    ❏ Authenticated encryption: AEAD AES-256 HMAC-SHA512
    ❏ Abuse- and misuse-resistant, derived HMACs
  51. Cryptography
    ❏ Cloud key services natively integrated
    ❏ Authenticated encryption: AEAD AES-256 HMAC-SHA512
    ❏ Abuse- and misuse-resistant, derived HMACs
    ❏ Native OS libraries used for crypto primitives (no DIY)
  52. Cryptography
    ❏ Raw key material never persisted to disk (in-memory on app server only)
    ❏ Stored field keys protected by strong symmetric encryption server-side (opaque to operator)
  53. Cryptography
    ❏ Raw key material never persisted to disk (in-memory on app server only)
    ❏ Stored field keys protected by strong symmetric encryption server-side (opaque to operator)
    ❏ Field wrapping keys secured in HSM-backed external KMS
  54. Cryptography
    ❏ Raw key material never persisted to disk (in-memory on app server only)
    ❏ Stored field keys protected by strong symmetric encryption server-side (opaque to operator)
    ❏ Field wrapping keys secured in HSM-backed external KMS
    ❏ Outside cryptanalysis & design reviews
  55. Cryptography
    ❏ Raw key material never persisted to disk (in-memory on app server only)
    ❏ Stored field keys protected by strong symmetric encryption server-side (opaque to operator)
    ❏ Field wrapping keys secured in HSM-backed external KMS
    ❏ Outside cryptanalysis & design reviews
    ❏ Core constructions are Post Quantum resistant
  56. Encrypting Hello World on 19 platforms
    ❏ Lessons from developer ecosystems
    ❏ dependency hell challenges
    ❏ OS legacy package managers
    ❏ Python & pip
    ❏ Java, JVMs & Maven
    ❏ Adventures in NuGet
    ❏ Go & binaries
  57. Things they don't teach you in CS
    ❏ No one reads the docs (no, really)
    ❏ Operating systems will ship the oldest, weirdest system libraries you can imagine
    ❏ Never underestimate user experience, just to get to hello world
    ❏ Make copy/paste examples before the web does for you
    ❏ Every mistake in configuration that can be made will be made
  58. Current status
    ❏ Released for production GA:
      - Node, Python, C# .NET Core, Go, shell, Java async, JVM Reactive Streams, Scala
    ❏ In beta:
      - C, C++, Ruby, PHP
    ❏ Experimental: Direct e2e S3 queries via Atlas Datalake
    ❏ Drivers & core cryptography framework Apache licensed
    ❏ Continuous pushes to GitHub for all platforms
  59. Lessons
    ❏ Encrypted search has costs
    ❏ Don't underestimate native DB platform features
    ❏ Make key mgmt as simple as possible, but no more
  60. Lessons
    ❏ Encrypted search has costs
    ❏ Don't underestimate native DB platform features
    ❏ Make key mgmt as simple as possible, but no more
    ❏ (Almost) no one really understands IAM
  61. Lessons
    ❏ Encrypted search has costs
    ❏ Don't underestimate native DB platform features
    ❏ Make key mgmt as simple as possible, but no more
    ❏ (Almost) no one really understands IAM
    ❏ <5% of the actual engineering involved cryptography
  62. Take away
    ❏ Engage professional cryptographers early in design
    ❏ Homomorphic encryption will not save us
    ❏ Developer ease of use > technical properties
  63. Take away
    ❏ Engage professional cryptographers early in design
    ❏ Homomorphic encryption will not save us
    ❏ Developer ease of use > technical properties
    ❏ Make technical choices easier
  64. Take away
    ❏ Engage professional cryptographers early in design
    ❏ Homomorphic encryption will not save us
    ❏ Developer ease of use > technical properties
    ❏ Make technical choices easier
    ❏ Solving the 95% use case > offering impractical choices
  65. It takes a village
    Andrew Asya Bernie Clyde Craig Dave Davi Divjot Dmitri Emily Esha Jeff Jesse Julie Kaitlin Kevin Mark Matt Nathan Naomi Nick Oz Ravind Rachael Samantha Sara Shreyas Spencer Vincent
  66. Special thanks
    Kenny Paterson, ETH Zurich
    Seny Kamara, Brown/Aroki
    Tarik Moataz, Brown/Aroki
    Jean-Philippe Aumasson, Teserakt
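
The key hierarchy and authenticated encryption outlined in slides 45–55 and the search cost noted in slide 59, as an added sketch that is not from the deck and is not MongoDB's code or wire format. It assumes a local 96-byte master key standing in for the external KMS, a MAC | encryption | IV key split, and a deterministic mode with an HMAC-derived IV; every function name is hypothetical.

```javascript
const crypto = require('node:crypto');

// 96-byte keys split as MAC | encryption | IV-derivation (layout assumed for this sketch).
const split = (k) => ({ mac: k.subarray(0, 32), enc: k.subarray(32, 64), ivk: k.subarray(64, 96) });
const hmac = (key, data) => crypto.createHmac('sha512', key).update(data).digest();

// Encrypt-then-MAC: AES-256-CBC, then truncated HMAC-SHA512 over iv || ciphertext.
// deterministic=true derives the IV from the plaintext, so equal values yield
// equal ciphertexts: equality search works, at the cost of revealing equality.
function encryptField(key, plaintext, deterministic = false) {
  const { mac, enc, ivk } = split(key);
  const iv = deterministic ? hmac(ivk, plaintext).subarray(0, 16) : crypto.randomBytes(16);
  const c = crypto.createCipheriv('aes-256-cbc', enc, iv);
  const body = Buffer.concat([iv, c.update(plaintext), c.final()]);
  return Buffer.concat([body, hmac(mac, body).subarray(0, 32)]);
}

// Verify the tag in constant time before decrypting anything.
function decryptField(key, blob) {
  if (blob.length < 64) throw new Error('ciphertext too short');
  const { mac, enc } = split(key);
  const body = blob.subarray(0, blob.length - 32);
  const tag = blob.subarray(blob.length - 32);
  if (!crypto.timingSafeEqual(tag, hmac(mac, body).subarray(0, 32))) {
    throw new Error('authentication failed');
  }
  const d = crypto.createDecipheriv('aes-256-cbc', enc, body.subarray(0, 16));
  return Buffer.concat([d.update(body.subarray(16)), d.final()]);
}

// Constructed scenario: masterKey stands in for the external KMS key and stays
// on the client side; the "server" only ever stores wrappedKey and doc.
function demo() {
  const masterKey = crypto.randomBytes(96);
  const dataKey = crypto.randomBytes(96);
  const wrappedKey = encryptField(masterKey, dataKey);   // field key as stored in the DB
  const ssn = Buffer.from('123-45-6789');                // constructed sample value
  const doc = { name: 'Ada', ssn: encryptField(dataKey, ssn, true) };
  const key = decryptField(masterKey, wrappedKey);       // client unwraps in memory
  const query = encryptField(key, ssn, true);            // equality predicate sent to server
  const tampered = Buffer.from(doc.ssn);
  tampered[20] ^= 1;                                     // flip one ciphertext bit
  let rejected = false;
  try { decryptField(key, tampered); } catch { rejected = true; }
  return { matches: query.equals(doc.ssn), roundTrip: decryptField(key, doc.ssn).toString(),
           randomDiffers: !encryptField(key, ssn).equals(encryptField(key, ssn)), rejected };
}
```

The server can match `query` against `doc.ssn` byte for byte without holding any key, which is the search capability and also its cost: anyone who can read the stored data learns which rows share a value.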