Tuesday, July 10, 2018

Keeping secrets

There are so many ways to keep secrets but few ways to protect them.

HSM or Host Security Modules are probably the most robust system because they are typically a combination of physical security, network security, and access security. They also have a way to implement a DR or disaster recovery plan. The strategies are complex and expensive and so are the devices.

Home grown HSMs are interesting because the DR is typically easier, however, it usually means that the data is at rest some place and so it's a little more risky.

Expiration dates are the best and the worst. If you've decided that access to the data MUST be cut off by some date and that it's a universal policy for all things... and then someone approves an exception then all hell breaks loose as OPS tries to manage the exceptions.

In continuation when deploying several million unique keys with expiration dates one simply cannot manage the exceptions and so they typically fall-back on one key to drive them all. And that makes the data vulnerable.

Other secrets like Docker Secrets are interesting because they replicate the secrets and only the container can see the secrets that are assigned. The problem here is that if you can log into a swarm manager you can see the secrets by creating a simple container. Docker secrets are a very simple implementation and do not seem to have features like expiration dates or rolling keys. One challenge here is that the "names" of the secrets need to be provided on the CLI when deploying the service. If you have lots of secrets then that's a long command line.

Then there are tools like HashiCorp's Vault. While it has features like rolling keys, cluster networks, expiration dates it still has plenty of weaknesses. Once you have access to any of the nodes in the cluster you can delete or overwrite the existing data just like on swarm. And if you're already in the inner circle you'll find the various tokens etc for becoming a client. This is especially obvious when you have access to the source.

Hey but what about OpenPGP.  When that's great! OpenPGP is both a set of tools, libraries, and algorithms for doing crypto-like functions but in most case these libraries are already linked into your tools/apps and spawning to a shell to use their CLI tools only create a series of other vulnerabilities.

One attack vector not discussed is when the attacker manages to cause a core dump. A core dump is a file image of memory at the time the core was dumped. So if you have SSNs or credit card numbers in the clear in ram then an attacker need only cause a core dump and scoop up the file to get their treasure. Keep in mind that even today POS devices rarely print you card numbers on receipts.

All of this gets more complicated when going all DEVOPS and trying to embed secrets in the containers or when trying to deploy TEST actions in the pipeline. Anything that does not actually model production is a possible point of failure. My advice. Know what risks you're willing to live with and how you might live with the DR that fails.

UPDATE: let me add one other challenge and that is version control of the secrets. That's about as big of a deal as any.


No comments:

Post a Comment

another bad day for open source

One of the hallmarks of a good open source project is just how complicated it is to install, configure and maintain. Happily gitlab and the ...