The content of the article
It's good to be paranoid. Fun. You quickly come to the idea that you can’t trust anyone, and it’s better to keep yourself under suspicion just in case. It becomes quite joyful when with such a worldview you get into a large company and start designing key services from the point of view of information security. Therefore, I propose to discuss how to ensure the preservation of valuable secrets in an environment where everyone is a potential attacker.
Secrets are different
Passwords, API keys, certificates and other secrets are not equivalent. For any company, the risk of unauthorized access can be expressed in direct and indirect losses. If the sum of losses from a secret leak is multiplied by the probability of an attack, then we can break our passwords into several categories:
- No one needs. He picked up a virtual machine, tested something and forgot. The maximum that can be dragged away is the schedule of watering plants in the office from the script of one admin.
- Potentially significant. Test database, some kind of secondary server or something like that. Unauthorized access in itself will not bring losses, but it can be a “springboard” for deeper penetration into the company's infrastructure.
- Significant. The combat database, an important log server and other key systems. If an attacker penetrates here, he can either steal valuable information or significantly disrupt the company's work.
- Awesomely critical. What could be more unpleasant than compromising an important password? That's right – to poke the whole bunch of passwords entirely. For example, the Keepass database along with the access key. If an attacker gets to her, then the financial damage to the company can be irreparable.
We will talk about the last category that needs to be protected not only from outside attacks, but also from internal threats.
Everyone has a price
Unfortunately, not all people are honest and correct. Did you see the news about the leaked databases that employees leaked? And this, by the way, is quite an article of the Criminal Code. Let's look at the head of such employees.
A person from the regional branch receives a salary of notional 35 thousand rubles. He was given access to an important base so that he could carry out his work tasks. Quite suddenly, a tempting offer comes to him from the depths of the darknet to merge the entire base for 500 thousand rubles. The employee looks at his payroll, assesses his chances of being caught and takes this risk.
Darknet buyer also compares the costs of bribing an employee and the total benefit from the information received. If the benefits are more risks – he will take risks.
Hence a fairly simple conclusion: perfect protection does not exist. The main task is to make the attack unprofitable when bribery of employees and other events will require more expenses than the profit from the stolen data.
Accordingly, it is necessary to ensure that no employee can individually access critical systems such as centralized password storages. Let's take a look at how this is realized in life, and then back to our digital joys.
Red button for the general
There are quite real situations when it is necessary to share responsibility between several key people. Take something fun like launching a nuclear missile. Suppose that a conditional underground bunker, when the connection with the main headquarters has disappeared, may independently decide to strike back.
Quite a reasonable option would be to give keys to run for several people. For example, the duty officer and the head of the secret base with ICBMs. Thus, an officer who has suddenly gone mad will not be able to arrange a third world war, having made the decision alone. We reduce the likelihood of unauthorized access by sharing a secret between key people.
They do the same when they need to arrange access to a specially guarded bank vault. Permission to open doors must be simultaneously confirmed by several responsible persons. The cost of an attack on a vault immediately rises sharply, as it is necessary to bribe or rob a minimum of two people with access.
I want to immediately note that it is very difficult to find a good balance between the convenience of encrypting classified information and reliability. Any option of “backup access codes” in case the primary ones are lost, weakens protection and adds additional attack vectors. If we try to divide the secret into several responsible, then everything becomes even more complicated.
Safe and paper
Suppose we protect a conditional superprivileged secret that can only be used in exceptional cases. For example, mobile phones with access to corporate mail and resources are managed using the MDM system (Mobile device management) We do not want someone in one of the IS divisions to be able to access data from the employee’s phone. In this case, we need to be able to remotely destroy the contents of the phone or find out its current GPS coordinates if the device is stolen. Accordingly, we need a solution that will allow us to share responsibility between several people.
We can print the password on a slip of paper, put it in an envelope, fill it with sealing wax and solemnly put it in a safe. Already not bad. We will open and seal only in the presence of the commission. But the leaflet is difficult to backup, it keeps a secret in an open form, which increases the risks of its compromise. And it’s also a physical object – if one of the mandatory members of the commission is on a business trip, emergency access becomes problematic.
Matryoshka with passwords
To hell with paper and cardboard daddies. We will be modern. Let's go the simplest way and make the 7-Zip archive encrypted with AES-256 cryptographic. We do not want one employee to be able to individually access the secret, so we will construct a nested doll from the attached archives, where each layer closes a new person with its password. For example, the head of information security and the technical director.
At first glance, everything works fine. Reliability of protection against compromise is growing rapidly in proportion to the number of people. For example, if the probability of a password leak from one person is 0.05, then for six people it is already 0.056 = 1.5625 × 10-8.
Cool. But there's a problem. The likelihood of irreversibly losing the protected secret is growing in the same way. C some kind of garbage often happens to a person. Step, for example, unsuccessfully under the bus at a red light, or sclerosis will attack. If this is a centralized repository of data of particular value to the company, their loss can be fatal.
Break into fragments
Actually there is a good solution.
There is a very elegant implementation of dividing a secret into several parts – Shamir scheme. Yes, this is the same Adi Shamir, which is S in the abbreviation RSA. Using this method, the original password is broken into
k equivalent parts. The peculiarity of the scheme is that only a certain part of the fragments is required to restore the secret. For example, any four out of six. Moreover, if you know three parts out of six, then this will not help in any way to restore the original password.
The size of one fragment is equal to the original secret, therefore, as in cryptography with a public key, it usually makes no sense to split a large amount of data into pieces. It is much easier to cut the key to the fast symmetric encryption algorithm into slices and to encrypt the entire amount of data. This method scales well. You can add new people who store parts of the shared key. In this case, the size of the quorum will not change. That is, if earlier it was necessary to collect three keys out of five, now three out of eight are enough.
And there is also the possibility of rotating key fragments. The algorithm implies a scheme in which a sufficient number of people gather and generate a new set. The encrypted shared key remains unchanged. This is a very valuable property in case of compromise, dismissal of an employee or other problems.
Most importantly, it implies great flexibility when distributing parts of the key. For example, the CEO can be given three fragments, and all the rest one at a time. Thus, the degree of importance and reliability of each responsible person in the company can be taken into account.
Continuation is available only to participants
Materials from the latest issues become available separately only two months after publication. To continue reading, you must become a member of the Xakep.ru community.
Join the Xakep.ru Community!
Membership in the community during the specified period will open you access to ALL Hacker materials, increase your personal cumulative discount and allow you to accumulate a professional Xakep Score!
I am already a member of Xakep.ru