Keys Under Doormats: Problems and Solutions for Securely Storing Credentials in Web Applications

Presented at Global AppSec - DC 2019, Sept. 13, 2019, 10:30 a.m. (45 minutes)

Encryption keys and passwords are truly "keys to the kingdom." Acquiring them allows attackers to open all kinds of doors, and yet developers are often careless about how they handle them. We often see passwords and keys hard coded in the application source, stored with minimal obfuscation in configuration files, and in plaintext in databases. As a result, they fall victim to reverse engineering and software vulnerabilities such as Path Traversal, XXE, Local File Inclusion, and others. To help illustrate these risks we review the most common methods of storing credentials in an application, and discuss best practices for storing them, such as using keystores. Once your secrets are properly secured, however, there is an important remaining issue -- how do you secure the Master Key? The security of this “key that secures other keys" (often referred to as the Key Encrypting Key or KEK) is critical to the security of the system. Would it not be vulnerable to the same issues we just tried to solve with keys and passwords? In our presentation we discuss preferred ways for securely storing KEKs, from hardware to software, and their relative costs. We propose several low cost ways for storing KEKs that any application can afford to implement, including what we believe is a novel approach that is resistant to remote attacks up to and including path traversal vulnerabilities where the attacker can obtain the contents of all relevant files. We then conclude by offering our open source library that helps to achieve that.

Presenters:

• Ron Craig - IBM
  Ron works to help bridge the gap between Security knowledge and practice. His passion is educating developers and business leaders in why secure engineering is important and how it affects all our lives. Ron has over 30 years of experience in development and engineering. His interests include high-performance driving, flying, safe cracking and whatever else gets the heart pumping. He's a serial entrepreneur and basically can't decide what he wants to do when he grows up.
• Dmitriy Beryoza - Vectra AI
  Dmitriy is a Senior Security Researcher at Vectra AI. He spent over 25 years of his life building software before realizing that breaking it is much more fun. :) Dmitriy is passionate about all things security, with a particular interest in web and binary exploitation, reverse engineering, secure software development, threat modeling, and CTF competitions. He holds an M.S. in Computer Science from RIT and a Ph.D. in Computer Science from FIU. LinkedIn: https://www.linkedin.com/in/beryozad/

Links:

• https://globalappsecdc2019.sched.com/event/Ur6K/keys-under-doormats-problems-and-solutions-for-securely-storing-credentials-in-web-applications

Similar Presentations:

• AppSec USA 2015 / Turtles All the Way Down: Storing Secrets in the Cloud and the Data Center
• The Eleventh HOPE (2016) / This Key is Your Key, This Key is My Key
• DEF CON 26 (2018) / Reaping and breaking keys at scale: when crypto meets big data