We're estimating the practicability to replace our conventional HTTPS/RESTful over cellular network (4G-LTE) with CoAP/DTLS over NB-IoT, to prolong the battery life of remote devices. The IoT application we've deployed only takes a tiny proportion of 4G-LTE data bandwidth and UDP over NB-IoT is good enough; so transmission performance is not our main concern.
But the problem is, we're now using mutual authentication in SSL/TLS layer and we assign different client certificates to different sub-groups. And I'm not sure how to do that in CoAP/DTLS.
I've learned that the default credential model of CoAP/DTLS is Pre-Shared Key (PSK) and I also learned from RFC4279 that I may use the PSK identity / shared-key pair as an easy alternative to username, which could just fit my needs. But when I'm trying to figure out how to implement this, I found the internet resource is very limited. So far I've surveyed node-coap.js and libcoap but I can't find any hints in the documents. Both seemed to support only one credential at the same time.
What is the best practice to deploy CoAP-DTLS server that can support multiple PSK identity/shared-key sets ? Or do I need to implement the whole authentication mechanism in application layer ?
One option for server/cloud side CoAP is Eclipse Californium. I am involved in that project and may thus be biased. That said, we have actually built Californium for exactly this purpose.
Related
I'm enhancing a commercial App which until now has used cloud AI models to analyse data and make predictions.
The enhancement is moving the models onto the app for applications with no or limited network access.
These models represent significant IP to our clients and it is essential that we secure any data downloaded to a device from theft.
The App is iOS only for now and I was intrigued by WWDC2020's CoreML update including support for encrypting models. This would be ideal but we can't use CoreML at the moment due to its API not supporting the methods our models require.
Nice to know though that this is a recognised issue with in-app ML model usage.
What is the best method and available options in iOS (>11.0) right now that won't run foul of encryption export laws or even Apple's app store rules etc?
Or models are Javascript which we run in a JavaScriptCore VM with additional data files loaded from json string files.
My current thinking is to use something like the iOS AES encryption. Not hardwire the private key in the app but instead pass it via https, after a user logs in, storing it in the keychain. Decrypt the data strings in memory before loading into the JS VM.
I can see the obvious weaknesses with this approach and would be keen to hear how others have approached this?
The Data
The enhancement is moving the models onto the app for applications with no or limited network access.
These models represent significant IP to our clients and it is essential that we secure any data downloaded to a device from theft.
From the moment you make the data/secrets public, in the sense you include it with your mobile app binary or later download it into the device and store it encrypted, you need to consider it compromised. No bullet proof around this, no matter what you try, you can only make it harder to steal, but with all the instrumentation frameworks available to introspect and instrument code at runtime, your encrypted data can be extracted from the function that decrypts it:
Decrypt the data strings in memory before loading into the JS VM.
An example of a very popular instrumentation framework is Frida:
Inject your own scripts into black box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts.
The Private Key
My current thinking is to use something like the iOS AES encryption. Not hardwire the private key in the app but instead pass it via https, after a user logs in, storing it in the keychain.
While not hard-coding the private key in the device is a wise decision it doesn't prevent the attacker from performing a man in the middle(MitM) attack to steal it, or use an instrumentation Framework to hook into the code that stores it in the keychain, but you may already be aware of this or not, because it's not clear from:
I can see the obvious weaknesses with this approach...
In my opinion, and as a side note, I think that first you and the business need to consider if the benefits for the user in having the predictions being made locally on their device outweighs the huge risk being taken of moving the data from the cloud into the device, and data protections laws need to be taken in consideration, because the fines when a data breach occurs can have a huge impact in the organization future.
iOS Solutions
What is the best method and available options in iOS (>11.0) right now that won't run foul of encryption export laws or even Apple's app store rules etc?
I am not an expert in iOS, thus I cannot help you much here, other then recommending you to use as many obfuscation techniques and run-time application self-protections(RASP) in top of the solution you already devised to protect your data, so that you can make an attacker life harder.
RASP:
Runtime application self-protection (RASP) is a security technology that uses runtime instrumentation to detect and block computer attacks by taking advantage of information from inside the running software.
RASP technology is said to improve the security of software by monitoring its inputs, and blocking those that could allow attacks, while protecting the runtime environment from unwanted changes and tampering.
You can also try to use advanced bio-metrics solutions to ensure that a real user is present while the mobile app is being used, but bearing in mind that the more skilled attackers will always find a way to extract the data to a command and control server. It's not a question if they will be able, but when it will happen, and when it happens it's a data breach, and you need to have planned ahead to deal with it's business and legal consequences.
So after you apply the most suitable in app defenses you still have an issue left to resolve, that boils down to ensure your API server knows what is making the request, because it seems you already have implemented user authentication to solve in behalf of who the request is being made.
The Difference Between WHO and WHAT is Accessing the API Server
When downloading the data into the device you need to consider how you will ensure that your API server is indeed accepting the download requests from what you expect, a genuine instance of your mobile app, not from a script, bot, etc., and I need to alert you that user authentication only says in behalf of who the request is being made, not what is doing it.
I wrote a series of articles around API and Mobile security, and in the article Why Does Your Mobile App Need An Api Key? you can read in detail the difference between who and what is accessing your API server, but I will extract here the main takes from it:
The what is the thing making the request to the API server. Is it really a genuine instance of your mobile app, or is it a bot, an automated script or an attacker manually poking around your API server with a tool like Postman?
The who is the user of the mobile app that we can authenticate, authorize and identify in several ways, like using OpenID Connect or OAUTH2 flows.
Think about the who as the user your API server will be able to Authenticate and Authorize access to the data, and think about the what as the software making that request in behalf of the user.
I see this misconception arise over and over, even among experienced developers, devops and devsecops, because our industry is more geared towards identifying the who not the what.
Others approach
I can see the obvious weaknesses with this approach and would be keen to hear how others have approached this?
As I said previously I am not an expert in iOS and I don't have more to offer to you then what I have already mention in the iOS Solutions section, but if you want to learn how you can lock your mobile app to the API server in order to only reply with a very high degree of confidence to requests from a genuine instance of your mobile app, then I recommend you to read my accepted answer to the question How to secure an API REST for mobile app?, specifically the section Securing the API server and the section A Possible Better Solution, where you will learn how the Mobile App Attestation concept may be a possible solution for this problem.
Do you want to go the Extra Mile?
In any response to a security question I always like to reference the amazing work from the OWASP foundation.
For Mobile Apps
OWASP Mobile Security Project - Top 10 risks
The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.
OWASP - Mobile Security Testing Guide:
The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.
For APIS
OWASP API Security Top 10
The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.
I'm task to implement OWASP standard on my mvc projects. I've found documentation here also we have .Net space here .
My problem is that i don't understand couple of points and there is no online support (even in glossary section) for this (or i haven't found one)for example : point 1.9 Verify the application has a clear separation between the data layer, controller layer and the display layer, such that security decisions can be enforced on trusted systems. I'm working on MVC application so there is a separation between layers but what "security decisions" word mean in this context i don't understand - ?
Any help or point to the right directions in appreciated
Update : 2016-01-11
Also what this sentence means 10.13 - Ensure forward secrecy ciphers are in use to mitigate passive attackers recording traffic in context of mvc app.
Update : 2016-01-12
Another Problem : 19.4 Verify application deployments are adequately sandboxed, containerized orisolated to delay and deter attackers from attacking other applications. ?
I think that 10.13 relating to Forward Secrecy is probably referring to enabling SSL Forward Secrecy for your site, something like this.
This helps prevent an attacker from potentially using brute force decryption techniques that might be possible if they can capture large volumes of your traffic.
I am preparing a report on SAML and OAUTH for a comparative study on these two technologies.
I have got a few pages ready describing what SAML and OAUTH can do.
The next thing I need is the hardware and software requirements to implement SSO using SAML and OAUTH.
This would help analyis the costs involved and come to a decision on choosing any of the two technologies.
If you are aware of the H/W and S/W requirements please enumerate them.
Thanks,
david
On the software side, the cost will really depend on what solution you're using. Both technologies have good opensource and commercial implementations (and often, the same product supports both). So, I don't think that the software costs will make a difference.
On the hardware part, SAML is probably a little more power-consuming, because it implies XML parsing, XML digital signature (which needs more resources than a simple digital signature).
But if you have a reasonable number of concurrent users, the raw-power of the most basic servers will be able to absorb the load without problems in each case.
To give some figures, our SAML 2.0 solution (which admittely is performance and not features-oriented) is able to generate ~100 SAML responses per second on my workstation (a low-end sandy bridge pentium). The main factor determining performance is CPU. I/O and memory are somewhat negligeable.
How many authentications per second do you plan to have in production ?
I'm working on a web application and we are getting ready to launch it. Because it will hold sensitive data for users, I want this to be as secure as possible. Here is a list of what we are currently doing...
Running the app on Heroku (Ruby on Rails)
Site is encrypted with 256 SSL (with forced SSL turned on)
Cookies are encrypted and we pass the Firesheep test
Their password and everything in the database is one way encrypted.. so even if someone got access to the database it would be useless.
We do not store any keys or passwords openly in the source code but rather use Config Vars
Other than that what else should/could we be doing. We are considering McAfee's site scan but they quoted us $2,500 a year. I'm not sure it's worth it.
Does anyone have any suggestions at all?
Make sure to read the OWASP Top 10. Also $2,500 is a rip off, Sitewatch is free. You should also consider running a Web Application Firewall like mod_security, but keep in mind this will cause problems for testing tools like McAfee or Sitewatch. You should configure mod_security to allow specific ip addresses. Or test your application before enabling the WAF.
After ruling out the usual suspects (XSS, SQL injection, mass assignment, etc), client side is where most problems come from, and this is often overlooked. I don't know what your site is about, but things like telling your users that they shouldn't follow links on emails they did not explicitly request usually delivers highest bang-for-the-buck.
Best regards,
-- J. Fernandes
I'd recommend checking out the OWASP Top 10: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
To verify your SSL configuration, you can try https://www.ssllabs.com/ssldb/index.html.
If you're curious about the sheer variety of attacks, check out Jeremiah Grossman's post titled Top Ten Web Hacking Techniques of 2010 and scroll down until you see "The Complete List".
If you want to fire off a few web app vulnerability scans tools to catch the low hanging fruit you can try:
skipfish: http://code.google.com/p/skipfish/ (free)
netsparker community: http://www.mavitunasecurity.com/communityedition/ (free)
look here for more https://security.stackexchange.com/questions/32/what-tools-are-available-to-assess-the-security-of-a-web-application/
If you're really concerned about security then adopting a secure development plan and working with someone trained in app security would obviously boost your confidence things are being done right.
Regarding development, you may like the ideas presented in Microsoft's simplified SDL:
"The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development."
"The process outlined in this paper sets a minimum threshold for SDL compliance. That said, organizations aren’t uniform – development teams should apply the SDL in a way that is suitable to the human talent and resources available, but doesn’t compromise organizational security goals."
Also it is important to note automated vulnerability scan tools fail to identify most logical vulnerabilities so don't rely solely on automated tools. For example (taken from OWASP):
"Setting the quantity of a product on an e-commerce site as a negative number may result in funds being credited to the attacker. The countermeasure to this problem is to implement stronger data validation, as the application permits negative numbers to be entered in the quantity field of the shopping cart."
Human intelligence is key to spot logical issues.
Security is also all about maintenance. Assigning someone or a team the responsibility to astutely play continuous defense is important.
Note: Encrypting the passwords doesn't imply infallible security. Dictionary/password lists/brute force attacks work all the time to reveal weak passwords. A very common attack is to use SQL injection to dump the user table (with password hashes) then use a password cracker to discover legitimate user/password pairs.
You can find information about common Ruby on Rails application vulnerabilities and their countermeasures at the Zen Rails Security Checklist, including most of the OWASP Top 10 items.
I have some data that I need to share between multiple services on multiple machines. Stuffing the data into a database or shuffling it over http won't work in this situation and ideally the different pieces of software will need to communicate with each other directly (or through one central coordinator that can send and receive).
Is it recommended to create and implement a network protocol or use some tool to do the communication?
If I did go the route of creating a protocol myself, it wouldn't have to be very complex. Under 10 different message types, but it would have to be re-implemented in a few different languages for this project, and support unicode. I have read plenty (and done some) with handling sockets, but don't have much knowledge in handling a protocol I create. Are there any good resources on this?
There are also things like ICE and RPC that look intresting. The limit of my experience is using ICE and XMLRPC for a few days each. Is this the better route to go? If so what tools are out there?
Recently I've been using Google Protocol Buffers for encoding and shipping data between different machines running software written in different languages. It is quite easy to do, and takes away a lot of the hassle of designing a custom protocol.
Without knowing what technologies and platforms you are dealing with, it's difficult to give you a very specific answer - so I'll try to give you some general feedback.
If the system(s) you are wishing to connect span more than a single platform and/or technology you are probably better using an existing transport mechanism and protocol to maximize the chance your base platform will already have a library (or multiple) to interact over it. Also, integrating security and other features in a stack with known behaviors is more likely to be documented (with examples floating around). RPC (and ICE, though I've less familiarity with it) has some useful capabilities, but it also requires a lot of control over the environment and security can be convoluted (particularly if you are passing objects between different languages).
With regards to avoiding polling, this is a performance related issue; there are design patterns which can help you to handle such things - if you understand how you need the system to work (e.g. the observer pattern - kind of a dont-call-us-we'll-call-you approach). The network environment you are playing in will dictate which options are actually viable (e.g. a local LAN will have different considerations from something which runs over a WAN or the internet). Factors like firewall tunneling, VPN traversal, etc. should play part in your final selected technology profile.
The only other major consideration (that I can think of just now... ;-)) would be to consider the type of data you need to pass about. Is it just text, or do you need to stream binary objects? Would an encoding format (like XML or JSON or bJSON) do the trick? You mention "less than ten message types" as part of the question, but is that the only information which would ever need to be communicated by the system?
Either way, unless the overhead of existing protocols is unacceptable you're better of leveraging established work 99% of the time. Creativity is great - but commercial projects usually benefit from well-known behaviors, even if not the coolest or slickest (kind of the "as long as it works..." approach).
hth!