Cryptography As A Service

Nov 20, 2013

Barclays Crypto Application Gateway and Beyond

23rd May 2013

George French, Barclays

Dan Cvrcek, Smart Architects

Unrestricted distribution



Cryptography As A Service

[Diagram. Block labels: Application Cryptography Interface; Application Cryptography Audit Logging; Application Authentication; BCAG / CSG Service; Vendor HSM interfaces; Application Key Management; Cryptography Policy Enforcement; Key Management Operations and Audit; Applications; HSMs]

Beginning … Cryptography and Business

Requirement | Solution lead time
Encrypt data (... and decrypt possibly) | day
Secure key generation and management, recovery | months
Decryption after 30 years, huge data collections (terabytes), multiple application support, integration | > year
Support and recovery after incidents | Multiply by 2+

As surprising as it may sound there are very few security products that would actually work and could be managed with a small operational team. The main culprits:

- integration, scalability, reliability, support


Crypto Service Must Provide For …

- Audit
  - Cryptography is deployed as a control to mitigate a risk; it is therefore necessary to be able to demonstrate that the control is effective.
- Cryptographic Management
  - The problem with cryptography is the decryption process.
  - NEVER GIVE DEVELOPERS OPTIONS WHEN ENCRYPTING DATA
- Centralised Management
  - Small teams even in multinational companies
  - Monitoring of usage / capacity
  - BAU operational tasks
  - Security audits
  - Information for business units



Problem Space for The Use of Cryptography

Business
- Capturing Business Requirements
- Provision of a defined operational model
- Project/Bespoke development
- Testing


What we are trying to manage

Problem Space for The Use of Cryptography

Business
- Capturing Business Requirements
- Provision of a defined service
- Risk Mitigation
- Bullet

Build
- Requires Specialised knowledge
- Meet requirements
- Internal governance and standards compliance
- Infrastructure build
- Change management


What we are trying to manage

Problem Space for The Use of Cryptography

Business
- Capturing Business Requirements.
- Provision of a defined service.
- Risk Mitigation
- Bullet

Operation
- Hardware Utilisation
- Project model delivers variances
- Patch and Security Vulnerability Management
- Operation impact of outages
- “Non-functional” Requirements

Build
- Requires Specialised knowledge
- Meet requirements
- Internal governance and standards compliance
- Infrastructure build
- Change management



What we are trying to manage

Problem Space for The Use of Cryptography

Business
- Capturing Business Requirements.
- Provision of a defined service.
- Risk Mitigation
- Bullet

Operation
- Hardware Utilisation
- Project model delivers variances
- Patch and Security Vulnerability Management
- Operation impact of outages

Build
- Requires Specialised knowledge
- “The usual suspects”
- Internal governance and standards compliance

Compliance
- Regulatory and scheme compliance
- Internal Audit
- Customer Due diligence


What we are trying to manage

... I know nothing short of impossible but here we go

BCAG Cryptographic Approach

- Separating use from management and configuration
- Use (business units):
  - Request system authentication credentials (e.g., password);
  - Do Crypto, e.g., Api.Encrypt("CC_Number", "ME", "Main_DB", <transaction>)
- Management (BU and Crypto Operations):
  - Policy: what business functions (e.g., encrypt credit card number), how many parties (DB, web app, middleware, …).
- Technical (Crypto Operations):
  - how many keys, algorithms, crypto modes, key lengths, key validity, and so on.


BCAG Business Approach

- Pay for what you use
  - Centralised use of resources (people, hardware, network, …)
  - HSMs used “per operation”, not “per project”.
- Commissioning of cryptographic system components by Crypto Operations
  - skills;
  - volume; and
  - single place for deployment and management -> strategy.
- Decoupling components (i.e., HSM) from applications
  - Eliminate vendor lock-in; and
  - Introduce service-based architecture with replaceable products.



What Does It Look Like - Architectural Blocks

[Diagram. Labels: Business; Crypto support (1st line); Solution support (2nd line); Product support (3rd line)]



System Mechanics - Onboarding

Administrative process for enrolling new business application to BCAG

1. Capture Business Requirements
   - The most difficult part as the business does not usually have a structured description of cryptographic requirements
2. Convert BR to policy specification
   - Semi-automated process that generates a BCAG policy definition
3. Amend BCAG access control with new “user” privileges
4. Key generation and deployment (manual or semi-automatic process)
5. Use.



Mechanics - Operation

And 3 pieces of information that have to align:

1. Authentication details = username and password
2. Policy = username and authorised operations and key locator data
3. Crypto Key definitions = key value and key locator data



Doing Crypto - Key Lookup

- Traditionally
  - Key Label = Key Value
  - You change a key value, you get a new key label
  - The new key label has to be propagated to all applications using the old key
- BCAG Approach
  - Structured key locators: user, function, base_function, from, to
  - Algorithm for locating keys
    - Dynamic, as it does not use 1:1 mapping but lookup algorithm
  - Efficient
    - 2 layers of caching of recently used keys
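
An added sketch of locator-based key lookup, covering both the three pieces that have to align under "Mechanics - Operation" and the structured locators above; it is not BCAG code and the slides do not describe the real algorithm. Assumptions: "*" wildcard fields, most-specific-then-newest ranking, base_function read as the underlying operation, from/to read as the two parties, and all names and key handles are constructed. Caching is left out.

```python
from dataclasses import dataclass, replace

WILDCARD = "*"  # assumption: a locator field set to "*" matches any value

@dataclass(frozen=True)
class KeyEntry:
    # Locator fields named on the slide. Assumptions: base_function is the
    # underlying operation, and from/to are the two communicating parties.
    user: str
    function: str
    base_function: str
    from_party: str
    to_party: str
    version: int  # hypothetical: bumped on every key change
    key_id: str   # constructed HSM handle, never the key value itself

    def locator(self):
        return (self.user, self.function, self.base_function,
                self.from_party, self.to_party)

# Constructed policy: username -> functions it is authorised to call.
POLICY = {"web_app": {"CC_Number"}, "batch": {"CC_Number"}, "reporting": {"Cookie"}}

# Constructed key definitions: one catch-all key and one specific to web_app.
KEYS = [
    KeyEntry("*", "CC_Number", "Encrypt", "*", "Main_DB", 1, "hsm-key-0001"),
    KeyEntry("web_app", "CC_Number", "Encrypt", "ME", "Main_DB", 1, "hsm-key-0002"),
]

def locate_key(user, function, base_function, from_party, to_party,
               keys=KEYS, policy=POLICY):
    """Return the most specific, newest key the caller is authorised to use."""
    if function not in policy.get(user, set()):
        raise PermissionError(f"{user} is not authorised for {function}")
    wanted = (user, function, base_function, from_party, to_party)
    matches = [
        k for k in keys
        if all(f in (WILDCARD, w) for f, w in zip(k.locator(), wanted))
    ]
    if not matches:
        raise LookupError(f"no key for locator {wanted}")
    # Rank by number of exact (non-wildcard) fields, then by version.
    return max(matches, key=lambda k: (
        sum(f != WILDCARD for f in k.locator()), k.version))

def rotate(keys, old, new_key_id):
    """Add a new version under the same locator; the old entry stays for decryption."""
    return keys + [replace(old, version=old.version + 1, key_id=new_key_id)]
```

After rotate(), the caller passes exactly the same arguments and receives the new key, which is the property the label-equals-value scheme lacks.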






Key Lookup - BCAG



Beyond

- Large data processing; we talk about
  - Daily encryption of giga- and terabytes of data
  - Protection of archives with 100,000s of DB tables
- Composite cryptography
  - Grouping cryptographic operations into transactions that require specific order of operations
  - Breach of a transaction is a potential data compromise
- Centralised key management
  - Replacement of manual key loading to HSMs with an automatic process to minimise human errors and increase security






Beyond … banking

- Platform for mobile app cryptography
- Platform for financial services for future applications
  - Providing API and system for banking transactions to developers without actually building a bank
  - Being able to build own virtual Central Bank with a few button clicks

All this requires something like BCAG to:

- Access to payment schemes (VISA, MasterCard)
- Strong cryptographic system able to ensure pre-defined security properties (like cheating, counterfeiting … within the model of a virtual world)
- In some cases compliance with financial regulations


Thank you for your attention!

Dan@SmartArchitects.co.uk

George.French@Barclays.com

Security Policy - Two Abstractions

Use - Visible for Business Units

- Users: just names, possibly with domain (e.g., LDAP)
  - And authentication options (specs for tickets)
- User groups: just names
- Alias: just names for required crypto operations

Manage - Internal to Crypto Management

- Params: the technical bit, e.g.

    [PARAMS CookieParams]
    ManagedEncryption=false
    Cipher=AES
    KeySize=128
    ModeOfOperation=CBC
    IV=Random
    Padding=NoPad





Doing Crypto - Key Lookup as You Know It

