Data Security Basics...Notify individuals how their personal data is processed • Delete personal...

Data Security Basics Presented by Steve Ives


Page 1: Data Security Basics

Presented by Steve Ives

Page 2: Data Security Basics

• Main subject areas
• Why is encryption important?
  • HIPAA, PCI, etc.
  • EU General Data Privacy Regulation (GDPR)
  • California’s new Privacy Act
  • Protecting sensitive data
• Over-the-wire security
  • TLS for websites & web services
  • xfServer encryption
  • xfServerPlus encryption
  • SQL OpenNET encryption
• Encryption of data at rest

Page 3: General Data Privacy Regulation (GDPR)

• Privacy by default
• Enacted May 25, 2018
• People must opt IN to data collection
• Affects ALL organizations holding data about people in the EU
  • Does your website or mobile app track data identifiable to a specific person?
• Collecting some data without specific consent is illegal
• Some implementing globally
  • Facebook, Microsoft, and others

Too complex to adequately cover here, but if you hold personally identifiable data on people in the EU, then you need to be in compliance.

https://gdpr-info.eu

Page 4: GDPR

• GDPR requires organizations to
  • Justify reasons for collecting & storing personal data
  • Notify individuals how their personal data is processed
  • Delete personal data as soon as a business need for keeping it can no longer be proved
• Encryption not explicitly required
  • Does require “enforce security measures and safeguards”
  • Repeatedly cites encryption as an “appropriate technical and organizational measure” of personal data security
• Potentially large fines for violators
  • Recent Facebook breach, logged out 90M users to invalidate access tokens. May be facing a fine of up to $1.63B

Page 5: California Consumer Privacy Act of 2018

• Gives consumers sweeping control over their personal data
  • What data is held
  • Why it was collected
  • Who it is being shared with
  • Bar companies from selling data
  • Under 16’s must opt IN
• Early criticism
  • Can’t prevent “sharing for free”
  • May charge opt-out customers more!
• A work in progress & expected to be altered before implementation in 2020
• Unanimous approval in the State Assembly and Senate
• Other states expected to follow

Page 6: TLS for Websites & Web Services

• TLS = Transport Layer Security
• Predecessor Secure Sockets Layer (SSL, HTTPS) deprecated
• Search engines & browsers actively promote TLS sites
  • Non-TLS sites considered potentially insecure
  • Users may not see your site without suppressing warnings!
• TLS should be used for ALL websites & services
  • Including internal & development sites
  • .NET Core 2.1 tools make it easy to develop & test using TLS
• No longer appropriate to secure only parts of a site

Page 7: HTTP Strict Transport Security (HSTS)

• Mechanism to further improve web security
• Helps prevent certain kinds of attacks
• One URL results in hundreds of requests
  • First request gets you the web page HTML
  • Contains URLs of images, CSS files, JS, etc.
  • Each requires ANOTHER HTTP request
• Man-in-the-middle attack
  • Routers between browser and server modify or replace unencrypted content
• HSTS
  • Web app informs browser it supports HSTS
    • Strict-Transport-Security header
  • Browser requires ALL requests to use TLS

https://tools.ietf.org/html/rfc6797
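
The Strict-Transport-Security check described on this slide, as an added example that is not part of the original presentation: a small Python parser for the header following RFC 6797, plus an audit over a few constructed responses. The host names, sample responses and the 180-day MIN_MAX_AGE threshold are assumptions made for the example.

```python
import re

# RFC 6797 section 6.1 grammar: directive = token [ "=" ( token | quoted-string ) ]
TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
DIRECTIVE = re.compile("(" + TOKEN + r")(?:\s*=\s*(" + TOKEN + r'|"[^"]*"))?')

MIN_MAX_AGE = 15552000  # 180 days: local policy threshold assumed for this example


def parse_hsts(value):
    """Parse a Strict-Transport-Security value.

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    value is malformed and a conforming browser would ignore the header.
    Quoted values that contain ';' are not handled by this simple splitter.
    """
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:                      # empty directives are permitted
            continue
        m = DIRECTIVE.fullmatch(part)
        if m is None:
            return None
        name = m.group(1).lower()         # directive names are case-insensitive
        if name in seen:                  # each directive may appear only once
            return None
        seen[name] = m.group(2).strip('"') if m.group(2) is not None else None
    age = seen.get("max-age")
    if age is None or not (age.isascii() and age.isdigit()):
        return None                       # max-age is required and must be digits
    if seen.get("includesubdomains") is not None:
        return None                       # includeSubDomains takes no value
    return {"max_age": int(age), "include_subdomains": "includesubdomains" in seen}


def audit_response(url, headers):
    """Return findings for one response; headers is a list of (name, value)."""
    sts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not url.lower().startswith("https://"):
        # The header only counts when it arrives over TLS (RFC 6797 section 8.1).
        return ["served over plain HTTP: any HSTS header here is ignored"]
    if not sts:
        return ["no Strict-Transport-Security header"]
    findings = []
    if len(sts) > 1:
        findings.append("multiple headers: only the first is processed")
    policy = parse_hsts(sts[0])
    if policy is None:
        return findings + ["malformed header: browser ignores it"]
    if policy["max_age"] == 0:
        findings.append("max-age=0 tells the browser to drop the HSTS policy")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append("max-age below policy minimum")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains not set: subdomains can still use HTTP")
    return findings


# Constructed sample responses (URL plus response headers), not captured traffic.
SAMPLE_RESPONSES = [
    ("https://app.example.test/",
     [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]),
    ("https://app.example.test/img/logo.png", [("Content-Type", "image/png")]),
    ("http://app.example.test/",
     [("Strict-Transport-Security", "max-age=31536000")]),
    ("https://dev.example.test/",
     [("strict-transport-security", "max-age=300; max-age=600")]),
]

if __name__ == "__main__":
    for url, headers in SAMPLE_RESPONSES:
        print(url, audit_response(url, headers) or ["ok"])
```

Every response of a site needs checking, not just the first page, because each image, CSS or script request is a separate HTTP exchange.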

Page 8: Synergy Encryption Capabilities

• Over-the-wire data encryption
  • xfServer
  • xfServerPlus
  • SQL OpenNet (xfODBC & SQL Connection)
  • HTTP API
• Encryption of data at rest (in data files)
• All encryption technologies are provided by third-party OpenSSL library

Page 9: xfServer Encryption

Page 10: Data Security with xfServer

• Encrypt the transfer of sensitive data across the network
• Master encryption
  • All packets to and from the server are encrypted
• Slave encryption
  • Packets relating to specific channels are encrypted
• OPEN statement /encrypt option to request encryption
  • $ERR_CLNTERR if encryption unavailable
• OPEN statement /scl option specifies encryption level
  • 0=system default, 1=TLS 1.0 minimum, 2=TLS 1.1 minimum
• SDMS file creation options to REQUIRE encryption for a file
  • ISAMC and XDL keywords
  • Patch existing file with ISUTL -p -qfile=network_encrypt
  • $ERR_NETCRYPT if encryption unavailable

Page 11: Setting up for xfServer Encryption

• Install & configure OpenSSL on server & client systems
  • More later
• Use OpenSSL utility to create a cryptographic certificate file
  • Name it DBLDIR:rsynd.pem to use by default when needed
  • Or name it via -cert when starting xfServer
    • OpenVMS /CERTIFICATE
• Certificates expire; set reminders for replacement!
• Start xfServer with encryption enabled

https://www.openssl.org

Page 12: Creating an Encryption Certificate

• Create a local certification authority (CA)
• Create a certificate request
• Use the CA to sign the request, creating a certificate
• Configuration files provide additional information
• Refer to HTTP API documentation for detailed examples

Page 13: Configuring xfServer Encryption

Setting                     Windows & Unix                       OpenVMS
Enable encryption           -encrypt [ = MASTER | SLAVE ]        /ENCRYPT [ = MASTER | SLAVE | OFF ]
Specify certificate         -cert=filespec                       /CERTIFICATE=filespec
Cipher level                -cipher [ = LOW | MEDIUM | HIGH ]    /CIPHER [ = LOW | MEDIUM | HIGH ]
Security compliance level   -scl = n                             /SCL = n

• Default values are insufficient!
  • SLAVE encryption
  • DBLDIR:rsynd.pem
  • MEDIUM cipher
  • SCL 0

Page 14: Cipher Level

-cipher = option (OpenVMS /CIPHER = option)

• Determines which cipher suites will be used
  • LOW, MEDIUM, or HIGH
• Maps to groups of cipher suites defined by OpenSSL
  • Varies by operating system and OpenSSL version
  • Changes as new ciphers developed & older ones compromised
• On my Windows 10 system with latest OpenSSL
  • LOW      DES-CBC-SHA         56-bit over SSLv3
  • MEDIUM   SEED-SHA            128-bit over SSLv3
  • HIGH     AES256-GCM-SHA384   256-bit over TLS 1.2

Page 15: Security Compliance Level

-scl = n (OpenVMS /SCL=n)

• Defines what transport protocols are available for use
  • 0 = Use default protocols for current Synergy version (default)
    • Current default is level 1
    • Could change in later Synergy versions
  • 1 = Use protocols TLS1.0, TLS1.1, TLS1.2
  • 2 = Use protocols TLS1.1, TLS1.2
• Recommendation: Use the highest level you can
• Ineffective in versions through 10.3.3f
  • Will be implemented in version 11 (more later)

Page 16: Runtime Encryption Verification

• Is a channel encrypted?
  • XCALL GETFA ( channel, "SLE", encrypted )
  • Returns 1 if encrypted, 0 if not
• What cipher and protocol are being used?
  • XCALL GETFA ( channel, "SLC", result )
  • Pass at least an A20, more info up to A128
    • AES256-GCM-SHA384
    • AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
• Verifying if a file REQUIRES an encrypted channel
  • result = %ISINFO ( channel, "NETCRYPT" )
  • Returns 1 if encryption required, 0 if not

Page 17: Demonstration

• Using xfServer with and without encryption
• Opening both encrypted and unencrypted channels
• Switching to more secure ciphers
• Switching from SLAVE to MASTER mode
• https://github.com/SteveIves/xfServerEncryption

Page 18: xfServerPlus Encryption

Page 19: Data Security with xfServerPlus

• Encrypt the transfer of sensitive data across the network
• Very similar process to xfServer
  • Install & configure OpenSSL on xfServerPlus server system
  • Create a digital certificate
  • Start xfServerPlus with encryption (same as xfServer, same options)
• Master encryption
  • Parameter & return value data for all methods encrypted
• Slave encryption
  • Parameter & return value data for selected methods encrypted

Page 20: xfServerPlus Encryption – Version Requirements

• Synergy and .NET Clients
  • Client and server must be 9.3 or higher
• Java Clients
  • Client and server must be 9.5.1a or higher
• All clients – to use “security compliance level” (-scl)
  • Client and server must be 10.3.1b or higher

Page 21: Requiring Encryption in SLAVE Mode

• In slave mode, selected method calls are encrypted
• Require encryption via attributes
  • {xfMethod(encrypt=true)}
• Require encryption in the MDU
  • Check the “Enable encryption” option
• Optional encryption (xfNetLink Synergy)
  • xcall rxsubr(netid, "mymethodid/encrypt", arg1, arg2)
  • Enables encryption even though not required in SMC

Page 22: Configuring xfNetLink .NET Clients for Encryption

• No additional software
• Default “acceptable SSL cipher suites” settings
• Optionally override default cipher suites via Group policy
  • Computer Configuration > Administrative Templates > Network > SSL Configuration > SSL Cipher Suite Order
• Make sure you know what you’re doing before you mess with this!
• Certificate common name must match the “host” value used to identify the server
  • app.config / web.config / .connect()
  • If mismatched you’ll see “The remote certificate is invalid according to the validation procedure”

Page 23: Configuring xfNetLink Java Clients for Encryption

• Java encryption doesn’t use your certificate directly
• JRE includes a key store file called cacerts
  • Trusted server certificate must be added to this file
• xfNetLink Java genCert utility
  • Copies distributed cacerts & adds certificate from xfServerPlus
  • java genCert -h server_ip_or_name -p port -s certPassword -n newCertFile
• Configure xfNetLink client to use the file
  • xfNetLink Java properties file
    • xf_SSLCertFile and xf_SSLPassword settings
  • Or at runtime
    • setSSLCertFile() and setSSLPassword() methods

Page 24: SQL OpenNet Encryption

Page 25: SQL OpenNet Encryption

• Over-the-wire encryption when connecting to OpenNET (Vortex) server
• Network connections with
  • xfODBC
  • SQL Connection API
• Connect string starts “net:”
• Server and all clients must be 10.3.3 or higher

Page 26: Enabling SQL OpenNet Encryption

• Install OpenSSL on the server machine (more later)
  • On Windows, OpenSSL libraries must also be in CONNECTDIR:
• Change the OpenNet server startup command
  • Use the -e option with vtxnetd or vtxnet2
  • Specify SSL certificate and private key files
  • Optionally specify transports to accept
    • TLS 1.0, 1.1, 1.2 (default is all)
• Certificates must NOT include a pass phrase
  • Use OpenSSL req -nodes option when generating the certificate
• SQL Connection
  • Install & configure OpenSSL on client machines also

Page 27: Enabling OpenNet Encryption on the Server

• Location
  • CONNECTDIR:
• File
  • Windows        opennet.srv
  • UNIX / Linux   startnet
  • OpenVMS        net.com

vtxnetd … -e certificateFile keyFile 1.1,1.2

Page 28: Verifying OpenNet Encryption

• Start OpenNet with the log option, then vtxping the server and look for:
  • “SSL compile/library:…No such file or directory”
    • Certificate or key file not found
  • “SSL compile/library:…problems getting password”
    • Password protected certificate (not supported)

Page 29: Configuring DSNs to Ensure Encryption

• With encryption enabled, all connections are encrypted
• Optionally REQUIRE encryption by specifying DSN SSL settings
  • SSL Yes     Fail if encryption not enabled
  • TLS Level   Fail if specific TLS level not supported
  • Cert file   Verify server is using specific certificate
• Encryption required and not available
  • ODBC: ERROR [HY000] [TOD][ODBC Driver]Server is not running in SSL mode

Page 30: HTTP API Encryption

Page 31: Data Security with the HTTP API

• This one is easy … insist on communicating only with HTTPS servers!
• To enable HTTPS with the HTTP API
  • Use https: in the URL
  • Specify a “CA file” (trusted root CAs)
• Exporting a trusted CA’s file using certmgr (Windows)
  • Export all “Trusted Root Certification Authorities” certificates as a PKCS #7 (P7B) file
  • Use OpenSSL to convert to a “PEM” file:

    openssl pkcs7 -inform DER -outform PEM -in cafile.p7b -out cafile.pem -print_certs

• Try not to use http:// anywhere!

Page 32: Encrypting Data at Rest

Page 33: Encrypting Data at Rest

• Encryption of sensitive data in long-term storage
  • Files and databases
• Targeted encryption
  • Applied to selected fields
  • Personal information
    • Names & addresses, account numbers, social security numbers, etc.
• DBL routines
  • XCALL DATA_ENCRYPT
  • XCALL DATA_DECRYPT
  • XCALL DATA_SALTIV
• Encrypt and decrypt data in memory, then written to files
• Relies on OpenSSL library
  • Industry standard cipher techniques
• Introduced in Synergy 9.3

Page 34: Encrypting & Decrypting Data

xcall DATA_ENCRYPT(type, password, source, [destination], [length], [salt, iv])
xcall DATA_DECRYPT(type, password, source, [destination], [length], [salt, iv])

• Encrypt and decrypt data using a specified cipher and the data and password values provided
  • type          Encryption cipher to use (more soon)
  • password      Used to generate an encryption key
  • source        Unencrypted data
  • destination   Returned encrypted data
  • length        Returned length of encrypted data
  • salt and iv   Improve effectiveness of cipher (more soon)
• Encrypted data usually gets longer

Page 35: Encryption Ciphers

Encryption Type Code   Description
DC_3DES                Triple DES CBC three-key mode
DC_AES128              AES 128-bit CBC mode
DC_AES192              AES 192-bit CBC mode
DC_AES256              AES 256-bit CBC mode

Page 36: Data Padding

• Ciphers process data in blocks
  • 3DES   8 bytes
  • AES    16 bytes
• PKCS padding used if data isn’t a multiple of cipher block size
• Between 1 byte and the number of bytes in a cipher block are always
  • Added to the data when it is encrypted
  • Removed when decrypted
• Encrypting a field usually requires a field length change
• Padding can be suppressed only if data is an exact multiple of the cipher block size
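
The padding rule above worked through in Python, as an added example that is not part of the original presentation and does not call the Synergy routines: it implements PKCS padding and computes how long each encrypted field becomes under 3DES and AES. The record layout is constructed, and only the padding rule from this slide is modeled.

```python
# Block sizes as listed on the slide: 3DES uses 8-byte blocks, AES 16-byte blocks.
BLOCK_SIZE = {"3DES": 8, "AES": 16}


def pkcs_pad(data, block):
    """Append n bytes of value n, where n is 1..block (never 0)."""
    n = block - (len(data) % block)
    return data + bytes([n]) * n


def pkcs_unpad(padded, block):
    """Strip and validate PKCS padding; raise ValueError if it is not well formed."""
    if not padded or len(padded) % block:
        raise ValueError("length is not a positive multiple of the block size")
    n = padded[-1]
    if not 1 <= n <= block or padded[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return padded[:-n]


def stored_length(field_len, cipher, padding=True):
    """Bytes needed to hold a field of field_len bytes once it is padded."""
    block = BLOCK_SIZE[cipher]
    if not padding:
        # Suppressing padding is only possible on an exact block multiple.
        if field_len % block:
            raise ValueError("field length is not a multiple of the block size")
        return field_len
    # A full extra block is added when the data already fills its last block.
    return (field_len // block + 1) * block


def plan_fields(fields, cipher):
    """Map each (name, length) field to (old length, new length) for a cipher."""
    return {name: (size, stored_length(size, cipher)) for name, size in fields}


# Constructed record layout: field names and sizes are made up for this example.
SAMPLE_FIELDS = [("ssn", 9), ("account_no", 16), ("full_name", 30)]

if __name__ == "__main__":
    for cipher in BLOCK_SIZE:
        for name, (old, new) in plan_fields(SAMPLE_FIELDS, cipher).items():
            print(f"{cipher:5} {name:11} {old:3} -> {new:3} bytes")
```

The 16-byte account number is the case to watch: it is already an exact multiple of the block size, so padding adds a whole extra block.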

Page 37: Strengthening Encryption

xcall DATA_SALTIV(type, [salt], saltlen, [iv], ivlen)

• Generates random salt and/or initialization vector (IV) values
  • Passed to DATA_ENCRYPT to maximize effectiveness of cipher
  • Passed to DATA_DECRYPT to enable it to decrypt the data!
  • Salt used to derive the encryption key from the password
  • IV used to randomize the resulting encrypted data
• Not considered sensitive information
  • Generate once, write to a file and use later to decrypt the data
• If used, don’t lose the values
  • Without them you can’t decrypt your data!

Page 38: Choosing and Storing Encryption Passwords

• Choosing a password
  • Make them LONG and RANDOM
  • And store them securely – it’s the key to your data
  • Lose the password, lose access to your data!
• Storing a password
  • One of the hardest challenges of using encryption
  • Key must be securely stored and inaccessible
  • Yet is required by code at runtime
• One suggestion - Azure key vault via Microsoft Graph RESTful API
  • Obtain access token from Azure AD
  • Use access token to obtain “secret” from key vault
  • Keep it in memory, but never save it to disk

Page 39: Demonstration

• DataEncryptionDemo
  • Encrypt and decrypt a field in a record
  • Hard-coded GUID used as password
  • Salt and IV generated one time
  • https://github.com/SteveIves/DataEncryptionDemo
• AzureKeyVaultDemo
  • Same app as previous demo
  • Obtains an access token for Azure Key Vault from Azure AD
  • Retrieves encryption password from Azure Key Vault
  • https://github.com/SteveIves/AzureKeyVaultDemo

Page 40: Preparing to Use Data Encryption

• Install OpenSSL
  • Windows
    • Available binary packages listed at https://wiki.openssl.org/index.php/Binaries
  • Unix, Linux, and OpenVMS
    • Packages available from OS vendor
    • Or standard package manager
• Oh, and one added level of security
  • ERASE_ON_DELETE option
    • XCALL ISAMC option
    • XDL keyword
    • BLDISM file modifier
• Ensure OpenSSL shared libraries are available to your app
  • Windows (DBR)
    • DBL\BIN and CONNECT (for OpenNet)
  • Windows (.NET)
    • DBLDIR:\bin (if set)
    • Current directory
    • Assembly directory (add a manifest)
    • PATH (not recommended)
  • UNIX & Linux
    • No configuration required
  • OpenVMS
    • SYNSSLLIB:
    • Set during Synergy installation

Page 41: OpenSSL Versions

• Latest stable version
  • 1.1.0 series
• Long Term Support (LTS) release
  • 1.0.2 series
  • Supported until 31 December 2019
• Out of support and should not be used
  • 0.9.8, 1.0.0, and 1.0.1 versions

Page 42: The Cost of Encryption

• Key management is hard!
  • Keys required at runtime
  • Where to store them
  • How to make available to apps
• Performance impact
  • Encryption requires CPU cycles
  • Noticeable performance difference if used inappropriately
• Binary data
  • Don’t be using ISLOAD, and use FCONVERT only with counted files
• Use encryption
  • When you have to
    • HIPAA, PCI, etc.
  • When you should
    • Protect sensitive information

Page 43: Operating System Security Updates

• If you care about the data security enough to use any of the techniques outlined in this presentation, then you MUST
  1. Perform operating system security updates AT LEAST MONTHLY!
  2. Keep up to date with Synergy releases
  3. Keep up to date with the OpenSSL version as recommended by your Synergy version
• Synergy version 11
  • Default compliance level becomes level 2
  • Likely to enforce TLS 1.2 at that time
  • Some older clients won’t be supported

Page 44: Who has the first question?

Data Security Basics