Transcript of Data Security Basics
Presented by Steve Ives
Data Security Basics
• Main subject areas
  • Why is encryption important?
    • HIPAA, PCI, etc.
    • EU General Data Protection Regulation (GDPR)
    • California’s new Privacy Act
    • Protecting sensitive data
  • Over-the-wire security
    • TLS for websites & web services
    • xfServer encryption
    • xfServerPlus encryption
    • SQL OpenNET encryption
  • Encryption of data at rest
General Data Protection Regulation (GDPR)
• Privacy by default
  • Enacted May 25, 2018
  • People must opt IN to data collection
• Affects ALL organizations holding data about people in the EU
  • Does your website or mobile app track data identifiable to a specific person?
  • Collecting some data without specific consent is illegal
• Some implementing globally
  • Facebook, Microsoft, and others
Too complex to adequately cover here, but if you hold personally identifiable data on people in the EU, then you need to be in compliance.
https://gdpr-info.eu
GDPR
• GDPR requires organizations to
  • Justify reasons for collecting & storing personal data
  • Notify individuals how their personal data is processed
  • Delete personal data as soon as a business need for keeping it can no longer be proved
• Encryption not explicitly required
  • Does require organizations to “enforce security measures and safeguards”
  • Repeatedly cites encryption as an “appropriate technical and organizational measure” of personal data security
• Potentially large fines for violators
  • Recent Facebook breach: logged out 90M users to invalidate access tokens. May be facing a fine of up to $1.63B
California Consumer Privacy Act of 2018
• Gives consumers sweeping control over their personal data
  • What data is held
  • Why it was collected
  • Who it is being shared with
  • Bars companies from selling data
  • Under-16s must opt IN
• Early criticism
  • Can’t prevent “sharing for free”
  • May charge opt-out customers more!
• A work in progress & expected to be altered before implementation in 2020
• Unanimous approval in the State Assembly and Senate
• Other states expected to follow
TLS for Websites & Web Services
• TLS = Transport Layer Security
  • Predecessor Secure Sockets Layer (SSL, HTTPS) deprecated
• Search engines & browsers actively promote TLS sites
  • Non-TLS sites considered potentially insecure
  • Users may not see your site without suppressing warnings!
• TLS should be used for ALL websites & services
  • Including internal & development sites
  • .NET Core 2.1 tools make it easy to develop & test using TLS
• No longer appropriate to secure only parts of a site
HTTP Strict Transport Security (HSTS)
• Mechanism to further improve web security
• Helps prevent certain kinds of attacks
• One URL results in hundreds of requests
  • First request gets you the web page HTML
  • Contains URLs of images, CSS files, JS, etc.
  • Each requires ANOTHER HTTP request
• Man-in-the-middle attack
  • Routers between browser and server modify or replace unencrypted content
• HSTS
  • Web app informs browser it supports HSTS
    • Strict-Transport-Security header
  • Browser requires ALL requests to use TLS
https://tools.ietf.org/html/rfc6797
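As an added example (not from the presentation), the Go program below shows both halves of HSTS: a server middleware that sets the Strict-Transport-Security header only on responses served over TLS, because RFC 6797 has browsers ignore the header on plain HTTP, and a parser that checks a received header the way a browser would (max-age is mandatory, includeSubDomains is optional, directive names are case-insensitive). The one-year max-age and the example.test host name are assumptions made for the example, not values from the slides.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// hstsValue is the policy this example sends: one year, covering subdomains.
// The value is an assumption for the example; the slides do not give one.
const hstsValue = "max-age=31536000; includeSubDomains"

// hstsMiddleware adds Strict-Transport-Security to every response served over TLS.
// RFC 6797 tells browsers to ignore the header on plain HTTP, so it is only
// attached when the request arrived on a TLS connection.
func hstsMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS != nil {
			w.Header().Set("Strict-Transport-Security", hstsValue)
		}
		next.ServeHTTP(w, r)
	})
}

// HSTSPolicy is the parsed form of a Strict-Transport-Security header.
type HSTSPolicy struct {
	MaxAge            int
	IncludeSubDomains bool
}

// parseHSTS parses the header as a browser would: directives separated by ';',
// names case-insensitive, max-age mandatory and non-negative.
func parseHSTS(value string) (HSTSPolicy, error) {
	var p HSTSPolicy
	seenMaxAge := false
	for _, part := range strings.Split(value, ";") {
		name, val, _ := strings.Cut(strings.TrimSpace(part), "=")
		switch strings.ToLower(strings.TrimSpace(name)) {
		case "max-age":
			n, err := strconv.Atoi(strings.Trim(strings.TrimSpace(val), "\""))
			if err != nil || n < 0 {
				return p, fmt.Errorf("bad max-age %q", val)
			}
			p.MaxAge, seenMaxAge = n, true
		case "includesubdomains":
			p.IncludeSubDomains = true
		}
	}
	if !seenMaxAge {
		return p, errors.New("max-age directive missing")
	}
	return p, nil
}

// probe serves one request through the middleware, with or without TLS,
// and returns the header value the client would see.
func probe(overTLS bool) string {
	h := hstsMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok"))
	}))
	req := httptest.NewRequest("GET", "http://example.test/", nil) // constructed request
	if overTLS {
		req.TLS = &tls.ConnectionState{} // marks the request as having arrived over TLS
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Strict-Transport-Security")
}

func main() {
	fmt.Printf("over TLS:  %q\n", probe(true))
	fmt.Printf("over HTTP: %q\n", probe(false))
	fmt.Println(parseHSTS(probe(true)))
}
```

A browser that has stored this policy rewrites every later http:// request for the host (and, with includeSubDomains, its subdomains) to https:// before sending it, which is what closes the window on the unencrypted first request described on the slide.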
Synergy Encryption Capabilities
• Over-the-wire data encryption
  • xfServer
  • xfServerPlus
  • SQL OpenNet (xfODBC & SQL Connection)
  • HTTP API
• Encryption of data at rest (in data files)
• All encryption technologies are provided by the third-party OpenSSL library
xfServer Encryption
Data Security with xfServer
• Encrypt the transfer of sensitive data across the network
• Master encryption
  • All packets to and from the server are encrypted
• Slave encryption
  • Packets relating to specific channels are encrypted
  • OPEN statement /encrypt option to request encryption
    • $ERR_CLNTERR if encryption unavailable
  • OPEN statement /scl option specifies encryption level
    • 0=system default, 1=TLS 1.0 minimum, 2=TLS 1.1 minimum
  • SDMS file creation options to REQUIRE encryption for a file
    • ISAMC and XDL keywords
    • Patch existing file with ISUTL -p -qfile=network_encrypt
    • $ERR_NETCRYPT if encryption unavailable
Setting up for xfServer Encryption
• Install & configure OpenSSL on server & client systems
  • More later
• Use the OpenSSL utility to create a cryptographic certificate file
  • Name it DBLDIR:rsynd.pem to have it used by default when needed
  • Or name it via -cert when starting xfServer
    • OpenVMS /CERTIFICATE
  • Certificates expire; set reminders for replacement!
• Start xfServer with encryption enabled
https://www.openssl.org
Creating an Encryption Certificate
• Create a local certification authority (CA)
• Create a certificate request
• Use the CA to sign the request, creating a certificate
• Configuration files provide additional information
  • Refer to the HTTP API documentation for detailed examples
Configuring xfServer Encryption
Setting                     Windows & Unix                        OpenVMS
Enable encryption           -encrypt [ = MASTER | SLAVE ]         /ENCRYPT [ = MASTER | SLAVE | OFF ]
Specify certificate         -cert=filespec                        /CERTIFICATE=filespec
Cipher level                -cipher [ = LOW | MEDIUM | HIGH ]     /CIPHER [ = LOW | MEDIUM | HIGH ]
Security compliance level   -scl = n                              /SCL = n
• Default values are insufficient!
  • SLAVE encryption
  • DBLDIR:rsynd.pem
  • MEDIUM cipher
  • SCL 0
Cipher Level
-cipher = option (OpenVMS /CIPHER = option)
• Determines which cipher suites will be used
  • LOW, MEDIUM, or HIGH
• Maps to groups of cipher suites defined by OpenSSL
  • Varies by operating system and OpenSSL version
  • Changes as new ciphers are developed & older ones compromised
• On my Windows 10 system with latest OpenSSL
  • LOW: DES-CBC-SHA, 56-bit, over SSLv3
  • MEDIUM: SEED-SHA, 128-bit, over SSLv3
  • HIGH: AES256-GCM-SHA384, 256-bit, over TLS 1.2
Security Compliance Level
-scl = n (OpenVMS /SCL=n)
• Defines which transport protocols are available for use
  • 0 = Use default protocols for current Synergy version (default)
    • Current default is level 1
    • Could change in later Synergy versions
  • 1 = Use protocols TLS 1.0, TLS 1.1, TLS 1.2
  • 2 = Use protocols TLS 1.1, TLS 1.2
• Recommendation: use the highest level you can
• Ineffective in versions through 10.3.3f
  • Will be implemented in version 11 (more later)
Runtime Encryption Verification
• Is a channel encrypted?
  • XCALL GETFA ( channel, "SLE", encrypted )
  • Returns 1 if encrypted, 0 if not
• What cipher and protocol are being used?
  • XCALL GETFA ( channel, "SLC", result )
  • Pass at least an A20; a longer result (up to A128) returns more information
    • AES256-GCM-SHA384
    • AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
• Verifying whether a file REQUIRES an encrypted channel
  • result = %ISINFO ( channel, "NETCRYPT" )
  • Returns 1 if encryption required, 0 if not
Demonstration
• Using xfServer with and without encryption
• Opening both encrypted and unencrypted channels
• Switching to more secure ciphers
• Switching from SLAVE to MASTER mode
• https://github.com/SteveIves/xfServerEncryption
xfServerPlus Encryption
Data Security with xfServerPlus
• Encrypt the transfer of sensitive data across the network
• Very similar process to xfServer
  • Install & configure OpenSSL on the xfServerPlus server system
  • Create a digital certificate
  • Start xfServerPlus with encryption (same as xfServer, same options)
• Master encryption
  • Parameter & return value data for all methods encrypted
• Slave encryption
  • Parameter & return value data for selected methods encrypted
xfServerPlus Encryption – Version Requirements
• Synergy and .NET clients
  • Client and server must be 9.3 or higher
• Java clients
  • Client and server must be 9.5.1a or higher
• All clients, to use “security compliance level” (-scl)
  • Client and server must be 10.3.1b or higher
Requiring Encryption in SLAVE Mode
• In slave mode, selected method calls are encrypted
• Require encryption via attributes
  • {xfMethod(encrypt=true)}
• Require encryption in the MDU
  • Check the “Enable encryption” option
• Optional encryption (xfNetLink Synergy)
  • xcall rxsubr(netid, "mymethodid/encrypt", arg1, arg2)
  • Enables encryption even though not required in the SMC
Configuring xfNetLink .NET Clients for Encryption
• No additional software
• Default “acceptable SSL cipher suites” settings
  • Optionally override default cipher suites via Group Policy
    Computer Configuration > Administrative Templates > Network > SSL Configuration > SSL Cipher Suite Order
  • Make sure you know what you’re doing before you mess with this!
• Certificate common name must match the “host” value used to identify the server
  • app.config / web.config / .connect()
  • If mismatched you’ll see “The remote certificate is invalid according to the validation procedure”
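The certificate steps from the earlier “Creating an Encryption Certificate” slide (create a local CA, create a request, sign it), the compliance-level idea from the SCL slide, the runtime check from the GETFA "SLC" slide, and the host-name rule on this slide can all be exercised end to end with the Go program below. It is an added example, not part of the presentation or of Synergy: it builds a self-signed CA and a CA-signed server certificate with Go's crypto/x509 in place of the openssl command line, then runs a loopback TLS server that, like an SCL setting, accepts only TLS 1.2 or newer. A client that trusts the CA reports the negotiated protocol and cipher suite; a client capped at TLS 1.0 is refused by the server; and a client expecting a different host name fails certificate validation, which is the same class of error the slide quotes. The CA name, the host name app.example.test and the 24-hour validity are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for cn signed by parent/parentKey, or self-signed when parent is nil.
// dnsName is the host name clients will check; isCA marks a certification authority.
func newCert(cn, dnsName string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // certificates expire: track the date
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if dnsName != "" {
		tmpl.DNSNames = []string{dnsName}
	}
	if parent == nil { // self-signed root CA: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildPKI creates the local CA and a server certificate for app.example.test (constructed name).
func buildPKI() (tls.Certificate, *x509.Certificate, error) {
	ca, caKey, err := newCert("Local Test CA", "", true, nil, nil)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, leafKey, err := newCert("app.example.test", "app.example.test", false, ca, caKey)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey, Leaf: leaf}, ca, nil
}

// Handshake is what a client can report about a connection, as GETFA "SLC" does for a channel.
type Handshake struct{ Version, Cipher string }

func versionName(v uint16) string {
	names := map[uint16]string{tls.VersionTLS10: "TLS 1.0", tls.VersionTLS11: "TLS 1.1", tls.VersionTLS12: "TLS 1.2", tls.VersionTLS13: "TLS 1.3"}
	if n, ok := names[v]; ok {
		return n
	}
	return fmt.Sprintf("0x%04x", v)
}

// tryConnect starts a loopback TLS server that accepts only minVersion or newer, then connects
// with a client that trusts ca, expects serverName, and offers at most maxVersion.
func tryConnect(serverCert tls.Certificate, ca *x509.Certificate, serverName string, minVersion, maxVersion uint16) (Handshake, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}, MinVersion: minVersion})
	if err != nil {
		return Handshake{}, err
	}
	defer ln.Close()
	go func() { // server side: run the handshake for one connection, then hang up
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS10, MaxVersion: maxVersion})
	if err != nil {
		return Handshake{}, err
	}
	defer conn.Close()
	st := conn.ConnectionState()
	return Handshake{versionName(st.Version), tls.CipherSuiteName(st.CipherSuite)}, nil
}

// runDemo builds the PKI once and exercises the three cases from the slides.
func runDemo() (good Handshake, goodErr, oldClientErr, wrongNameErr error) {
	serverCert, ca, err := buildPKI()
	if err != nil {
		return Handshake{}, err, err, err
	}
	good, goodErr = tryConnect(serverCert, ca, "app.example.test", tls.VersionTLS12, tls.VersionTLS12)
	_, oldClientErr = tryConnect(serverCert, ca, "app.example.test", tls.VersionTLS12, tls.VersionTLS10)
	_, wrongNameErr = tryConnect(serverCert, ca, "wrong.example.test", tls.VersionTLS12, tls.VersionTLS12)
	return
}

func main() {
	good, goodErr, oldErr, nameErr := runDemo()
	fmt.Println("TLS 1.2 client:     ", good, goodErr)
	fmt.Println("TLS 1.0-only client:", oldErr)
	fmt.Println("wrong host name:    ", nameErr)
}
```

The cipher suite reported for the successful case depends on the Go version and the CPU (AES-GCM or ChaCha20 with ECDHE key exchange), which mirrors the slide's point that the actual suite chosen varies by platform and library version and should be verified at runtime rather than assumed.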
Configuring xfNetLink Java Clients for Encryption
• Java encryption doesn’t use your certificate directly
  • JRE includes a key store file called cacerts
  • Trusted server certificate must be added to this file
• xfNetLink Java genCert utility
  • Copies the distributed cacerts & adds the certificate from xfServerPlus
  • java genCert -h server_ip_or_name -p port -s certPassword -n newCertFile
• Configure the xfNetLink client to use the file
  • xfNetLink Java properties file
    • xf_SSLCertFile and xf_SSLPassword settings
  • Or at runtime
    • setSSLCertFile() and setSSLPassword() methods
SQL OpenNet Encryption
SQL OpenNet Encryption
• Over-the-wire encryption when connecting to an OpenNET (Vortex) server
• Network connections with
  • xfODBC
  • SQL Connection API
• Connect string starts with “net:”
• Server and all clients must be 10.3.3 or higher
Enabling SQL OpenNet Encryption
• Install OpenSSL on the server machine (more later)
  • On Windows, OpenSSL libraries must also be in CONNECTDIR:
• Change the OpenNet server startup command
  • Use the -e option with vtxnetd or vtxnet2
  • Specify SSL certificate and private key files
  • Optionally specify transports to accept
    • TLS 1.0, 1.1, 1.2 (default is all)
• Certificates must NOT include a pass phrase
  • Use the OpenSSL req -nodes option when generating the certificate
• SQL Connection
  • Install & configure OpenSSL on client machines also
Enabling OpenNet Encryption on the Server
• Location
  • CONNECTDIR:
• File
  • Windows: opennet.srv
  • UNIX / Linux: startnet
  • OpenVMS: net.com
vtxnetd … -e certificateFile keyFile 1.1,1.2
Verifying OpenNet Encryption
• Start OpenNet with the log option, then vtxping the server and look for:
  • “SSL compile/library:…No such file or directory”
    • Certificate or key file not found
  • “SSL compile/library:…problems getting password”
    • Password-protected certificate (not supported)
Configuring DSNs to Ensure Encryption
• With encryption enabled, all connections are encrypted
• Optionally REQUIRE encryption by specifying DSN SSL settings
  • SSL Yes      Fail if encryption not enabled
  • TLS Level    Fail if specific TLS level not supported
  • Cert file    Verify server is using specific certificate
• Encryption required and not available
  • ODBC: ERROR [HY000] [TOD][ODBC Driver]Server is not running in SSL mode
HTTP API Encryption
Data Security with the HTTP API
• This one is easy … insist on communicating only with HTTPS servers!
• To enable HTTPS with the HTTP API
  • Use https: in the URL
  • Specify a “CA file” (trusted root CAs)
• Exporting a trusted CA file using certmgr (Windows)
  • Export all “Trusted Root Certification Authorities” certificates as a PKCS #7 (P7B) file
  • Use OpenSSL to convert it to a PEM file:
    openssl pkcs7 -inform DER -outform PEM -in cafile.p7b -out cafile.pem -print_certs
• Try not to use http:// anywhere!
Encrypting Data at Rest
Encrypting Data at Rest
• Encryption of sensitive data in long-term storage
  • Files and databases
• Targeted encryption
  • Applied to selected fields
  • Personal information
    • Names & addresses, account numbers, social security numbers, etc.
• DBL routines
  • XCALL DATA_ENCRYPT
  • XCALL DATA_DECRYPT
  • XCALL DATA_SALTIV
• Encrypt and decrypt data in memory, then write it to files
  • Relies on the OpenSSL library
  • Industry-standard cipher techniques
  • Introduced in Synergy 9.3
Encrypting & Decrypting Data
xcall DATA_ENCRYPT(type, password, source, [destination], [length], [salt, iv])
xcall DATA_DECRYPT(type, password, source, [destination], [length], [salt, iv])
• Encrypt and decrypt data using a specified cipher and the data and password values provided
  • type          Encryption cipher to use (more soon)
  • password      Used to generate an encryption key
  • source        Unencrypted data
  • destination   Returned encrypted data
  • length        Returned length of encrypted data
  • salt and iv   Improve effectiveness of cipher (more soon)
• Encrypted data usually gets longer
Encryption Ciphers
Encryption Type Code   Description
DC_3DES                Triple DES, CBC, three-key mode
DC_128                 AES 128-bit, CBC mode
DC_AES192              AES 192-bit, CBC mode
DC_AES256              AES 256-bit, CBC mode
Data Padding
• Ciphers process data in blocks
  • 3DES: 8 bytes
  • AES: 16 bytes
• PKCS padding is used if the data isn’t a multiple of the cipher block size
  • Between 1 byte and the number of bytes in a cipher block are always
    • Added to the data when it is encrypted
    • Removed when decrypted
• Encrypting a field usually requires a field length change
• Padding can be suppressed only if the data is an exact multiple of the cipher block size
Strengthening Encryption
xcall DATA_SALTIV(type, [salt], saltlen, [iv], ivlen)
• Generates random salt and/or initialization vector (IV) values
  • Passed to DATA_ENCRYPT to maximize effectiveness of the cipher
  • Passed to DATA_DECRYPT to enable it to decrypt the data!
  • Salt is used to derive the encryption key from the password
  • IV is used to randomize the resulting encrypted data
• Not considered sensitive information
  • Generate once, write to a file and use later to decrypt the data
• If used, don’t lose the values
  • Without them you can’t decrypt your data!
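The DATA_ENCRYPT / DATA_DECRYPT contract, the PKCS padding rules and the roles of the salt and IV from the last three slides are shown together in the Go program below. It is an added example and does not use Synergy or OpenSSL: the key is derived from the password and salt with PBKDF2-HMAC-SHA256 (written out inline so only the standard library is needed), AES-256-CBC stands in for DC_AES256, and the padding is applied and checked explicitly so that the length growth is visible (an 11-byte field becomes 16 bytes; a 16-byte field, already a block multiple, still grows to 32). The iteration count, the salt length and the sample field are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	saltLen    = 16      // salt length (assumption for this example)
	pbkdf2Iter = 100_000 // PBKDF2 iteration count (assumption for this example)
)

// pbkdf2SHA256 derives keyLen bytes from password and salt (RFC 8018, PRF = HMAC-SHA256).
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// pkcs7Pad appends between 1 and blockSize bytes, each equal to the number of bytes added.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad checks and strips the padding; a bad value usually means the wrong key, salt or IV.
func pkcs7Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("data length is not a multiple of the block size")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize || !bytes.Equal(data[len(data)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid padding")
	}
	return data[:len(data)-n], nil
}

// newSaltIV plays the role of DATA_SALTIV: random salt and IV, generated once and stored with the data.
func newSaltIV() (salt, iv []byte, err error) {
	buf := make([]byte, saltLen+aes.BlockSize)
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	return buf[:saltLen], buf[saltLen:], nil
}

// encryptField derives a 256-bit key from password+salt, pads the field, and encrypts it with AES-256-CBC.
func encryptField(password, salt, iv, field []byte) ([]byte, error) {
	if len(iv) != aes.BlockSize {
		return nil, errors.New("iv must be one AES block (16 bytes)")
	}
	block, err := aes.NewCipher(pbkdf2SHA256(password, salt, pbkdf2Iter, 32))
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(field, aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// decryptField reverses encryptField; the same password, salt and IV are required.
func decryptField(password, salt, iv, ciphertext []byte) ([]byte, error) {
	if len(iv) != aes.BlockSize || len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("bad iv or ciphertext length")
	}
	block, err := aes.NewCipher(pbkdf2SHA256(password, salt, pbkdf2Iter, 32))
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return pkcs7Unpad(out, aes.BlockSize)
}

func main() {
	password := []byte("constructed-long-random-passphrase-for-this-example")
	salt, iv, _ := newSaltIV()
	ssn := []byte("123-45-6789") // constructed sample field, 11 bytes
	ct, _ := encryptField(password, salt, iv, ssn)
	pt, _ := decryptField(password, salt, iv, ct)
	fmt.Printf("%d plaintext bytes -> %d ciphertext bytes -> %q\n", len(ssn), len(ct), pt)
	_, err := decryptField(password, make([]byte, saltLen), iv, ct) // wrong salt derives the wrong key
	fmt.Println("wrong salt:", err)
}
```

Decrypting with a different salt or IV produces garbage, and the padding check is normally the only thing that reports it, which is why the slide says to keep the salt and IV with the data. CBC on its own also gives confidentiality but no integrity: a modified ciphertext can decrypt without any error, so where tampering with stored records is a concern a separate MAC over the ciphertext is the usual addition.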
Choosing and Storing Encryption Passwords
• Choosing a password
  • Make them LONG and RANDOM
  • And store them securely; it’s the key to your data
  • Lose the password, lose access to your data!
• Storing a password
  • One of the hardest challenges of using encryption
  • Key must be securely stored and inaccessible
  • Yet is required by code at runtime
• One suggestion: Azure Key Vault via the Microsoft Graph RESTful API
  • Obtain an access token from Azure AD
  • Use the access token to obtain a “secret” from the key vault
  • Keep it in memory, but never save it to disk
Demonstration
• DataEncryptionDemo
  • Encrypt and decrypt a field in a record
  • Hard-coded GUID used as password
  • Salt and IV generated one time
  • https://github.com/SteveIves/DataEncryptionDemo
• AzureKeyVaultDemo
  • Same app as previous demo
  • Obtains an access token for Azure Key Vault from Azure AD
  • Retrieves encryption password from Azure Key Vault
  • https://github.com/SteveIves/AzureKeyVaultDemo
Preparing to Use Data Encryption
• Install OpenSSL
  • Windows
    • Available binary packages listed at https://wiki.openssl.org/index.php/Binaries
  • Unix, Linux, and OpenVMS
    • Packages available from OS vendor
    • Or standard package manager
• Oh, and one added level of security
  • ERASE_ON_DELETE option
    • XCALL ISAMC option
    • XDL keyword
    • BLDISM file modifier
• Ensure OpenSSL shared libraries are available to your app
  • Windows (DBR)
    • DBL\BIN and CONNECT (for OpenNet)
  • Windows (.NET)
    • DBLDIR:\bin (if set)
    • Current directory
    • Assembly directory (add a manifest)
    • PATH (not recommended)
  • UNIX & Linux
    • No configuration required
  • OpenVMS
    • SYNSSLLIB:
    • Set during Synergy installation
OpenSSL Versions
• Latest stable version
  • 1.1.0 series
• Long Term Support (LTS) release
  • 1.0.2 series
  • Supported until 31 December 2019
• Out of support and should not be used
  • 0.9.8, 1.0.0, and 1.0.1 versions
The Cost of Encryption
• Key management is hard!
  • Keys required at runtime
  • Where to store them
  • How to make them available to apps
• Performance impact
  • Encryption requires CPU cycles
  • Noticeable performance difference if used inappropriately
• Binary data
  • Don’t use ISLOAD, and use FCONVERT only with counted files
• Use encryption
  • When you have to
    • HIPAA, PCI, etc.
  • When you should
    • Protect sensitive information
Operating System Security Updates
• If you care about data security enough to use any of the techniques outlined in this presentation, then you MUST
  1. Perform operating system security updates AT LEAST MONTHLY!
  2. Keep up to date with Synergy releases
  3. Keep up to date with the OpenSSL version as recommended by your Synergy version
• Synergy version 11
  • Default compliance level becomes level 2
  • Likely to enforce TLS 1.2 at that time
  • Some older clients won’t be supported
Who has the first question?