- User submits KYC document via a web form
- Web form automatically encrypts document to a key held in KMS (with offline backups)
- Encrypted documents are submitted to an API Gateway hook that triggers a Lambda job which places the documents directly into an S3 bucket.
- A support agent opens the KYC review interface and clicks a document to decrypt.
- The support agent's browser automatically generates a random encryption public key, and sends that public key and the ID of the document they wish to decrypt to API Gateway
- API Gateway launches a Lambda job which hashes the document request with a random challenge and returns it to the browser
- The browser prompts the support agent to tap their Yubikey, which signs the challenge.
- The browser sends the signed challenge back to API Gateway.
- API Gateway passes the signed document request payload to a Lambda job which has access to the KMS role to use the KYC decryption key.
- Lambda job decrypts the one document, and then encrypts it to the encrypti
```
#define _GNU_SOURCE
#include <fcntl.h>
#include <getopt.h>
#include <signal.h>
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/reboot.h>
```
- Implementation:
  - M-of-n parties deterministically compile web interface bundle and sign it
  - Interface installs a service worker that mandates all future updates are:
    - signed with m-of-n valid keys certified by a pinned CA
    - newer timestamp than current version
- Protections:
  - Compromised insider tampering with frontends
  - BGP attacks
  - DNS takeover
- Hardware decryption with user interaction
- Tools:
  - Password Store
    - https://www.passwordstore.org/
  - Shared git repo
  - Yubikey with PGP keychain for each engineer
- Defense:
  - Prevent theft of secrets not currently being used
- Usage:
  - Encrypt secrets to Yubikey PGP keys of all holders as individual files
reset == physically disconnect, reconnect, re-attach to target appvm, verify it shows up in "fido2-token -L"

/dev/hidraw3: vendor=0x096e, product=0x085d (FS BioPassFIDO2)
- fido2-tools: register 8x, then hang
- reset
- fido2-tools: register 1x, then hang
- reset
- chromium: successful register, hangs on auth

/dev/hidraw1: vendor=0x1ea8, product=0xf025 (ExcelSecu EsecuFIDO HID)
```
lrvick@personal:~$ fido2-token -L
/dev/hidraw1: vendor=0x1050, product=0x0406 (Yubico Yubikey 4 U2F+CCID)
lrvick@personal:~$ strace fido2-cred -M -i cred_param /dev/hidraw1 > cred
execve("/usr/bin/fido2-cred", ["fido2-cred", "-M", "-i", "cred_param", "/dev/hidraw1"], 0x7ffca72914a0 /* 51 vars */) = 0
brk(NULL) = 0x5703cbf21000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=80772, ...}) = 0
mmap(NULL, 80772, PROT_READ, MAP_PRIVATE, 3, 0) = 0x789d7f439000
```
```
---
basics:
  name: Lance R. Vick
  label: Security Engineer
  picture: 'https://lance.dev/img/profile.jpg'
  email: lance@lrvick.net
  phone: 650.686.8819
  irc: lrvick@irc.freenode.net
  url: 'https://lance.dev'
  matrix: 'lrvick:matrix.org'
```
Example: Compromise a password protected SSH key:
```
for pid in $(ps --no-headers -fC ssh-agent | awk '{print $2}'); do
  mem="$(
    grep stack "/proc/${pid}/maps" \
    | sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p' \
  )"
  begin=$(echo "$mem" | awk '{print $1}')
  end=$(echo "$mem" | awk '{print $2}')
```