Thursday, 4 September 2014

What if I were a cloud?

What if I were a cloud? I guess many security engineers have been asking themselves this question in recent days. In this post I want to share my vision of the most security-critical steps in cloud storage for mobile devices.

I do not claim absolute correctness, and these are not strict requirements; I hope this article can be a starting point for technical discussion while the topic is hot.

Baseline:
  1. Cryptography is unbreakable,
  2. Devices are equipped with a TPM (trusted platform module),
  3. The attacker has no inconspicuous physical access to the victim's device.
I know that not all devices are equipped with a TPM chip (by the way, the iPhone is), but I have heard that a SIM card can be used as a TPM in some cases. If you know how it works technically, please let me know.


Enrollment

Enrolling a new device is a critical step: Cloud must be sure that the device is authenticated and is not a source of malicious activity. Device enrollment should be performed with two-factor authentication. The second factor can be an OTP (one-time password) sent by SMS to the phone number associated with the account, or an OTP generated on another device that was already enrolled. The account owner should be notified by email about each new device.

How it works step by step, with an OTP from a previously enrolled device:
  1. User generates an OTP on a device enrolled previously;
  2. The generated OTP goes to Cloud;
  3. User enters the OTP on the new device;
  4. The new device generates a TPM-signed certificate request (TPMCRT);
  5. If the OTPs from steps 2 and 4 are equal, the enrollment is successful.
In the case of a new device (OTP sent by SMS):
  1. The new device performs an enrollment request with a login and a password;
  2. Cloud sends an SMS with an OTP to the associated phone number;
  3. The new device sends TPMCRT + OTP;
  4. If the OTPs from steps 2 and 3 are equal, the enrollment is successful.


What a TPMCRT is:
  1. The client device generates a private key and a certificate request for each enrollment;
  2. The TPM signs the certificate request (TPMCRT), so we get a unique device certificate.

Benefits:
  • In the case of a credential leak, an attacker can't enroll a new device and get the user's data;
  • If an attacker has access to an enrolled device and can generate an OTP for a malicious device, the victim will get a notification.
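Both enrollment flows above end in the same server-side check, shown here as an added Go example (my code, not the post's; OTP delivery by SMS is left out). The device produces the TPMCRT as a self-signed certificate request, and Cloud accepts it only if the single-use OTP matches and the request verifies under the key it carries, then records the key and notifies the owner. ECDSA P-256, the in-memory `Cloud` struct and the SHA-256 key fingerprint are my assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
)

// NewTPMCRT is the device side: a fresh key pair per enrollment and a certificate request
// signed with it. The private key stays on the device (a real TPM holds it non-exportably).
func NewTPMCRT(deviceID string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: deviceID}}, key)
	return key, csr, err
}

type Cloud struct {
	PendingOTP map[string]string     // account -> OTP sent by SMS or shown on an enrolled device
	Enrolled   map[string][][32]byte // account -> SHA-256 fingerprints of enrolled device keys
	Notices    []string              // e-mails the account owner would receive (demo stand-in)
}

func NewCloud() *Cloud {
	return &Cloud{PendingOTP: map[string]string{}, Enrolled: map[string][][32]byte{}}
}

// Enroll is the final-step check: the OTP must equal the one issued (constant-time compare,
// consumed on first use so it cannot be replayed) and the TPMCRT must verify under its key.
func (c *Cloud) Enroll(account, otp string, csrDER []byte) error {
	want := c.PendingOTP[account]
	delete(c.PendingOTP, account)
	if want == "" || subtle.ConstantTimeCompare([]byte(want), []byte(otp)) != 1 {
		return errors.New("OTP missing or wrong: enrollment refused")
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil || csr.CheckSignature() != nil {
		return errors.New("bad TPMCRT: unparsable or not signed by its own key")
	}
	c.Enrolled[account] = append(c.Enrolled[account], sha256.Sum256(csr.RawSubjectPublicKeyInfo))
	c.Notices = append(c.Notices, "new device "+csr.Subject.CommonName+" enrolled on "+account)
	return nil
}
```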

Secure communication

First of all, certificate pinning: it should protect us from SSL MiTM. Such attacks can result not only from a compromised Certificate Authority; using an MDM mechanism, corrupt system administrators could distribute a malicious Certificate Authority to devices and then perform SSL MiTM.

Then Cloud should authenticate the device; in other words, Cloud should check that the device was enrolled:
  1. Device authenticates Cloud (with pinning);
  2. Device sends the certificate that was generated during enrollment (HTTPS client-side authentication?);
  3. Cloud checks whether the certificate was enrolled;
  4. Cloud uses the TPM public key from the certificate to encrypt a CHALLENGE;
  5. Device receives the encrypted CHALLENGE and uses the TPM to decrypt it;
  6. Device generates a RESPONSE and encrypts it with the TPM;
  7. Device sends the encrypted RESPONSE to Cloud;
  8. Cloud decrypts it with the TPM public key; if it checks out, the authentication succeeded.
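Steps 4 to 8 carried through in code, as an added Go example (mine, not the post's): Cloud encrypts a random CHALLENGE to the enrolled TPM public key, the device decrypts it inside the TPM and signs it, and Cloud verifies the signature under the same public key. Where the post says the device "encrypts" the RESPONSE with the TPM, the operation that does that job is a signature; RSA-OAEP and RSA-PSS are my choice of primitives.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// DeviceTPM stands in for the module: the private key is generated inside and is reachable
// only through Answer, mirroring how a real TPM keeps the key non-exportable. (Simulation.)
type DeviceTPM struct{ key *rsa.PrivateKey }

func NewDeviceTPM() (*DeviceTPM, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	return &DeviceTPM{key: k}, err
}

// Public is the key Cloud learned at enrollment (from the device certificate).
func (d *DeviceTPM) Public() *rsa.PublicKey { return &d.key.PublicKey }

// Answer covers steps 5-7: decrypt the CHALLENGE inside the TPM, then sign it so the
// RESPONSE can be checked with the public key Cloud already holds. (The post says
// "encrypt with the TPM"; a signature is the operation that does that job.)
func (d *DeviceTPM) Answer(encChallenge []byte) ([]byte, error) {
	challenge, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, d.key, encChallenge, nil)
	if err != nil {
		return nil, err // wrong key or tampered ciphertext: the device cannot answer
	}
	digest := sha256.Sum256(challenge)
	return rsa.SignPSS(rand.Reader, d.key, crypto.SHA256, digest[:], nil)
}

// NewChallenge is step 4: Cloud picks 32 fresh random bytes and encrypts them to the
// enrolled TPM public key, so only the device holding that key can learn the value.
func NewChallenge(pub *rsa.PublicKey) (plain, enc []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	enc, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, nil)
	return plain, enc, err
}

// VerifyResponse is step 8: the signature must verify, under the enrolled key, over the
// exact challenge Cloud issued; a fresh random challenge each time makes replays useless.
func VerifyResponse(pub *rsa.PublicKey, issued, sig []byte) error {
	digest := sha256.Sum256(issued)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil)
}
```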

Benefits:
  • The TPM doesn't allow an attacker to gain access to Cloud, even if he or she was able to steal the enrollment private key (with malware or a forensic boot).
  • We have flexibility. For example, if we want to donate or sell the device, we can simply remove the enrollment key with a device factory reset, or via the Cloud web interface if the device was stolen.


If you notice any mistakes or would like to add anything, I will be happy to find your comment in the Hackapp Facebook group or anywhere else (please leave a link in the comments).



13 comments:

  6. Hey, I appreciate your writing.

  7. True, I agree with the guys.
    Thx for writing, keep going!

    Best regards
    Toby, security online