T5WTPYAFGP - Encrypt Sensitive Information

转载 2012年03月21日 10:11:57
At South by Southwest this year, during my talk Defense Against The Dark Arts - ESAPI I covered the "Top 5 Ways To Protect Your Application From Getting Pwnd" [T5WTPYAFGP]. After a couple offline conversations I decided that this would make an excellent series of follow-up blog posts so what follows is the adaptation of that presentation material from that talk. Unlike a lot of other Top-N lists, the goal of this one is not to iterate the flaws, but rather to iterate the solutions.

Additionally each post includes some samples on how you can use ESAPI to implement the solutions discussed and gives us the opportunity to dive into each area a little deeper than we were able to in a one-hour presentation.

You can use the navigation below to navigate between each of the posts.

[5] Encrypt Sensitive Information [current]
[4] Become Big Brother

5. Encrypt Sensitive Information
Number five on our list is to encrypt sensitive information. To understand this one we first need to define what actually constitutes sensitive information.

Most organizations that store credit card numbers are (hopefully) storing those credit card numbers in an encrypted format already, but what about the rest of the information that is stored. Think about your own organization or application - what information do you collect from your users?

According to published information, anything that is personally identifiable information, financial information, or medical information is to considered sensitive data and should be treated accordingly. Any organization that has to deal with standards verification will generally check the box for storage of sensitive information as long as that information is stored on an encrypted volume. This protects your customers from physical theft but what about run-time theft, which accounts for most of the largest breaches that occurred last year.

The key is to examine the risk for your application, determine what information would be damaging to release for your customers, and encrypt that data at rest. A lot of organizations simply don't want to incur the performance penalties of performing encryption and decryption of client data but some things are simply too important to ignore.

There are a number of ways to help mitigate the performance impact of using encryption in an application  and we will cover a few of them in this post.

The important thing is that once you have encryption configured (ie you have selected a provider and algorythm) actually performing the encryption and decryption of sensitive information is incredibly simple. 

  1. // Populate User Object from Request  
  2. // ...  
  3. // Encrypt Sensitive Information  
  4. CipherText encryptedSSN = ESAPI.encryptor().encrypt(new PlainText(userInfo.getSSN()));  
  5. userInfo.setSSN(new String(encryptedSSN.asPortableSerializedByteArray());  
  6. // Persist User Object  
  7. // ...  

To decrypt the data is just as simple. 
  1. // Retrieve persisted User Object  
  2. // ...  
  3. // Decrypt Sensitive Information  
  4. CipherText encryptedSSN = CipherText.fromPortableSerializedBytes(user.getSSN());  
  5. PlainText decryptedSSN = ESAPI.encryptor().decrypt(encryptedSSN);  
  6. userInfo.setSSN(decryptedSSN.toString());  
  7. // Prepare User Object for use in application  
  8. // ...  

Of course this can be abstracted into a service, added as an annotation processor in your persistence layer, and altered to be used in a more generic form that meets your specific platform needs. Additionally, depending on the type of information you are dealing with and the perceived risk of that information being leaked - it may make sense for the data to be encrypted all the time until it needs to be viewed or altered on the front end. This approach can also increase performance of the encryption and decryption because you are only ever performing this step when it is needed.

A comprehensive design is a little beyond the scope of this post, but when I do design I like to envision the end goal - that is what will the object I am protecting look like when I am done. To take the concept of the UserInfo object - here is what I envision as the end results:

  1. public class UserInfo implements Serializable {  
  2.    private final static long serialVersionID = 1L;  
  4.    private Long id;  
  5.    private String username;  
  7.    // This field will be stored in-memory and persisted as a hashed value using SHA-256   
  8.    @Sensative(type=SensitiveDataProtection.Type.HASH,  
  9.               algo=SensitiveDataProtection.Algo.SHA256  
  10.               mode=SensitiveDataProtection.Mode.RUNTIME)  
  11.    private String password;  
  13.    // This field will be stored in-memory and persisted as an encrypted value using the SecretKey "UserData.SSN" for encryption and decryption  
  14.    @Sensitive(type=SensitiveDataProtection.Type.ENCRYPTED,  
  15.               key="UserData.SSN",  
  16.               mode="SensitiveDataProtection.Mode.RUNTIME)  
  17.    private String ssn;  
  19.    // This field will be persisted as an encrypted value using the Master SecretKey but will be stored in-memory as a PlainText representation  
  20.    @Sensitive(type=SensitiveDataProtection.Type.ENCRYPTED,  
  21.               mode=SensitiveDataProtection.Mode.PERSIST)  
  22.    private String address;  
  23. }  

This looks pretty simple to implement for a developer and seems to address a lot of design needs, particularly the need to apply encryption only at the point where it is required. Annotations aren't for everyone however, so how can we accomplish a similar design goal without using Annotations? 

  1. public class UserInto implements Serializable {  
  2.    private final static long serialVersionID = 1L;  
  4.    private Long id;  
  5.    private String username;  
  7.    // This field will be stored in-memory and persisted as a hashed string  
  8.    private HashString password;  
  9.    // This field will be stored in-memory and persisted as an encrypted string  
  10.    private CipherText ssn;  
  11.    // This field will be persisted as an encrypted string  
  12.    private PlainText address;  
  13. }  

This example relies on the usage of data-types to specify the behavior of the data. While this breaks some rules in the world of design, it illustrates a possible solution to the problem.

Now do not be fooled into thinking that these solutions are simple to implement, they aren't - however the benefit of centralizing a standard control to perform this work is that you only have to write it once, you only have to maintain it in one place, and every developer of your application doesn't have to understand how the process works, just that it does.

In closing, here are each of the steps you should perform to address this problem and resolve it.

  1. Identify sensitive data in your application
  2. Design and implement a standard and centralized control
  3. Apply encryption to sensitive data in your application
Stay tuned for #4 on our top 5 list "Become Big Brother"!


前提:     1、主机需要先安装openssl     2、编译安装nginx时,要加上--with-http_ssl_module  这个ssl模块 现在开始配置:(我当时配置时...
  • ke7in1314
  • ke7in1314
  • 2018年01月06日 09:58
  • 86

申请免费的https证书-Let's Encrypt

背景 近来,互联网由http向https推进的步伐越来越快,除了各大浏览器之外,搜索引擎也特别的优待https,因此想着跟上步伐把自己的网站也弄成https。 想要弄成https,ssl证...
  • hj7jay
  • hj7jay
  • 2017年01月13日 09:25
  • 5778


在程序中调用这个类Encryption: using System; using System.Collections.Generic; using System.Linq; using System...
  • hdxyzlh_0225
  • hdxyzlh_0225
  • 2015年10月20日 10:58
  • 841

encrypt 加密解密

import javax.crypto.Cipher; import javax.crypto.spec.IvParameterSpec; import javax.crypto.spec.Secre...
  • u012635819
  • u012635819
  • 2015年10月20日 09:24
  • 3293

Lets Encrypt 最近很火的免费SSL 使用教程

2015年10月份,微博上偶然看到Let’s Encrypt 推出了beta版,作为一个曾经被https虐出血的码农来说,这无疑是一个重磅消息。并且在全站Https的大趋势下,Let’s Encryp...
  • github_26672553
  • github_26672553
  • 2016年03月28日 14:22
  • 11691

Let's Encrypt 给网站加 HTTPS 完全指南

使用 HTTPS 前的一些疑惑 现在是 2016 年,使用 HTTPS 已经不像几年前是一件昂贵的事情。当然我也是自己了解了一圈才消除了自己的疑惑,主要是: 我的网站(一个简单的博客)可能没必...
  • andylau00j
  • andylau00j
  • 2017年01月18日 19:26
  • 778

Let's Encrypt永久免费SSL证书过程教程及常见问题

Let's Encrypt作为一个公共且免费SSL的项目逐渐被广大用户传播和使用,是由Mozilla、Cisco、Akamai、IdenTrust、EFF等组织人员发起,主要的目的也是为了推进网站从H...
  • helen_shw
  • helen_shw
  • 2017年02月17日 11:57
  • 5461

https研究(四)用Let's Encrypt实现Https双向认证)

使用 Let's Encrypt申请SSL证书,在tomcat服务器中配置,实现https
  • qq_27424559
  • qq_27424559
  • 2017年03月28日 22:16
  • 759

Let's Encrypt 证书浏览器不支持(不识别)怎么办?

1、浏览器怎么判断支不支持某个证书? 流量器有内置一个根证书列表,如果您网站的证书授权机构的根证书在这个列表里,那么就支持,如果没在这个列表里,就不支持。 2、不支持应该怎么办? 1、换个浏览器可能就...
  • wzj0808
  • wzj0808
  • 2016年12月05日 13:51
  • 1693

Linux CentOS 7 下 Nginx 安装使用 Let’ s Encrypt 证书的完整过程

网站转成https是大势所趋。但是在国内,推进的过程显然要比国外慢很多。 现阶段如果将自己的网站改成https以后,会碰到这样的尴尬现象:如果在页面上引用了http://的链接或者图片,用户在浏览器上...
  • andylau00j
  • andylau00j
  • 2017年01月18日 20:40
  • 4866
您举报文章:T5WTPYAFGP - Encrypt Sensitive Information