Skip to content

Latest commit

 

History

History
112 lines (93 loc) · 8.08 KB

mitigations.md

File metadata and controls

112 lines (93 loc) · 8.08 KB

Mitigation Strategies Analysis for google/tink

Mitigation Strategy: Strict Key Management using Tink's KMS Integration

  • Description:

    1. KmsClient Interface: Use Tink's KmsClient interface to interact with the chosen Key Management System (KMS). This abstraction allows for switching KMS providers without significant code changes.
    2. Key Generation via KMS: Use the KmsClient to request key generation from the KMS. Do not generate keys directly within the application code. Use Tink's key templates (e.g., AeadKeyTemplates.AES128_GCM) when making the request to specify the key type and parameters. Example (conceptual): 
      KmsClient kmsClient = KmsClients.get(kmsUri);
KeysetHandle keysetHandle = KeysetHandle.generateNew(
    AeadKeyTemplates.AES128_GCM,
    KeyGenParameterSpec.newBuilder().setKmsKeyUri(kmsKeyUri).build() // Or similar KMS-specific parameters
);
    3. Load Encrypted Keysets: Load encrypted keysets from the KMS using the KmsClient. Tink handles the decryption transparently using the KMS. Example (conceptual): 
      KmsClient kmsClient = KmsClients.get(kmsUri);
KeysetHandle keysetHandle = KeysetHandle.read(
    BinaryKeysetReader.withFile(keysetFile), // Or other reader
    kmsClient.getAead(kmsKeyUri)
);
    4. Key Rotation (Loading New Keysets): The application should periodically load updated keysets from the KMS. This is how key rotation is practically implemented within the application using Tink. The KMS handles the actual rotation; Tink handles using the rotated keys. This often involves a background process or scheduled task that reloads the keyset.

  • Threats Mitigated:

    • Key Compromise (Severity: Critical): Reduces the risk of keys being stolen from application code or insecure storage.
    • Weak Key Generation (Severity: High): Ensures keys are generated using strong algorithms and randomness, as enforced by the KMS and Tink's templates.
    • Improper Key Rotation (Severity: High): Facilitates secure key rotation by allowing the application to seamlessly load new key versions from the KMS.

  • Impact:

    • Key Compromise: Risk significantly reduced.
    • Weak Key Generation: Risk eliminated (assuming KMS and templates are configured correctly).
    • Improper Key Rotation: Risk significantly reduced.

  • Currently Implemented:

    • KmsClient Interface: Partially implemented.
    • Key Generation via KMS: Fully implemented.
    • Load Encrypted Keysets: Fully implemented.
    • Key Rotation (Loading): Not implemented.

  • Missing Implementation:

    • Implementation of a mechanism (e.g., background task) to periodically reload keysets from the KMS to handle key rotation.

Mitigation Strategy: Proper KeysetHandle Usage within the Application Code

  • Description:

    1. KeysetHandle.write() for Encryption: Always use KeysetHandle.write() with a KeyWriter and an Aead primitive to encrypt a KeysetHandle before storing it in any untrusted location (database, file system, etc.). Example: 
      Aead aead = ...; // AEAD for encrypting the keyset
KeysetHandle keysetHandle = ...;
keysetHandle.write(BinaryKeysetWriter.withFile(outputFile), aead);
    2. KeysetHandle.read() for Decryption: Always use KeysetHandle.read() with a KeyReader and the corresponding Aead to decrypt an encrypted keyset. Example: 
      Aead aead = ...; // The same AEAD used for encryption
KeysetHandle keysetHandle = KeysetHandle.read(
    BinaryKeysetReader.withFile(inputFile), aead
);
    3. Minimize In-Memory Lifetime: Load KeysetHandle objects containing secret key material only when needed. Use them promptly and then clear any references to them to allow garbage collection. Avoid storing them as long-lived member variables or in caches.
    4. KeysetHandle.rotate() (with KMS): When using KeysetHandle.rotate(), ensure the new key template is appropriate and secure. Ideally, this should be driven by the KMS's rotation policy, and the application should simply load the new keyset. Avoid manual rotation within the application code if a KMS is used.
    5. Avoid getPrimitive() with custom primitives: Unless you are a cryptography expert and have thoroughly reviewed the security implications, do not use KeysetHandle.getPrimitive() with custom-built primitives. Use Tink's higher-level APIs (e.g., Aead, Mac, PublicKeySign, PublicKeyVerify).

  • Threats Mitigated:

    • Key Compromise from Storage (Severity: Critical): Prevents unauthorized access to keys stored persistently.
    • Key Compromise from Memory (Severity: High): Reduces the risk of key extraction from memory.
    • Incorrect Key Rotation (Severity: High): Ensures secure key rotation practices.
    • Misuse of Lower-Level Primitives (Severity: High): Avoids errors from incorrect custom primitive implementations.

  • Impact:

    • Key Compromise from Storage: Risk significantly reduced.
    • Key Compromise from Memory: Risk reduced.
    • Incorrect Key Rotation: Risk reduced.
    • Misuse of Lower-Level Primitives: Risk reduced.

  • Currently Implemented:

    • KeysetHandle.write(): Partially implemented (Aead needs review).
    • KeysetHandle.read(): Fully implemented.
    • Minimize In-Memory Lifetime: Not implemented.
    • KeysetHandle.rotate(): Not implemented (handled by KMS).
    • Avoid getPrimitive(): Fully implemented.

  • Missing Implementation:

    • Review the Aead used with KeysetHandle.write().
    • Implement a strategy to minimize the in-memory lifetime of KeysetHandle objects.

Mitigation Strategy: Use of Tink's Recommended Key Templates and High-Level APIs

  • Description:

    1. Key Templates: Always use Tink's pre-defined key templates (e.g., AeadKeyTemplates.AES128_GCM, SignatureKeyTemplates.ECDSA_P256, MacKeyTemplates.HMAC_SHA256) when generating new keys or keysets. These templates provide secure defaults and reduce the risk of misconfiguration. Avoid manually constructing key parameters unless absolutely necessary and you have deep cryptographic expertise.
    2. High-Level APIs: Use Tink's high-level APIs (e.g., Aead, DeterministicAead, Mac, PublicKeySign, PublicKeyVerify, HybridEncrypt, HybridDecrypt) for cryptographic operations. These APIs provide a more secure and user-friendly interface than directly working with lower-level primitives. They handle many of the complexities of cryptography, reducing the chance of errors.
    3. Avoid Deprecated APIs/Templates: Check Tink's documentation and avoid using any deprecated APIs or key templates.

  • Threats Mitigated:

    • Incorrect Algorithm Choice (Severity: High): Ensures appropriate cryptographic algorithms are used.
    • Improper Use of Primitives (Severity: High): Prevents misuse of Tink's primitives.
    • Use of Weak Cryptographic Primitives (Severity: High): Avoids outdated and insecure algorithms.

  • Impact:

    • Incorrect Algorithm Choice: Risk significantly reduced.
    • Improper Use of Primitives: Risk significantly reduced.
    • Use of Weak Cryptographic Primitives: Risk significantly reduced.

  • Currently Implemented:

    • Key Templates: Partially implemented (not strictly enforced).
    • High-Level APIs: Fully implemented.
    • Avoid Deprecated APIs/Templates: Partially Implemented.

  • Missing Implementation:

    • Strictly enforce the use of recommended key templates throughout the codebase.
    • Establish a process to regularly check for and avoid deprecated Tink features.