How secure is this architecture?

I am creating a system that must collect some sensitive data over a secure web connection, securely store it on the server for subsequent automatic decryption and reuse. The system should also allow the user to view part of the protected data (for example, *****ze) and/or completely change it via the Internet. The system should provide a reasonable level of security.

I was thinking about the following infrastructure:

Application Server (Web) 1

  • TLS-enabled web server for secure web connections.

  • Use a public key algorithm (for example, RSA) to encrypt the data entered by the user and send it to application server 2 through a one-way outgoing secure channel (for example, SSH-2) without saving it anywhere on application server 1 or DB Server 1.

  • Use a symmetric key algorithm with a user-dependent password to encrypt some part of the entered data (for example, the last few letters/digits) and store it on database server 1 for subsequent lookup by application server 1 during a user web session.

  • Reuse step 2 to modify user data over the web.

Database server 1

  • Keep unprotected, non-sensitive user data.
  • Store some sensitive user data encrypted by application server 1 (see step 3 above).

Application server 2

  • NEVER send anything TO Application Server 1 or Database Server 1.
  • Get encrypted user data from application server 1 and save it to DB Server 2.
  • Retrieve encrypted user-sensitive data from database server 2 on a local schedule and decrypt it using the private key (see Application Server 1, step 2) locally on application server 2 with proper key management.

DB Server 2

  • Store encrypted confidential user data (see Application Server 2, step 2).

If application server (Web) 1 or database server 1 or both are compromised, the attacker will not be able to obtain user-sensitive data (either encrypted or not). All attackers have access to the public keys and encryption algorithms, which are well known in any case. However, the attacker will be able to modify the web server to receive user passwords in clear text and decrypt some of the user-sensitive data stored in DB Server 1 (see Application Server 1, step 3), which I do not consider a big deal. The attacker will also be able (by modifying the code) to intercept user-sensitive data entered by users over the network during a potential attack. I consider the latter a higher risk, but provided that it is difficult (is it?) for an attacker to change the code without being noticed, I think I should not worry about it.

If application server 2 and the private key are compromised, the attacker will have access to everything, but neither application server 2 nor database server 2 is exposed to the network, so this should not be a problem.

How secure is this architecture? Is my understanding of how encryption algorithms and secure protocols work correct?

Thanks!

+4
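As an added illustration of steps 2 and 3 of the Application Server 1 / Application Server 2 split (this is example code written here, not code from the question or the answers): the web tier holds only Application Server 2's public key and produces a record it cannot itself decrypt, which is the property the question relies on when it says a compromised web server yields no sensitive data. Because raw RSA cannot encrypt arbitrary-length fields, the example uses the standard hybrid form (a per-record AES-256-GCM data key wrapped with RSA-OAEP); the function names and record layout are assumptions.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

func NewServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } // AS2 key pair, demo only
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the web tier, which holds only the public key, so a compromise there yields nothing decryptable.
func Seal(pub *rsa.PublicKey, plaintext []byte) (wrappedKey, nonceAndCiphertext []byte, err error) {
	buf := make([]byte, 44) // fresh per record: 32-byte AES-256 data key followed by a 12-byte GCM nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	dataKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, nil, err
	}
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil) // data key wrapped to AS2
	if err != nil {
		return nil, nil, err
	}
	return wrappedKey, gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || GCM tag
}

// Open runs only on Application Server 2, the sole private-key holder; any tampering fails the GCM tag check.
func Open(priv *rsa.PrivateKey, wrappedKey, nonceAndCiphertext []byte) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil || len(nonceAndCiphertext) < gcm.NonceSize() {
		return nil, errors.New("cannot open record: bad data key or truncated record")
	}
	ns := gcm.NonceSize()
	return gcm.Open(nil, nonceAndCiphertext[:ns], nonceAndCiphertext[ns:], nil)
}
```

Only the output of Seal travels to Application Server 2 and into DB Server 2; the web tier never sees the private key, and a record altered in transit or at rest is rejected rather than decrypted to garbage.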
3 answers

I don't think I can give the right answer, because I'm not sure the purpose of your system is clear. Although I appreciate that you want design feedback, it's a little complicated without any stated purpose.

I would suggest this:

First document and analyze your threat model

You need to come up with a fixed, hard list of all possible attack scenarios: local intruders, etc. Who are you trying to protect against? You also say things like "with proper key management"; but this is one of the most difficult things. Therefore, do not just assume that you can get this right; fully plan how you will do it, with specific reference to which attacks it will prevent.

The reason you need a threat model is that you will need to determine from which angles you will be vulnerable; because you will be.

I would also suggest that although theory is good, in cryptography implementation is also very important. Do not just assume that you will do everything right; you really need to take care of where the random numbers come from, and other similar things.

I know this is a little vague, but I think that, at the very least, a formal and strong threat model will be very useful for you.

+3

So far so good. You are well on your way to a very secure architecture. There are other issues, such as firewalls, password policies, logging, monitoring, and alerting, to consider, but everything you have described so far is very solid. If the data is sensitive enough, consider a third-party security review.

+1

I would not recommend using any form of public key to communicate between your web server and your application server. If you control both systems, use a regular secret-key encryption system. You know the identity of your application server, so maintaining key security is not a problem. If you ever need to change or update your private key, just do it manually to prevent leakage through the connection.

What I would be very careful about is the direction of data transfer from your server in the DMZ, which should only be your web server, into those boxes that are inside your network. It is becoming more common for legitimate domains to distribute malware to visitors. This is bad, but if the malware were to get into a box on your network, and not just onto your users' machines, then your business will be completely shut down.

I also did not see anything about preventing SQL injection or about system hardening/patching to prevent the spread of malware. This should be your first and most important consideration. If security is important to you, then your architecture must be flexible enough for small server-to-server communications and frequent patches. Most websites, even those of large legitimate companies, never fix their security holes, even after they have been compromised. You must constantly fix security holes and change things to prevent holes from occurring if you want to avoid being compromised in the first place.

In order not to become a malware distributor, I propose making strict and fast rules for serving media files containing any type of client-side script. Client-side scripting can be found in JavaScript, ActiveX, Flash, Acrobat, Silverlight, and other code or plug-ins that run on the client system. Policies for serving this content must exist in order to immediately identify abnormal code fragments. My recommendation is to NEVER embed client-side code directly in the page, but always reference an external file. I also suggest that consolidating media in this way gives you better control over your assets and saves bandwidth, for example one large JavaScript file instead of 8 small ones. I would also recommend forcing all such media to go through an external content distribution system that references your domain in its directory structure. Thus, the media is not served directly from your servers, and if it is served directly from you, you can quickly identify it as potentially malicious and require a security check.

+1