‘Crypto Anchors’ Might Stop the Next Equifax-Style Megabreach
Firewalls, intrusion detection systems, and even encryption haven’t kept hackers out of hoards of data like the ones stolen in the catastrophic breaches of Equifax or Yahoo. But now, some Silicon Valley firms are trying a deeper approach, building security into the basic design of how data moves between a company’s servers. The method aims not to seal intruders out of sensitive systems, but to tighten the rim of the cookie jar around their wrist, trapping their grabby hands inside.
In a blog post Tuesday, security engineer Diogo Mónica put a name to an IT architecture idea that’s been technically possible for years, but only more recently adopted in firms that actually need to safeguard troves of sensitive user data: “Crypto Anchors.” The system, which Mónica and his colleague Nathan McCauley put into place at the payment firm Square before moving to enterprise software firm Docker in 2015, encrypts the contents of databases with a key that’s stored on a separate, single-purpose, hardened computer known as a Hardware Security Module, or HSM. When another computer in the company’s network tries to access a database’s records—whether it’s an innocent query from an employee’s PC, or a hacked web server hijacked by intruders to suck out a cache of secrets en masse—that HSM acts as a strict gatekeeper, decrypting each of those records one by one.
While that setup adds only some hundredths of a second to each request, companies can also set the HSM to throttle its decryptions, so that the data can’t be unscrambled faster than a certain set rate. That means even if the hackers have taken over a computer on a corporate network that has access to that target database, they can’t simply siphon out its data and leave. They remain “anchored” inside the network, painstakingly waiting for the HSM to decrypt each bit of data. And that can transform a rip-and-run attack lasting only hours or days into one that can take months or years—time during which the hackers must remain active on a victim’s network, and vulnerable to being detected and stopped.
“The core concept is to ensure that your data is not only encrypted, but that the only way it can be decrypted or accessed or operated on is physically in your data center,” says Mónica. “If someone compromises my database, if it gets leaked, it’s not useful unless they’re in my network, connecting to my system to parse the data.”
Slow Your Roll
To see how that safeguard would function in practice, look no further than the case of Equifax, which admitted to the loss of 143 million—now more than 145 million—Americans’ data last month. That breach, like so many others, likely started with the hijacking of an online web portal. Mónica points out that sort of compromised front-end web server is often used to query an underlying database and pull out data that shouldn’t be accessible—data like, say, half of all Americans’ Social Security numbers.
‘I’m not saying this will make you infallible forever, but you make them play on your turf, so you see them coming.’
Haroon Meer, Thinkst
Traditional encryption offers little defense against that sort of attack, Mónica argues. For the database to be usable in real-time, the web server has to possess the secret key to decrypt the data, so hackers who compromise the web server would have it, too. Cryptographic hashing, which irreversibly converts data to strings of scrambled characters, wouldn’t necessarily be much help, either; hashed secrets can often by stolen and then slowly cracked over time, particularly if companies use weak hashing methods. And since there are fewer than a billion possible Social Security numbers, the hackers could simply steal all the hashes, and then later generate hashes of all of them and match up the results with the hashes they’d stolen to decode the enciphered numbers.
But a system that uses a crypto anchor setup could add another safeguard to those hashing or encryption schemes: Instead, it would encrypt each social security number with a secret key that’s stored only in the HSM. Even if it were set to allow a million queries a day from Equifax customers, for example, any hackers who compromised that web server would be limited to that rate too, requiring them to linger inside the network well over six months to gather the whole collection of Equifax’s data. It would take far longer if the HSM’s rate-limiting were set close to the web portal’s rate of legitimate use by customers.
That sort of structural change in favor of defenders—not merely bolting on security hurdles, but developing it deep in systems’ architecture—makes ideas like crypto anchoring more appealing than adding yet another commercial security service, says Haroon Meer, the founder of security firm Thinkst. “I’m not saying this will make you infallible forever, but you make them play on your turf, so you see them coming,” he says. “That’s the sort of advantage defenders need.”
While the crypto anchor setup is hardly widespread, it’s already being used in some form by at least a few top-tier security teams at tech firms. Aside from the implementation he helped create at Square, Mónica says he’s learned in private conversations with Facebook and Uber engineers that they’ve implemented something similar. “Every security-engineering team that’s really good is using some form of this,” he says.
HSM sellers like Gemalto and Thales have made the implementation technically possible for years, and cloud versions of HSMs exist now, too, like Amazon’s CloudHSM and Microsoft’s Azure Key Vault. Johns Hopkin University cryptographer Matthew Green says he’s consulted for multiple major tech firms working on a version of the setup. “It’s old hat in the sense that people who design security systems know you can do these things,” Green says. “It’s new in the sense that very few people actually do them…Seeing them percolate up to the top now is really neat.”
Of course, crypto anchors alone are no panacea. They don’t, after all, actually stop hackers from stealing data, only slow them down and give defenders a chance to detect them and limit the damage. That means all the other tools, from intrusion-detection systems to antivirus to incident response, aren’t going away. But a network architecture that inherently limits how fast data can be decrypted and removed from the network could allow those tools to do their job far more effectively, Mónica argues.
Would crypto anchors have stopped the Equifax attack? Mónica says he can’t be sure—exact details of how the attack occurred are still hazy—but he believes they would have certainly impeded it. “It would have definitely helped with detection and understanding exactly what was accessed and compromised,” he says. “It would have slowed down the attacker. Maybe it wouldn’t have been 145 million records. Maybe it would have been less. Or maybe it would have been nothing.”