Enterprises have never been more aware of the insider threat than in the wake of Edward Snowden's National Security Agency leaks, and a newly open-sourced application may provide a simple method for securing enterprise data stored on corporate servers against rogue insiders.
Named for a scene in a Tom Clancy novel and movie, the Red October server encryption software was developed internally to improve security at San Francisco-based CloudFlare Inc. Inspired by the "two-man rule" used by militaries to prevent the unauthorized launch of nuclear missiles, Red October ensures that encrypted data can only be accessed when at least two authorized users provide the necessary passwords to unlock their private cryptographic keys. The number of users required for access can be scaled to meet specific needs.
CloudFlare CEO Matthew Prince said that Red October evolved from the company's need to protect sensitive customer data stored on its servers, including everything from simple user information to SSL keys. He noted the heightened awareness around the risk posed by rogue insiders to such data, including statistics from the "2013 Verizon Data Breach Investigations Report," which stated that insiders account for approximately 14% of data breaches.
"We do background checks and everything on employees," Prince said, "but, especially as an organization grows, it's hard to be 100% certain that you don't have a rogue employee or someone who would turn over some sensitive data that we're entrusted with."
Described by CloudFlare as a software-based encryption and decryption server, Red October is based around combinatorial techniques and cryptographic primitives, namely 128-bit AES and 2048-bit RSA. When accounts are created on a Red October server, each user is assigned a unique RSA key pair. The private key of each pair is then encrypted with a password key derived from the user's password and a salt using the scrypt key derivation function. The public key remains unencrypted.
Data is encrypted with a random AES key generated by the server. For each user who is authorized to access the data, a user-specific key is provided that encrypts the AES key, meaning the key used to decrypt the data will be encrypted multiple times. Those key encryption keys are then also encrypted with the users' public RSA keys.
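The layering described above, for a two-person rule, as an added Go example that is not Red October's own code: a 16-byte data key is wrapped under two per-user key encryption keys, each of which is encrypted to its owner's RSA public key. The names `Wrap`, `Peel` and `newKey`, the use of AES-GCM and RSA-OAEP with SHA-256, and the all-zero demo key are assumptions of this example; the scrypt password protection of the private keys is left out, so the private keys are simply held in memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Wrap nests the data key under a fresh KEK per user and RSA-encrypts each KEK.
func Wrap(w []byte, a, b *rsa.PublicKey) ([]byte, [][]byte, error) {
	var keks [][]byte
	for _, pub := range []*rsa.PublicKey{a, b} { // b's layer ends up outermost
		r := make([]byte, 28)           // fresh KEK (16 bytes) | GCM nonce (12 bytes)
		rand.Read(r)                    // crypto/rand; never fails on Go 1.24+
		blk, _ := aes.NewCipher(r[:16]) // cannot fail: the key is 16 bytes
		g, _ := cipher.NewGCM(blk)      // AES-GCM is this example's choice of mode
		w = g.Seal(r[16:], r[16:], w, nil) // layer = nonce | ciphertext | tag
		ek, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, r[:16], nil)
		if err != nil {
			return nil, nil, err
		}
		keks = append(keks, ek)
	}
	return w, keks, nil
}

// Peel removes the outermost layer using one user's private key and that user's KEK.
func Peel(w, ek []byte, priv *rsa.PrivateKey) ([]byte, error) {
	kek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ek, nil)
	if err != nil || len(kek) != 16 || len(w) < 12 {
		return nil, fmt.Errorf("layer cannot be opened with this key")
	}
	blk, _ := aes.NewCipher(kek) // cannot fail: length checked above
	g, _ := cipher.NewGCM(blk)
	return g.Open(nil, w[:12], w[12:], nil)
}

func newKey() *rsa.PrivateKey { // constructed user key pair for the demo
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}

func main() {
	a, b := newKey(), newKey()
	w, keks, _ := Wrap(make([]byte, 16), &a.PublicKey, &b.PublicKey)
	fmt.Println(Peel(w, keks[1], a)) // user a alone cannot open b's layer
}
```

Recovering the data key takes `Peel` with b's key on the stored value, then `Peel` with a's key on the result; neither user's private key gets past the other's layer.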
"So the way the Red October server works is [that] it's keys upon keys upon keys, sort of layers upon layers," said Nick Sullivan, a systems engineer and security architect with CloudFlare.
Though plenty of crypto expertise was behind Red October's development, including that of Sullivan and CloudFlare's John Graham-Cumming, the software had not been scrutinized by anyone outside of the company before it was open-sourced. Sullivan emphasized that the software was inherently secure because it had been based entirely on bedrocks of the cryptographic world, AES and RSA, which are as tried and tested as any algorithms available. In fact, CloudFlare chose to avoid Shamir's Secret Sharing, a crypto algorithm based on the two-man rule, because it hasn't been vetted outside the realm of academia.
"If we used the [implementations of Shamir's] that were out there, not only did we have not a lot of confidence that they were fundamentally secure -- even though academically, it's a very elegant system -- we're not sure the actual implementations are very good that exist today. And then if we tried to implement it ourselves, we're just as fallible at making mistakes around implementing fundamental cryptographic systems," Prince said. "And so, wherever possible, we like to rely on things that have been around for a long time and implementations that have been very widely tested and deployed. And if there is a flaw, that flaw can get patched and it's got a lot of eyes looking at it, not just because we're using it as part of Red October or something like that."
Beyond the use of AES and RSA, Prince also said that one of the primary reasons behind open-sourcing Red October was to get as many people to "kick the tires" as possible. With public input, he hopes that Red October will continue to be improved, both for the benefit of CloudFlare and the security of Web-based organizations generally.
Ran Canetti, a professor of computer science at Boston University and a cryptography expert, conceded that Red October isn't trying anything new, but still emphasized that the inherently tricky nature of crypto left questions to be answered about the security of the implementation.
"I'd be wary about using it … without public scrutiny and security analysis," Canetti said via email.
Red October's future
Open-sourcing Red October was not the only move CloudFlare made to ensure the server encryption software is improved by the public. Sullivan noted that the application was modular in nature, meaning it should be easy for developers to add on or swap out parts of Red October. CloudFlare themselves are exploring options to add two-factor authentication, including Google Authenticator and other time-based one-time password schemes, as well as methods that would avoid relying on passwords altogether.
Sullivan would also like to see Red October become more user-friendly. Though CloudFlare recently provided a Web interface that allows access to Red October servers via any browser, he said such features could easily be extended to mobile devices and other special applications. Interested parties could even add Shamir's Secret Sharing as a module if they so desired, Sullivan said.
Red October is available via CloudFlare's GitHub page.