PARSEC has been CSPN-certified for 1 year. To mark this anniversary, we'd like to take a look at PARSEC's CSPN security target, a document produced as part of the certification process and which identifies PARSEC's security functions (available here).
Parsec secures data in the cloud. What does this mean?
Before going into detail on the subject, it's important to remember that PARSEC is not limited to data encryption. Information is protected according to different criteria:
- Confidentiality: Make data inaccessible and protect it from unwanted readers.
- Integrity: Guarantee that a file has not been modified.
- Authentication/Non-repudiation: Allows you to verify the origin of a data item or modification.
- Historization: Track changes while preserving their integrity.
These security criteria are the basic paradigms analyzed in the security target.
How did we analyze PARSEC?
The PARSEC security target describes the software architecture, the technological and architectural choices made, and the functions performed by the software. PARSEC concepts are described, as well as their detailed functions.
This descriptive aspect of the PARSEC product is accompanied by a safety analysis, which identifies:
- sensitive assets to be protected (assets liable to attack) and protection measures in place (section 4)
- threats to the assets listed above and attack paths (section 5)
- security functions to protect each asset from various threats (section 6).
A few reminders about system architecture
PARSEC protects user-generated data. To achieve this, the system uses cryptographic methods, requiring the use of keys and secrets distributed between users.
Cryptographic secrets and data information are stored as metadata on client workstations or PARSEC servers. This metadata is protected in the same way as the data, with the same security guarantees. Metadata cannot be used by the PARSEC metadata server hosting it, and only clients can decrypt it and access its content.
These protections must be guaranteed for data, metadata and cryptographic secrets, wherever data is present or in transit:
- Data hosting service (public cloud)
- PARSEC metadata server
- Transport on the network
- Local storage on the client workstation (PARSEC guarantees that no unencrypted data transits the user workstation's hard disk).
Cryptographic secrets.
Confidentiality is ensured by encrypted keys. Encrypting data means that it can be used and understood by a third party who does not have the key.
PARSEC includes different encryption keys:
- Data encryption keys.
- Metadata encryption keys
- Encryption keys specific to a user's metadata
- Local encryption keys, specific to the user terminal
Integrity and authenticity are ensured by data signature mechanisms. Signature keys are specific to each client workstation. The signature is used to certify a modification.
Note: To guarantee the authenticity of signature keys, each signature key is itself signed during the enrolment procedure (details here https://parsec.cloud/sas-single-authentification-string/ ).
PARSEC's exhaustive list of keys and their functions are not detailed in this article. They are listed in part 8 Glossary of the security target.
The PARSEC safety study.
As mentioned above, the security target identifies the sensitive assets to be protected (data, metadata, encryption keys, administration secrets, etc.), the level of security (confidentiality, authenticity, etc.), the threats to these assets, and the functions protecting the assets from threats.
Protecting sensitive assets
Section 4 of the security target therefore summarizes all the elements in PARSEC that are susceptible to attack or alteration, and which may contain information.
Assets are identified along with their associated protections. For example, file content must be protected in terms of confidentiality, integrity, authenticity and history.
Metadata, on the other hand, are not historically protected, since a metadata corresponds to a modification to a piece of data, and is therefore only written once (WORM concept, Write Once Read Many). Each data modification creates a new metadata.
The private parts of user keys are only protected in terms of confidentiality and integrity, to ensure that they cannot be used by anyone other than the user.
Note on user keys :
Here we take the example of user keys. As explained above, each user has a signature key, used to certify that the user is the author of a modification, and an encryption key, to receive private messages and information.
These keys are asymmetrical.
(Reminder on asymmetric keys
An asymmetric key is made up of two keys: a public key, stored on the metadata server, and a private key stored locally by the user.
The private part of an asymmetric signature key is used to sign the data (adding information that depends on the data and the private key), while the public part is used to verify the signature.
In the case of encryption, the public part is used to send an encrypted message that only the private part can decrypt.)
In our example, only private parts are considered.
Asset status
The location of each property is then identified:
- Is the property local?
- How is it stored?
- Does the good transit?
- When does the good transit?
Let's continue with the example of user private keys.
The signature key is specific to the user terminal (a different key per workstation to identify the terminal making the modification), and is therefore stored locally on the user terminal. The key is not in transit, but is secured locally.
The user encryption key is common to all workstations belonging to the same user, and must therefore be shared when a new terminal is enrolled. This key is secured at rest, on the client workstation. It must also be secured by a temporary key, enabling the private key to be encrypted and exchanged between two user terminals during the invitation procedure for a new terminal.
This example illustrates the need to protect a property in different ways, depending on its location and condition.
Threats to property
The security target then identifies the threats targeting the application. These threats aim to attack, corrupt, alter... the application assets we listed earlier. Section 5 of the security target therefore links the threats to the sensitive assets to be protected.
One of the obvious threats to parsec is the alteration of encrypted data (the storage of encrypted data being the heart of the application. The M2 threat is therefore very specific and applies only to data (well, B_FIC).
On the other hand, the M1 threat, which aims to corrupt metadata, has an impact not only on the metadata itself, but also on the data itself. For example, tampering with file metadata containing encryption secrets can render the data it references indecipherable.
Taking the example of the user's private keys (code B_UK and B_DK), threat M3 (client terminal corruption) is a direct danger. This information is stored on the user's workstation and is therefore vulnerable to attacks on the client terminal.
Safety functions
Finally, the security target describes the application's security functions, and how these functions are ensured:
- F1_CONFIDENTIALITY : Data confidentiality
- F2_INTEGRITY: Data integrity
- F3_AUTHENTICITY: Non-repudiation and Authenticity
- F4_USER_AUTHENTICATION: User authentication
- F5_USER_CHAIN: chain of trust
- F6_DEVICE_NON_REPUDIATION : Responsible terminal control
- F7_DEVICE_AUTHENTICATION: Terminal authentication
- F8_ENROLLMENT_TRANSMISSION: transmission of private information when creating a new terminal or user
- F9_ACCESS_CONTROL: Access control security
- F10_WS_REENCRYPT: Full workspace encryption
- F11_USER_ROLE_MANAGEMENT: Managing users and their rights
- F12_BACKEND_ADMINISTRATION: Metadata server administration
The corruption threats identified above (M1, M2, M3) are therefore risks to data, metadata and cryptographic secrets. Function F2_INTEGRITY: Data integrity provides protection for the asset identified as requiring integrity protection (in section 4):
" Parsec guarantees the integrity of files stored in a workspace. Each piece of metadata, signed by DEVICE_SIG_S_KEY (Ed25519), has a unique fingerprint, enabling any modification to be detected. The fingerprints of a file's constituent blocks, generated by a hash mechanism (sha256), are stored in the metadata to guarantee its integrity. The assets to be protected are : B_FIC, B_MTD, B_UA, B_DA, B_ACC."
Conclusion
PARSEC's CSPN-certified security target is a comprehensive document describing the application's security mechanisms, listing the application's functionalities, the assets used to perform these functions, the threats to these assets, and the security functions guaranteeing protection against these threats.
This document was used as a basis for auditing PARSEC's application code. The software is certified by ANSSI as compliant with the mechanisms described in this document.
PARSEC is therefore recognized as a reliable and secure security product. No non-conformities or vulnerabilities were discovered during this in-depth audit.
References
- Detailed PARSEC enrolement: https://parsec.cloud/sas-single-authentification-string/
- PARSEC on the ANSSI website: https://www.ssi.gouv.fr/entreprise/certification_cspn/parsec-version-2-0-0/
- PARSEC CSPN security target: https://www.ssi.gouv.fr/uploads/2021/05/anssi-cible-cspn-2021_08fr.pdf
- PARSEC CSPN certification report: https://www.ssi.gouv.fr/uploads/2021/05/anssi-cspn-2021_08fr.pdf
