SLIDE 1
APPLIED CRYPTOGRAPHY:
FROM ALGORITHMS TO LIBRARIES
APPLIED CRYPTOGRAPHY: FROM ALGORITHMS TO LIBRARIES @ABSTRACTJ - - PowerPoint PPT Presentation
APPLIED CRYPTOGRAPHY: FROM ALGORITHMS TO LIBRARIES @ABSTRACTJ - - PowerPoint PPT Presentation
APPLIED CRYPTOGRAPHY: FROM ALGORITHMS TO LIBRARIES @ABSTRACTJ GOAL OF THIS PRESENTATION ALGORITHMS An algorithm must be seen to be believed. Donald E. Knuth THIS TALK IS NOT ABOUT ALGORITHMS, ONLY SECURITY the state of being
SLIDE 2
SLIDE 3
SLIDE 4
SLIDE 5
SLIDE 6
SLIDE 7
GOAL OF THIS PRESENTATION
SLIDE 8
ALGORITHMS
SLIDE 9
SLIDE 10
SLIDE 11
“ An algorithm must be seen to be
believed.
― Donald E. Knuth
SLIDE 12
SLIDE 13
SLIDE 14
SLIDE 15
SLIDE 16
SLIDE 17
THIS TALK IS NOT ABOUT ALGORITHMS, ONLY
SLIDE 18
SLIDE 19
SECURITY
“ the state of being free from danger or
threat
SLIDE 20
FEELING VS REALITY
SLIDE 21
“ Cryptography is the art and science of
encryption
― Cryptography Engineering
SLIDE 22
“ The study of codes, or the art of
writing and solving them.
― Oxford dictionaries
SLIDE 23
HISTORICALLY FOCUSED ON SECRET COMMUNICATIONS
SLIDE 24
SLIDE 25
VIGENÈRE CIPHER
~ 1553, Rome
SLIDE 26
ENIGMA
(1920)
SLIDE 27
DES
(1974)
Key size 2⁵⁶, block size 64 bits Short key sizes can be subject of brute force Should be avoided Broken in 22 hours
SLIDE 28
DES
(1974)
SLIDE 29
LIMITED PROCESSING POWER
SLIDE 30
TODAY
SLIDE 31
TODAY
SLIDE 32
TODAY
SLIDE 33
BROADER SCOPE
File integrity Random IDs API authentication Password storage JWTs Software updates Bank transactions
SLIDE 34
ALGORITHMS
Hashes Block ciphers Stream ciphers Digital signatures Message authentication codes Private key encryption Public key encryption
SLIDE 35
CRYPTO WON'T SOLVE ALL OF YOUR PROBLEMS
SLIDE 36
IT'S COMPLETELY TRICKY
SLIDE 37
MOST PART OF THE TIME IS LIKE
SLIDE 38
Source: Veracode
SLIDE 39
Source: Stackoverflow
SLIDE 40
DON'T ROLL YOUR OWN CRYPTO
SLIDE 41
“ A cryptosystem should be secure even
if everything about the system, except the key, is public knowledge
― Kerckhoffs's principle
SLIDE 42
SLIDE 43
SLIDE 44
HOW CRYPTO IS DONE TODAY?
SLIDE 45
LIBRARIES
Java Node.js & Ruby Web javax.crypto OpenSSL WebCrypto BouncyCastle libsodium sjcl Keyczar crypto-js Jasypt
SLIDE 46
LET'S GET OUR HANDS DIRTY
SLIDE 47
THE BADLY DESIGNED APP
SLIDE 48
Hmmm, I wish I had an app to share my notes
ALICE
SLIDE 49
Why not? Count me in
BOB
SLIDE 50
I like it!
EVE
SLIDE 51
#1 STORY
AS A USER OF THIS APP, ALICE WANTS TO CREATE AND SHARE NEW NOTES
SLIDE 52
Barbecue tomorrow? Yes, please!
SLIDE 53
Barbecue tomorrow 12 pm? Yes! Barbecue on Monday 9 am?
SLIDE 54
#2 STORY
AS A USER OF THIS APP, BOB WANTS TO VERIFY THE INTEGRITY OF ALICE'S FILES
SLIDE 55
CWE-327 USE OF A BROKEN OR RISKY CRYPTOGRAPHIC ALGORITHM
SLIDE 56
MD5
white.jpg e06723d4961a0a3f950e7786f3 766338 brown.jpg e06723d4961a0a3f950e7786f3 766338
SLIDE 57
SLIDE 58
SHA-224 SHA-256 SHA-384 SHA-512 ARE ALL GOOD CHOICES
SLIDE 59
BUT WHAT ABOUT INCLUDING A SALT?
SLIDE 60
CWE-916 PASSWORD HASH WITH INSUFFICIENT COMPUTATIONAL EFFORT
SLIDE 61
SLIDE 62
#3 STORY
AS A PARANOID, I WOULD LIKE NOT ONLY INTEGRITY, BUT ALSO AUTHENTICITY
SLIDE 63
#4 STORY
AS A USER OF THIS APP, I WANT TO ADD INTEGRITY, AUTHENTICITY, SECRECY AND PROTECT MY DATA
SLIDE 64
Alice Bob
SLIDE 65
MODES OF OPERATION
SLIDE 66
Source: Wikipedia Text Text Text Text
ECB IS NOT SECURE
SLIDE 67
SLIDE 68
Source: Wikipedia
CBC
SLIDE 69
Source: Wikipedia
CTR
SLIDE 70
#5 STORY
AS A USER I WANT TO HAVE PASSWORD PROTECTED ENTRIES
SLIDE 71
#6 STORY
AS SOMEONE VERY SOCIAL, I WANT TO SHARE MY ENTRIES WITH A FRIEND WITHOUT EXPOSING MY KEYS
SLIDE 72
Alice Bob sK pK sK pK
SLIDE 73
“ Privacy is an inherent human right, and a
requirement for maintaining the human condition with dignity and respect. It is about choice, and having the power to control how you present yourself to the world. Bruce Schneier
SLIDE 74
THANK YOU!
http://abstractj.org https://keycloak.org https://github.com/abstractj/krypto-playground