APPLIED CRYPTOGRAPHY: FROM ALGORITHMS TO LIBRARIES @ABSTRACTJ - PowerPoint PPT Presentation

APPLIED CRYPTOGRAPHY: FROM ALGORITHMS TO LIBRARIES

@ABSTRACTJ

GOAL OF THIS PRESENTATION

ALGORITHMS

“ An algorithm must be seen to be believed. ― Donald E. Knuth

THIS TALK IS NOT ABOUT ALGORITHMS, ONLY

SECURITY “ the state of being free from danger or threat

FEELING VS REALITY

“ Cryptography is the art and science of encryption ― Cryptography Engineering

“ The study of codes, or the art of writing and solving them. ― Oxford dictionaries

HISTORICALLY FOCUSED ON SECRET COMMUNICATIONS

VIGENÈRE CIPHER ~ 1553, Rome

ENIGMA (1920)

DES (1974) Key size 2 ⁵⁶ , block size 64 bits Short key sizes can be subject of brute force Should be avoided Broken in 22 hours

DES (1974)

LIMITED PROCESSING POWER

TODAY

TODAY

TODAY

BROADER SCOPE File integrity Random IDs API authentication Password storage JWTs Software updates Bank transactions

ALGORITHMS Hashes Block ciphers Stream ciphers Digital signatures Message authentication codes Private key encryption Public key encryption

CRYPTO WON'T SOLVE ALL OF YOUR PROBLEMS

IT'S COMPLETELY TRICKY

MOST PART OF THE TIME IS LIKE

Source: Veracode

Source: Stackover fl ow

DON'T ROLL YOUR OWN CRYPTO

“ A cryptosystem should be secure even if everything about the system, except the key, is public knowledge ― Kerckhoffs's principle

HOW CRYPTO IS DONE TODAY?

LIBRARIES Java Node.js & Web Ruby javax.crypto OpenSSL WebCrypto BouncyCastle libsodium sjcl Keyczar crypto-js Jasypt

LET'S GET OUR HANDS DIRTY

THE BADLY DESIGNED APP

Hmmm, I wish I had an app to share my notes ALICE

Why not? Count me in BOB

I like it! EVE

#1 STORY AS A USER OF THIS APP, ALICE WANTS TO CREATE AND SHARE NEW NOTES

Barbecue tomorrow? Yes, please!

Barbecue tomorrow 12 pm? Yes! Barbecue on Monday 9 am?

#2 STORY AS A USER OF THIS APP, BOB WANTS TO VERIFY THE INTEGRITY OF ALICE'S FILES

CWE-327 USE OF A BROKEN OR RISKY CRYPTOGRAPHIC ALGORITHM

MD5 white.jpg e06723d4961a0a3f950e7786f3 766338 brown.jpg e06723d4961a0a3f950e7786f3 766338

SHA-224 SHA-256 SHA-384 SHA-512 ARE ALL GOOD CHOICES

BUT WHAT ABOUT INCLUDING A SALT?

CWE-916 PASSWORD HASH WITH INSUFFICIENT COMPUTATIONAL EFFORT

#3 STORY AS A PARANOID, I WOULD LIKE NOT ONLY INTEGRITY, BUT ALSO AUTHENTICITY

#4 STORY AS A USER OF THIS APP, I WANT TO ADD INTEGRITY, AUTHENTICITY, SECRECY AND PROTECT MY DATA

Alice Bob

MODES OF OPERATION

ECB IS NOT SECURE Text Text Text Text Source: Wikipedia

CBC Source: Wikipedia

CTR Source: Wikipedia

#5 STORY AS A USER I WANT TO HAVE PASSWORD PROTECTED ENTRIES

#6 STORY AS SOMEONE VERY SOCIAL, I WANT TO SHARE MY ENTRIES WITH A FRIEND WITHOUT EXPOSING MY KEYS

sK pK sK pK Bob Alice

“ Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect. It is about choice, and having the power to control how you present yourself to the world. Bruce Schneier

THANK YOU! http://abstractj.org https://keycloak.org https://github.com/abstractj/krypto-playground