proper use of cryptography
play

Proper Use of Cryptography Never write your own crypto functions if - PowerPoint PPT Presentation

Aug 28, 2022 •259 likes •417 views

Proper Use of Cryptography Never write your own crypto functions if you have any choice Another favorite piece of advice from industry Never, ever, design your own encryption algorithm Unless thats your area of expertise

  1. Proper Use of Cryptography • Never write your own crypto functions if you have any choice – Another favorite piece of advice from industry • Never, ever, design your own encryption algorithm – Unless that’s your area of expertise • Generally, rely on tried and true stuff – Both algorithms and implementations Lecture 14 Page 1 CS 236 Online

  2. Proper Use of Crypto • Even with good crypto algorithms (and code), problems are possible • Proper use of crypto is quite subtle • Bugs possible in: – Choice of keys – Key management – Application of cryptographic ops Lecture 14 Page 2 CS 236 Online

  3. An Example • An application where RSA was used to distribute a triple-DES key • Seemed to work fine • Someone noticed that part of the RSA key exchange was always the same – That’s odd . . . Lecture 14 Page 3 CS 236 Online

  4. What Was Happening? • Bad parameters were handed to the RSA encryption code • It failed and returned an error • Which wasn’t checked for – Since it “couldn’t fail” • As a result, RSA encryption wasn’t applied at all • The session key was sent in plaintext . . . Lecture 14 Page 4 CS 236 Online

  5. Another Example • Many pieces of malware use cryptography • RC4 is a frequent choice of cipher – Seems easy and fast • So the hackers implement it themselves • Which often gives the defenders advantages • Because the hackers screw it up • Being evil doesn’t necessarily make you smart Lecture 14 Page 5 CS 236 Online

  6. Trust Management • Don’t trust anything you don’t need to • Don’t trust other programs • Don’t trust other components of your program • Don’t trust users • Don’t trust the data users provide you Lecture 14 Page 6 CS 236 Online

  7. Trust • Some trust required to get most jobs done • But determine how much you must trust the other – Don’t trust things you can independently verify • Limit the scope of your trust – Compartmentalization helps • Be careful who you trust Lecture 14 Page 7 CS 236 Online

  8. Two Important Lessons 1. Many security problems arise because of unverified assumptions – You think someone is going to do something he actually isn’t 2. Trusting someone doesn’t just mean trusting their honesty – It means trusting their caution, too Lecture 14 Page 8 CS 236 Online

  9. Input Verification • Never assume users followed any rules in providing you input • They can provide you with anything • Unless you check it, assume they’ve given you garbage – Or worse • Just because the last input was good doesn’t mean the next one will be Lecture 14 Page 9 CS 236 Online

  10. Treat Input as Hostile • If it comes from outside your control and reasonable area of trust • Probably even if it doesn’t • There may be code paths you haven’t considered • New code paths might be added • Input might come from new sources Lecture 14 Page 10 CS 236 Online

  11. For Example • Shopping cart exploits • Web shopping carts sometimes handled as a cookie delivered to the user • Some of these weren’t encrypted • So users could alter them • The shopping cart cookie included the price of the goods . . . Lecture 14 Page 11 CS 236 Online

  12. What Was the Problem? • The system trusted the shopping cart cookie when it was returned – When there was no reason to trust it • Either encrypt the cookie – Making the input more trusted – Can you see any problem with this approach? • Or scan the input before taking action on it – To find refrigerators being sold for 3 cents Lecture 14 Page 12 CS 236 Online

  13. Variable Synchronization • Often, two or more program variables have related values • Common example is a pointer to a buffer and a length variable • Are the two variables always synchronized? • If not, bad input can cause trouble Lecture 14 Page 13 CS 236 Online

  14. An Example • From Apache web server • cdata is a pointer to a buffer • len is an integer containing the length of that buffer • Programmer wanted to get rid of leading and trailing white spaces Lecture 14 Page 14 CS 236 Online

  15. The Problematic Code while (apr_isspace(*cdata)) ++cdata; while (len-- >0 && apr_isspace(cdata[len])) continue; cdata[len+1] = ‘/0’; • len is not decremented when leading white spaces are removed • So trailing white space removal can overwrite end of buffer with nulls • May or may not be serious security problem, depending on what’s stored in overwritten area Lecture 14 Page 15 CS 236 Online

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography &

HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography &

HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography & http://cseweb.ucsd.edu/users/mihir/cse207/ Brief History: Proliferation of computers and communication systems in 1960s brought with it a demand to protect

273 views • 24 slides
Basic Cryptography Ge Zhang What is Cryptography Cryptography Cryptosystem: 5-tuple (M,

Basic Cryptography Ge Zhang What is Cryptography Cryptography Cryptosystem: 5-tuple (M,

Karlstad University Basic Cryptography Ge Zhang What is Cryptography Cryptography Cryptosystem: 5-tuple (M, C, E, D, K) M: the set of plaintexts C: the set of ciphertexts E: M x K -> C enciphering functions D: C x K

446 views • 40 slides
Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY

Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY

Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY Plaintext Cyphertext More definitions block cipher stream cipher hash function shared key public key digital signature

383 views • 16 slides
Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Klbl June 20th, 2017 DTU Compute, Technical University of Denmark Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do? Authentication

711 views • 47 slides
Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and

Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and

Cryptography Cryptography Concepts and Terminology Security Concepts Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and Terminology Cryptography School of Engineering and Technology CQUniversity

322 views • 11 slides
Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and

Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and

Cryptography Cryptography Concepts and Terminology Security Concepts Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and Terminology Cryptography School of Engineering and Technology CQUniversity

453 views • 11 slides
Uses of Cryptography What can we use cryptography for? Lots of things Secrecy

Uses of Cryptography What can we use cryptography for? Lots of things Secrecy

Uses of Cryptography What can we use cryptography for? Lots of things Secrecy Authentication Prevention of alteration Lecture 4 Page 1 CS 236 Online Cryptography and Secrecy Pretty obvious Only those knowing the

303 views • 15 slides
Cryptography Modern cryptography was born in 1970s when computationally easy-to-verify but

Cryptography Modern cryptography was born in 1970s when computationally easy-to-verify but

Cryptography Modern cryptography was born in 1970s when computationally easy-to-verify but hard-to-solve problems were discovered. Computational Complexity, by Fu Yuxi Cryptography 1 / 75 Cryptography is closely related to some

785 views • 76 slides
Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information:

Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information:

Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information: Using microscopic physical state of quantum systems (spin of atoms/sub-atomic particles, polarization of photons etc.) to encode information

1.95k views • 154 slides
Modern cryptography CSCI 470: Web Science Keith Vertanen Overview Modern cryptography

Modern cryptography CSCI 470: Web Science Keith Vertanen Overview Modern cryptography

Modern cryptography CSCI 470: Web Science Keith Vertanen Overview Modern cryptography Symmetric cryptography DES 3DES AES Asymmetric cryptography Diffie-Hellman key exchange 2 Modern cryptography Moving into

338 views • 16 slides
Cryptography Basics Network Security Instructor: Haojin Zhu 1 Cryptography What is

Cryptography Basics Network Security Instructor: Haojin Zhu 1 Cryptography What is

Cryptography Basics Network Security Instructor: Haojin Zhu 1 Cryptography What is cryptography? Related fields: Cryptography ("secret writing"): Making secret messages Turning plaintext (an ordinary readable message)

1.2k views • 57 slides
Public-Key Cryptography Public-Key Cryptography Lecture 9 Public-Key Cryptography Lecture 9

Public-Key Cryptography Public-Key Cryptography Lecture 9 Public-Key Cryptography Lecture 9

Public-Key Cryptography Public-Key Cryptography Lecture 9 Public-Key Cryptography Lecture 9 CCA Security SIM-CCA Security (PKE) Recv Send PK/Enc SK/Dec Replay Filter Secure (and correct) if: s.t. output of is distributed

1.26k views • 101 slides
Public Key Cryptography Cryptography School of Engineering and Technology CQUniversity Australia

Public Key Cryptography Cryptography School of Engineering and Technology CQUniversity Australia

Cryptography Public Key Cryptography Concepts of Public Key Cryptography Public Key Cryptography Cryptography School of Engineering and Technology CQUniversity Australia Prepared by Steven Gordon on 20 Feb 2020, public.tex, r1803 1

421 views • 7 slides
Its Applications Aaram Yun, UNIST FIF presentation, 2015 1 Cryptography 2 Cryptography

Its Applications Aaram Yun, UNIST FIF presentation, 2015 1 Cryptography 2 Cryptography

Homomorphic Cryptography & Its Applications Aaram Yun, UNIST FIF presentation, 2015 1 Cryptography 2 Cryptography Bike lock of Internet Provides many important building blocks for security For example, encryption or

699 views • 31 slides
Symmetric Key Cryptography Introduction to Symmetric Key Cryptography Myth Where does security

Symmetric Key Cryptography Introduction to Symmetric Key Cryptography Myth Where does security

PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Klbl June 19th, 2017 DTU Compute, Technical University of Denmark Symmetric Key Cryptography Introduction to Symmetric Key Cryptography Myth Where does security fail?

758 views • 72 slides
Handout 8 Summary of this handout: Asymmetric Cryptography Public Key Cryptography

Handout 8 Summary of this handout: Asymmetric Cryptography Public Key Cryptography

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 15 November, 2012 Handout 8 Summary of this handout: Asymmetric Cryptography Public Key Cryptography Diffie-Hellman Key

207 views • 8 slides
Data Abstraction and Abstract Data Types Tessema M. Mengistu Department of Computer Science

Data Abstraction and Abstract Data Types Tessema M. Mengistu Department of Computer Science

Data Abstraction and Abstract Data Types Tessema M. Mengistu Department of Computer Science Southern Illinois University Carbondale tessema.mengistu@siu.edu Room - 3131 1 Outline Abstract Data types (ADT) ADT Design Specification

502 views • 28 slides
Testing and Integration !"#$%&'$(%)(*+

Testing and Integration !"#$%&'$(%)(*+

Testing and Integration !"#$%&'$(%)(*+ ,-(*.#$*/-&,01$0((#$01&/02&!3456.(#&7*$(0*( 8(/#0$01&7*$(0*(% 93#.":(%.(#0&;0$<(#%$.= 1 Thursday, October 25, 2012 Readings >"(%(&%-$2(%

892 views • 68 slides
Modeling Complex User Behavior with the Palladio Component Model Symposium on Software Performance

Modeling Complex User Behavior with the Palladio Component Model Symposium on Software Performance

Mnchen, 2015-11-06 Modeling Complex User Behavior with the Palladio Component Model Symposium on Software Performance 2015 Christian Vgele, Robert Heinrich, Robert Heilein, Andr van Hoorn, Helmut Krcmar fortiss GmbH An-Institut

3.14k views • 17 slides
Midway Milestone Shoppy CS 147 - Fall 2017 The Team James Lyons Hao Wang

Midway Milestone Shoppy CS 147 - Fall 2017 The Team James Lyons Hao Wang

Midway Milestone Shoppy CS 147 - Fall 2017 The Team James Lyons Hao Wang Yolanda Wang 2 Fewer choices, better products. Value Proposition 3 Problem/Solution Overview Problem Solution In store shopping:

259 views • 21 slides
Bloom: Using disorderly programming to build eventually- consistent distributed systems Bill

Bloom: Using disorderly programming to build eventually- consistent distributed systems Bill

Bloom: Using disorderly programming to build eventually- consistent distributed systems Bill Marczak UC Berkeley Why is dist. programming hard? Why is dist. programming hard? Concurrency Why is dist. programming hard? Concurrency

1.1k views • 83 slides
WELCOME ! Adult Career and Special Student Services (ACSSS) 21 N Park St, Suite 7101

WELCOME ! Adult Career and Special Student Services (ACSSS) 21 N Park St, Suite 7101

Senior Guest Auditing WELCOME ! Adult Career and Special Student Services (ACSSS) 21 N Park St, Suite 7101 608-263-6960 advising@dcs.wisc.edu University of Wisconsin Madison 2 Fast Facts Undergraduate Graduate 43,193 Total students

469 views • 32 slides
How to Make the Bilstein Website Work for You ThyssenKrupp Bilstein of America ThyssenKrupp

How to Make the Bilstein Website Work for You ThyssenKrupp Bilstein of America ThyssenKrupp

How to Make the Bilstein Website Work for You ThyssenKrupp Bilstein of America ThyssenKrupp Bilstein of America User Benefits How to Login Managing Your Account How to Find the Product You Need Part Number Search Year,

731 views • 50 slides
Introduction Model View controller ( MVC ) is a software architecture pattern which

Introduction Model View controller ( MVC ) is a software architecture pattern which

Introduction Model View controller ( MVC ) is a software architecture pattern which separates the representation of information from the user's interaction with it . First used in the Smalltalk-80 framework Used in making

406 views • 13 slides

More recommend