ruby monstas
play

Ruby Monstas Session 17: Interlude: Encryption Encryption What - PowerPoint PPT Presentation

Apr 11, 2024 •371 likes •837 views

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about encryption? Encryption Certificates Crypto Currencies Public Key AES Encryption Privacy SSH VPN HTTPS TLS Quantum Digital Signatures

  1. Ruby Monstas Session 17: Interlude: Encryption

  2. Encryption What comes to mind if you think about encryption?

  3. Encryption Certificates Crypto Currencies Public Key AES Encryption Privacy SSH VPN HTTPS TLS Quantum Digital Signatures Cryptography Encryption Keys Elliptic curves PGP/GPG NSA SHA-1 Enigma Caesar Cipher Symmetric Encryption Passwords End-to-end

  4. Encryption MAGIC!

  5. Encryption MAGIC! MATH!

  6. Mathematical Ingredients ● Long integers ● Multiplication ● Exponentiation ● Division ● Modulo ● Prime numbers No math details in this talk though!

  7. Topics ● Symmetric Encryption ● Random numbers ● Asymmetric (public key) Encryption ● Cryptographic Hash Functions

  8. A bit of history Caesar cipher Scytale Enigma Source: https://en.wikipedia.org/wiki/Cryptography

  9. Symmetric encryption

  10. Symmetric encryption

  11. Symmetric encryption Symmetric Symmetric encryption decryption algorithm algorithm

  12. Symmetric encryption Examples: ● AES (Rijndael) ● DES, 3DES ● Blowfish Advantage: Generally good performance Disadvantage: Both parties need to know the key

  13. Symmetric encryption Problem: People’s brains are terrible at generating keys! If the key or even only part of it can be guessed, it makes an attack easier (brute force).

  14. Random numbers Why random numbers? Keys (e.g. to encrypt things with) are generated from random numbers. Caveat: It’s hard to generate truly random numbers! Computers are deterministic machines by definition. Where can the randomness come from?

  15. Random numbers How not to do it: https://xkcd.com/221/

  16. Random numbers What to do instead: Collect truly random data (so-called entropy) and generate random numbers from it! % xxd -l 16 -p /dev/random 03515dce8971a29f6764c0c275784ec0

  17. Random numbers What can happen? Wikipedia: Prominent random number generator attacks When part of the key is predictable it can take attackers orders of magnitude less time to guess the key!

  18. Symmetric encryption % ruby aes_encrypt.rb require 'openssl' Enter message to encrypt: Hello, Bob! ALGORITHM = 'AES-256-CBC' Randomly generated key in puts 'Enter message to encrypt:' hexadecimal: message = gets.chomp 52b0278e72ef57afdfae73baf1145d4309 cipher = OpenSSL :: Cipher . new ( ALGORITHM ) 4c8ba071e8c5dd7449c99dfa0fe146 key = cipher.random_key Encrypted message in hexadecimal: hex_key = key.unpack('H*').first d789d4b1d816d150e146d857e927ac8b puts "Randomly generated key in hexadecimal: #{hex_key}" cipher.encrypt cipher.key = key encrypted_message = cipher.update(message) encrypted_message << cipher.final hex_encrypted_message = encrypted_message.unpack('H*').first puts "Encrypted message in hexadecimal: #{hex_encrypted_message}"

  19. Symmetric encryption % ruby aes_decrypt.rb require 'openssl' Enter key to decrypt with (in hexadecimal): ALGORITHM = 'AES-256-CBC' 52b0278e72ef57afdfae73baf1145d4309 puts 'Enter key to decrypt with (in hexadecimal):' 4c8ba071e8c5dd7449c99dfa0fe146 hex_key = gets.chomp Enter message to decrypt (in puts 'Enter message to decrypt (in hexadecimal):' hex_message = gets.chomp hexadecimal): d789d4b1d816d150e146d857e927ac8b cipher = OpenSSL :: Cipher . new ( ALGORITHM ) Decrypted message: Hello, Bob! key = [hex_key].pack('H*') message = [hex_message].pack('H*') cipher.decrypt cipher.key = key message = cipher.update(message) message << cipher.final puts "Decrypted message: #{message}"

  20. Asymmetric (public key) encryption 1. Generating a key pair Alice’s Bob’s private key private key Alice’s Key generation Bob’s Key generation public key algorithm public key algorithm

  21. Asymmetric (public key) encryption 2. Publishing keys Bob’s private key Alice’s private key Bob’s public key Alice’s public key

  22. Asymmetric (public key) encryption 3. Encryption using Bob’s public key Bob’s public key Asymmetric encryption algorithm

  23. Asymmetric (public key) encryption 4. Decryption using Bob’s private key Bob’s private key Asymmetric decryption algorithm

  24. Asymmetric (public key) encryption 5. Encryption using Alice’s public key Alice’s public key Asymmetric encryption algorithm

  25. Asymmetric (public key) encryption 5. Decryption using Alice’s private key Alice’s private key Asymmetric decryption algorithm

  26. Asymmetric (public key) encryption Examples: ● RSA ● ElGamal ● PGP Advantage: Public keys can be exchanged in the open Disadvantage: Generally slower than symmetric crypto

  27. Asymmetric (public key) encryption Public keys are public. Anyone can use them. How does Bob know the message is from Alice and vice versa? Enter: Cryptographic Hash Functions!

  28. Cryptographic Hash Functions Use: “Digesting” an arbitrary length text into a value of fixed length: % echo 'Hello, Bob!' | shasum -a 256 c4aaca0f9c0d691671659dfbcdf030d6009c2551fb53e4761a30cb29fc5f9ffb -

  29. Cryptographic Hash Functions The ideal cryptographic hash function has five main properties: ● it is deterministic so the same message always results in the same hash ● it is quick to compute the hash value for any given message ● it is infeasible to generate a message from its hash value except by trying all possible messages ● a small change to a message should change the hash value so extensively that the new hash value appears uncorrelated with the old hash value ● it is infeasible to find two different messages with the same hash value Source: Wikipedia: Cryptographic hash function

  30. Cryptographic Hash Functions How are passwords stored, e.g. for your Gmail account? Possibility: In plain text Disadvantage: If your database gets stolen, all your users’ passwords are compromised!

  31. Cryptographic Hash Functions Better idea: Use a cryptographic hash function! Sign up: Additional benefit: All the stored, hashed Data- passwords have the base same length! Cryptographic hash function

  32. Cryptographic Hash Functions Better idea: Use a cryptographic hash function! Data- Log in: base Cryptographic hash function

  33. Cryptographic Hash Functions What if two users choose the same password by chance? An attacker could use that information if the database gets compromised! Solution: Salt your password!

  34. Cryptographic Hash Functions Sign up: “Salt” Data- base Cryptographic hash function

  35. Cryptographic Hash Functions “Salt” Data- Log in: base Cryptographic hash function

  36. Cryptographic Hash Functions Password hashing and salting in Ruby using bcrypt gem: irb(main):001:0> require 'bcrypt' => true irb(main):005:0> password_hash = BCrypt::Password.create("Password123!") => "$2a$10$yxazpyL1iZ7lpLr/c8w4l.Eyii7oI3pRwmyw1gS/euLF4CJEtz6RK" irb(main):006:0> password_object = BCrypt::Password.new(password_hash) => "$2a$10$yxazpyL1iZ7lpLr/c8w4l.Eyii7oI3pRwmyw1gS/euLF4CJEtz6RK" irb(main):007:0> password_object == 'wrong password' => false irb(main):008:0> password_object == 'Password123!' => true Handy: bcrypt puts the password hash and the salt in the same String! Caveat: Bcrypt doesn’t actually use a cryptographic hash function, but the Blowfish symmetric cipher. The principle stays the same though!

  37. Cryptographic Hash Functions Security as of mid 2018: ● MD5 is considered broken ● SHA-1 is considered broken ● SHA256 or other SHA variants with longer bit lengths should be used

  38. Putting it all together 1. Calculating a cryptographic hash over the message Cryptographic hash function

  39. Putting it all together 2. Encrypting the hash using Alice’s private key Alice’s private key Asymmetric encryption algorithm

  40. Putting it all together 3. Encrypting message + signature using Bob’s public key Bob’s public key Asymmetric encryption algorithm

  41. Putting it all together 4. Decryption using Bob’s private key Bob’s private key Asymmetric decryption algorithm

  42. Putting it all together 5. Decryption of signature using Alice’s public key Alice’s public key Asymmetric decryption algorithm

  43. Putting it all together 6. Calculating a cryptographic hash over the message and comparing to Alice’s decrypted signature Cryptographic hash function

  44. PGP/GPG This is how PGP/GPG works!

  45. Bonus: Diffie-Hellman Key Exchange (public) Merkle Hellman Diffie Turing Award 2015: Whitfield Diffie, Martin E. Hellman Source: Wikipedia: Diffie-Hellman Key Exchange

  46. Take-home messages Use well-researched, public algorithms! Don’t implement your own crypto algorithms! Use secure sources of randomness! Keep your private keys private!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Ruby Monstas Session 30 Agenda Recap: Ids ORM: Object-relational mapping Sequel: A Database

Ruby Monstas Session 30 Agenda Recap: Ids ORM: Object-relational mapping Sequel: A Database

Ruby Monstas Session 30 Agenda Recap: Ids ORM: Object-relational mapping Sequel: A Database Toolkit for Ruby Exercises Recap Identifiers (IDs) in databases users posts first_name ... title body published_date 1 Janet ... 1 Title

364 views • 12 slides
Ruby Monstas Session 25 Agenda Recap Layouts Exercises Recap

Ruby Monstas Session 25 Agenda Recap Layouts Exercises Recap

Ruby Monstas Session 25 Agenda Recap Layouts Exercises Recap https://docs.google.com/presentation/d/1rxHrB4wLk7TMMMtIwC9azwNgnYQAFrae620IxjLHygI/edit#slide=id.ge8e058835_0_0 DIV element Text around&lt;div&gt; Outer DIV element

531 views • 17 slides
Ruby Monstas Session 12 Agenda Recap / Questions The Ruby Standard Library

Ruby Monstas Session 12 Agenda Recap / Questions The Ruby Standard Library

Ruby Monstas Session 12 Agenda Recap / Questions The Ruby Standard Library Exercises Recap Example: Class Person class Person irb&gt; lucy = Person.new(&quot;Lucy&quot;, 1984) def initialize(name, year_born) =&gt;

458 views • 14 slides
Ruby Monstas Session 28 Agenda Introduction to databases, Part 1 Exercises Introduction to

Ruby Monstas Session 28 Agenda Introduction to databases, Part 1 Exercises Introduction to

Ruby Monstas Session 28 Agenda Introduction to databases, Part 1 Exercises Introduction to databases Part 1 CSV Recap users.csv first_name,last_name,city,shoe_size Tatjana,Abt,Bern,42 Kasimir,Spitznogle,Luzern,46

433 views • 14 slides
Ruby Monstas Session 29 Agenda Recap Databases Introduction to databases, Part 2 Exercises

Ruby Monstas Session 29 Agenda Recap Databases Introduction to databases, Part 2 Exercises

Ruby Monstas Session 29 Agenda Recap Databases Introduction to databases, Part 2 Exercises SQL Part 1 Recap Before SQL: CSV users.csv first_name,last_name,city,shoe_size Tatjana,Abt,Bern,42 Kasimir,Spitznogle,Luzern,46

743 views • 33 slides
Ruby Monstas Session 24 Agenda Recap Layout elements HTML 5 Exercises Recap

Ruby Monstas Session 24 Agenda Recap Layout elements HTML 5 Exercises Recap

Ruby Monstas Session 24 Agenda Recap Layout elements HTML 5 Exercises Recap https://docs.google.com/presentation/d/1rxHrB4wLk7TMMMtIwC9azwNgnYQAFrae620IxjLHygI/edit#slide=id.ge8e058835_0_0 Layout Elements DIV element Text

163 views • 14 slides
Ruby Monstas Session 18 Agenda Recap Rubygems Bundler Exercises Recap Enter: ERB!

Ruby Monstas Session 18 Agenda Recap Rubygems Bundler Exercises Recap Enter: ERB!

Ruby Monstas Session 18 Agenda Recap Rubygems Bundler Exercises Recap Enter: ERB! todos.html.erb erb_exporter.rb require 'erb' &lt;!DOCTYPE html&gt; &lt;html&gt; class ErbExporter &lt;head&gt; &lt;title&gt;Todo List

736 views • 15 slides
Ruby Monstas Session 20 Agenda Recap HTML Forms HTTP POST Development Tools Exercises

Ruby Monstas Session 20 Agenda Recap HTML Forms HTTP POST Development Tools Exercises

Ruby Monstas Session 20 Agenda Recap HTML Forms HTTP POST Development Tools Exercises Recap HTTP: Computing model evolution Client Server Request Response HTTP: Uniform Resource Locator (URL) DOMAIN NAME RESOURCE rubymonstas.ch

402 views • 22 slides
Ruby Monstas Session 19 Agenda Recap Networking: The Internet HTTP: The foundation of the web

Ruby Monstas Session 19 Agenda Recap Networking: The Internet HTTP: The foundation of the web

Ruby Monstas Session 19 Agenda Recap Networking: The Internet HTTP: The foundation of the web Sinatra: Simple way to create web apps Exercises Recap RubyGems &amp; Bundler What is RubyGems? What is Bundler? Rubygems &amp; Bundler

435 views • 32 slides
Ruby Monstas Session 14 Agenda Recap Standard Library: RSS Exercises Recap Recap: TodoList

Ruby Monstas Session 14 Agenda Recap Standard Library: RSS Exercises Recap Recap: TodoList

Ruby Monstas Session 14 Agenda Recap Standard Library: RSS Exercises Recap Recap: TodoList Exercise Dive into code Standard Library: RSS What is RSS? &lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot; ?&gt; RSS: Rich Site

218 views • 8 slides
Ruby Monstas Session 13 Agenda Recap Class Methods &amp; Class Variables Time (Standard

Ruby Monstas Session 13 Agenda Recap Class Methods &amp; Class Variables Time (Standard

Ruby Monstas Session 13 Agenda Recap Class Methods &amp; Class Variables Time (Standard Library) Exercises Recap Recap: Classes and Objects class Customer irb&gt; beat = Customer.new(1, Beat) =&gt;

542 views • 13 slides
Ruby Monstas Session 16 Agenda Apro Recap ERB CSS Exercises Recap HTML &lt;!DOCTYPE

Ruby Monstas Session 16 Agenda Apro Recap ERB CSS Exercises Recap HTML &lt;!DOCTYPE

Ruby Monstas Session 16 Agenda Apro Recap ERB CSS Exercises Recap HTML &lt;!DOCTYPE html&gt; &lt; html &gt; &lt; head &gt; &lt; title &gt;This is shown in the browser's title bar&lt;/ title &gt; &lt;/ head &gt; &lt; body &gt; &lt; h1

345 views • 12 slides
Ruby Monstas Session 8 Project: IRC Bot Recap IRC channel user list user channel message

Ruby Monstas Session 8 Project: IRC Bot Recap IRC channel user list user channel message

Ruby Monstas Session 8 Project: IRC Bot Recap IRC channel user list user channel message Client / Server Networking Client Internet (the Cloud) Server Client / Server Networking TCP connection A little help Our goal [18:25]

236 views • 20 slides
Ruby On Rails CSCI 5449 Submitted by: Bhaskar Vaish What is Ruby on Rails ? Ruby on Rails is a

Ruby On Rails CSCI 5449 Submitted by: Bhaskar Vaish What is Ruby on Rails ? Ruby on Rails is a

Ruby On Rails CSCI 5449 Submitted by: Bhaskar Vaish What is Ruby on Rails ? Ruby on Rails is a web application framework written in Ruby, a dynamic programming language. Ruby on Rails uses the Model-View-Controller (MVC) architecture pattern

645 views • 39 slides
Ruby On Rails James Reynolds Today Ruby on Rails introduction Run Enviornments MVC A little

Ruby On Rails James Reynolds Today Ruby on Rails introduction Run Enviornments MVC A little

Ruby On Rails James Reynolds Today Ruby on Rails introduction Run Enviornments MVC A little Ruby Exercises Installation Mac OS X 10.5 will include Rails Mac OS X 10.4 includes Ruby Most people reinstall it anyway From scratch Drag and

1.26k views • 66 slides
Ruby Movement on

Ruby Movement on

Ruby Movement on medical standard and its implementation by Ruby Shinji KOBAYASHI; Ehime University Agenda Who am I?

828 views • 58 slides
MIT KDC integration Andreas Schneider &lt;asn@samba.org&gt; G unther Deschner

MIT KDC integration Andreas Schneider &lt;asn@samba.org&gt; G unther Deschner

MIT KDB Design Ongoing development Remaining bits Heimdal sacrifices MIT KDC integration Andreas Schneider &lt;asn@samba.org&gt; G unther Deschner &lt;gd@samba.org&gt; Red Hat May 21th, 2015 Andreas Schneider &lt;asn@samba.org&gt; G

1.17k views • 29 slides
User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

ITS335 User Authentication Authentication Passwords User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens Biometrics Sirindhorn International Institute of Technology Summary Thammasat University Prepared

663 views • 40 slides
(username, password) ? x ? ? ? ? but (username,hash(password))

(username, password) ? x ? ? ? ? but (username,hash(password))

Hash Functions - Bart Preneel June 2016 Hash functions X.509 Annex D RIPEMD-160 SHA-3 MDC-2 SHA-256 MD2, MD4, MD5 Introduction to the SHA-512 SHA-1 Design and Cryptanalysis of Cryptographic Hash Functions This is an input to a crypto-

517 views • 10 slides
Authentication CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 7

Authentication CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 7

Authentication CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 7 Page 1 CS 236 Online Outline Introduction Basic authentication mechanisms Lecture 7 Page 2 CS 236 Online Introduction Much of

799 views • 30 slides
Learning from Adobe Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013 Quickly,

Learning from Adobe Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013 Quickly,

Better PHP Security Learning from Adobe Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013 Quickly, about me Consultant Senior Engineer Developer Senior Developer Director of Tech Hosting Manager Support

478 views • 32 slides
Encryption The Problem Using HTTP , anyone with access to your packets can see everything you

Encryption The Problem Using HTTP , anyone with access to your packets can see everything you

Encryption The Problem Using HTTP , anyone with access to your packets can see everything you are doing online This includes your passwords! Who has access to my packets? Your ISP at home UBIT on campus Tier 1 Networks

232 views • 22 slides
AEAD Ciphers for Highly Constrained Networks Ren Struik e-mail: rstruik.ext@gmail.com Slide

AEAD Ciphers for Highly Constrained Networks Ren Struik e-mail: rstruik.ext@gmail.com Slide

August 13, 2013 DIAC 2013 AEAD Ciphers for Highly Constrained Networks Ren Struik e-mail: rstruik.ext@gmail.com Slide 1 Ren Struik (Struik Security Consultancy) August 13, 2013 DIAC 2013 Outline 1. Highly Constrained Networks

559 views • 30 slides
Securing Information Systems You re on LinkedIn? Watch Out! Problem: Massive data breach;

Securing Information Systems You re on LinkedIn? Watch Out! Problem: Massive data breach;

Securing Information Systems You re on LinkedIn? Watch Out! Problem: Massive data breach; using old security practices Solution: Initiative to use minimal up-to-date industry practices, for example, salting passwords Illustrates

1.38k views • 56 slides

More recommend