Ruby Monstas Session 17: Interlude: Encryption Encryption What - - PowerPoint PPT Presentation

ruby monstas
SMART_READER_LITE
LIVE PREVIEW

Ruby Monstas Session 17: Interlude: Encryption Encryption What - - PowerPoint PPT Presentation

Apr 11, 2024 371 likes •838 views

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about encryption? Encryption Certificates Crypto Currencies Public Key AES Encryption Privacy SSH VPN HTTPS TLS Quantum Digital Signatures

slide-1
SLIDE 1

Ruby Monstas

Session 17: Interlude: Encryption

slide-2
SLIDE 2

Encryption

What comes to mind if you think about encryption?

slide-3
SLIDE 3

Encryption

TLS HTTPS Caesar Cipher Enigma Public Key Encryption Symmetric Encryption Digital Signatures Passwords Encryption Keys AES PGP/GPG Certificates Crypto Currencies NSA End-to-end SHA-1 VPN Quantum Cryptography Elliptic curves SSH Privacy

slide-4
SLIDE 4

Encryption

MAGIC!

slide-5
SLIDE 5

Encryption

MAGIC! MATH!

slide-6
SLIDE 6

Mathematical Ingredients

  • Long integers
  • Multiplication
  • Exponentiation
  • Division
  • Modulo
  • Prime numbers

No math details in this talk though!

slide-7
SLIDE 7

Topics

  • Symmetric Encryption
  • Random numbers
  • Asymmetric (public key) Encryption
  • Cryptographic Hash Functions
slide-8
SLIDE 8

A bit of history

Source: https://en.wikipedia.org/wiki/Cryptography Caesar cipher Scytale Enigma

slide-9
SLIDE 9

Symmetric encryption

slide-10
SLIDE 10

Symmetric encryption

slide-11
SLIDE 11

Symmetric encryption

Symmetric encryption algorithm Symmetric decryption algorithm

slide-12
SLIDE 12

Symmetric encryption

Examples:

  • AES (Rijndael)
  • DES, 3DES
  • Blowfish

Advantage: Generally good performance Disadvantage: Both parties need to know the key

slide-13
SLIDE 13

Symmetric encryption

Problem: People’s brains are terrible at generating keys! If the key or even only part of it can be guessed, it makes an attack easier (brute force).

slide-14
SLIDE 14

Random numbers

Why random numbers? Keys (e.g. to encrypt things with) are generated from random numbers. Caveat: It’s hard to generate truly random numbers! Computers are deterministic machines by definition. Where can the randomness come from?

slide-15
SLIDE 15

Random numbers

https://xkcd.com/221/

How not to do it:

slide-16
SLIDE 16

Random numbers

What to do instead: Collect truly random data (so-called entropy) and generate random numbers from it!

% xxd -l 16 -p /dev/random 03515dce8971a29f6764c0c275784ec0

slide-17
SLIDE 17

Random numbers

What can happen?

Wikipedia: Prominent random number generator attacks

When part of the key is predictable it can take attackers orders of magnitude less time to guess the key!

slide-18
SLIDE 18

Symmetric encryption

require 'openssl' ALGORITHM = 'AES-256-CBC' puts 'Enter message to encrypt:' message = gets.chomp cipher = OpenSSL::Cipher.new(ALGORITHM) key = cipher.random_key hex_key = key.unpack('H*').first puts "Randomly generated key in hexadecimal: #{hex_key}" cipher.encrypt cipher.key = key encrypted_message = cipher.update(message) encrypted_message << cipher.final hex_encrypted_message = encrypted_message.unpack('H*').first puts "Encrypted message in hexadecimal: #{hex_encrypted_message}"

% ruby aes_encrypt.rb Enter message to encrypt: Hello, Bob! Randomly generated key in hexadecimal: 52b0278e72ef57afdfae73baf1145d4309 4c8ba071e8c5dd7449c99dfa0fe146 Encrypted message in hexadecimal: d789d4b1d816d150e146d857e927ac8b

slide-19
SLIDE 19

Symmetric encryption

require 'openssl' ALGORITHM = 'AES-256-CBC' puts 'Enter key to decrypt with (in hexadecimal):' hex_key = gets.chomp puts 'Enter message to decrypt (in hexadecimal):' hex_message = gets.chomp cipher = OpenSSL::Cipher.new(ALGORITHM) key = [hex_key].pack('H*') message = [hex_message].pack('H*') cipher.decrypt cipher.key = key message = cipher.update(message) message << cipher.final puts "Decrypted message: #{message}"

% ruby aes_decrypt.rb Enter key to decrypt with (in hexadecimal): 52b0278e72ef57afdfae73baf1145d4309 4c8ba071e8c5dd7449c99dfa0fe146 Enter message to decrypt (in hexadecimal): d789d4b1d816d150e146d857e927ac8b Decrypted message: Hello, Bob!

slide-20
SLIDE 20

Asymmetric (public key) encryption

  • 1. Generating a key pair

Key generation algorithm Alice’s private key Alice’s public key Key generation algorithm Bob’s private key Bob’s public key

slide-21
SLIDE 21

Asymmetric (public key) encryption

  • 2. Publishing keys

Alice’s private key Alice’s public key Bob’s private key Bob’s public key

slide-22
SLIDE 22

Asymmetric (public key) encryption

  • 3. Encryption using Bob’s public key

Asymmetric encryption algorithm Bob’s public key

slide-23
SLIDE 23

Asymmetric (public key) encryption

  • 4. Decryption using Bob’s private key

Asymmetric decryption algorithm Bob’s private key

slide-24
SLIDE 24

Asymmetric (public key) encryption

  • 5. Encryption using Alice’s public key

Asymmetric encryption algorithm Alice’s public key

slide-25
SLIDE 25

Asymmetric (public key) encryption

  • 5. Decryption using Alice’s private key

Asymmetric decryption algorithm Alice’s private key

slide-26
SLIDE 26

Asymmetric (public key) encryption

Examples:

  • RSA
  • ElGamal
  • PGP

Advantage: Public keys can be exchanged in the open Disadvantage: Generally slower than symmetric crypto

slide-27
SLIDE 27

Asymmetric (public key) encryption

Public keys are public. Anyone can use them. How does Bob know the message is from Alice and vice versa? Enter: Cryptographic Hash Functions!

slide-28
SLIDE 28

Use: “Digesting” an arbitrary length text into a value of fixed length:

% echo 'Hello, Bob!' | shasum -a 256 c4aaca0f9c0d691671659dfbcdf030d6009c2551fb53e4761a30cb29fc5f9ffb -

Cryptographic Hash Functions

slide-29
SLIDE 29

The ideal cryptographic hash function has five main properties:

  • it is deterministic so the same message always results in the same hash
  • it is quick to compute the hash value for any given message
  • it is infeasible to generate a message from its hash value except by trying

all possible messages

  • a small change to a message should change the hash value so extensively

that the new hash value appears uncorrelated with the old hash value

  • it is infeasible to find two different messages with the same hash value

Source: Wikipedia: Cryptographic hash function

Cryptographic Hash Functions

slide-30
SLIDE 30

Cryptographic Hash Functions

How are passwords stored, e.g. for your Gmail account? Possibility: In plain text Disadvantage: If your database gets stolen, all your users’ passwords are compromised!

slide-31
SLIDE 31

Better idea: Use a cryptographic hash function!

Cryptographic Hash Functions

Cryptographic hash function

Additional benefit: All the stored, hashed passwords have the same length!

Data- base Sign up:

slide-32
SLIDE 32

Better idea: Use a cryptographic hash function!

Cryptographic Hash Functions

Cryptographic hash function

Data- base Log in:

slide-33
SLIDE 33

What if two users choose the same password by chance? An attacker could use that information if the database gets compromised! Solution: Salt your password!

Cryptographic Hash Functions

slide-34
SLIDE 34

Cryptographic Hash Functions

Cryptographic hash function

Data- base Sign up: “Salt”

slide-35
SLIDE 35

Cryptographic Hash Functions

Cryptographic hash function

Data- base Log in: “Salt”

slide-36
SLIDE 36

Password hashing and salting in Ruby using bcrypt gem:

Cryptographic Hash Functions

Handy: bcrypt puts the password hash and the salt in the same String!

Caveat: Bcrypt doesn’t actually use a cryptographic hash function, but the Blowfish symmetric cipher. The principle stays the same though!

irb(main):001:0> require 'bcrypt' => true irb(main):005:0> password_hash = BCrypt::Password.create("Password123!") => "$2a$10$yxazpyL1iZ7lpLr/c8w4l.Eyii7oI3pRwmyw1gS/euLF4CJEtz6RK" irb(main):006:0> password_object = BCrypt::Password.new(password_hash) => "$2a$10$yxazpyL1iZ7lpLr/c8w4l.Eyii7oI3pRwmyw1gS/euLF4CJEtz6RK" irb(main):007:0> password_object == 'wrong password' => false irb(main):008:0> password_object == 'Password123!' => true

slide-37
SLIDE 37

Cryptographic Hash Functions

Security as of mid 2018:

  • MD5 is considered broken
  • SHA-1 is considered broken
  • SHA256 or other SHA variants with longer

bit lengths should be used

slide-38
SLIDE 38

Putting it all together

  • 1. Calculating a cryptographic hash over the message

Cryptographic hash function

slide-39
SLIDE 39

Putting it all together

Asymmetric encryption algorithm Alice’s private key

  • 2. Encrypting the hash using Alice’s private key
slide-40
SLIDE 40

Putting it all together

Asymmetric encryption algorithm

  • 3. Encrypting message + signature using Bob’s public key

Bob’s public key

slide-41
SLIDE 41

Putting it all together

  • 4. Decryption using Bob’s private key

Asymmetric decryption algorithm Bob’s private key

slide-42
SLIDE 42

Putting it all together

  • 5. Decryption of signature using Alice’s public key

Asymmetric decryption algorithm Alice’s public key

slide-43
SLIDE 43

Putting it all together

  • 6. Calculating a cryptographic hash over the message and

comparing to Alice’s decrypted signature

Cryptographic hash function

slide-44
SLIDE 44

PGP/GPG

This is how PGP/GPG works!

slide-45
SLIDE 45

Bonus: Diffie-Hellman Key Exchange

Turing Award 2015: Whitfield Diffie, Martin E. Hellman (public) Source: Wikipedia: Diffie-Hellman Key Exchange Diffie Merkle Hellman

slide-46
SLIDE 46

Take-home messages

Use well-researched, public algorithms! Don’t implement your own crypto algorithms! Use secure sources of randomness! Keep your private keys private!