Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Ruby Kryptography (RubyConf Argentina 2013)

Andrés N. Robalino
November 28, 2013
0
220

Ruby Kryptography (RubyConf Argentina 2013)

Analizaremos problemas que enfrentamos cuando queremos incorporar seguridad en nuestras aplicaciones. La importancia de la criptografía, particularmente en estas fechas lo que hemos podido aprender de travesuras realizadas por cierta agencia. ¿Qué opciones tenemos en Ruby? La extensión OpenSSL tiene muchos obstáculos. Se desea una solución que nos permita tener control total de operaciones primitivas de cifrado para los expertos así como la alternativa de usar correctamente si uno no es experto. ¿No sería agradable una gema que ofrezca estas soluciones? Krypt es una gema "platform- and library-independent cryptography for Ruby" que solucionará nuestros problemas. Hasta la fecha se ha incorporado en JRuby core. Analizaremos como funciona y que ofrece para nuestras necesidades de seguridad.

Andrés N. Robalino

November 28, 2013
Tweet

More Decks by Andrés N. Robalino

See All by Andrés N. Robalino
La gallina que canta, pierde el huevo. (Regional Scrum Gathering México 2020)
andrasio
0
39
¿Por qué Rust?
andrasio
0
180
Deuda Técnica. Colabora y Entrega.
andrasio
0
86
Func Developeroa (VI Jornadas Tecnológicas e Industriales)
andrasio
0
77
Of Developers and Testers and cooking together the pepino ruby recipe test (Agiles 2013)
andrasio
0
87
Comunica el código en el mismo vocabulario del dominio (Campus Party Quito 2013)
andrasio
0
71
Name Your State State Your Thread (Nordic Ruby 2013)
andrasio
0
33
I can't see the popups and buttons to submit on this black screen. (La Conf 2013)
andrasio
0
230

Featured

See All Featured
Ruby is Unlike a Banana
tanoku
96
11k
Git: the NoSQL Database
bkeepers
PRO
427
64k
Rails Girls Zürich Keynote
gr2m
93
13k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
Navigating Team Friction
lara
183
14k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
6
390
4 Signs Your Business is Dying
shpigford
180
21k
A Philosophy of Restraint
colly
203
16k
A Modern Web Designer's Workflow
chriscoyier
693
190k
It's Worth the Effort
3n
183
27k
The Cult of Friendly URLs
andyhume
78
6k
Building Adaptive Systems
keathley
38
2.3k

Transcript

  1. Andrés N. Robalino @androbtech kryptography 1 Wednesday, December 4, 13

  2. @carlosjijon @sd @jera1618 @luinix 2 Wednesday, December 4, 13

  3. Cryptography is difficult. 3 Wednesday, December 4, 13

  4. Like any field, we have experts and “regular” users. 4

    Wednesday, December 4, 13

  5. We can use tools for applying them. 5 Wednesday, December

    4, 13

  6. Tools are not always the answer. 6 Wednesday, December 4,

    13

  7. Guidelines for using them are. 7 Wednesday, December 4, 13

  8. Examples in real life. 8 Wednesday, December 4, 13

  9. Your body composition! 9 Wednesday, December 4, 13

  10. What macro ratios? Suitable mm decreases? tempo? high intensity or

    high volume? carb cycling? 10 Wednesday, December 4, 13

  11. Which diet? Exercises? skinfold measurements, scale, how many times a

    day? 10 meals? 3 meals? 11 Wednesday, December 4, 13

  12. Does not matter if you are an expert or not,

    with the right guidelines you do great! 12 Wednesday, December 4, 13

  13. Programming Concurrency 13 Wednesday, December 4, 13

  14. Locks! 14 Wednesday, December 4, 13

  15. Mutable references (identities), managed references (STM), Actors languages for concurrency,

    lazy sequences to get memoization! 15 Wednesday, December 4, 13

  16. Tools, precisely. 16 Wednesday, December 4, 13

  17. Suitable design approaches? what guarantees good throughput, latency, where are

    my guidelines! 17 Wednesday, December 4, 13

  18. Let’s talk about Cryptography 18 Wednesday, December 4, 13

  19. Privacy is important. 19 Wednesday, December 4, 13

  20. Work on cryptanalysis is done all the time. 20 Wednesday,

    December 4, 13

  21. That includes turning the Internet into a massive surveillance tool.

    21 Wednesday, December 4, 13

  22. "Also, we are investing in groundbreaking cryptanalytic capabilities to defeat

    adversarial cryptography and exploit internet traffic." - Director of National Intelligence James Clapper 22 Wednesday, December 4, 13

  23. The NSA has a lot of people thinking about this

    problem full- time. According to the black budget summary, 35,000 people and $11 billion annually are part of the Department of Defense- wide Consolidated Cryptologic Program. Of that, 4 percent -- or $440 million -- goes to "Research and Technology." - Bruce Schneier 23 Wednesday, December 4, 13

  24. Backdoor attempts 24 Wednesday, December 4, 13

  25. The Linux Backdoor Attempt in 2003 https://freedom-to-tinker.com/blog/felten/the-linux-backdoor-attempt-of-2003/ 25 Wednesday, December

    4, 13

  26. DUAL_EC_DRGB http://www.wired.com/threatlevel/2013/09/nsa-backdoor/all/ They laid out a case showing that a

    new encryption standard, given a stamp of approval by the U.S. government, possessed a glaring weakness that made an algorithm in it susceptible to cracking. But the weakness they described wasn’t just an average vulnerability, it had the kind of properties one would want if one were intentionally inserting a backdoor to make the algorithm susceptible to cracking by design. Early this month the New York Times drew a connection between their talk and memos leaked by Edward Snowden, classified Top Secret, that apparently confirms that the weakness in the standard and so-called Dual_EC_DRBG algorithm was indeed a backdoor. The Times story implies that the backdoor was intentionally put there by the NSA as part of a $250-million, decade-long covert operation by the agency to weaken and undermine the integrity of a number of encryption systems used by millions of people around the world. 26 Wednesday, December 4, 13

  27. http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/2006/CS/CS-2006-07.pdf 27 Wednesday, December 4, 13

  28. Rubygems.org compromised https://news.ycombinator.com/item?id=5139583 28 Wednesday, December 4, 13

  29. Integrity of gems in question 29 Wednesday, December 4, 13

  30. Should we worry about this? 30 Wednesday, December 4, 13

  31. Researchers have revealed, and Adobe has confirmed, that the millions

    passwords stolen during the breach in October were not originally stored according to industry best practices. Instead of being hashed, the passwords were encrypted, which could make things a little easier for those looking to crack them. http://www.csoonline.com/article/742570/adobe-confirms-stolen-passwords-were-encrypted-not-hashed 31 Wednesday, December 4, 13

  32. Let’s talk about very basic Cryptography 32 Wednesday, December 4,

    13

  33. ECB is bad, very bad. 33 Wednesday, December 4, 13

  34. What’s the big deal with ECB? 34 Wednesday, December 4,

    13

  35. 35 Wednesday, December 4, 13

  36. 36 Wednesday, December 4, 13

  37. Why I’m I allowed to call #iv=? 37 Wednesday, December

    4, 13

  38. What’s the big deal with ECB? 38 Wednesday, December 4,

    13

  39. Let’s study another mode, CBC 39 Wednesday, December 4, 13

  40. 40 Wednesday, December 4, 13

  41. 41 Wednesday, December 4, 13

  42. 42 Wednesday, December 4, 13

  43. Feistel cipher? anyone? 43 Wednesday, December 4, 13

  44. Just the tip of the iceberg. 44 Wednesday, December 4,

    13

  45. What is wanted here is a practical way to write

    secure applications without worrying about the details. 45 Wednesday, December 4, 13

  46. rbNaCl / libsodium 46 Wednesday, December 4, 13

  47. 47 Wednesday, December 4, 13

  48. Keyczar 48 Wednesday, December 4, 13

  49. What about legacy applications? 49 Wednesday, December 4, 13

  50. What was DES again? and 3DES? 50 Wednesday, December 4,

    13

  51. Block cipher based on a structure referred to a Feistel

    block cipher. 51 Wednesday, December 4, 13

  52. Finally proved insecure in 1998 52 Wednesday, December 4, 13

  53. 3DES was incorporated as part of the Data Encryption Standard

    in 1999 53 Wednesday, December 4, 13

  54. Three keys and three executions of the DES algorithm 54

    Wednesday, December 4, 13

  55. Follows an encrypt-decrypt- encrypt sequence 55 Wednesday, December 4, 13

  56. No cryptographic significance to the use of decryption for the

    second stage of 3DES encryption 56 Wednesday, December 4, 13

  57. It is there to allow users of 3DES to decrypt

    data encrypted by users of the older DES 57 Wednesday, December 4, 13

  58. 3DES raises the key length up to 168bits. If two

    keys are used (FIPS 46-3) the key length is 112bits 58 Wednesday, December 4, 13

  59. How can we work with crypto by allowing full control

    to the experts and enjoy a simple to use API for “regulars”? 59 Wednesday, December 4, 13

  60. Hard thing to do. There is this gem... 60 Wednesday,

    December 4, 13

  61. 61 Wednesday, December 4, 13

  62. Team: @nahi, @_emboss_, @vipulnsward, @qmx, @abstractj 62 Wednesday, December 4,

    13

  63. Is it any good? 63 Wednesday, December 4, 13

  64. https://github.com/jruby/jruby/ commit/cc9acbaf2 Incorporate Krypt and wire it up for OpenSSL::PKCS5.

    64 Wednesday, December 4, 13

  65. 65 Wednesday, December 4, 13

  66. Participating GSOC ’12 & ’13 66 Wednesday, December 4, 13

  67. Throughly tested, including fuzz testing. 67 Wednesday, December 4, 13

  68. Runs on all Rubies 68 Wednesday, December 4, 13

  69. Try to use as much Ruby as possible 69 Wednesday,

    December 4, 13

  70. Native code is used to wrap existing libraries to krypt

    interface (only happens in the background) 70 Wednesday, December 4, 13

  71. You are free to choose other crypto libraries. 71 Wednesday,

    December 4, 13

  72. The rest is Ruby. 72 Wednesday, December 4, 13

  73. openssl isn’t available everywhere 73 Wednesday, December 4, 13

  74. Focus is on Ruby code. Native parts might be needed

    but they interface with FFI, using java in addition. 74 Wednesday, December 4, 13

  75. FFI allows to work anything that work on MRI, Rubinious,

    directly on jruby. 75 Wednesday, December 4, 13

  76. openssl (C lib) can be used in jruby without changing

    any code thanks to FFI. 76 Wednesday, December 4, 13

  77. It is a framework that provides ciphers, digests, signatures, asn.1

    DSL 77 Wednesday, December 4, 13

  78. High-level APIs in case the only interest is writing secure

    applications. 78 Wednesday, December 4, 13

  79. Quick look again at encryption 79 Wednesday, December 4, 13

  80. 80 Wednesday, December 4, 13

  81. Quick look password hashing 81 Wednesday, December 4, 13

  82. 82 Wednesday, December 4, 13

  83. Enjoy looking up method signatures in the docs! 83 Wednesday,

    December 4, 13

  84. 84 Wednesday, December 4, 13

  85. Encrypting with Krypt 85 Wednesday, December 4, 13

  86. 86 Wednesday, December 4, 13

  87. Password Hashing with Krypt 87 Wednesday, December 4, 13

  88. 88 Wednesday, December 4, 13

  89. Validating Certificates 89 Wednesday, December 4, 13

  90. 90 Wednesday, December 4, 13

  91. Runs everywhere 91 Wednesday, December 4, 13

  92. 92 Wednesday, December 4, 13

  93. 93 Wednesday, December 4, 13

  94. 94 Wednesday, December 4, 13

  95. Thank you! @androbtech Questions 95 Wednesday, December 4, 13