Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Cryptography for Rails Developers - RubyConfIndia

Christopher Rigor
April 04, 2015
Programming
0
1.8k

Cryptography for Rails Developers - RubyConfIndia

Slides for my talk at RubyConfIndia. April 4, 2015.
http://rubyconfindia.org/schedule.html

Christopher Rigor

April 04, 2015
Tweet

More Decks by Christopher Rigor

See All by Christopher Rigor
Deep Dive Into Docker Containers For Rails Developers
crigor
1
120
Cryptography for Rails Developers - TropicalRB
crigor
0
190
Cryptography for Rails Developers
crigor
0
96

Other Decks in Programming

See All in Programming
競技プログラミングへのお誘い@阪大BOOSTセミナー
kotamanegi
0
360
DevFest Tokyo 2025 - Flutter のアプリアーキテクチャ現在地点
wasabeef
5
900
責務を分離するための例外設計 - PHPカンファレンス 2024
kajitack
1
560
プロダクトの品質に コミットする / Commit to Product Quality
pekepek
2
770
CQRS+ES の力を使って効果を感じる / Feel the effects of using the power of CQRS+ES
seike460
PRO
0
120
アクターシステムに頼らずEvent Sourcingする方法について
j5ik2o
4
250
선언형 UI에서의 상태관리
l2hyunwoo
0
150
今年のアップデートで振り返るCDKセキュリティのシフトレフト/2024-cdk-security-shift-left
tomoki10
0
200
CSC305 Lecture 26
javiergs
PRO
0
140
複雑な仕様に立ち向かうアーキテクチャ
myohei
0
170
Zoneless Testing
rainerhahnekamp
0
120
急成長期の品質とスピードを両立するフロントエンド技術基盤
soarteclab
0
930

Featured

See All Featured
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
17
2.3k
Thoughts on Productivity
jonyablonski
67
4.4k
Into the Great Unknown - MozCon
thekraken
33
1.5k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
226
22k
How GitHub (no longer) Works
holman
311
140k
Fireside Chat
paigeccino
34
3.1k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.3k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
45
2.2k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
232
17k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
Mobile First: as difficult as doing things right
swwweet
222
9k
Visualization
eitanlees
146
15k

Transcript

  1. Cryptography for Rails Developers

  2. Christopher Rigor @crigor

  3. None
  4. None
  5. None
  6. None

  7. 1. Public-key Cryptography

  8. 2. SSL / TLS

  9. 3. Tips for Rails Applications

  10. None

  11. Symmetric-key Cryptography

  12. One key to encrypt and decrypt

  13. "hello" ------> "aslkdfjalskjd"

  14. ciphertext

  15. Public-key Cryptography

  16. public key to encrypt private key to decrypt

  17. privatekeycheck.com

  18. Why on earth would you post it here? Now it's

    surely not.

  19. RSA

  20. 3 numbers e, n, and d

  21. e = public key n = public key d =

    private key

  22. end

  23. "en"crypt "d"ecrypt

  24. e = 17 n = 3233 d = 2753

  25. 42 ** e % n

  26. 42 ** e % n 42 ** 17 % 3233

    2557

  27. 2557

  28. "d"ecrypt

  29. 2557 ** d % n

  30. 2557 ** d % n 2557 ** 2753 % 3233

    42

  31. 42 ** e % n 2557 ** d % n

  32. n = product of 2 prime numbers

  33. e = usually 65537

  34. None

  35. e = 65537

  36. d = computed from e, prime1 and prime2

  37. -----BEGIN RSA PRIVATE KEY----- MIIEogIBAAKCAQEAwJ5g2RhxbKWq3PeS5EUIwemy1sYffQwn reUzryNwoB9/hqt0 NPAtq2vQftuko39VKw1hrpnk08bXWPqsN38HR9421q +nd0dgY1sG8EljSeG3dGvP 4rZ1EgUbac4WDAKvA+fhiebg4QS2bAaB9IEL +3rjQRhNsvaYgI2K3AHePbFVq0ut

    6Ey0WwN4m/yf8JYerJWPlHLyU8W4xtyHExuX/IK4g6Uf8Z9Av +WiK8mfHaw7Kge/ EO1UAGWOrd7RLx3A2WjOU7d0KtrshU1r64Xl4m1/ JbHQYBGkzYS0Mm7hhI5mnN/t 8h1hW2TksiVHrZ8rjOoYOrlkZOpVUwf7s2LYVQIDAQABAoIBA

  38. openssl rsa -text -in .ssh/id_rsa

  39. publicExponent: 65537 (0x10001)

  40. modulus: 00:c0:9e:60:d9:18:71:6c:a5:aa:dc:f7:92:e4:45: 08:c1:e9:b2:d6:c6:1f:7d:0c:27:ad:e5:33:af:23: 70:a0:1f:7f:86:ab:74:34:f0:2d:ab:6b:d0:7e:db: a4:a3:7f:55:2b:0d:61:ae:99:e4:d3:c6:d7:58:fa: ac:37:7f:07:47:de:36:d6:af:a7:77:47:60:63:5b: 06:f0:49:63:49:e1:b7:74:6b:cf:e2:b6:75:12:05: 1b:69:ce:16:0c:02:af:03:e7:e1:89:e6:e0:e1:04: b6:6c:06:81:f4:81:0b:fb:7a:e3:41:18:4d:b2:f6: 98:80:8d:8a:dc:01:de:3d:b1:55:ab:4b:ad:e8:4c:

    b4:5b:03:78:9b:fc:9f:f0:96:1e:ac:95:8f:94:72: f2:53:c5:b8:c6:dc:87:13:1b:97:fc:82:b8:83:a5: 1f:f1:9f:40:bf:e5:a2:2b:c9:9f:1d:ac:3b:2a:07: bf:10:ed:54:00:65:8e:ad:de:d1:2f:1d:c0:d9:68: ce:53:b7:74:2a:da:ec:85:4d:6b:eb:85:e5:e2:6d: 7f:25:b1:d0:60:11:a4:cd:84:b4:32:6e:e1:84:8e: 66:9c:df:ed:f2:1d:61:5b:64:e4:b2:25:47:ad:9f: 2b:8c:ea:18:3a:b9:64:64:ea:55:53:07:fb:b3:62: d8:55

  41. 2431585381023245243664330467172106030832010383116 4469677832495734668099074396651844271258357540051 3767266433204751301161494548152938586277693179979 9890466216086685504686094092324062775361449344083 8874077885512524472300856401934110431460528205155 8296721167524104278478378503629406922274058522565 4049522376109500926733651743749347006963603460324 4750405711451831483661181796223823470036752363791 8444923562030168749604532593343488635664366782360 4357641224346337617299750469531547237002599501779

    0644182536453093727509649248024164911346045419437 5737979721222481332470495918510303683249090717606

  42. privateExponent: 33:ed:7e:a6:88:54:6b:b9:ed:ea:4c:44:29:8e:02: e2:64:22:76:8c:4b:08:e7:31:fb:4b:83:37:80:12: 68:d8:95:04:b5:4c:4a:c9:45:46:a5:76:3b:fc:f2: d1:b1:0e:40:e1:06:a8:8f:8c:85:1b:62:0a:f6:e9: 5e:bc:bc:35:bf:ce:80:ea:31:f7:92:22:86:26:90: 24:4f:64:99:12:64:e6:d9:f9:dd:60:db:06:d4:a1: a3:50:8f:d9:05:10:31:b9:5d:b0:53:b1:e4:77:e4: c6:12:ab:0e:43:8b:fb:6c:11:c0:06:d1:4b:a1:f7: 53:10:d5:92:a2:5e:4b:ba:fe:e0:90:a6:17:44:8b:

    d3:1d:8e:f7:e6:64:a6:85:34:0e:87:b0:3b:bd:d0: 90:2a:b4:62:08:f3:fd:42:d8:73:e2:2d:54:10:8a: 5c:9c:6f:16:7f:d2:1f:8e:51:c5:14:12:91:bf:cc: 7e:34:14:e0:db:79:ee:05:45:22:de:3b:99:52:36: b1:ac:c0:e8:f6:df:02:44:b6:37:4b:f5:73:9d:41: c6:35:ba:b5:47:39:fb:d3:a2:90:80:ac:4c:0d:97: 4d:c8:8d:36:7f:ae:8e:1f:1e:e5:33:0b:51:8d:41: 35:e7:69:2a:f1:62:52:0c:fa:d4:f5:b9:7f:8d:03: 01

  43. 6555266568796053674269708820055353365692655972794 2055673580501799001476180850518758042722837636392 8351933006067037854787568194571939353701616354713 5887324275725095670658393033428680152446112426762 6108489567913588106964238660508089034140197495871 5227500433009731051490912217850124586529451451345 8923502958802219960425895673146838867589769393986 0556673632421808148038002771480134566168093718746 0473165736741978268341806296994087055044759829337 3573899404839955835464081022920152659481994084458

    0520520598913413928409545239844803823479590208225 3984444016315990695698402100055840447044896509668

  44. 42 ** e % n

  45. 7403918762823839092797670141313950212528994606053 3799517843086878229299923652258151711100231746381 6181786944539511010243166014190260358058104908205 7304340698199082430151945214069936900404923317185 5875418936265830788037850186423336723791573716176 6591077359161448282606674296267688726733192810543 3908133856731992683370184186601764915219096941742 8143523889081093181350050901295990484830674004492 0001520753653244602808387141190318409556217244506 4939370112341529423864414627775025027597348907780

    1135695002049594281938966058393001384364228739328 6572785551769536889192869044823881149520366525399

  46. c ** d % n

  47. 42

  48. Diffie-Hellman

  49. None

  50. Elliptic Curves

  51. SSL / TLS

  52. HTTPS

  53. 1995 - SSLv2 1996 - SSLv3 1999 - TLSv1 2006

    - TLSv1_1 2008 - TLSv1_2
  54. None

  55. 1. Server sends the public key 2. Browser encrypts shared

    key

  56. DES RC4 AES

  57. Attacks

  58. None
  59. None
  60. None

  61. BEAST (SSLv3, TLSv1) (DES, AES)

  62. POODLE (SSLv3) (DES, AES)

  63. Heartbleed

  64. None

  65. TLS 1.2, AES-GCM

  66. 1. Server sends the public key (RSA) 2. Browser encrypts

    shared key (RSA) 3. Browser encrypts data (AES-GCM)

  67. 1. Server sends the public key (RSA) 2. Browser encrypts

    shared key (RSA ECDHE) 3. Browser encrypts data (AES-GCM)

  68. PERFECT FORWARD SECRECY

  69. TLS 1.2 AES-GCM ECDHE

  70. Rails

  71. do not use SSLv3

  72. do not set ssl_version to TLSv1

  73. set it to SSLv23

  74. OpenSSL::SSL::OP_NO_SSLv3

  75. 2.1.4 2.0.0-p594 1.9.3-p550

  76. certificate verify failed

  77. VERIFY_NONE

  78. VERIFY_PEER

  79. ActiveSupport::MessageEncryptor

  80. key = Rails.configuration.secret_key_base crypt = ActiveSupport::MessageEncryptor.new(key) encrypted_data = crypt.encrypt_and_sign("my confidental

    data")

  81. salt = SecureRandom.random_bytes(64) key = ActiveSupport::KeyGenerator.new('password').generate_key(salt)

  82. RbNacl

  83. key = RbNaCl::Random.random_bytes(RbNaCl::SecretBox.key_bytes) box = RbNaCl::SimpleBox.from_secret_key(key) box.encrypt("my confidental data")

  84. end

  85. None

  86. Thank you [email protected] @crigor

  87. Resources https://www.flickr.com/photos/delgrossodotcom/3211643440 https://www.flickr.com/photos/ twosevenoneonenineeightthreesevenatenzerosix/6655759625 https://www.flickr.com/photos/nox_noctis_silentium/ 6315616870 https://www.flickr.com/photos/orqwith/2059728917 https://www.flickr.com/photos/37467370@N08/7606239970 https://www.flickr.com/photos/ul_marga/755378645 https://www.flickr.com/photos/richard-g/3549285383

  88. https://www.flickr.com/photos/brenda-starr/3509344100 https://www.flickr.com/photos/ 120600995@N07/14028600474 https://www.flickr.com/photos/13519089@N03/1380483002 https://www.flickr.com/photos/danielproulx/3426805996 https://www.flickr.com/photos/chrisinplymouth/4262775481 https://www.flickr.com/photos/chrisinplymouth/4117583864 https://www.flickr.com/photos/danielfoster/14758510078 https://www.flickr.com/photos/gamikun/2564208746 https://www.flickr.com/photos/nathaninsandiego/9339787996

    https://www.flickr.com/photos/dashupagla/2519031536 https://www.flickr.com/photos/imagesbywestfall/435