
Implementing Encryption

Gene Chorba
February 18, 2017

Transcript

  1. Who am I?
     - Gene Chorba
     - Lead Developer Evangelist at Atlanta based startup Ionic Security
     - Spends most weekends either speaking about security, or at a Hackathon
     - Loves Developer Conferences, Hackathons, and long walks on the beach
     - Find me on Twitter @dualpandas or GitHub @gchorba
  2. Why Use Encryption?
     - Keep information secret: confidentiality
     - Protect information from tampering: integrity
     - Tell if a person is who they say they are: authentication
     - Allow or deny access to data, etc.: authorization (access control)
     - Prove that a person really did something: non-repudiation
  3. What Should You Be Using It For?
     - Secure email: sign and/or encrypt messages
     - Secure browsing: SSL, authentication and encryption
     - Secure code: Authenticode
     - Secure wireless: PEAP and EAP-TLS
     - Secure documents: Rights Management
     - Secure networks: segmentation via IPsec
     - Secure files: Encrypted File System (EFS)
  4. Key Terms
     - Key: The piece of information that allows you to either encrypt or decrypt your data.
     - Plaintext: The information that you want to keep hidden, in its unencrypted form. The plaintext can be any data at all: a picture, a spreadsheet, or even a whole hard disk.
     - Ciphertext: The information in encrypted form.
     - Cipher: The algorithm that converts plaintext to ciphertext and vice versa.
  5. Advanced Key Terms
     - Salt: randomizes the hash of the key; prevents rainbow table attacks against the key.
     - IV (initialization vector): randomizes the encrypted message; prevents rainbow table attacks against the message.
     - Derived Key: lengthens and strengthens the key via hashing; used instead of the original key; slows down brute-force attacks against the key.
  6. Encryption
     - Encryption provides confidentiality.
     - Data is encrypted using an encryption algorithm together with the encryption key.
     - The algorithm is used with the decryption key to recover the original data.
     [Diagram: "The quick brown fox" → encrypt with key Ke → 4f60ce544b43c13f1d → decrypt with key Kd → "The quick brown fox"]
  7. Symmetric cryptography (Private Key)
     - In a symmetric (single-key, or secret-key) encryption algorithm, the decryption key is the same as the encryption key (or can be easily derived from it).
     - Examples: RC4, DES, triple-DES, and AES
     - Problem: How do you securely distribute the key? The more folks who have the key, the weaker the system.
     [Diagram: "The quick brown fox" → encrypt with key K → 4f60ce544b43c13f1d]
  8. Asymmetric cryptography (Public Key)
     - Asymmetric key cryptography uses two separate keys: one private and one public.
     - Asymmetric-key cryptography is based on personal secrecy.
     - Examples of algorithms: RSA, El Gamal, Diffie-Hellman
     - Examples of protocols using public key algorithms: PGP, Secure Socket Layer (SSL), Secure Shell (SSH), Bitcoin
     [Diagram: Bob encrypts "Hello Alice!" with Alice's public key → 4f60ce544b43c13f1d; Alice decrypts it with Alice's private key → "Hello Alice!"]
  9. Comparison
     SYMMETRIC
     - The same algorithm with the same key is used for encryption and decryption.
     - The key must be kept secret.
     ASYMMETRIC
     - One algorithm is used for encryption and decryption with a pair of keys, one for encryption and one for decryption.
     - One of the two keys must be kept secret.
  10. Comparison
     SYMMETRIC
     - Alice encrypts her message to Bob with KA and sends it to Trent.
     - Trent decrypts the message with KA.
     - Trent takes the decrypted message and a statement that he has received this message from Alice, and encrypts the whole bundle with KB.
     - Trent sends the encrypted bundle to Bob.
     - Bob decrypts the bundle with KB. He can now read both the message and Trent's certification that Alice sent it.
     ASYMMETRIC
     - Alice encrypts the document with her private key, thereby signing the document.
     - Alice sends the signed document to Bob.
     - Bob decrypts the document with Alice's public key, thereby verifying the signature.
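The two asymmetric flows above (Bob encrypting to Alice's public key on slide 8, Alice signing with her private key on slide 10) can be traced by hand with textbook RSA. The following is an added example and not code from Gene Chorba's deck: it uses constructed small primes (p = 61, q = 53, e = 17, so n = 3233) and per-block exponentiation with no padding, which is fine for seeing which key does what but is not how RSA is used in practice (real deployments use 2048-bit moduli, OAEP/PSS padding and a vetted library). The helper names (make_keypair, encrypt, decrypt, sign, verify) are my own, and pow(e, -1, phi) needs Python 3.8 or later.

```python
# Added example, not from the deck: textbook RSA with constructed small primes
# so the public/private key roles from slides 8 and 10 can be traced by hand.
# Textbook RSA (no padding, tiny modulus) is for teaching only; real systems use
# 2048-bit moduli, OAEP/PSS padding and a vetted library such as `cryptography`.
import hashlib
from math import gcd


def make_keypair(p: int, q: int, e: int = 17):
    """Return (public, private) as (exponent, modulus) pairs built from two primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse of e; needs Python 3.8+
    return (e, n), (d, n)


def int_to_blocks(value: int, n: int) -> list:
    """Split an integer into base-n digits (least significant first) so every block is < n."""
    blocks = []
    while value:
        value, rem = divmod(value, n)
        blocks.append(rem)
    return blocks


def blocks_to_int(blocks: list, n: int) -> int:
    """Inverse of int_to_blocks."""
    value = 0
    for block in reversed(blocks):
        value = value * n + block
    return value


def rsa_apply(key, blocks: list) -> list:
    """Raise every block to the key's exponent mod n: the single RSA operation."""
    exponent, n = key
    return [pow(b, exponent, n) for b in blocks]


def encrypt(public_key, plaintext: bytes) -> list:
    """Bob encrypts with Alice's public key (slide 8)."""
    return rsa_apply(public_key, int_to_blocks(int.from_bytes(plaintext, "big"), public_key[1]))


def decrypt(private_key, ciphertext: list) -> bytes:
    """Alice decrypts with her private key. Leading zero bytes of the plaintext are not preserved."""
    value = blocks_to_int(rsa_apply(private_key, ciphertext), private_key[1])
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def sign(private_key, message: bytes) -> list:
    """Alice signs by applying her private key to a hash of the document (slide 10)."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return rsa_apply(private_key, int_to_blocks(digest, private_key[1]))


def verify(public_key, message: bytes, signature: list) -> bool:
    """Bob verifies by applying Alice's public key and comparing with his own hash of the message."""
    expected = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return blocks_to_int(rsa_apply(public_key, signature), public_key[1]) == expected


if __name__ == "__main__":
    alice_public, alice_private = make_keypair(61, 53)  # constructed primes: n = 3233
    ciphertext = encrypt(alice_public, b"Hello Alice!")
    print("ciphertext blocks:", ciphertext)
    print("decrypted       :", decrypt(alice_private, ciphertext))
    contract = b"Alice agrees to pay Bob 10 BTC"  # constructed sample document
    signature = sign(alice_private, contract)
    print("signature valid :", verify(alice_public, contract, signature))
    print("tampered valid  :", verify(alice_public, contract + b"0", signature))
```

Note that encryption and signing are the same modular exponentiation; what changes is which key is applied first. Because the modulus is tiny, each block is a single value below 3233, so the same plaintext always gives the same ciphertext blocks; that determinism is exactly what padding removes in real RSA.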
  11. Encryption Libraries
     - Simple-Crypt: https://pypi.python.org/pypi/simple-crypt
     - Pycryptodome: https://www.pycryptodome.org
     - Cryptography: https://cryptography.io
     - OSCrypto: https://github.com/wbond/oscrypto
  12. Encryption Libraries – simple-crypt
     - Simple-Crypt: https://pypi.python.org/pypi/simple-crypt
     - Install using: pip install simple-crypt

         from simplecrypt import encrypt, decrypt

         password = 'your password here'  # any string; simple-crypt derives the key from it
         ciphertext = encrypt(password, 'my secret message')
         plaintext = decrypt(password, ciphertext)
  13. Encryption Libraries – simple-crypt
     password: ******
     message: hello world
     ciphertext: b'73630001b1c39575390d5720f2a80e7a06fbddbf2c844d6b8eaf845d4a9e140d46a54c6729e74b0ddeb1cb82dee81691123faf8f41900c5a6c5b755ed8ae195ff2410290bcb8dc2ee3a2126c594b711d'
     plaintext: b'hello world\n'
     plaintext as string: hello world
  14. Encryption Libraries – Pycryptodome
     - Pycryptodome is a replacement for pycrypto. Development stopped on pycrypto in 2012.
     - PyCryptodome can be used as a drop-in replacement for the old PyCrypto library.
     - You install it with: pip install pycryptodome
  15. Cryptography
     - Support for Python 3
     - Support for modern algorithms such as AESGCM and HKDF
     - Improved debugability and testability
     - Secure API design
  16. Best Practices
     - Avoid hashing methods like MD5 or SHA-1; use at least SHA-2 or SHA-3.
     - Key stretching for strong passwords
     - Preventing brute-force or dictionary attacks:

         import hashlib

         # key, password and salt are bytes; the loop re-hashes `iterations` times
         for i in range(iterations):  # xrange in the original Python 2 code
             m = hashlib.sha512()
             m.update(key + password + salt)
             key = m.digest()
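Slide 16's loop and the salt / derived-key terms from slide 5 come together in the following added example, which is my code and not part of the deck. It runs the slide's iterated-SHA-512 loop (with the initial key assumed to be an empty byte string, which the slide does not show) next to PBKDF2-HMAC-SHA512 from the Python standard library, stores a per-user random salt, and checks a password against the stored derived key in constant time. The function names, the sample password and the iteration counts are constructed for the example.

```python
# Added example, not from the deck: salted key stretching. Shows the slide's
# iterated-SHA-512 loop (initial key assumed to be b"") next to PBKDF2-HMAC-SHA512
# from hashlib, plus a constant-time check of a stored derived key.
import hashlib
import hmac
import os
import time


def stretch_sha512_loop(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Slide 16's loop: key = SHA-512(key || password || salt), repeated `iterations` times."""
    key = b""  # assumed starting value; the slide does not show how key is initialised
    for _ in range(iterations):
        key = hashlib.sha512(key + password + salt).digest()
    return key


def derive_key_pbkdf2(password: bytes, salt: bytes, iterations: int = 200_000, length: int = 32) -> bytes:
    """Standard alternative: PBKDF2-HMAC-SHA512, returning `length` bytes of derived key."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=length)


def new_salt(size: int = 16) -> bytes:
    """A fresh random salt per password. It is stored next to the derived key and need not be secret."""
    return os.urandom(size)


def check_password(password: bytes, salt: bytes, iterations: int, stored_key: bytes) -> bool:
    """Re-derive and compare in constant time so timing does not reveal how many bytes matched."""
    candidate = derive_key_pbkdf2(password, salt, iterations, len(stored_key))
    return hmac.compare_digest(candidate, stored_key)


def seconds_per_guess(password: bytes, salt: bytes, iterations: int) -> float:
    """Wall-clock cost of one derivation: what every brute-force or dictionary guess must pay."""
    start = time.perf_counter()
    derive_key_pbkdf2(password, salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    salt = new_salt()
    pw = b"correct horse battery staple"  # constructed sample password
    iterations = 200_000
    stored = derive_key_pbkdf2(pw, salt, iterations)   # what you keep in the user record
    print("salt       :", salt.hex())
    print("stored key :", stored.hex())
    print("loop key   :", stretch_sha512_loop(pw, salt, iterations).hex()[:32], "...")
    print("login ok   :", check_password(pw, salt, iterations, stored))
    print("wrong pw   :", check_password(b"correct horse battery stapel", salt, iterations, stored))
    print("cost/guess : %.3f s" % seconds_per_guess(pw, salt, iterations))
```

Both functions are deterministic for a given password, salt and iteration count, which is what lets the login path re-derive and compare. The salt is what stops a precomputed table from covering every user at once, and the iteration count is the knob that turns one cheap hash into a cost the attacker has to pay per guess; the hand-rolled loop shows the idea, PBKDF2 (or scrypt/Argon2) is what to ship.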
  17. Viability
     - No encryption scheme is foolproof!
     - Two requirements are needed to make encryption viable:
       - The cost of breaking exceeds the value of the encrypted information.
       - The time required to break the cipher exceeds the useful lifetime of the information.
  18. Learn More
     - If you want to learn more about encryption, I highly recommend reading Crypto 101 by Laurens Van Houtven: https://www.crypto101.io/
     - Ask me questions on Twitter: @dualpandas
     - Buy me a beer