
Keeping Secrets: Using Encryption Effectively


We all want to protect data that is entrusted to us. Whether we are required to protect sensitive information because of regulations or simply to keep the trust of our users, a good understanding of encryption is essential. In this session we will work through common data encryption scenarios and use encryption techniques to ensure that your data stays protected. We will also review common mistakes made when using encryption and learn how to avoid them. Additionally, we will discuss techniques to guard against tampering and how to maintain the security of our data over the long term.


Joe Kuemerle

March 02, 2015

Transcript

  1. Keeping Secrets: Using Encryption Effectively Joe Kuemerle www.kuemerle.com @jkuemerle http://www.flickr.com/photos/28648582@N02/5766506970

  2. @jkuemerle / www.kuemerle.com Joe Kuemerle
    • Over 15 years of development experience with a broad range of technologies
    • Focused on application and data security, coding best practices and regulatory compliance
    • Presenter at community, regional and national events.
  3. http://www.flickr.com/photos/28725326@N07/4928122690/

  4. http://xkcd.com/1210/

  5. https://en.wikipedia.org/wiki/Letter_frequency

  6. http://www.flickr.com/photos/49889874@N05/6101434856

  7.

```text
dABoAGkAcwBpAHMAYQBuAGkAYwBlAGwAbwBuAGcAcABhAHMAcwB3AG8AcgBkAA==
h0+i44Utl3zmixH5HEBTng==
S+cORg3e4Fz7Ckxks8rd4CVmxPzNMa6v+1k+m6/VD/G/HMY/tQxWR98Ypap/sQED
dBTfZP7FM1osrctYIphw/AGDyuE=
nap/V8KGx/W+L4RXBo1qJhOq2vQ=
yuhDQAoHe1BXszrRlT1jTX8nzqs=
$2a$10$ip5k8Uu2UF7RD/oPUkVYluW8q5NSiQOl57FXuwqoGWVYqZG0lksvm
thisisanicelongpassword
$s0$e0801$ttAQ8v538tVoDxgCB2IqeoL9zgnsS19wx2BWCSOFoH0=$0isly2qWpQoaroZka2e+uGykbd7YvifFlEeRxrFe7zE=
```

  8.
  9. http://xkcd.com/1286/

  10.

  11. http://www.troyhunt.com/2012/06/our-password-hashing-has-no-clothes.html

  12. http://www.nsa.gov/kids/

  13. http://www.flickr.com/photos/rachelpasch/2480941823 http://www.flickr.com/photos/platform3/425683175

  14. http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

  15.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Weak: ECB encrypts every 16-byte block independently, so identical plaintext
// blocks produce identical ciphertext blocks; the IV is not used at all.
public static string AESWeakImpl(string Data, byte[] Key, byte[] IV)
{
    var byteData = Encoding.Unicode.GetBytes(Data);
    byte[] encrypted;
    var crypt = new AesManaged() { IV = IV, Key = Key, Mode = CipherMode.ECB };
    using (var encrypter = crypt.CreateEncryptor())
    {
        using (var to = new MemoryStream())
        {
            using (var writer = new CryptoStream(to, encrypter, CryptoStreamMode.Write))
            {
                writer.Write(byteData, 0, byteData.Length);
                writer.FlushFinalBlock();
                encrypted = to.ToArray();
            }
        }
    }
    return Convert.ToBase64String(encrypted);
}

// Better: CBC chains each block into the next, so equal plaintext blocks no
// longer produce equal ciphertext blocks (provided the IV is fresh per message).
public static string AESBetterImpl(string Data, byte[] Key, byte[] IV)
{
    var byteData = Encoding.Unicode.GetBytes(Data);
    byte[] encrypted;
    var crypt = new AesManaged() { IV = IV, Key = Key, Mode = CipherMode.CBC };
    using (var encrypter = crypt.CreateEncryptor())
    {
        using (var to = new MemoryStream())
        {
            using (var writer = new CryptoStream(to, encrypter, CryptoStreamMode.Write))
            {
                writer.Write(byteData, 0, byteData.Length);
                writer.FlushFinalBlock();
                encrypted = to.ToArray();
            }
        }
    }
    return Convert.ToBase64String(encrypted);
}
```

http://www.codinghorror.com/blog/2009/05/why-isnt-my-encryption-encrypting.html
  16. http://xkcd.com/1286/

  17.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Weak: the IV is a hard-coded constant, so the same plaintext encrypted under
// the same key always produces the same ciphertext, and two messages that share
// a prefix share the corresponding ciphertext blocks.
public string AESConstantIV(string Data, byte[] Key)
{
    byte[] IV = Convert.FromBase64String("jduM7QxU1IZch/sjNYB8Vw==");
    var byteData = Encoding.Unicode.GetBytes(Data);
    byte[] encrypted;
    var crypt = new System.Security.Cryptography.AesManaged()
    {
        IV = IV,
        Key = Key,
        Mode = System.Security.Cryptography.CipherMode.CBC
    };
    using (var encrypter = crypt.CreateEncryptor())
    {
        using (var to = new MemoryStream())
        {
            using (var writer = new CryptoStream(to, encrypter, CryptoStreamMode.Write))
            {
                writer.Write(byteData, 0, byteData.Length);
                writer.FlushFinalBlock();
                encrypted = to.ToArray();
            }
        }
    }
    return Convert.ToBase64String(encrypted);
}
```
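Added example, not code from the deck: a Go port of the ECB-versus-CBC contrast on slide 15 and the constant-IV problem on slide 17. `ecbEncrypt` reproduces what AESWeakImpl does, `cbcEncrypt` draws a fresh random IV per message and prepends it to the ciphertext (the step AESConstantIV skips), and `hasRepeatedBlocks` is the check a reviewer can run over ciphertext to spot ECB output. The demo key and the repeated-record message are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// prep builds the AES cipher and PKCS#7-pads the message (the AesManaged default).
func prep(key, plaintext []byte) (cipher.Block, []byte) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil { panic(err) }
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	return block, append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
}
// ecbEncrypt mirrors AESWeakImpl: blocks are encrypted independently, so equal plaintext blocks give equal ciphertext blocks.
func ecbEncrypt(key, plaintext []byte) []byte {
	block, padded := prep(key, plaintext)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], padded[i:i+aes.BlockSize])
	}
	return out
}
// cbcEncrypt mirrors AESBetterImpl but draws a fresh random IV per message and prepends it, the step AESConstantIV skips.
func cbcEncrypt(key, plaintext []byte) []byte {
	block, padded := prep(key, plaintext)
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil { panic(err) }
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...)
}
// hasRepeatedBlocks is the classic ECB tell: some 16-byte block occurs twice.
func hasRepeatedBlocks(ct []byte) bool {
	seen := map[[aes.BlockSize]byte]bool{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := *(*[aes.BlockSize]byte)(ct[i : i+aes.BlockSize]) // needs Go 1.17+
		if seen[b] { return true }
		seen[b] = true
	}
	return false
}
func main() { // constructed demo key; message is one 16-byte record repeated four times
	key, msg := bytes.Repeat([]byte{0x42}, 32), bytes.Repeat([]byte("SENSITIVE-RECORD"), 4)
	fmt.Println(hasRepeatedBlocks(ecbEncrypt(key, msg)), hasRepeatedBlocks(cbcEncrypt(key, msg))) // true false
}
```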
  18.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Weak: the salt is a hard-coded constant, so the same password always derives
// the same Key. Worse, the IV comes from an identical password+salt derivation,
// so it is simply the first 16 bytes of the Key and never changes per message.
public string AESWeakIV(string Data, string Password)
{
    byte[] Key = new Rfc2898DeriveBytes(Password, Convert.FromBase64String("36rrsp0D4rkjg54ShyOOqA=="))
        .GetBytes(new System.Security.Cryptography.AesManaged().KeySize / 8);
    byte[] IV = new Rfc2898DeriveBytes(Password, Convert.FromBase64String("36rrsp0D4rkjg54ShyOOqA=="))
        .GetBytes(new System.Security.Cryptography.AesManaged().BlockSize / 8);
    var byteData = Encoding.Unicode.GetBytes(Data);
    byte[] encrypted;
    var crypt = new System.Security.Cryptography.AesManaged()
    {
        IV = IV,
        Key = Key,
        Mode = System.Security.Cryptography.CipherMode.CBC
    };
    using (var encrypter = crypt.CreateEncryptor())
    {
        using (var to = new MemoryStream())
        {
            using (var writer = new CryptoStream(to, encrypter, CryptoStreamMode.Write))
            {
                writer.Write(byteData, 0, byteData.Length);
                writer.FlushFinalBlock();
                encrypted = to.ToArray();
            }
        }
    }
    return Convert.ToBase64String(encrypted);
}
```
  19.

```csharp
using System;

// Weak: the key and IV are hard-coded constants in the source, so anyone who
// can read the code or the compiled binary has everything needed to decrypt.
byte[] Key = Convert.FromBase64String("q+/6kLVpkfMLoqEe+nc+tDKygEwzOJMI1FrNXcu9p9I=");
byte[] IV = Convert.FromBase64String("aiUG8RBiea7/b9CaHsiahw==");
```

http://www.flickr.com/photos/mshades/225117359
  20. http://www.flickr.com/photos/brhefele/5750117824

  21. https://www.flickr.com/photos/metalriot/4279300557

  22. https://www.flickr.com/photos/ehacke/4584255926

  23.

  24.

  25.

  26. http://azure.microsoft.com/en-us/services/key-vault/ http://aws.amazon.com/cloudhsm/

  27. http://www.flickr.com/photos/morgantar/3548079597

  28.

  29.

  30.

  31. Resources
    • http://www.troyhunt.com/2012/06/our-password-hashing-has-no-clothes.html
    • http://www.codinghorror.com/blog/2009/05/why-isnt-my-encryption-encrypting.html
    • http://www.microsoft.com/security/sdl/default.aspx
    • http://www.bouncycastle.org/csharp/
    • http://plaintextoffenders.com/
    • http://securitydriven.net/
    • https://github.com/viniciuschiele/scrypt
    • https://github.com/jkuemerle/EncryptedType
    • https://www.nuget.org/packages/EncryptedType
    • http://wp.sjkp.dk/securing-azure-web-job-secrets-with-azure-key-vault/