Keeping Secrets: Using Encryption Effectively

We all want to protect data that is entrusted to us. Whether we are required to protect sensitive information because of regulations or just to keep the trust of our users, a good understanding of encryption is essential. In this session we will work through common data encryption scenarios and use encryption techniques to ensure that your data stays protected. We will also review common mistakes when using encryption and learn how to avoid them. Additionally, we will discuss techniques to guard against tampering and how to maintain the security of our data over the long term.

Joe Kuemerle

March 02, 2015

Transcript

  1. @jkuemerle / www.kuemerle.com
    Joe Kuemerle
    • Over 15 years of development experience with a broad range of technologies
    • Focused on application and data security, coding best practices and regulatory compliance
    • Presenter at community, regional and national events.
  2.

    dABoAGkAcwBpAHMAYQBuAGkAYwBlAGwAbwBuAGcAcABhAHMAcwB3AG8AcgBkAA==
    h0+i44Utl3zmixH5HEBTng==
    S+cORg3e4Fz7Ckxks8rd4CVmxPzNMa6v+1k+m6/VD/G/HMY/tQxWR98Ypap/sQED
    dBTfZP7FM1osrctYIphw/AGDyuE=
    nap/V8KGx/W+L4RXBo1qJhOq2vQ=
    yuhDQAoHe1BXszrRlT1jTX8nzqs=
    $2a$10$ip5k8Uu2UF7RD/oPUkVYluW8q5NSiQOl57FXuwqoGWVYqZG0lksvm
    thisisanicelongpassword
    $s0$e0801$ttAQ8v538tVoDxgCB2IqeoL9zgnsS19wx2BWCSOFoH0=$0isly2qWpQoaroZka2e+uGykbd7YvifFlEeRxrFe7zE=
  4.

    ```csharp
    // Requires: System, System.IO, System.Security.Cryptography, System.Text

    // Weak: ECB encrypts every block independently (the IV is ignored), so
    // identical plaintext blocks produce identical ciphertext blocks.
    public static string AESWeakImpl(string Data, byte[] Key, byte[] IV)
    {
        var byteData = Encoding.Unicode.GetBytes(Data);
        byte[] encrypted;
        var crypt = new AesManaged() { IV = IV, Key = Key, Mode = CipherMode.ECB };
        using (var encrypter = crypt.CreateEncryptor())
        {
            using (var to = new MemoryStream())
            {
                using (var writer = new CryptoStream(to, encrypter, CryptoStreamMode.Write))
                {
                    writer.Write(byteData, 0, byteData.Length);
                    writer.FlushFinalBlock();
                    encrypted = to.ToArray();
                }
            }
        }
        return Convert.ToBase64String(encrypted);
    }

    // Better: CBC chains each block with the previous one, starting from the IV.
    public static string AESBetterImpl(string Data, byte[] Key, byte[] IV)
    {
        var byteData = Encoding.Unicode.GetBytes(Data);
        byte[] encrypted;
        var crypt = new AesManaged() { IV = IV, Key = Key, Mode = CipherMode.CBC };
        using (var encrypter = crypt.CreateEncryptor())
        {
            using (var to = new MemoryStream())
            {
                using (var writer = new CryptoStream(to, encrypter, CryptoStreamMode.Write))
                {
                    writer.Write(byteData, 0, byteData.Length);
                    writer.FlushFinalBlock();
                    encrypted = to.ToArray();
                }
            }
        }
        return Convert.ToBase64String(encrypted);
    }
    ```

    http://www.codinghorror.com/blog/2009/05/why-isnt-my-encryption-encrypting.html
  5.

    ```csharp
    // Requires: System, System.IO, System.Security.Cryptography, System.Text

    // Constant IV: the same plaintext under the same key always produces
    // the same ciphertext.
    public string AESConstantIV(string Data, byte[] Key)
    {
        byte[] IV = Convert.FromBase64String("jduM7QxU1IZch/sjNYB8Vw==");
        var byteData = Encoding.Unicode.GetBytes(Data);
        byte[] encrypted;
        var crypt = new System.Security.Cryptography.AesManaged()
        {
            IV = IV,
            Key = Key,
            Mode = System.Security.Cryptography.CipherMode.CBC
        };
        using (var encrypter = crypt.CreateEncryptor())
        {
            using (var to = new MemoryStream())
            {
                using (var writer = new CryptoStream(to, encrypter, CryptoStreamMode.Write))
                {
                    writer.Write(byteData, 0, byteData.Length);
                    writer.FlushFinalBlock();
                    encrypted = to.ToArray();
                }
            }
        }
        return Convert.ToBase64String(encrypted);
    }
    ```
  6.

    ```csharp
    // Requires: System, System.IO, System.Security.Cryptography, System.Text

    // Weak IV: key and IV are both derived from the password with the same
    // fixed salt, so the IV is constant for a given password and is identical
    // to the first 16 bytes of the derived key.
    public string AESWeakIV(string Data, string Password)
    {
        byte[] Key = new Rfc2898DeriveBytes(Password,
                Convert.FromBase64String("36rrsp0D4rkjg54ShyOOqA=="))
            .GetBytes(new System.Security.Cryptography.AesManaged().KeySize / 8);
        byte[] IV = new Rfc2898DeriveBytes(Password,
                Convert.FromBase64String("36rrsp0D4rkjg54ShyOOqA=="))
            .GetBytes(new System.Security.Cryptography.AesManaged().BlockSize / 8);
        var byteData = Encoding.Unicode.GetBytes(Data);
        byte[] encrypted;
        var crypt = new System.Security.Cryptography.AesManaged()
        {
            IV = IV,
            Key = Key,
            Mode = System.Security.Cryptography.CipherMode.CBC
        };
        using (var encrypter = crypt.CreateEncryptor())
        {
            using (var to = new MemoryStream())
            {
                using (var writer = new CryptoStream(to, encrypter, CryptoStreamMode.Write))
                {
                    writer.Write(byteData, 0, byteData.Length);
                    writer.FlushFinalBlock();
                    encrypted = to.ToArray();
                }
            }
        }
        return Convert.ToBase64String(encrypted);
    }
    ```
  7.

    ```csharp
    // Key and IV hard-coded in source.
    byte[] Key = Convert.FromBase64String("q+/6kLVpkfMLoqEe+nc+tDKygEwzOJMI1FrNXcu9p9I=");
    byte[] IV = Convert.FromBase64String("aiUG8RBiea7/b9CaHsiahw==");
    ```

    http://www.flickr.com/photos/mshades/225117359
  8. Resources
    • http://www.troyhunt.com/2012/06/our-password-hashing-has-no-clothes.html
    • http://www.codinghorror.com/blog/2009/05/why-isnt-my-encryption-encrypting.html
    • http://www.microsoft.com/security/sdl/default.aspx
    • http://www.bouncycastle.org/csharp/
    • http://plaintextoffenders.com/
    • http://securitydriven.net/
    • https://github.com/viniciuschiele/scrypt
    • https://github.com/jkuemerle/EncryptedType
    • https://www.nuget.org/packages/EncryptedType
    • http://wp.sjkp.dk/securing-azure-web-job-secrets-with-azure-key-vault/
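
A counterpart to the routines on slides 4 to 7 that uses a fresh random IV for every message and an HMAC tag to detect tampering, added here as an example and not code from the deck. The class name, the `IV || ciphertext || tag` layout and the use of two separate keys are assumptions, and `CryptographicOperations.FixedTimeEquals` requires .NET Core 2.1 or later.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class AesRandomIvExample   // hypothetical name, not from the deck
{
    // Output layout: IV (16 bytes) || ciphertext || HMAC-SHA256 tag (32 bytes).
    public static byte[] Encrypt(string data, byte[] encKey, byte[] macKey)
    {
        using (var aes = Aes.Create())   // defaults: CBC mode, PKCS7 padding
        using (var hmac = new HMACSHA256(macKey))
        {
            aes.Key = encKey;
            aes.GenerateIV();            // fresh random IV for every message
            byte[] plain = Encoding.UTF8.GetBytes(data);
            byte[] cipher;
            using (var enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
            // The IV is not secret; it travels with the ciphertext and is
            // covered by the tag so it cannot be swapped unnoticed.
            byte[] body = aes.IV.Concat(cipher).ToArray();
            return body.Concat(hmac.ComputeHash(body)).ToArray();
        }
    }

    public static string Decrypt(byte[] message, byte[] encKey, byte[] macKey)
    {
        // Minimum: 16-byte IV + one 16-byte block + 32-byte tag.
        if (message.Length < 16 + 16 + 32)
            throw new CryptographicException("Message too short.");
        byte[] body = message.Take(message.Length - 32).ToArray();
        byte[] tag = message.Skip(message.Length - 32).ToArray();
        using (var hmac = new HMACSHA256(macKey))
        {
            // Verify the tag before decrypting anything (encrypt-then-MAC).
            if (!CryptographicOperations.FixedTimeEquals(hmac.ComputeHash(body), tag))
                throw new CryptographicException("Authentication tag mismatch.");
        }
        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.IV = body.Take(16).ToArray();
            using (var dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(
                    dec.TransformFinalBlock(body, 16, body.Length - 16));
        }
    }
}
```

Encrypting the same string twice with the same keys returns different bytes each time, and `Decrypt` throws before any decryption happens if a single byte of the message has been altered.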