

Keeping Secrets: Using Encryption Effectively - CodeMash 2015

We all want to protect data that is entrusted to us. Whether we are required to protect sensitive information because of regulations or just to keep the trust of our users, a good understanding of encryption is essential. In this session we will work through common data encryption scenarios and use encryption techniques to ensure that your data stays protected. We will also review common mistakes when using encryption and learn how to avoid them. Additionally, we will discuss techniques to guard against tampering and how to maintain the security of our data over the long term.

Joe Kuemerle

January 08, 2015


Transcript

  1. @jkuemerle / www.kuemerle.com
     Joe Kuemerle
     • Over 15 years of development experience with a broad range of technologies
     • Focused on application and data security, coding best practices and regulatory compliance
     • Presenter at community, regional and national events.
  2. Weak versus better use of AES (the namespaces below are needed by the code on slides 2 to 5 as well):

     using System;
     using System.IO;
     using System.Security.Cryptography;
     using System.Text;

     public static string AESWeakImpl(string Data, byte[] Key, byte[] IV)
     {
         // Weak: ECB mode encrypts every identical plaintext block to an identical
         // ciphertext block, so patterns in the data show through the ciphertext.
         var byteData = Encoding.Unicode.GetBytes(Data);
         byte[] encrypted;
         var crypt = new AesManaged() { IV = IV, Key = Key, Mode = CipherMode.ECB };
         using (var encrypter = crypt.CreateEncryptor())
         {
             using (var to = new MemoryStream())
             {
                 using (var writer = new CryptoStream(to, encrypter, CryptoStreamMode.Write))
                 {
                     writer.Write(byteData, 0, byteData.Length);
                     writer.FlushFinalBlock();
                     encrypted = to.ToArray();
                 }
             }
         }
         return Convert.ToBase64String(encrypted);
     }

     public static string AESBetterImpl(string Data, byte[] Key, byte[] IV)
     {
         // Better: CBC mode chains the blocks, so equal plaintext blocks no longer
         // produce equal ciphertext blocks (the IV must still be random per message).
         var byteData = Encoding.Unicode.GetBytes(Data);
         byte[] encrypted;
         var crypt = new AesManaged() { IV = IV, Key = Key, Mode = CipherMode.CBC };
         using (var encrypter = crypt.CreateEncryptor())
         {
             using (var to = new MemoryStream())
             {
                 using (var writer = new CryptoStream(to, encrypter, CryptoStreamMode.Write))
                 {
                     writer.Write(byteData, 0, byteData.Length);
                     writer.FlushFinalBlock();
                     encrypted = to.ToArray();
                 }
             }
         }
         return Convert.ToBase64String(encrypted);
     }

     http://www.codinghorror.com/blog/2009/05/why-isnt-my-encryption-encrypting.html
  3. public string AESConstantIV(string Data, byte[] Key)
     {
         // Weak: the IV is a fixed literal, so every message is encrypted with the same IV
         // and two identical plaintexts produce identical ciphertexts.
         byte[] IV = Convert.FromBase64String("jduM7QxU1IZch/sjNYB8Vw==");
         var byteData = Encoding.Unicode.GetBytes(Data);
         byte[] encrypted;
         var crypt = new AesManaged() { IV = IV, Key = Key, Mode = CipherMode.CBC };
         using (var encrypter = crypt.CreateEncryptor())
         {
             using (var to = new MemoryStream())
             {
                 using (var writer = new CryptoStream(to, encrypter, CryptoStreamMode.Write))
                 {
                     writer.Write(byteData, 0, byteData.Length);
                     writer.FlushFinalBlock();
                     encrypted = to.ToArray();
                 }
             }
         }
         return Convert.ToBase64String(encrypted);
     }
  4. public string AESWeakIV(string Data, string Password)
     {
         // Weak: key and IV are both derived from the same password and the same fixed salt,
         // so the IV is simply the first 16 bytes of the key and is identical for every message.
         byte[] Key = new Rfc2898DeriveBytes(Password, Convert.FromBase64String("36rrsp0D4rkjg54ShyOOqA=="))
             .GetBytes(new AesManaged().KeySize / 8);
         byte[] IV = new Rfc2898DeriveBytes(Password, Convert.FromBase64String("36rrsp0D4rkjg54ShyOOqA=="))
             .GetBytes(new AesManaged().BlockSize / 8);
         var byteData = Encoding.Unicode.GetBytes(Data);
         byte[] encrypted;
         var crypt = new AesManaged() { IV = IV, Key = Key, Mode = CipherMode.CBC };
         using (var encrypter = crypt.CreateEncryptor())
         {
             using (var to = new MemoryStream())
             {
                 using (var writer = new CryptoStream(to, encrypter, CryptoStreamMode.Write))
                 {
                     writer.Write(byteData, 0, byteData.Length);
                     writer.FlushFinalBlock();
                     encrypted = to.ToArray();
                 }
             }
         }
         return Convert.ToBase64String(encrypted);
     }
  5. // Key and IV embedded as literals in the source code
     byte[] Key = Convert.FromBase64String("q+/6kLVpkfMLoqEe+nc+tDKygEwzOJMI1FrNXcu9p9I=");
     byte[] IV = Convert.FromBase64String("aiUG8RBiea7/b9CaHsiahw==");

     http://www.flickr.com/photos/mshades/225117359
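The slides above show the mistakes one at a time (ECB mode, a constant IV, an IV derived from the password, key and IV as literals in source). The following is an added example of the hardened counterpart, written for this page and not taken from the deck or from the author's EncryptedType project; it assumes modern .NET (Aes.Create, CryptographicOperations.FixedTimeEquals) and that the two keys are supplied by the caller from configuration or a key store.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the deck: fresh random IV per message, CBC encryption,
// then HMAC-SHA256 over IV||ciphertext (encrypt-then-MAC) so tampering is detected before decrypting.
public static class AuthenticatedAes
{
    const int IvLen = 16, TagLen = 32;
    // Keys come from the caller (configuration or a key store), never from literals in source.
    // Returns base64 of: IV (16 bytes) || ciphertext || HMAC-SHA256 tag (32 bytes).
    public static string Encrypt(string data, byte[] encKey, byte[] macKey)
    {
        byte[] plaintext = Encoding.UTF8.GetBytes(data);
        using (var aes = Aes.Create())
        {
            aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7; // never ECB
            aes.Key = encKey;
            aes.GenerateIV(); // fresh random IV on every call: not a constant, not password-derived
            byte[] ct;
            using (var enc = aes.CreateEncryptor()) ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            byte[] output = new byte[IvLen + ct.Length + TagLen];
            Buffer.BlockCopy(aes.IV, 0, output, 0, IvLen);
            Buffer.BlockCopy(ct, 0, output, IvLen, ct.Length);
            using (var hmac = new HMACSHA256(macKey)) // MAC key is distinct from the encryption key
            {
                byte[] tag = hmac.ComputeHash(output, 0, IvLen + ct.Length);
                Buffer.BlockCopy(tag, 0, output, IvLen + ct.Length, TagLen);
            }
            return Convert.ToBase64String(output);
        }
    }
    // Verifies the tag in constant time first; only an untampered token is decrypted.
    // (FixedTimeEquals assumes .NET Core 2.1+ / .NET 5+.)
    public static string Decrypt(string token, byte[] encKey, byte[] macKey)
    {
        byte[] input = Convert.FromBase64String(token);
        if (input.Length < IvLen + TagLen) throw new CryptographicException("Token too short");
        int ctLen = input.Length - IvLen - TagLen;
        byte[] expected;
        using (var hmac = new HMACSHA256(macKey)) expected = hmac.ComputeHash(input, 0, IvLen + ctLen);
        if (!CryptographicOperations.FixedTimeEquals(expected, input.AsSpan(IvLen + ctLen, TagLen)))
            throw new CryptographicException("Tag mismatch: token was tampered with or keys are wrong");
        using (var aes = Aes.Create())
        {
            aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            aes.Key = encKey; aes.IV = input.AsSpan(0, IvLen).ToArray();
            using (var dec = aes.CreateDecryptor()) return Encoding.UTF8.GetString(dec.TransformFinalBlock(input, IvLen, ctLen));
        }
    }
}
```

Encrypting the same string twice yields two different tokens because of the random IV, and flipping any byte of a token makes Decrypt throw before the ciphertext is touched.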
  6. Resources
     • http://www.troyhunt.com/2012/06/our-password-hashing-has-no-clothes.html
     • http://www.codinghorror.com/blog/2009/05/why-isnt-my-encryption-encrypting.html
     • http://www.microsoft.com/security/sdl/default.aspx
     • http://www.bouncycastle.org/csharp/
     • http://plaintextoffenders.com/
     • http://securitydriven.net/
     • https://github.com/jkuemerle/EncryptedType
     • https://www.nuget.org/packages/EncryptedType