Crypto? been there, done that

Transcript

1. Marcin Krzyżanowski http://blog.krzyzanowskim.com @krzyzanowskim Crypto? been there, done that Mobile

   Warsaw 2015

2. American computer professional who leaked classified information from the National

   Security Agency (NSA) Edward Snowden

3. Edward Snowden

4. LEAKED! HOW ? Edward Snowden

5. PGP Edward Snowden

6. PGP for Journalists

7. PGP for Journalists

8. PGP for Journalists

9. PGP for Journalists

10. PGP for Journalists

11. PGP for Journalists

12. PGP for Journalists

13. PGP for Journalists

14. PGP for Journalists

15. PGP for Journalists

16. PGP for Journalists

17. PGP for Journalists

18. PGP for Journalists

19. PGP for Journalists

20. Glenn Greenwald* *not really

21. “I didn’t really know what PGP was,” he admits. “I

    had no idea how to install it or how to use it.” It seemed time- consuming and complicated. (RollingStone) Glenn Greenwald

22. •Geek tools •Tools build for nerds •By nerds for nerds

    PGP

23. PGP After this article appeared, Werner Koch informed us that

    last week he was awarded a one-time grant of $60,000 from Linux Foundation's Core Infrastructure Initiative. Werner told us he only received permission to disclose it after our article published. Meanwhile, since our story was posted, donations flooded Werner's website donation page and he reached his funding goal of $137,000. In addition, Facebook and the online payment processor Stripe each pledged to donate $50,000 a year to Koch’s project.

24. ask NSA IS IT GOOD?

25. NSA struggling to crack the AES encryption standard

26. some observers are worried that the NSA's efforts may have

    succeeded in the two years since.

27. • AES - symmetric algorithm • Shared key AES

28. "No decrypt available for this PGP encrypted message.” - NSA

    PGP

29. PGP Basics ALICE RABBIT public private public private

30. •Created in 1991 by Phil Zimmermann •OpenPGP •RFC 4880 in

    2007 PGP

31. •Pretty Good Privacy •Protocol •Web of trust PGP

32. •IDEA •TripleDES •CAST5 •Blowfish •AES •Twofish •Private/Experimental algorithms OpenPGP

33. •MD5 •SHA-1 •SHA-2 •RIPE-MD/160 •Private/Experimental algorithm OpenPGP

34. •RSA •Elgamal •DSA •Elliptic Curve •ECDSA •Diffie-Hellman •Private/Experimental algorithm OpenPGP

35. OpenPGP

36. “PGP 2.6.x - This version of PGP has many variants,

    hence the term PGP 2.6.x. It used only RSA, MD5, and IDEA for its cryptographic transforms.” OpenPGP

37. “PGP 5.x - This version of PGP is formerly known

    as "PGP 3" in the community and also in the predecessor of this document, RFC 1991. It has new formats and corrects a number of problems in the PGP 2.6.x design.” OpenPGP

38. “GnuPG is an OpenPGP implementation that avoids all encumbered algorithms.

    Consequently, early versions of GnuPG did not include RSA public keys. GnuPG may or may not have (depending on version) support for IDEA or other encumbered algorithms.” OpenPGP

39. • 17 packets (keys, subkeys, signatures, subsignatures, data packets) •

    12 variants of Signature packet • 7 variants of Key packet • 9 types of messages • versioned packet: version 3, version 4 OpenPGP

40. versioned headers •old format •new format OpenPGP

41. •hardcoded values •exceptions to the rules OpenPGP

42. how do I know? I was there been there, done

    that

43. Why? ObjectivePGP

44. ObjectivePGP •GPGME by GnuPG • licence issue •NetPGP by NetBSD

    • not maintained, crashing. •UNNetPGP (wrapper) •NetPGP based PGP library for iOS

45. •Native implementation ObjectivePGP

46. PGP is hard ObjectivePGP

47. •PGP is good •why not give it a try ObjectivePGP

48. •“for fun” implementation •Released • closed-source project •Available on Github

    • krzyzanowskim/ObjectivePGP ObjectivePGP

49. •Maintaining •A lof of people ask for sources •Not really

    interested in contribution •because it’s hard •nobody have budget for components ObjectivePGP

50. ObjectivePGP

51. ObjectivePGP

52. •Plans ObjectivePGP

53. None

54. !!!!!

55. There must me easier way. Privacy app is attempt to

    make PGP as easy as possible. privacyapp.io

56. Privacy

57. Privacy key server app e-mail address public key PROFIT

58. •What is it •encryptor •What it is NOT •decryptor (yet)

    Privacy

59. Privacy is driven by ObjectivePGP Privacy + ObjectivePGP

60. None

61. In Swift we trust CryptoSwift said no one ever

62. •Because I can •Because I’m engineer CryptoSwift

63. •Because I’m curious CryptoSwift

64. •What’s inside •AES •ChaCha20 CryptoSwift

65. •What’s inside •SHA-1, SHA2 •MD5, CRC CryptoSwift

66. •What’s inside •Poly1305 •HMAC CryptoSwift

67. •What’s inside •ECB Electronic codebook •CBC Cipher-block chaining •CFB Cipher

    feedback •PKCS7 CryptoSwift

68. •maintaining •fundamental questions are fine •code in PHP is fine

    •misusing AES is bad, but asking is fine •nobody really contribute back because everybody think it is too hard CryptoSwift

69. CryptoSwift

70. CryptoSwift

71. CryptoSwift

72. Build things! because you can You Marcin Krzyżanowski @krzyzanowskim http://krzyzanowskim.com

73. • http://cr.yp.to • https://privacyapp.io • https://github.com/krzyzanowskim/ObjectivePGP • https://github.com/krzyzanowskim/CryptoSwift • http://blog.krzyzanowskim.com

    links