Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Crypto? been there, done that

Marcin Krzyzanowski
May 25, 2015
Programming
0
40

Crypto? been there, done that

Mobile Warsaw 2015. ObjectivePGP, CryptoSwift

Marcin Krzyzanowski

May 25, 2015
Tweet

More Decks by Marcin Krzyzanowski

See All by Marcin Krzyzanowski
Swiftly Swift manipulation... with Swift
krzyzanowskim
3
870
That Swift IDE
krzyzanowskim
1
490
Stories from the crypt(ography)
krzyzanowskim
0
57
Decipher the encoding
krzyzanowskim
0
130
Decipher the Encoding
krzyzanowskim
0
64
Slow Swift
krzyzanowskim
4
1.4k
The Mysterious Swift Performance
krzyzanowskim
6
1.6k
End-to-End encryption cookbook
krzyzanowskim
1
240
CloudKit Web Services
krzyzanowskim
1
310

Other Decks in Programming

See All in Programming
FigmaとPHPで作る1ミリたりとも表示崩れしない最強の帳票印刷ソリューション
ttskch
43
19k
PHPの次期バージョンはこの時期どうなっているのか - Internalsの開発体制について - PHPカンファレンス小田原
youkidearitai
PRO
1
190
Goのmultiple errorsについて (2024年4月版)
syumai
3
680
大規模Reactアプリのリアーキテクチャ~8万行のTanStack Query移行の軌跡~
kj455
4
960
Node.js v22 で変わること
yosuke_furukawa
PRO
9
3.2k
PHP8.3の機能を振り返る / Review of PHP 8.3 features
seike460
PRO
1
110
VS Code をプロダクトにどう取り込むか
onomax
1
360
Ruby Pattern Matching
bkuhlmann
0
930
ADRを一年運用してみた/adr_after_a_year
hanhan1978
7
2.4k
Git Lint
bkuhlmann
4
750
Behind VS Code Extensions for JavaScript / TypeScript Linnting and Formatting
unvalley
5
910
Java 22 Overview
kishida
1
180

Featured

See All Featured
Designing Experiences People Love
moore
136
23k
Raft: Consensus for Rubyists
vanstee
132
6.3k
Designing for Performance
lara
601
67k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
274
13k
From Idea to $5000 a Month in 5 Months
shpigford
377
45k
Done Done
chrislema
178
15k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.9k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
659
120k
Optimizing for Happiness
mojombo
370
69k
No one is an island. Learnings from fostering a developers community.
thoeni
16
2.1k
In The Pink: A Labor of Love
frogandcode
138
21k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
322
20k

Transcript

  1. Marcin Krzyżanowski http://blog.krzyzanowskim.com @krzyzanowskim Crypto? been there, done that Mobile

    Warsaw 2015

  2. American computer professional who leaked classified information from the National

    Security Agency (NSA) Edward Snowden

  3. Edward Snowden

  4. LEAKED! HOW ? Edward Snowden

  5. PGP Edward Snowden

  6. PGP for Journalists

  7. PGP for Journalists

  8. PGP for Journalists

  9. PGP for Journalists

  10. PGP for Journalists

  11. PGP for Journalists

  12. PGP for Journalists

  13. PGP for Journalists

  14. PGP for Journalists

  15. PGP for Journalists

  16. PGP for Journalists

  17. PGP for Journalists

  18. PGP for Journalists

  19. PGP for Journalists

  20. Glenn Greenwald* *not really

  21. “I didn’t really know what PGP was,” he admits. “I

    had no idea how to install it or how to use it.” It seemed time- consuming and complicated. (RollingStone) Glenn Greenwald

  22. •Geek tools •Tools build for nerds •By nerds for nerds

    PGP

  23. PGP After this article appeared, Werner Koch informed us that

    last week he was awarded a one-time grant of $60,000 from Linux Foundation's Core Infrastructure Initiative. Werner told us he only received permission to disclose it after our article published. Meanwhile, since our story was posted, donations flooded Werner's website donation page and he reached his funding goal of $137,000. In addition, Facebook and the online payment processor Stripe each pledged to donate $50,000 a year to Koch’s project.

  24. ask NSA IS IT GOOD?

  25. NSA struggling to crack the AES encryption standard

  26. some observers are worried that the NSA's efforts may have

    succeeded in the two years since.

  27. • AES - symmetric algorithm • Shared key AES

  28. "No decrypt available for this PGP encrypted message.” - NSA

    PGP

  29. PGP Basics ALICE RABBIT public private public private

  30. •Created in 1991 by Phil Zimmermann •OpenPGP •RFC 4880 in

    2007 PGP

  31. •Pretty Good Privacy •Protocol •Web of trust PGP

  32. •IDEA •TripleDES •CAST5 •Blowfish •AES •Twofish •Private/Experimental algorithms OpenPGP

  33. •MD5 •SHA-1 •SHA-2 •RIPE-MD/160 •Private/Experimental algorithm OpenPGP

  34. •RSA •Elgamal •DSA •Elliptic Curve •ECDSA •Diffie-Hellman •Private/Experimental algorithm OpenPGP

  35. OpenPGP

  36. “PGP 2.6.x - This version of PGP has many variants,

    hence the term PGP 2.6.x. It used only RSA, MD5, and IDEA for its cryptographic transforms.” OpenPGP

  37. “PGP 5.x - This version of PGP is formerly known

    as "PGP 3" in the community and also in the predecessor of this document, RFC 1991. It has new formats and corrects a number of problems in the PGP 2.6.x design.” OpenPGP

  38. “GnuPG is an OpenPGP implementation that avoids all encumbered algorithms.

    Consequently, early versions of GnuPG did not include RSA public keys. GnuPG may or may not have (depending on version) support for IDEA or other encumbered algorithms.” OpenPGP

  39. • 17 packets (keys, subkeys, signatures, subsignatures, data packets) •

    12 variants of Signature packet • 7 variants of Key packet • 9 types of messages • versioned packet: version 3, version 4 OpenPGP

  40. versioned headers •old format •new format OpenPGP

  41. •hardcoded values •exceptions to the rules OpenPGP

  42. how do I know? I was there been there, done

    that

  43. Why? ObjectivePGP

  44. ObjectivePGP •GPGME by GnuPG • licence issue •NetPGP by NetBSD

    • not maintained, crashing. •UNNetPGP (wrapper) •NetPGP based PGP library for iOS

  45. •Native implementation ObjectivePGP

  46. PGP is hard ObjectivePGP

  47. •PGP is good •why not give it a try ObjectivePGP

  48. •“for fun” implementation •Released • closed-source project •Available on Github

    • krzyzanowskim/ObjectivePGP ObjectivePGP

  49. •Maintaining •A lof of people ask for sources •Not really

    interested in contribution •because it’s hard •nobody have budget for components ObjectivePGP

  50. ObjectivePGP

  51. ObjectivePGP

  52. •Plans ObjectivePGP

  53. None

  54. !!!!!

  55. There must me easier way. Privacy app is attempt to

    make PGP as easy as possible. privacyapp.io

  56. Privacy

  57. Privacy key server app e-mail address public key PROFIT

  58. •What is it •encryptor •What it is NOT •decryptor (yet)

    Privacy

  59. Privacy is driven by ObjectivePGP Privacy + ObjectivePGP

  60. None

  61. In Swift we trust CryptoSwift said no one ever

  62. •Because I can •Because I’m engineer CryptoSwift

  63. •Because I’m curious CryptoSwift

  64. •What’s inside •AES •ChaCha20 CryptoSwift

  65. •What’s inside •SHA-1, SHA2 •MD5, CRC CryptoSwift

  66. •What’s inside •Poly1305 •HMAC CryptoSwift

  67. •What’s inside •ECB Electronic codebook •CBC Cipher-block chaining •CFB Cipher

    feedback •PKCS7 CryptoSwift

  68. •maintaining •fundamental questions are fine •code in PHP is fine

    •misusing AES is bad, but asking is fine •nobody really contribute back because everybody think it is too hard CryptoSwift

  69. CryptoSwift

  70. CryptoSwift

  71. CryptoSwift

  72. Build things! because you can You Marcin Krzyżanowski @krzyzanowskim http://krzyzanowskim.com

  73. • http://cr.yp.to • https://privacyapp.io • https://github.com/krzyzanowskim/ObjectivePGP • https://github.com/krzyzanowskim/CryptoSwift • http://blog.krzyzanowskim.com

    links