Crypto? been there, done that

Mobile Warsaw 2015. ObjectivePGP, CryptoSwift

Marcin Krzyzanowski

May 25, 2015

Transcript

  1. Marcin Krzyżanowski http://blog.krzyzanowskim.com @krzyzanowskim Crypto? been there, done that Mobile Warsaw 2015

  2. American computer professional who leaked classified information from the National Security Agency (NSA) Edward Snowden

  3. Edward Snowden

  4. LEAKED! HOW ? Edward Snowden

  5. PGP Edward Snowden

  6–19. PGP for Journalists

  20. Glenn Greenwald* *not really

  21. “I didn’t really know what PGP was,” he admits. “I had no idea how to install it or how to use it.” It seemed time-consuming and complicated. (RollingStone) Glenn Greenwald

  22. •Geek tools •Tools built for nerds •By nerds for nerds PGP

  23. PGP After this article appeared, Werner Koch informed us that last week he was awarded a one-time grant of $60,000 from Linux Foundation's Core Infrastructure Initiative. Werner told us he only received permission to disclose it after our article published. Meanwhile, since our story was posted, donations flooded Werner's website donation page and he reached his funding goal of $137,000. In addition, Facebook and the online payment processor Stripe each pledged to donate $50,000 a year to Koch’s project.

  24. ask NSA IS IT GOOD?

  25. NSA struggling to crack the AES encryption standard

  26. some observers are worried that the NSA's efforts may have succeeded in the two years since.

  27. • AES - symmetric algorithm • Shared key AES

  28. “No decrypt available for this PGP encrypted message.” - NSA PGP

  29. PGP Basics ALICE RABBIT public private public private

  30. •Created in 1991 by Phil Zimmermann •OpenPGP •RFC 4880 in 2007 PGP

  31. •Pretty Good Privacy •Protocol •Web of trust PGP

  32. •IDEA •TripleDES •CAST5 •Blowfish •AES •Twofish •Private/Experimental algorithms OpenPGP

  33. •MD5 •SHA-1 •SHA-2 •RIPE-MD/160 •Private/Experimental algorithm OpenPGP

  34. •RSA •Elgamal •DSA •Elliptic Curve •ECDSA •Diffie-Hellman •Private/Experimental algorithm OpenPGP

  35. OpenPGP

  36. “PGP 2.6.x - This version of PGP has many variants, hence the term PGP 2.6.x. It used only RSA, MD5, and IDEA for its cryptographic transforms.” OpenPGP

  37. “PGP 5.x - This version of PGP is formerly known as "PGP 3" in the community and also in the predecessor of this document, RFC 1991. It has new formats and corrects a number of problems in the PGP 2.6.x design.” OpenPGP

  38. “GnuPG is an OpenPGP implementation that avoids all encumbered algorithms. Consequently, early versions of GnuPG did not include RSA public keys. GnuPG may or may not have (depending on version) support for IDEA or other encumbered algorithms.” OpenPGP

  39. • 17 packets (keys, subkeys, signatures, subsignatures, data packets) • 12 variants of Signature packet • 7 variants of Key packet • 9 types of messages • versioned packet: version 3, version 4 OpenPGP

  40. versioned headers •old format •new format OpenPGP

  41. •hardcoded values •exceptions to the rules OpenPGP

  42. how do I know? I was there been there, done that

  43. Why? ObjectivePGP

  44. ObjectivePGP •GPGME by GnuPG • licence issue •NetPGP by NetBSD • not maintained, crashing. •UNNetPGP (wrapper) •NetPGP based PGP library for iOS

  45. •Native implementation ObjectivePGP

  46. PGP is hard ObjectivePGP

  47. •PGP is good •why not give it a try ObjectivePGP

  48. •“for fun” implementation •Released • closed-source project •Available on GitHub • krzyzanowskim/ObjectivePGP ObjectivePGP

  49. •Maintaining •A lot of people ask for sources •Not really interested in contribution •because it’s hard •nobody has budget for components ObjectivePGP

  50. ObjectivePGP

  51. ObjectivePGP

  52. •Plans ObjectivePGP

  53. None
  54. !!!!!

  55. There must be an easier way. Privacy app is an attempt to make PGP as easy as possible. privacyapp.io

  56. Privacy

  57. Privacy key server app e-mail address public key PROFIT

  58. •What is it •encryptor •What it is NOT •decryptor (yet) Privacy

  59. Privacy is driven by ObjectivePGP Privacy + ObjectivePGP

  60. None
  61. In Swift we trust CryptoSwift said no one ever

  62. •Because I can •Because I’m an engineer CryptoSwift

  63. •Because I’m curious CryptoSwift

  64. •What’s inside •AES •ChaCha20 CryptoSwift

  65. •What’s inside •SHA-1, SHA2 •MD5, CRC CryptoSwift

  66. •What’s inside •Poly1305 •HMAC CryptoSwift

  67. •What’s inside •ECB Electronic codebook •CBC Cipher-block chaining •CFB Cipher feedback •PKCS7 CryptoSwift

  68. •maintaining •fundamental questions are fine •code in PHP is fine •misusing AES is bad, but asking is fine •nobody really contributes back because everybody thinks it is too hard CryptoSwift

  69. CryptoSwift

  70. CryptoSwift

  71. CryptoSwift

  72. Build things! because you can You Marcin Krzyżanowski @krzyzanowskim http://krzyzanowskim.com

  73. • http://cr.yp.to • https://privacyapp.io • https://github.com/krzyzanowskim/ObjectivePGP • https://github.com/krzyzanowskim/CryptoSwift • http://blog.krzyzanowskim.com links
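
Slides 39 and 40 name the versioned packet headers (old format, new format) as one source of OpenPGP's complexity. The following is an added example, not code from the talk or from ObjectivePGP: it parses both header layouts as defined in RFC 4880 section 4.2 and rejects length fields that overrun the input. The function names and the sample bytes are constructed for illustration.

```python
import struct

def parse_header(buf, pos=0):
    """Return (format, tag, header_len, body_len, partial) for the packet at pos.
    body_len is None for an old-format indeterminate length."""
    if pos >= len(buf):
        raise ValueError("truncated: no packet tag octet")
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("bit 7 of the packet tag octet must be set")
    def need(n):  # read n length octets, refusing to run past the input
        chunk = buf[pos + 1:pos + 1 + n]
        if len(chunk) != n:
            raise ValueError("truncated length field")
        return chunk
    if first & 0x40:  # new format: 6-bit tag, length encoded in 1, 2 or 5 octets
        tag = first & 0x3F
        o1 = need(1)[0]
        if o1 < 192:
            return "new", tag, 2, o1, False
        if o1 < 224:
            return "new", tag, 3, ((o1 - 192) << 8) + need(2)[1] + 192, False
        if o1 == 255:
            return "new", tag, 6, struct.unpack(">I", need(5)[1:])[0], False
        return "new", tag, 2, 1 << (o1 & 0x1F), True  # partial body chunk
    tag = (first >> 2) & 0x0F  # old format: 4-bit tag, 2-bit length type
    ltype = first & 0x03
    if ltype == 3:
        return "old", tag, 1, None, False  # indeterminate: runs to end of input
    n = (1, 2, 4)[ltype]
    return "old", tag, 1 + n, int.from_bytes(need(n), "big"), False

def walk(buf):
    """List (format, tag, body_len) for consecutive packets; reject overruns."""
    out, pos = [], 0
    while pos < len(buf):
        fmt, tag, hlen, blen, partial = parse_header(buf, pos)
        if partial:
            raise ValueError("partial body lengths not handled in this example")
        end = len(buf) if blen is None else pos + hlen + blen
        if end > len(buf):
            raise ValueError("declared body length exceeds available data")
        out.append((fmt, tag, end - pos - hlen))
        pos = end
    return out

# Constructed sample: old-format tag 11, new-format tag 2 and tag 13 (dummy bodies).
SAMPLE = (bytes([0xAC, 3]) + b"abc" + bytes([0xC2, 192, 8]) + bytes(200)
          + bytes([0xCD, 255, 0, 0, 0, 2]) + b"hi")
```

`walk(SAMPLE)` returns one tuple per packet. Only the headers are interpreted, so the bodies in the sample are filler bytes rather than valid packet contents.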