Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Crypto 101 (en)

875e2bcfb1dc37d05adebcf72269dc77?s=47 Oliver Milke
June 18, 2018
Technology
0
59

Crypto 101 (en)

875e2bcfb1dc37d05adebcf72269dc77?s=128

Oliver Milke

June 18, 2018
Tweet

More Decks by Oliver Milke

See All by Oliver Milke
875e2bcfb1dc37d05adebcf72269dc77?s=48 omilke
1
250
875e2bcfb1dc37d05adebcf72269dc77?s=48 omilke
0
43
875e2bcfb1dc37d05adebcf72269dc77?s=48 omilke
0
16
875e2bcfb1dc37d05adebcf72269dc77?s=48 omilke
0
12

Other Decks in Technology

See All in Technology
19fc8f6113c5c3d86e6176362ff29479?s=48 kanaugust
PRO
0
180
Dca4f8abd1e78940052ee52c85c4d2ed?s=48 shimacos
2
350
9b63847a4c413a2604e1d64e5d595dab?s=48 humank
0
220
4365312f9f662ab058e50d1459165e5f?s=48 y0hgi
1
400
979f8815a9d4604d87f54b8394c503bd?s=48 bufferings
2
3.4k
2ee165e506f59e3fe6f463bf7f150ccb?s=48 minamizaki
0
710
19fc8f6113c5c3d86e6176362ff29479?s=48 kanaugust
PRO
0
110
79c9f45e8a3cd4bfa9d7292adb3a6dc0?s=48 kraj
0
5.2k
1896b034326abb4bc429d6718dc6a42e?s=48 shomaekawa
3
1.3k
19fc8f6113c5c3d86e6176362ff29479?s=48 kanaugust
PRO
0
240
35f1e35d8c02c612e281c6c7a9d22341?s=48 hirosys
0
140
71c9ebde850996d2533c5df4df2c93c6?s=48 opdavies
0
1.6k

Featured

See All Featured
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
27
1.9k
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
5
660
D8fc2580cfaca035f666d9e4ee79a7f7?s=48 mongodb
23
3.8k
39488f9d172ab92fd352f2cd7b73258d?s=48 mza
80
4.1k
016edace78ffe826f2348d1e0c504afd?s=48 maggiecrowley
8
430
F29327647a9cff5c69618bae420792ea?s=48 tenderlove
52
3.4k
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
437
28k
Aebc2d07a50011e2a30d38435fde564a?s=48 jrom
114
7.1k
61857dafbd287b3027c4dcea9008ad3c?s=48 carmenhchung
26
1.3k
Aff5641764408271f7bc398f2097edd0?s=48 denniskardys
220
120k
Ba530e786553390f3fb271848485681c?s=48 3n
163
22k
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
4
550

Transcript

  1. @OliverMilke @cloudogu

  2. meta 1 Outline | Differentiation 2 About Key Pairs and

    Certificates 3 Cipher Suites 4

  3. Developers? 1 Dev Ops? 2

  4. Terms / Concepts • Things I stumbled over myself •

    Practise-oriented, not from Scratch  Crypto is hard to get right • Dutch Election Security Talk 

  5. • > 10 years of Software Development • Crypto and

    Security for Mobile Online Services @VW • Software Craftsman @Cloudogu EcoSystem • JUG Ostfalen • Fitness / Freeletics Oliver Milke Software Craftsman https://stackoverflow.com/users/2108 919/omilke https://twitter.com/OliverMilke http://oliver-milke.de/ https://github.com/omilke

  6. meta 1 Outline | Differentiation 2 About Key Pairs and

    Certificates 3 Cipher Suites 4

  7. Cryptology Security Cryptography Cryptanalysis … Awareness Processes

  8. https://www.xkcd.com/538/

  9. Confidentiality Integrity Authenticity

  10. SQL encrypted?  Authorization: Basic d2lraTpwZWRpYQ==  Security through secrecy

    of the keys • not secrecy of algorithm • Opposite: Security By Obscurity 

  11. Symmetric Encryption • 1 key for encryption / decryption •

    fast • Stream Cipher • Block Cipher • Various modes of operation • AES − Rijndael Cipher Cryptographic Hash • One-way function • Resistance to collions • MD*, SHA-*, bCyrpt

  12. Digital Signature • Asymmetrically encrypted hash Asymmetric Encryption • 2

    inverse keys (Key Pair) • Operations can be reversed with the other keys • slow

  13. Cryptographically Secure Pseudo-Random Number Generator • True randomness by a

    machine? • Nonces • Protection against Replay

  14. one-way functions • „forwards“ easy • „backwards“ hard as in

    computationally complex  Examples • Multiplication of large primes − RSA • Modular exponentiation − Diffie-Hellman, ElGamal − finite fields / elliptic curves • AES 

  15. Specification  Implementation Side Channel Attacks 

  16. https://www.xkcd.com/936/

  17. Storing for authentication ? Salt • Individual for each password

     Pepper • Common for all passwords ! Argon2  PBKDF2  sCrypt / bCrypt 

  18. One-way function  Integrity can be verified  Insecure transmission

    • Exchanging original and hash is possible  1010001 Hash

  19. Hash Insecure transmission • Exchanging requires secret  H-MAC +

    Shared Secret Integrity and Authenticity • Proves knowledge of secret  1010001 0110000

  20. meta 1 Outline | Differentiation 2 About Key Pairs and

    Certificates …or: what is a Trust Anchor? 3 Cipher Suites 4

  21. Server Client

  22. Intermediate Certificate Server Certificate Certificate Authority (CA) Root Certificate Client

    Server

  23. meta 1 Outline | Differentiation 2 About Key Pairs and

    Certificates 3 ECDHE-ECDSA-AES256-GCM-SHA384 …or: what is a Cipher Suite? 4

  24. Connection is encrypted  But how? TLS handshake for agreeing

    on Cipher Suite ? ECDHE-ECDSA-AES256-GCM-SHA384 ✓ ECDHE-ECDSA-AES256-GCM-SHA384 ✓

  25. Encrypted connection • AES256-GCM-SHA384  But which key? • ECDHE-ECDSA-AES256-GCM-SHA384

  26. Encrypted connection • AES256-GCM-SHA384 • Key Exchange via ECDHE 

    But is it the expected service? • ECDHE-ECDSA-AES256-GCM-SHA384 

  27. Crypto-System with employed primitves • constants describing details  Depending

    on the protocol • Example is TLS 1.2 • TLS 1.3 employs different concepts 
  28. None

  29. Storing passwords ? Mobile Online Services ?

  30. Crypto Lib (bCrypt) http://www.bouncycastle.org/java.html  Password Policy http://www.passay.org/ (formerly vt-password)

  31. Password Hashing security.stackexchange.com Thread  OWASP Password Storage Cheat Sheet

    https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet  OWASP Forgot Password Cheat Sheet https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet 

  32. Qualys SSL Lab Server Test https://www.ssllabs.com/ssltest/ ! Mozilla Config Generator

    https://mozilla.github.io/server-side-tls/ssl-config-generator/ ! Bruce Schneier https://www.schneier.com/  Security Assessment https://www.keylength.com/ 

  33. Thank you feedback plz Get in touch • https://twitter.com/OliverMilke •

    http://oliver-milke.de/ • dev@oliver-milke.de • https://cloudogu.com/en/blog/Crypto-101