Crypto 101 (en)

@OliverMilke @cloudogu

meta 1 Outline | Differentiation 2 About Key Pairs and
Certificates 3 Cipher Suites 4

Developers? 1 Dev Ops? 2

Terms / Concepts • Things I stumbled over myself •
Practise-oriented, not from Scratch  Crypto is hard to get right • Dutch Election Security Talk 

• > 10 years of Software Development • Crypto and
Security for Mobile Online Services @VW • Software Craftsman @Cloudogu EcoSystem • JUG Ostfalen • Fitness / Freeletics Oliver Milke Software Craftsman https://stackoverflow.com/users/2108 919/omilke https://twitter.com/OliverMilke http://oliver-milke.de/ https://github.com/omilke

Certificates 3 Cipher Suites 4

Cryptology Security Cryptography Cryptanalysis … Awareness Processes

https://www.xkcd.com/538/

Confidentiality Integrity Authenticity

SQL encrypted?  Authorization: Basic d2lraTpwZWRpYQ==  Security through secrecy
of the keys • not secrecy of algorithm • Opposite: Security By Obscurity 

Symmetric Encryption • 1 key for encryption / decryption •
fast • Stream Cipher • Block Cipher • Various modes of operation • AES − Rijndael Cipher Cryptographic Hash • One-way function • Resistance to collions • MD*, SHA-*, bCyrpt

Digital Signature • Asymmetrically encrypted hash Asymmetric Encryption • 2
inverse keys (Key Pair) • Operations can be reversed with the other keys • slow

Cryptographically Secure Pseudo-Random Number Generator • True randomness by a
machine? • Nonces • Protection against Replay

one-way functions • „forwards“ easy • „backwards“ hard as in
computationally complex  Examples • Multiplication of large primes − RSA • Modular exponentiation − Diffie-Hellman, ElGamal − finite fields / elliptic curves • AES 

Specification  Implementation Side Channel Attacks 

https://www.xkcd.com/936/

Storing for authentication ? Salt • Individual for each password
 Pepper • Common for all passwords ! Argon2  PBKDF2  sCrypt / bCrypt 

One-way function  Integrity can be verified  Insecure transmission
• Exchanging original and hash is possible  1010001 Hash

Hash Insecure transmission • Exchanging requires secret  H-MAC +
Shared Secret Integrity and Authenticity • Proves knowledge of secret  1010001 0110000

Certificates …or: what is a Trust Anchor? 3 Cipher Suites 4

Server Client

Intermediate Certificate Server Certificate Certificate Authority (CA) Root Certificate Client
Server

Certificates 3 ECDHE-ECDSA-AES256-GCM-SHA384 …or: what is a Cipher Suite? 4

Connection is encrypted  But how? TLS handshake for agreeing
on Cipher Suite ? ECDHE-ECDSA-AES256-GCM-SHA384 ✓ ECDHE-ECDSA-AES256-GCM-SHA384 ✓

Encrypted connection • AES256-GCM-SHA384  But which key? • ECDHE-ECDSA-AES256-GCM-SHA384


Encrypted connection • AES256-GCM-SHA384 • Key Exchange via ECDHE 
But is it the expected service? • ECDHE-ECDSA-AES256-GCM-SHA384 

Crypto-System with employed primitves • constants describing details  Depending
on the protocol • Example is TLS 1.2 • TLS 1.3 employs different concepts 

Storing passwords ? Mobile Online Services ?

Crypto Lib (bCrypt) http://www.bouncycastle.org/java.html  Password Policy http://www.passay.org/ (formerly vt-password)


Password Hashing security.stackexchange.com Thread  OWASP Password Storage Cheat Sheet
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet  OWASP Forgot Password Cheat Sheet https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet 

Qualys SSL Lab Server Test https://www.ssllabs.com/ssltest/ ! Mozilla Config Generator
https://mozilla.github.io/server-side-tls/ssl-config-generator/ ! Bruce Schneier https://www.schneier.com/  Security Assessment https://www.keylength.com/ 

Thank you feedback plz Get in touch • https://twitter.com/OliverMilke •
http://oliver-milke.de/ • [email protected] • https://cloudogu.com/en/blog/Crypto-101

Crypto 101 (en)

Crypto 101 (en)

Oliver Milke

More Decks by Oliver Milke

Other Decks in Technology

Featured

Transcript

@OliverMilke @cloudogu

meta 1 Outline | Differentiation 2 About Key Pairs and

Developers? 1 Dev Ops? 2

Terms / Concepts • Things I stumbled over myself •

• > 10 years of Software Development • Crypto and

meta 1 Outline | Differentiation 2 About Key Pairs and

Cryptology Security Cryptography Cryptanalysis … Awareness Processes

https://www.xkcd.com/538/

Confidentiality Integrity Authenticity

SQL encrypted?  Authorization: Basic d2lraTpwZWRpYQ==  Security through secrecy

Symmetric Encryption • 1 key for encryption / decryption •

Digital Signature • Asymmetrically encrypted hash Asymmetric Encryption • 2

Cryptographically Secure Pseudo-Random Number Generator • True randomness by a

one-way functions • „forwards“ easy • „backwards“ hard as in

Specification  Implementation Side Channel Attacks 

https://www.xkcd.com/936/

Storing for authentication ? Salt • Individual for each password

One-way function  Integrity can be verified  Insecure transmission

Hash Insecure transmission • Exchanging requires secret  H-MAC +

meta 1 Outline | Differentiation 2 About Key Pairs and

Server Client

Intermediate Certificate Server Certificate Certificate Authority (CA) Root Certificate Client

meta 1 Outline | Differentiation 2 About Key Pairs and

Connection is encrypted  But how? TLS handshake for agreeing

Encrypted connection • AES256-GCM-SHA384  But which key? • ECDHE-ECDSA-AES256-GCM-SHA384

Encrypted connection • AES256-GCM-SHA384 • Key Exchange via ECDHE 

Crypto-System with employed primitves • constants describing details  Depending

Storing passwords ? Mobile Online Services ?

Crypto Lib (bCrypt) http://www.bouncycastle.org/java.html  Password Policy http://www.passay.org/ (formerly vt-password)

Password Hashing security.stackexchange.com Thread  OWASP Password Storage Cheat Sheet

Qualys SSL Lab Server Test https://www.ssllabs.com/ssltest/ ! Mozilla Config Generator

Thank you feedback plz Get in touch • https://twitter.com/OliverMilke •