Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Crypto 101 (en)
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
Oliver Milke
June 18, 2018
Technology
310
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Crypto 101 (en)
Oliver Milke
June 18, 2018
More Decks by Oliver Milke
See All by Oliver Milke
Crypto 101
omilke
2
900
Jenkins Pipelines in Continuous Action
omilke
0
96
Jenkins Pipelines in Continuous Action (english)
omilke
0
69
4 Kids - Nachwuchsförderung unter der Lupe
omilke
0
63
Other Decks in Technology
See All in Technology
なぜ人は自分のプロジェクトを 「なんちゃってアジャイル」と 自嘲するのか
kozotaira
0
250
背中から、背中へ /paying forward to community
naitosatoshi
0
220
5分でわかる Amazon Connect_20260608
hwangbyeonghun
0
180
依頼文化をやめる日 EM視点で語るPlatform EngineeringとInclusive SRE / Discussing Platform Engineering and Inclusive SRE from an EM's Perspective
shin1988
3
1.7k
「ちゃんとやっている」は独りよがりだった ― 不安に寄り添うインシデント対応へ / Towards incident response that addresses anxieties
chmikata
1
520
Keeping applications secure by evolving OAuth 2.0 and OpenID Connect
ahus1
PRO
1
140
初めてのDatabricks勉強会
taka_aki
2
230
ループエンジニアリングでE2Eテストを実践
noriyukitakei
0
270
飲食店もAIで。レジ締めやハンディシステムをつくってる話 / Using AI for restaurant management
vtryo
0
240
組織における AI-DLC 実践
askul
0
310
インフラ寄りSREでも 開発に踏み出せる〜境界を越えてユーザー体験に向き合いたい〜
sansantech
PRO
0
480
Mastraエージェント、どのクラウドにデプロイする?
minorun365
PRO
2
170
Featured
See All Featured
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
31
3.2k
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
akashhashmi
0
380
Agile Actions for Facilitating Distributed Teams - ADO2019
mkilby
0
220
How to build an LLM SEO readiness audit: a practical framework
nmsamuel
1
800
The SEO Collaboration Effect
kristinabergwall1
1
500
sira's awesome portfolio website redesign presentation
elsirapls
0
290
Agile that works and the tools we love
rasmusluckow
331
22k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
46
2.9k
BBQ
matthewcrist
89
10k
Beyond borders and beyond the search box: How to win the global "messy middle" with AI-driven SEO
davidcarrasco
3
180
Bioeconomy Workshop: Dr. Julius Ecuru, Opportunities for a Bioeconomy in West Africa
akademiya2063
PRO
1
170
Building a A Zero-Code AI SEO Workflow
portentint
PRO
0
620
Transcript
@OliverMilke @cloudogu
meta 1 Outline | Differentiation 2 About Key Pairs and
Certificates 3 Cipher Suites 4
Developers? 1 Dev Ops? 2
Terms / Concepts • Things I stumbled over myself •
Practise-oriented, not from Scratch Crypto is hard to get right • Dutch Election Security Talk
• > 10 years of Software Development • Crypto and
Security for Mobile Online Services @VW • Software Craftsman @Cloudogu EcoSystem • JUG Ostfalen • Fitness / Freeletics Oliver Milke Software Craftsman https://stackoverflow.com/users/2108 919/omilke https://twitter.com/OliverMilke http://oliver-milke.de/ https://github.com/omilke
meta 1 Outline | Differentiation 2 About Key Pairs and
Certificates 3 Cipher Suites 4
Cryptology Security Cryptography Cryptanalysis … Awareness Processes
https://www.xkcd.com/538/
Confidentiality Integrity Authenticity
SQL encrypted? Authorization: Basic d2lraTpwZWRpYQ== Security through secrecy
of the keys • not secrecy of algorithm • Opposite: Security By Obscurity
Symmetric Encryption • 1 key for encryption / decryption •
fast • Stream Cipher • Block Cipher • Various modes of operation • AES − Rijndael Cipher Cryptographic Hash • One-way function • Resistance to collions • MD*, SHA-*, bCyrpt
Digital Signature • Asymmetrically encrypted hash Asymmetric Encryption • 2
inverse keys (Key Pair) • Operations can be reversed with the other keys • slow
Cryptographically Secure Pseudo-Random Number Generator • True randomness by a
machine? • Nonces • Protection against Replay
one-way functions • „forwards“ easy • „backwards“ hard as in
computationally complex Examples • Multiplication of large primes − RSA • Modular exponentiation − Diffie-Hellman, ElGamal − finite fields / elliptic curves • AES
Specification Implementation Side Channel Attacks
https://www.xkcd.com/936/
Storing for authentication ? Salt • Individual for each password
Pepper • Common for all passwords ! Argon2 PBKDF2 sCrypt / bCrypt
One-way function Integrity can be verified Insecure transmission
• Exchanging original and hash is possible 1010001 Hash
Hash Insecure transmission • Exchanging requires secret H-MAC +
Shared Secret Integrity and Authenticity • Proves knowledge of secret 1010001 0110000
meta 1 Outline | Differentiation 2 About Key Pairs and
Certificates …or: what is a Trust Anchor? 3 Cipher Suites 4
Server Client
Intermediate Certificate Server Certificate Certificate Authority (CA) Root Certificate Client
Server
meta 1 Outline | Differentiation 2 About Key Pairs and
Certificates 3 ECDHE-ECDSA-AES256-GCM-SHA384 …or: what is a Cipher Suite? 4
Connection is encrypted But how? TLS handshake for agreeing
on Cipher Suite ? ECDHE-ECDSA-AES256-GCM-SHA384 ✓ ECDHE-ECDSA-AES256-GCM-SHA384 ✓
Encrypted connection • AES256-GCM-SHA384 But which key? • ECDHE-ECDSA-AES256-GCM-SHA384
Encrypted connection • AES256-GCM-SHA384 • Key Exchange via ECDHE
But is it the expected service? • ECDHE-ECDSA-AES256-GCM-SHA384
Crypto-System with employed primitves • constants describing details Depending
on the protocol • Example is TLS 1.2 • TLS 1.3 employs different concepts
None
Storing passwords ? Mobile Online Services ?
Crypto Lib (bCrypt) http://www.bouncycastle.org/java.html Password Policy http://www.passay.org/ (formerly vt-password)
Password Hashing security.stackexchange.com Thread OWASP Password Storage Cheat Sheet
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet OWASP Forgot Password Cheat Sheet https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
Qualys SSL Lab Server Test https://www.ssllabs.com/ssltest/ ! Mozilla Config Generator
https://mozilla.github.io/server-side-tls/ssl-config-generator/ ! Bruce Schneier https://www.schneier.com/ Security Assessment https://www.keylength.com/
Thank you feedback plz Get in touch • https://twitter.com/OliverMilke •
http://oliver-milke.de/ •
[email protected]
• https://cloudogu.com/en/blog/Crypto-101