Crypto 101 (en)
Oliver Milke
June 18, 2018
Transcript
@OliverMilke @cloudogu
1. meta
2. Outline | Differentiation
3. About Key Pairs and Certificates
4. Cipher Suites
Developers? 1 Dev Ops? 2
Terms / Concepts
• Things I stumbled over myself
• Practice-oriented, not from Scratch

Crypto is hard to get right
• Dutch Election Security Talk

Oliver Milke
Software Craftsman
• > 10 years of Software Development
• Crypto and Security for Mobile Online Services @VW
• Software Craftsman @Cloudogu EcoSystem
• JUG Ostfalen
• Fitness / Freeletics
https://stackoverflow.com/users/2108919/omilke
https://twitter.com/OliverMilke
http://oliver-milke.de/
https://github.com/omilke
Cryptology Security Cryptography Cryptanalysis … Awareness Processes
https://www.xkcd.com/538/
Confidentiality Integrity Authenticity
SQL encrypted?
Authorization: Basic d2lraTpwZWRpYQ==

Security through secrecy of the keys
• not secrecy of algorithm
• Opposite: Security By Obscurity

Symmetric Encryption
• 1 key for encryption / decryption
• fast
• Stream Cipher
• Block Cipher
• Various modes of operation
• AES
  − Rijndael Cipher

Cryptographic Hash
• One-way function
• Resistance to collisions
• MD*, SHA-*, bCrypt

Digital Signature
• Asymmetrically encrypted hash

Asymmetric Encryption
• 2 inverse keys (Key Pair)
• Operations can be reversed with the other key
• slow

Cryptographically Secure Pseudo-Random Number Generator
• True randomness by a machine?
• Nonces
• Protection against Replay

One-way functions
• "forwards" easy
• "backwards" hard, as in computationally complex

Examples
• Multiplication of large primes
  − RSA
• Modular exponentiation
  − Diffie-Hellman, ElGamal
  − finite fields / elliptic curves
• AES
Specification Implementation Side Channel Attacks
https://www.xkcd.com/936/
Storing for authentication?
Salt
• Individual for each password
Pepper
• Common for all passwords
! Argon2, PBKDF2, sCrypt / bCrypt

Hash
• One-way function
• Integrity can be verified
Insecure transmission
• Exchanging original and hash is possible
[Diagram: 1010001, Hash]

HMAC + Shared Secret
• Integrity and Authenticity
• Proves knowledge of secret
Insecure transmission
• Exchanging requires secret
[Diagram: Hash, 1010001, 0110000]
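
The two slides above, as an added example that is not part of the original deck: a bare hash sent alongside the message still verifies after both are exchanged, while an HMAC tag cannot be recomputed without the shared secret. The sample messages and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def sha256_tag(message: bytes) -> bytes:
    """Plain hash: no secret involved, so anyone can compute it."""
    return hashlib.sha256(message).digest()


def hmac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256: only holders of the shared secret can compute it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_hash(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sha256_tag(message), tag)


def verify_hmac(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time, so the comparison itself
    # does not leak how many leading bytes of the tag were correct.
    return hmac.compare_digest(hmac_tag(key, message), tag)


def demo() -> dict:
    shared_secret = secrets.token_bytes(32)          # sender and receiver only
    original = b"transfer 10 EUR to account 1234"    # constructed sample
    replaced = b"transfer 9000 EUR to account 6666"  # arrives after the exchange

    # On the insecure channel, message *and* hash are exchanged together.
    swapped_hash = sha256_tag(replaced)
    # Without the secret, a tag can only be built from a guessed key.
    guessed_key_tag = hmac_tag(secrets.token_bytes(32), replaced)
    genuine_tag = hmac_tag(shared_secret, original)

    return {
        "hash_accepts_original": verify_hash(original, sha256_tag(original)),
        "hash_accepts_exchanged_pair": verify_hash(replaced, swapped_hash),
        "hmac_accepts_original": verify_hmac(shared_secret, original, genuine_tag),
        "hmac_accepts_exchanged_pair": verify_hmac(shared_secret, replaced, guessed_key_tag),
        "hmac_accepts_old_tag_on_new_message": verify_hmac(shared_secret, replaced, genuine_tag),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```
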

3. About Key Pairs and Certificates
…or: what is a Trust Anchor?
[Diagram: Server, Client]
[Diagram: Certificate Authority (CA), Root Certificate, Intermediate Certificate, Server Certificate, Server, Client]

4. ECDHE-ECDSA-AES256-GCM-SHA384
…or: what is a Cipher Suite?

Connection is encrypted
But how?
TLS handshake for agreeing on Cipher Suite
? ECDHE-ECDSA-AES256-GCM-SHA384 ✓ ECDHE-ECDSA-AES256-GCM-SHA384 ✓

Encrypted connection
• AES256-GCM-SHA384
But which key?
• ECDHE-ECDSA-AES256-GCM-SHA384

Encrypted connection
• AES256-GCM-SHA384
• Key Exchange via ECDHE
But is it the expected service?
• ECDHE-ECDSA-AES256-GCM-SHA384

Crypto-System with employed primitives
• constants describing details
Depending on the protocol
• Example is TLS 1.2
• TLS 1.3 employs different concepts
Storing passwords ? Mobile Online Services ?

Crypto Lib (bCrypt)
• http://www.bouncycastle.org/java.html
Password Policy
• http://www.passay.org/ (formerly vt-password)

Password Hashing
• security.stackexchange.com Thread
• OWASP Password Storage Cheat Sheet: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
• OWASP Forgot Password Cheat Sheet: https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet

• Qualys SSL Lab Server Test: https://www.ssllabs.com/ssltest/ !
• Mozilla Config Generator: https://mozilla.github.io/server-side-tls/ssl-config-generator/ !
• Bruce Schneier: https://www.schneier.com/
• Security Assessment: https://www.keylength.com/

Thank you
feedback plz
Get in touch
• https://twitter.com/OliverMilke
• http://oliver-milke.de/
• dev@oliver-milke.de
• https://cloudogu.com/en/blog/Crypto-101