Crypto 101 (en)

875e2bcfb1dc37d05adebcf72269dc77?s=47 Oliver Milke
June 18, 2018
Technology
0
53

Crypto 101 (en)

875e2bcfb1dc37d05adebcf72269dc77?s=128

Oliver Milke

June 18, 2018
Tweet

Want more?

875e2bcfb1dc37d05adebcf72269dc77?s=48 omilke
0
42
875e2bcfb1dc37d05adebcf72269dc77?s=48 omilke
0
15
875e2bcfb1dc37d05adebcf72269dc77?s=48 omilke
0
10
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
8
430
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
1
240
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
0
150
61857dafbd287b3027c4dcea9008ad3c?s=48 carmenhchung
6
290
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
6
200
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
3
290
C35e01544a0dd94a2cf1619ee8a42ebb?s=48 clairelew
4
540
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
1
150
B3ace07412a5178ea778e7eec161fc0a?s=48 jcasabona
4
240

Transcript

  1. 1.

    @OliverMilke @cloudogu

  2. 2.

    meta 1 Outline | Differentiation 2 About Key Pairs and

    Certificates 3 Cipher Suites 4
  3. 3.

    Developers? 1 Dev Ops? 2

  4. 4.

    Terms / Concepts • Things I stumbled over myself •

    Practise-oriented, not from Scratch  Crypto is hard to get right • Dutch Election Security Talk 
  5. 5.

    • > 10 years of Software Development • Crypto and

    Security for Mobile Online Services @VW • Software Craftsman @Cloudogu EcoSystem • JUG Ostfalen • Fitness / Freeletics Oliver Milke Software Craftsman https://stackoverflow.com/users/2108 919/omilke https://twitter.com/OliverMilke http://oliver-milke.de/ https://github.com/omilke
  6. 6.

    meta 1 Outline | Differentiation 2 About Key Pairs and

    Certificates 3 Cipher Suites 4
  7. 7.

    Cryptology Security Cryptography Cryptanalysis … Awareness Processes

  8. 8.

    https://www.xkcd.com/538/

  9. 9.

    Confidentiality Integrity Authenticity

  10. 10.

    SQL encrypted?  Authorization: Basic d2lraTpwZWRpYQ==  Security through secrecy

    of the keys • not secrecy of algorithm • Opposite: Security By Obscurity 
  11. 11.

    Symmetric Encryption • 1 key for encryption / decryption •

    fast • Stream Cipher • Block Cipher • Various modes of operation • AES − Rijndael Cipher Cryptographic Hash • One-way function • Resistance to collions • MD*, SHA-*, bCyrpt
  12. 12.

    Digital Signature • Asymmetrically encrypted hash Asymmetric Encryption • 2

    inverse keys (Key Pair) • Operations can be reversed with the other keys • slow
  13. 13.

    Cryptographically Secure Pseudo-Random Number Generator • True randomness by a

    machine? • Nonces • Protection against Replay
  14. 14.

    one-way functions • „forwards“ easy • „backwards“ hard as in

    computationally complex  Examples • Multiplication of large primes − RSA • Modular exponentiation − Diffie-Hellman, ElGamal − finite fields / elliptic curves • AES 
  15. 15.

    Specification  Implementation Side Channel Attacks 

  16. 16.

    https://www.xkcd.com/936/

  17. 17.

    Storing for authentication ? Salt • Individual for each password

     Pepper • Common for all passwords ! Argon2  PBKDF2  sCrypt / bCrypt 
  18. 18.

    One-way function  Integrity can be verified  Insecure transmission

    • Exchanging original and hash is possible  1010001 Hash
  19. 19.

    Hash Insecure transmission • Exchanging requires secret  H-MAC +

    Shared Secret Integrity and Authenticity • Proves knowledge of secret  1010001 0110000
  20. 20.

    meta 1 Outline | Differentiation 2 About Key Pairs and

    Certificates …or: what is a Trust Anchor? 3 Cipher Suites 4
  21. 21.

    Server Client

  22. 22.

    Intermediate Certificate Server Certificate Certificate Authority (CA) Root Certificate Client

    Server
  23. 23.

    meta 1 Outline | Differentiation 2 About Key Pairs and

    Certificates 3 ECDHE-ECDSA-AES256-GCM-SHA384 …or: what is a Cipher Suite? 4
  24. 24.

    Connection is encrypted  But how? TLS handshake for agreeing

    on Cipher Suite ? ECDHE-ECDSA-AES256-GCM-SHA384 ✓ ECDHE-ECDSA-AES256-GCM-SHA384 ✓
  25. 25.

    Encrypted connection • AES256-GCM-SHA384  But which key? • ECDHE-ECDSA-AES256-GCM-SHA384

  26. 26.

    Encrypted connection • AES256-GCM-SHA384 • Key Exchange via ECDHE 

    But is it the expected service? • ECDHE-ECDSA-AES256-GCM-SHA384 
  27. 27.

    Crypto-System with employed primitves • constants describing details  Depending

    on the protocol • Example is TLS 1.2 • TLS 1.3 employs different concepts 
  28. 28.
    None
  29. 29.

    Storing passwords ? Mobile Online Services ?

  30. 30.

    Crypto Lib (bCrypt) http://www.bouncycastle.org/java.html  Password Policy http://www.passay.org/ (formerly vt-password)

  31. 31.

    Password Hashing security.stackexchange.com Thread  OWASP Password Storage Cheat Sheet

    https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet  OWASP Forgot Password Cheat Sheet https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet 
  32. 32.

    Qualys SSL Lab Server Test https://www.ssllabs.com/ssltest/ ! Mozilla Config Generator

    https://mozilla.github.io/server-side-tls/ssl-config-generator/ ! Bruce Schneier https://www.schneier.com/  Security Assessment https://www.keylength.com/ 
  33. 33.

    Thank you feedback plz Get in touch • https://twitter.com/OliverMilke •

    http://oliver-milke.de/ • dev@oliver-milke.de • https://cloudogu.com/en/blog/Crypto-101