Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Anastasiia Vixentael - Don’t Waste Time on Learning Cryptography: Better Use It Properly

OWASP Kyiv
December 04, 2017
Technology
0
120

Anastasiia Vixentael - Don’t Waste Time on Learning Cryptography: Better Use It Properly

Video: https://www.youtube.com/watch?v=SfuN-r3FpdY
OWASP Kyiv Winter 2017 Meetup, Dec 2, 2017
https://www.owasp.org/index.php/Kyiv

OWASP Kyiv

December 04, 2017
Tweet

More Decks by OWASP Kyiv

See All by OWASP Kyiv
Vlad Styran - OWASP Kyiv 2017 Report
owaspkyiv
0
56
Vlada Kulish - Why So Serial?
owaspkyiv
1
53
Roman Borodin - ISC2 & ISACA certification programs first-hand experience
owaspkyiv
0
66
Yevhen Teleshyk - OAuth Phishing
owaspkyiv
0
97
Ihor Blum - WebSockets
owaspkyiv
0
31
Vlad Styran - Cyber Security Economics 101
owaspkyiv
2
140
Dima Kovalenko - Modern SSL Pinning
owaspkyiv
0
70
Pavel Radchuk - SAMM: Understanding Agile in Security
owaspkyiv
0
270
Ivan Vyshnevskyi - Not So Quiet git push
owaspkyiv
0
130

Other Decks in Technology

See All in Technology
VSCodeの拡張機能を作っている話
ebarakazuhiro
1
810
社内アプリで Cloudflare D1を プロダクト運用してみた体験談(Tokyo)
haochenx
0
120
M5と自作基板をくっつけてみた〜M5 Japan Tour 2024 Spring 福冈 (Fukuoka|福岡)〜
keropiyo
0
130
【基本】データベース設計
oracle4engineer
PRO
2
180
GrafanaMeetup_AmazonManagedGrafanaのアクセス制御機能とマルチテナント環境下でのアクセス制御について
daitak
0
400
Max out Local LLM in Challenging Environments
sashimimochi
1
110
本当のAWS基礎
toru_kubota
1
630
One engineer company with Ruby on Rails
rstankov
2
430
EMとして2023年度に頑張ったこと / What we did well in FY2023 as a EM
pauli
1
250
LayerXにおけるLLMプロダクト開発の今までとこれから
layerx
PRO
4
700
BPStudyの200回を中心にIT業界を振り返る。そしてこれから
haru860
3
410
今さら聞けないDocker入門 〜 Dockerfileのベストプラクティス編
devops_vtj
4
540

Featured

See All Featured
Git: the NoSQL Database
bkeepers
PRO
423
63k
Practical Orchestrator
shlominoach
183
9.7k
[RailsConf 2023] Rails as a piece of cake
palkan
27
4k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
242
1.2M
A Modern Web Designer's Workflow
chriscoyier
689
190k
What the flash - Photography Introduction
edds
64
11k
The Cost Of JavaScript in 2023
addyosmani
20
3.9k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
21
1.9k
Why You Should Never Use an ORM
jnunemaker
PRO
51
8.7k
Large-scale JavaScript Application Architecture
addyosmani
504
110k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
14
1.5k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
14
1.5k

Transcript

  1. DON’T WASTE TIME ON LEARNING CRYPTOGRAPHY: BETTER USE IT PROPERLY

    #owaspkyiv @vixentael

  2. @vixentael Product Engineer Feel free to reach me with any

    mobile security questions. I do check my inbox :)
  3. None

  4. We want to protect our users’ data

  5. We want developers to protect data

  6. We want to protect our users’ data HOW? We want

    developers to protect data

  7. WE HAVE USER DATA. WHAT SHALL WE DO?

  8. #owaspkyiv @vixentael 1. DEFINING THE DATA SCOPE sensitive user data

    GDPR / HIPAA / PCI DSS tech data (keys, logs)

  9. #owaspkyiv @vixentael 1. DEFINING THE DATA SCOPE sensitive user data

    GDPR / HIPAA / PCI DSS tech data (keys, logs) mistake 1. wrong scope definition

  10. #owaspkyiv @vixentael 2. SELECTING ALGORITHM twofish sha1 des md5

  11. twofish sha1 des md5 #owaspkyiv @vixentael 2. SELECTING ALGORITHM mistake

    2. bad algo selection

  12. #owaspkyiv @vixentael THINGS TO DECIDE ON KEY LENGTH DATA SCOPE

    ALGORITHM

  13. #owaspkyiv @vixentael https://wiki.openssl.org/index.php/EVP_Symmetric_Encryption_and_Decryption 3. USING ALGORITHM

  14. #owaspkyiv @vixentael https://wiki.openssl.org/index.php/EVP_Symmetric_Encryption_and_Decryption 3. USING ALGORITHM

  15. #owaspkyiv @vixentael https://wiki.openssl.org/index.php/EVP_Symmetric_Encryption_and_Decryption 3. USING ALGORITHM mistake 3. wrong params

  16. #owaspkyiv @vixentael THINGS TO DECIDE ON PADDING KEY LENGTH MODE

    DATA SCOPE ALGORITHM IV

  17. #owaspkyiv @vixentael 4. KEY MANAGEMENT user password keys KDF

  18. #owaspkyiv @vixentael 4. KEY MANAGEMENT user password keys KDF mistake

    4. bad key management

  19. #owaspkyiv @vixentael THINGS TO DECIDE ON PADDING KEY LENGTH KEY

    ROTATION MODE KEY DERIVATION KEY STORAGE KEY EXCHANGE DATA SCOPE ALGORITHM IV KEY REVOCATION

  20. #owaspkyiv @vixentael 5. INFRASTRUCTURE

  21. #owaspkyiv @vixentael PADDING KEY LENGTH KEY ROTATION MODE KEY DERIVATION

    KEY STORAGE THINGS TO DECIDE ON KEY EXCHANGE BACKUPS PLATFORMS DATA SCOPE ALGORITHM IV KEY REVOCATION
  22. None

  23. #owaspkyiv @vixentael https://pdos.csail.mit.edu/papers/cryptobugs:apsys14.pdf 269 CVEs from 2011-2014 17% 83% bugs

    inside crypto libs misuses of crypto libs by individual apps

  24. AS USERS WE WANT… more ciphers? #owaspkyiv @vixentael

  25. AES DES 3DES CBC CFB SEAL Salsa20 RSA DSA #owaspkyiv

    @vixentael

  26. AES DES 3DES CBC CFB SEAL Salsa20 RSA DSA OFB

    SHARK RC4 DSS ECB CTR SEED #owaspkyiv @vixentael Blowfish

  27. AES DES 3DES CBC CFB SEAL Salsa20 RSA DSA OFB

    Blowfish SHARK RC4 DSS ECB CTR Twofish Camelia SEED Rabbit ECDSA #owaspkyiv @vixentael

  28. AS USERS WE WANT… more ciphers! more vulnerabilities! more side

    channel attacks! more attacks! more constant time checks :) more protocols! more patches! #owaspkyiv @vixentael
  29. None

  30. EXCITING, BUT FOR CRYPTO RESEARCHERS ONLY

  31. AS USERS WE WANT… more ciphers! BORING CRYPTO #owaspkyiv @vixentael

  32. BORING CRYPTO #owaspkyiv @vixentael — crypto that simply works, solidly

    resists attacks, never needs any upgrades https://cr.yp.to/talks/2015.10.05/slides-djb-20151005-a4.pdf Daniel J. Bernstein

  33. BORING CRYPTO #owaspkyiv @vixentael PLUG & PLAY

  34. WHAT DO WE WANT? instead of adjusting our resources —

    SOLVE USE-CASES!

  35. WHAT DO WE WANT? — HIGH-LEVEL FUNCTIONS I want to

    store data securely I want to send data securely I want to verify data integrity #owaspkyiv @vixentael

  36. WHAT DO WE WANT? store data securely send data securely

    verify data integrity key derivation key exchange key rotation sign/verify ephemeral keys encr / decr #owaspkyiv @vixentael — HIGH-LEVEL FUNCTIONS

  37. NOBODY READS DOCS #owaspkyiv @vixentael

  38. NOBODY READS DOCS #owaspkyiv @vixentael “docs are for experts” “I

    just want to try” “gimme code!”

  39. 1. HOW TO START? #owaspkyiv @vixentael pod try BoringSSL cmake

    -DANDROID_ABI=armeabi-v7a \ -DCMAKE_TOOLCHAIN_FILE=../third_party/ android-cmake/android.toolchain.cmake \ -DANDROID_NATIVE_API_LEVEL=16 \ -GNinja .. https://boringssl.googlesource.com/boringssl/+/HEAD/BUILDING.md

  40. #owaspkyiv @vixentael easy, architecture-independent installation 1. HOW TO START?

  41. 2. SUPPORTED PLATFORMS? #owaspkyiv @vixentael *nix OSX web browsers embedded

    iOS Android Windows minimum expected:

  42. #owaspkyiv @vixentael cross-platform is not an option anymore cross-platform is

    a must have 2. SUPPORTED PLATFORMS?

  43. OPTIONS WE HAVE

  44. #owaspkyiv @vixentael HSM

  45. #owaspkyiv @vixentael HARDWARE SECURITY MODULE key generation provides cryptoprocessing key

    storage portable

  46. #owaspkyiv @vixentael TRUSTED PLATFORM MODULE key management disk protection trust

    anchor built-in remote attestation provides cryptoprimitives

  47. #owaspkyiv @vixentael HSM & TPM: PROS fast hardware crypto! trusted

    environment known security guarantees keys calculations

  48. #owaspkyiv @vixentael HSM & TPM: CONS vendor lock / vendor

    trust bad for interactive encryption complicated to maintain (install, upgrade, support, not cross-platform)

  49. #owaspkyiv @vixentael HSM & TPM: PRO & CONS HSM app

    plaintext data plaintext data is far away from the place it is used

  50. #owaspkyiv @vixentael SOFTWARE CRYPTO SYSTEMS https://github.com/sobolevn/awesome-cryptography any kind of encryption

    plaintext data is closer to its usage cross-platform

  51. #owaspkyiv @vixentael SOFTWARE CRYPTO SYSTEMS https://github.com/sobolevn/awesome-cryptography any kind of encryption

    plaintext data is closer to its usage cross-platform NO DEVICE TRUST

  52. #owaspkyiv @vixentael WEBBROWSER CRYPTO: CONS DOM, XSS, NO CODE TRUST

  53. #owaspkyiv @vixentael HSM/TPM + SOFTWARE CS keys calculations TPM /

    HSM own software cross-platform take best from both
  54. None

  55. #owaspkyiv @vixentael cross-platform easy to install easy to use USING

    CRYPTO SHOULD BE LIKE.. audited open source time proven well-documented

  56. #owaspkyiv @vixentael crypto-libs crypto-systems boxed solutions

  57. #owaspkyiv @vixentael 1. CRYPTO-LIBS libsodium themis https://github.com/sobolevn/awesome-cryptography implements single or

    multiple security functions keyczar noise

  58. #owaspkyiv @vixentael EXAMPLE https://github.com/cossacklabs/themis/wiki/Python-Howto secure messaging with forward secrecy

  59. #owaspkyiv @vixentael 2. CRYPTO-SYSTEMS axolotl hermes combines security functions for

    solving exact use-case SSL/TLS ZeroKit

  60. #owaspkyiv @vixentael EXAMPLE https://github.com/cossacklabs/hermes-core/wiki/Python-tutorial data access control based on crypto-keys

    python docs/examples/python/hermes_client.py --id user1 --config=docs/examples/python/config.json --private_key user1.priv --doc testfile --read

  61. #owaspkyiv @vixentael 3. BOXED SOLUTIONS truecrypt ssh acra vault unites

    crypto-systems and user functions for solving problems

  62. #owaspkyiv @vixentael EXAMPLE https://github.com/cossacklabs/acra/wiki/Trying-Acra-with-Docker database proxy for encrypting / decrypting

    go run cmd/acra_genkeys/acra_genkeys.go docker-compose -f docker/docker-compose.yml up -d

  63. #owaspkyiv @vixentael CAN I SOLVE MY USE-CASE USING… boxed solutions

  64. #owaspkyiv @vixentael CAN I SOLVE MY USE-CASE USING… crypto-systems boxed

    solutions no :(

  65. #owaspkyiv @vixentael CAN I SOLVE MY USE-CASE USING… crypto-libs crypto-systems

    boxed solutions no :( no :(

  66. https://www.cossacklabs.com/choose-your-ios-crypto.html

  67. THE WORLD DOESN’T HAVE A PROBLEM WITH NEW CRYPTO-ALGORITHMS.

  68. THE WORLD DOESN’T HAVE A PROBLEM WITH NEW CRYPTO-ALGORITHMS. PROBLEM

    IS THAT THEY ARE NOT BORING ENOUGH

  69. #owaspkyiv @vixentael

  70. #owaspkyiv @vixentael VS

  71. #owaspkyiv @vixentael make the light controllable

  72. #owaspkyiv @vixentael

  73. #owaspkyiv @vixentael make the crypto security controllable

  74. #owaspkyiv @vixentael make the crypto security controllable and booooring

  75. #owaspkyiv @vixentael

  76. LINKS 1 Boring crypto, Daniel J. Bernstein https://cr.yp.to/talks/2015.10.05/slides-djb-20151005-a4.pdf Why does

    cryptographic software fail? https://pdos.csail.mit.edu/papers/cryptobugs:apsys14.pdf API design for cryptography https://2017.hack.lu/archive/2017/hacklu-crypto-api.pdf

  77. LINKS 2 Encrypting strings in Android: Let’s make better mistakes

    https://tozny.com/blog/encrypting-strings-in-android-lets-make-better-mistakes/ Awesome crypto papers https://github.com/pFarb/awesome-crypto-papers 12 And 1 Ideas How To Enhance Backend Data Security https://www.cossacklabs.com/backend-data-security-modern-ideas.html Attestation and Trusted Computing https://courses.cs.washington.edu/courses/csep590/06wi/finalprojects/bare.pdf

  78. MY OTHER SECURITY SLIDES https://github.com/ vixentael/my-talks …and more

  79. @vixentael Product Engineer Feel free to reach me with any

    mobile security questions. I do check my inbox :)