Slide 1

Slide 1 text

@OliverMilke @cloudogu

Slide 2

Slide 2 text

1. meta
2. Outline | Differentiation
3. About Key Pairs and Certificates
4. Cipher Suites

Slide 3

Slide 3 text

1. Developers?
2. Dev Ops?

Slide 4

Slide 4 text

Terms / Concepts
• Things I stumbled over myself
• Practice-oriented, not from scratch

Crypto is hard to get right
• Dutch Election Security Talk

Slide 5

Slide 5 text

• > 10 years of Software Development
• Crypto and Security for Mobile Online Services @VW
• Software Craftsman @Cloudogu EcoSystem
• JUG Ostfalen
• Fitness / Freeletics

Oliver Milke
Software Craftsman
https://stackoverflow.com/users/2108919/omilke
https://twitter.com/OliverMilke
http://oliver-milke.de/
https://github.com/omilke

Slide 6

Slide 6 text

1. meta
2. Outline | Differentiation
3. About Key Pairs and Certificates
4. Cipher Suites

Slide 7

Slide 7 text

Cryptology Security Cryptography Cryptanalysis … Awareness Processes

Slide 8

Slide 8 text

https://www.xkcd.com/538/

Slide 9

Slide 9 text

Confidentiality Integrity Authenticity

Slide 10

Slide 10 text

SQL encrypted?

Authorization: Basic d2lraTpwZWRpYQ==

Security through secrecy of the keys
• not secrecy of algorithm
• Opposite: Security By Obscurity

Slide 11

Slide 11 text

Symmetric Encryption
• 1 key for encryption / decryption
• fast
• Stream Cipher
• Block Cipher
• Various modes of operation
• AES
  − Rijndael Cipher

Cryptographic Hash
• One-way function
• Resistance to collisions
• MD*, SHA-*, bCrypt

Slide 12

Slide 12 text

Digital Signature
• Asymmetrically encrypted hash

Asymmetric Encryption
• 2 inverse keys (Key Pair)
• Operations can be reversed with the other key
• slow

Slide 13

Slide 13 text

Cryptographically Secure Pseudo-Random Number Generator
• True randomness by a machine?
• Nonces
• Protection against Replay

Slide 14

Slide 14 text

one-way functions
• "forwards" easy
• "backwards" hard as in computationally complex

Examples
• Multiplication of large primes
  − RSA
• Modular exponentiation
  − Diffie-Hellman, ElGamal
  − finite fields / elliptic curves
• AES

Slide 15

Slide 15 text

Specification
Implementation Side Channel Attacks

Slide 16

Slide 16 text

https://www.xkcd.com/936/

Slide 17

Slide 17 text

Storing for authentication?

Salt
• Individual for each password

Pepper
• Common for all passwords !

Argon2
PBKDF2
sCrypt / bCrypt

Slide 18

Slide 18 text

One-way function
Integrity can be verified

Insecure transmission
• Exchanging original and hash is possible

1010001 Hash

Slide 19

Slide 19 text

Hash

Insecure transmission
• Exchanging requires secret

H-MAC + Shared Secret

Integrity and Authenticity
• Proves knowledge of secret

1010001 0110000
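
The difference between slides 18 and 19, as an added example that is not part of the original deck: a plain hash sent next to the message still verifies after both are exchanged in transit, while an HMAC check fails for anyone who does not hold the shared secret. The secret, the message and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo values (assumptions, not from the slides).
SHARED_SECRET = b"constructed-demo-secret"  # agreed out of band
MESSAGE = b"transfer 100 EUR to account 42"


def protect_with_hash(message: bytes) -> bytes:
    """Slide 18: a plain hash travels next to the message."""
    return hashlib.sha256(message).digest()


def protect_with_hmac(message: bytes, key: bytes) -> bytes:
    """Slide 19: HMAC mixes the shared secret into the hash."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_hash(message: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(protect_with_hash(message), digest)


def verify_hmac(message: bytes, tag: bytes, key: bytes) -> bool:
    # compare_digest runs in constant time, so timing does not reveal
    # how many leading bytes of a wrong tag were correct.
    return hmac.compare_digest(protect_with_hmac(message, key), tag)


def replace_in_transit(message: bytes) -> tuple[bytes, bytes]:
    """A party on the insecure channel, without the secret: exchanges the
    message and recomputes the only check value it can, a plain hash."""
    altered = message.replace(b"100", b"900")
    return altered, hashlib.sha256(altered).digest()


def demo() -> dict[str, bool]:
    altered, altered_check = replace_in_transit(MESSAGE)
    tag = protect_with_hmac(MESSAGE, SHARED_SECRET)
    return {
        "hash_accepts_original": verify_hash(MESSAGE, protect_with_hash(MESSAGE)),
        "hash_accepts_altered": verify_hash(altered, altered_check),
        "hmac_accepts_original": verify_hmac(MESSAGE, tag, SHARED_SECRET),
        "hmac_accepts_altered": verify_hmac(altered, altered_check, SHARED_SECRET),
        "hmac_accepts_altered_old_tag": verify_hmac(altered, tag, SHARED_SECRET),
    }


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check}: {accepted}")
```
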

Slide 20

Slide 20 text

1. meta
2. Outline | Differentiation
3. About Key Pairs and Certificates …or: what is a Trust Anchor?
4. Cipher Suites

Slide 21

Slide 21 text

Server Client

Slide 22

Slide 22 text

Intermediate Certificate Server Certificate Certificate Authority (CA) Root Certificate Client Server

Slide 23

Slide 23 text

1. meta
2. Outline | Differentiation
3. About Key Pairs and Certificates
4. ECDHE-ECDSA-AES256-GCM-SHA384 …or: what is a Cipher Suite?

Slide 24

Slide 24 text

Connection is encrypted

But how?

TLS handshake for agreeing on Cipher Suite ?
ECDHE-ECDSA-AES256-GCM-SHA384 ✓
ECDHE-ECDSA-AES256-GCM-SHA384 ✓

Slide 25

Slide 25 text

Encrypted connection
• AES256-GCM-SHA384

But which key?
• ECDHE-ECDSA-AES256-GCM-SHA384

Slide 26

Slide 26 text

Encrypted connection
• AES256-GCM-SHA384
• Key Exchange via ECDHE

But is it the expected service?
• ECDHE-ECDSA-AES256-GCM-SHA384

Slide 27

Slide 27 text

Crypto-System with employed primitives
• constants describing details

Depending on the protocol
• Example is TLS 1.2
• TLS 1.3 employs different concepts

Slide 28

Slide 28 text

No content

Slide 29

Slide 29 text

Storing passwords?
Mobile Online Services?

Slide 30

Slide 30 text

Crypto Lib (bCrypt)
http://www.bouncycastle.org/java.html

Password Policy
http://www.passay.org/ (formerly vt-password)

Slide 31

Slide 31 text

Password Hashing
security.stackexchange.com Thread

OWASP Password Storage Cheat Sheet
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

OWASP Forgot Password Cheat Sheet
https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet

Slide 32

Slide 32 text

Qualys SSL Lab Server Test
https://www.ssllabs.com/ssltest/ !

Mozilla Config Generator
https://mozilla.github.io/server-side-tls/ssl-config-generator/ !

Bruce Schneier
https://www.schneier.com/

Security Assessment
https://www.keylength.com/

Slide 33

Slide 33 text

Thank you
feedback plz

Get in touch
• https://twitter.com/OliverMilke
• http://oliver-milke.de/
• [email protected]
• https://cloudogu.com/en/blog/Crypto-101