Slide 1
Slide 1 text
Matt Aimonetti
Splice:
Go, Ruby, JS, Obj-C, C#, C++, C
Matt Aimonetti - splice.com - @mattetti
Slide 2
Slide 2 text
No content
Slide 3
Slide 3 text
No content
Slide 4
Slide 4 text
No content
Slide 5
Slide 5 text
“Knowledge is power”
France is Bacon
Slide 6
Slide 6 text
“Crypto is hard”
Bruce Schneier
Slide 7
Slide 7 text
“Barcelona is awesome”
My wife
Slide 8
Slide 8 text
No content
Slide 9
Slide 9 text
The events depicted in this presentation
took place in California in 2014.
!
At the request of the survivors, the names have been changed.
Out of respect for the dead, the rest has been told exactly as it
occurred.
Slide 10
Slide 10 text
Bob
Alice
Slide 11
Slide 11 text
Abe
Slide 12
Slide 12 text
No content
Slide 13
Slide 13 text
No content
Slide 14
Slide 14 text
No content
Slide 15
Slide 15 text
No content
Slide 16
Slide 16 text
No content
Slide 17
Slide 17 text
No content
Slide 18
Slide 18 text
Conchita
Slide 19
Slide 19 text
No content
Slide 20
Slide 20 text
No content
Slide 21
Slide 21 text
No content
Slide 22
Slide 22 text
Dave
Slide 23
Slide 23 text
No content
Slide 24
Slide 24 text
No content
Slide 25
Slide 25 text
No content
Slide 26
Slide 26 text
{}
Slide 27
Slide 27 text
session.current_user
Slide 28
Slide 28 text
No content
Slide 29
Slide 29 text
No content
Slide 30
Slide 30 text
Frank
Slide 31
Slide 31 text
No content
Slide 32
Slide 32 text
No content
Slide 33
Slide 33 text
No content
Slide 34
Slide 34 text
No content
Slide 35
Slide 35 text
No content
Slide 36
Slide 36 text
ActiveSupport::MessageVerifier
Slide 37
Slide 37 text
Splice::Application.config.secret_key_base =
"f7b5763636f4c1f3ff4bd444eaccaca295d87b
990cc104124017ad70550edcfd22b8e89465398
254e0b608592a9aac29025440bfd9ce42579835
ba06a86f85f9"
config/initializers/secret_token.rb
config/secrets.yml
Before Rails 4.1
After Rails 4.1
Slide 38
Slide 38 text
No content
Slide 39
Slide 39 text
key_generator =
ActiveSupport::CachingKeyGenerator.new(
ActiveSupport::KeyGenerator.new(
secret_key_base,
iterations: 1000
)
)
Slide 40
Slide 40 text
Password-Based Key Derivation Function 2
!
AKA
!
PBKDF2
Slide 41
Slide 41 text
derived_secret = key_generator.
generate_key("Rails salt")
Slide 42
Slide 42 text
No content
Slide 43
Slide 43 text
SHA-‐1(Secret, Salt +1)
SHA-‐1(Secret, Salt)
SHA-‐1(Secret, Salt)
Slide 44
Slide 44 text
verifier = ActiveSupport::MessageVerifier.
new(derived_secret)
!
msg = { user: "Matt",
role: "villain"}
!
signed_message = verifier.generate(msg)
!
# =>
"BAh7BzoKd2hlcmVJIg5CYXJjZWxvbmEGOgZFVDoJd
2hhdEkiC0JhcnVjbwY7BlQ=--
ad7af07ad5b384d458b7cf8a962c04fc53ed81d1"
Slide 45
Slide 45 text
BAh7BzoKd2hlcmVJIg5CYXJjZWxvbmEGOgZFV
DoJd2hhdEkiC0JhcnVjbwY7BlQ=
--
ad7af07ad5b384d458b7cf8a962c04fc53ed8
1d1
Base 64 encoded version of the
dumped message
Signature of encoded message
Slide 46
Slide 46 text
Marshal.load(Base64.decode64(“BAh7…”))
# => {:user=>"Matt", :role=>"Villain"}
Slide 47
Slide 47 text
ActiveSupport::MessageEncryptor
Slide 48
Slide 48 text
crypt_secret = key_generator.generate_key(
"signed encrypted cookie")
!
encryptor =
ActiveSupport::MessageEncryptor.new(
secret, crypt_secret)
!
message = encryptor.
encrypt_and_sign({msg: "hello world"})
!
encryptor.decrypt_and_verify(message)
# => {:msg => "hello world"}
Slide 49
Slide 49 text
No content
Slide 50
Slide 50 text
No content
Slide 51
Slide 51 text
No content
Slide 52
Slide 52 text
No content
Slide 53
Slide 53 text
No content
Slide 54
Slide 54 text
No content
Slide 55
Slide 55 text
No content
Slide 56
Slide 56 text
No content
Slide 57
Slide 57 text
No content
Slide 58
Slide 58 text
No content
Slide 59
Slide 59 text
Wendy
Slide 60
Slide 60 text
Eve
Slide 61
Slide 61 text
Splice::Application.config.secret_key_base =
"f7b5763636f4c1f3ff4bd444eaccaca295d87b
990cc104124017ad70550edcfd22b8e89465398
254e0b608592a9aac29025440bfd9ce42579835
ba06a86f85f9"
config/initializers/secret_token.rb
config/secrets.yml
Slide 62
Slide 62 text
No content
Slide 63
Slide 63 text
No content
Slide 64
Slide 64 text
No content
Slide 65
Slide 65 text
No content
Slide 66
Slide 66 text
class ::Pwned
def marshal_load(*args)
end
def marshal_dump
end
end
Slide 67
Slide 67 text
class ::Pwned
def marshal_load(*args)
ActiveRecord::Base.connection.tables.each do |t|
ActiveRecord::Base.connection.drop_table(t)
end
end
def marshal_dump; end
def by
"Eve"
end
end
!
session[:pwned] = ::Pwned.new
Slide 68
Slide 68 text
No content
Slide 69
Slide 69 text
request.cookie_jar.
signed_or_encrypted.
send(:serializer)
!
=> Marshal
Slide 70
Slide 70 text
Rails.application.config.action_dispatch.
cookies_serializer = :hybrid
only store simple objects!
Slide 71
Slide 71 text
No content
Slide 72
Slide 72 text
No content
Slide 73
Slide 73 text
No content
Slide 74
Slide 74 text
http://godoc.org/github.com/mattetti/goRailsYourself/crypto
Slide 75
Slide 75 text
type Person struct {
Id int `json:"id"`
FirstName string `json:”first_name"`
LastName string `json:”last_name"`
Age int `json:"age"`
}
!
!
john := Person{Id: 12,
FirstName: "John",
LastName: "Doe",
Age: 42}
Slide 76
Slide 76 text
railsSecret := "fromYourConfig"
cookieSalt := []byte(“cookie_salt")
signedCookieSalt := []byte("scookie")
Slide 77
Slide 77 text
kg := KeyGenerator{Secret: railsSecret}
!
// derived keys
secret := kg.CacheGenerate(cookieSalt, 32)
signSecret :=
kg.CacheGenerate(signedCookieSalt, 64)
!
e := MessageEncryptor{ Key: secret,
SignKey: signSecret}
Slide 78
Slide 78 text
/*
john := Person{Id: 12,
FirstName: "John",
LastName: "Doe",
Age: 42}
*/
!
msg, err = e.EncryptAndSign(john)
if err != nil {
log.Fatal(err)
}
Slide 79
Slide 79 text
// decrypting the person object contained in
//the session
var sessionContent Person
err = e.DecryptAndVerify(msg, &sessionContent)
if err != nil {
log.Fatal(err)
}
// Person{Id:12, FirstName:"John",
// LastName:”Doe”, Age:42}
Slide 80
Slide 80 text
No content
Slide 81
Slide 81 text
No content
Slide 82
Slide 82 text
No content
Slide 83
Slide 83 text
No content
Slide 84
Slide 84 text
No content
Slide 85
Slide 85 text
No content
Slide 86
Slide 86 text
No content
Slide 87
Slide 87 text
Questions
@mattetti
!
!
splice.com