@rdegges @oktadev
Useful Cryptography
An Introduction
Slide 2
Slide 2 text
@rdegges @oktadev
Hey, I'm Randall
Builder Python / JS /
Go Hacker
Author
Open Source
Chief Hacker @ Okta
Slide 3
Slide 3 text
@rdegges @oktadev
I am not a cryptographer!
Slide 4
Slide 4 text
@rdegges @oktadev
Why even?
you website
database
website
"how to store passwords"
password hashing
god
Slide 5
Slide 5 text
@rdegges @oktadev
I literally can't even.
Developers should never
do crypto.
Slide 6
Slide 6 text
@rdegges @oktadev
Hashing
Slide 7
Slide 7 text
@rdegges @oktadev
What is a Hash Function?
hash(s)
Input Hash (Digest)
"ilovemymom" "6cd7c44ad701d00aa59b4225978e9c7ddf00c682"
"ilovemymom" "6cd7c44ad701d00aa59b4225978e9c7ddf00c682"
"wooooboyyyyyyyyy" "968360efa4e572ba34504af1d438b1fc60871943"
deterministic
unique
irreversible
Slide 8
Slide 8 text
@rdegges @oktadev
Hahes are great for information that
you need to verify but never persist.
web server
Email: r@rdegges.com
Password: ilovemymom
db
Password:
pwn3d!
Password: ilovemymom
I want to create an account.
Slide 9
Slide 9 text
@rdegges @oktadev
How User Login Works with Hashing
web server
Email: r@rdegges.com
Password: ilovemymom
db
Email: r@rdegges.com
I want to log into my account.
Password:
Compute hash("ilovemymom")
Compare hash("ilovemymom") ==
Equal? Login successful!
Unequal? No login for you!
Slide 10
Slide 10 text
@rdegges @oktadev
There are two types of
hashing algorithms.
??!?!
Cryptographic hash
functions
Password hash
functions
Oh my!
@rdegges @oktadev
Cryptographic hash functions
are useful for verifying the
integrity of data.
MD5 (1991) SHA-1 (1995)
SHA-2 (2001)
SHA-3 (2015) BLAKE 2 (2012)
*Latacora (2018)
*
Ron Rivest
RSA!
Slide 13
Slide 13 text
@rdegges @oktadev
Password Hash Functions
AKA: the slow ones
Password: "ilovemymom"
db
sha2("ilovemymom")
sha2(pass)
??!?!
Brute force!
for pw in pw_generator():
if sha2(pw) == stolen_hash:
print 'Password found!'
Dictionary lists
Sequential
Breached password databases
Slide 14
Slide 14 text
@rdegges @oktadev
Slide 15
Slide 15 text
@rdegges @oktadev
Password hash functions are
useful for storing sensitive
password data and keys.
PBKDF2 (2000)
bcrypt (1999)
scrypt (2009)
argon2 (2015)
argon2i
argon2d
argon2id
hash(pass)
hash( )
Slide 16
Slide 16 text
@rdegges @oktadev
Slide 17
Slide 17 text
@rdegges @oktadev
Randomness
API Keys
Random Numbers
Passphrases
Database IDs
Slide 18
Slide 18 text
@rdegges @oktadev
There are two "kinds" of security.
computational
information-theoretic
Slide 19
Slide 19 text
@rdegges @oktadev
The best way to generate random
numbers is /dev/urandom.
OS kernel
keyboard timings
mouse movements
storage timings
random pool
/dev/random
/dev/urandom
app
OSX
FreeBSD
Linux
NetBSD
CSPRNG
Slide 20
Slide 20 text
@rdegges @oktadev
Slide 21
Slide 21 text
@rdegges @oktadev
Encryption
Slide 22
Slide 22 text
@rdegges @oktadev
Encryption is useful for hiding data
you need to eventually see again.
app
s3
passwords.txt
passwords.txt.enc
shit :/
ciphertext
Slide 23
Slide 23 text
@rdegges @oktadev
There are two types of encryption.
symmetric
asymmetric
Slide 24
Slide 24 text
@rdegges @oktadev
Symmetric Encryption
data
secret
ciphertext secret
data
ciphertext
Encryption Decryption
Long, random string.
Slide 25
Slide 25 text
@rdegges @oktadev
Symmetric encryption is useful in
circumstances where you can keep a
trusted secret safe.
web server
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
SIGNING_KEY
ENCRYPTION_KEY
...
Slide 26
Slide 26 text
@rdegges @oktadev
How should you do symmetric encryption?
* Amazon KMS
*Latacora (2018)
AWS Encryption SDK
KMS
master key(s)
data
data key
encryption
algorithm ciphertext
encryption
algorithm
encrypted data key
encrypted
message
Slide 27
Slide 27 text
@rdegges @oktadev
How should you do symmetric decryption?
KMS
master key(s)
data
data key
decryption
algorithm
ciphertext
encrypted data key
encrypted
message
decryption
algorithm
Slide 28
Slide 28 text
@rdegges @oktadev
It sounds complex, but...
aws.encrypt(plaintext)
aws.decrypt(encrypted message)
Slide 29
Slide 29 text
@rdegges @oktadev
Asymmetric encryption is useful in
circumstances where you need to
exchange data securely between
untrusted parties.
inbox
email
rdegges.com
tls
Slide 30
Slide 30 text
@rdegges @oktadev
Asymmetric Encryption
ciphertext
data
public
key
private
key
Bob Alice
ciphertext
data
public
key
private
key
shareable
Slide 31
Slide 31 text
@rdegges @oktadev
How should you do asymmetric encryption?
* NaCl/libsodium
*Latacora (2018)
Box API
Bob Alice
public
key
private
key
public
key
private
key
box(bs, ap)
ciphertext
data
box.encrypt(data)
Slide 32
Slide 32 text
@rdegges @oktadev
How should you do asymmetric decryption?
Bob Alice
public
key
private
key
public
key
private
key
ciphertext
data
box(as, bp)
box.decrypt(c)
Slide 33
Slide 33 text
@rdegges @oktadev
Don't roll your own crypto. Use crypto
and be smart about it.
Slide 34
Slide 34 text
@rdegges @oktadev
Slide 35
Slide 35 text
@rdegges @oktadev
Thank You
rdegges.com
developer.okta.com
Slide 36
Slide 36 text
@rdegges @oktadev
Sources
● "Cryptographic Right Answers":
https://latacora.micro.blog/2018/04/03/cryptographic-right-answers.html
● "Password Hashing Competition": https://password-hashing.net/
● "Myths About /dev/urandom": https://www.2uo.de/myths-about-urandom/
● "When to use /dev/random vs /dev/urandom":
https://unix.stackexchange.com/questions/324209/when-to-use-dev-random-vs-dev-urandom
● "djb" on /dev/urandom:
https://www.mail-archive.com/cryptography@randombit.net/msg04763.html
● KMS FAQ: https://aws.amazon.com/kms/faqs/
● PyNaCl: https://pynacl.readthedocs.io/en/stable/public/