Slide 1

Slide 1 text

@rdegges @oktadev Useful Cryptography An Introduction

Slide 2

Slide 2 text

@rdegges @oktadev Hey, I'm Randall Builder Python / JS / Go Hacker Author Open Source Chief Hacker @ Okta

Slide 3

Slide 3 text

@rdegges @oktadev I am not a cryptographer!

Slide 4

Slide 4 text

@rdegges @oktadev Why even? you website database website "how to store passwords" password hashing god

Slide 5

Slide 5 text

@rdegges @oktadev I literally can't even. Developers should never do crypto.

Slide 6

Slide 6 text

@rdegges @oktadev Hashing

Slide 7

Slide 7 text

@rdegges @oktadev What is a Hash Function? hash(s) Input Hash (Digest) "ilovemymom" "6cd7c44ad701d00aa59b4225978e9c7ddf00c682" "ilovemymom" "6cd7c44ad701d00aa59b4225978e9c7ddf00c682" "wooooboyyyyyyyyy" "968360efa4e572ba34504af1d438b1fc60871943" deterministic unique irreversible

Slide 8

Slide 8 text

@rdegges @oktadev Hahes are great for information that you need to verify but never persist. web server Email: [email protected] Password: ilovemymom db Password: pwn3d! Password: ilovemymom I want to create an account.

Slide 9

Slide 9 text

@rdegges @oktadev How User Login Works with Hashing web server Email: [email protected] Password: ilovemymom db Email: [email protected] I want to log into my account. Password: Compute hash("ilovemymom") Compare hash("ilovemymom") == Equal? Login successful! Unequal? No login for you!

Slide 10

Slide 10 text

@rdegges @oktadev There are two types of hashing algorithms. ??!?! Cryptographic hash functions Password hash functions Oh my!

Slide 11

Slide 11 text

@rdegges @oktadev Cryptographic Hash Functions AKA: the fast ones ubuntu-18.04.2-desktop-amd64.iso (1.9 GB) $ sha1sum ubuntu-18.04.2-desktop-amd64.iso bcdb9099024c468047f3f31c7d23e68a35ea4de2 (3.176 seconds) ubuntu ubuntu-18.04.2-desktop-amd64.iso Hash: bcdb9099024c468047f3f31c7d23e68a35ea4de2

Slide 12

Slide 12 text

@rdegges @oktadev Cryptographic hash functions are useful for verifying the integrity of data. MD5 (1991) SHA-1 (1995) SHA-2 (2001) SHA-3 (2015) BLAKE 2 (2012) *Latacora (2018) * Ron Rivest RSA!

Slide 13

Slide 13 text

@rdegges @oktadev Password Hash Functions AKA: the slow ones Password: "ilovemymom" db sha2("ilovemymom") sha2(pass) ??!?! Brute force! for pw in pw_generator(): if sha2(pw) == stolen_hash: print 'Password found!' Dictionary lists Sequential Breached password databases

Slide 14

Slide 14 text

@rdegges @oktadev

Slide 15

Slide 15 text

@rdegges @oktadev Password hash functions are useful for storing sensitive password data and keys. PBKDF2 (2000) bcrypt (1999) scrypt (2009) argon2 (2015) argon2i argon2d argon2id hash(pass) hash( )

Slide 16

Slide 16 text

@rdegges @oktadev

Slide 17

Slide 17 text

@rdegges @oktadev Randomness API Keys Random Numbers Passphrases Database IDs

Slide 18

Slide 18 text

@rdegges @oktadev There are two "kinds" of security. computational information-theoretic

Slide 19

Slide 19 text

@rdegges @oktadev The best way to generate random numbers is /dev/urandom. OS kernel keyboard timings mouse movements storage timings random pool /dev/random /dev/urandom app OSX FreeBSD Linux NetBSD CSPRNG

Slide 20

Slide 20 text

@rdegges @oktadev

Slide 21

Slide 21 text

@rdegges @oktadev Encryption

Slide 22

Slide 22 text

@rdegges @oktadev Encryption is useful for hiding data you need to eventually see again. app s3 passwords.txt passwords.txt.enc shit :/ ciphertext

Slide 23

Slide 23 text

@rdegges @oktadev There are two types of encryption. symmetric asymmetric

Slide 24

Slide 24 text

@rdegges @oktadev Symmetric Encryption data secret ciphertext secret data ciphertext Encryption Decryption Long, random string.

Slide 25

Slide 25 text

@rdegges @oktadev Symmetric encryption is useful in circumstances where you can keep a trusted secret safe. web server AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY SIGNING_KEY ENCRYPTION_KEY ...

Slide 26

Slide 26 text

@rdegges @oktadev How should you do symmetric encryption? * Amazon KMS *Latacora (2018) AWS Encryption SDK KMS master key(s) data data key encryption algorithm ciphertext encryption algorithm encrypted data key encrypted message

Slide 27

Slide 27 text

@rdegges @oktadev How should you do symmetric decryption? KMS master key(s) data data key decryption algorithm ciphertext encrypted data key encrypted message decryption algorithm

Slide 28

Slide 28 text

@rdegges @oktadev It sounds complex, but... aws.encrypt(plaintext) aws.decrypt(encrypted message)

Slide 29

Slide 29 text

@rdegges @oktadev Asymmetric encryption is useful in circumstances where you need to exchange data securely between untrusted parties. inbox email rdegges.com tls

Slide 30

Slide 30 text

@rdegges @oktadev Asymmetric Encryption ciphertext data public key private key Bob Alice ciphertext data public key private key shareable

Slide 31

Slide 31 text

@rdegges @oktadev How should you do asymmetric encryption? * NaCl/libsodium *Latacora (2018) Box API Bob Alice public key private key public key private key box(bs, ap) ciphertext data box.encrypt(data)

Slide 32

Slide 32 text

@rdegges @oktadev How should you do asymmetric decryption? Bob Alice public key private key public key private key ciphertext data box(as, bp) box.decrypt(c)

Slide 33

Slide 33 text

@rdegges @oktadev Don't roll your own crypto. Use crypto and be smart about it.

Slide 34

Slide 34 text

@rdegges @oktadev

Slide 35

Slide 35 text

@rdegges @oktadev Thank You rdegges.com developer.okta.com

Slide 36

Slide 36 text

@rdegges @oktadev Sources ● "Cryptographic Right Answers": https://latacora.micro.blog/2018/04/03/cryptographic-right-answers.html ● "Password Hashing Competition": https://password-hashing.net/ ● "Myths About /dev/urandom": https://www.2uo.de/myths-about-urandom/ ● "When to use /dev/random vs /dev/urandom": https://unix.stackexchange.com/questions/324209/when-to-use-dev-random-vs-dev-urandom ● "djb" on /dev/urandom: https://www.mail-archive.com/[email protected]/msg04763.html ● KMS FAQ: https://aws.amazon.com/kms/faqs/ ● PyNaCl: https://pynacl.readthedocs.io/en/stable/public/