Slide 1
Slide 1 text
Cryptography for
Rails Developers
Slide 2
Slide 2 text
Christopher Rigor
@crigor
Slide 3
Slide 3 text
No content
Slide 4
Slide 4 text
No content
Slide 5
Slide 5 text
No content
Slide 6
Slide 6 text
No content
Slide 7
Slide 7 text
1. Public-key
Cryptography
Slide 8
Slide 8 text
2. SSL / TLS
Slide 9
Slide 9 text
3. Tips for Rails
Applications
Slide 10
Slide 10 text
No content
Slide 11
Slide 11 text
Symmetric-key
Cryptography
Slide 12
Slide 12 text
One key to encrypt
and decrypt
Slide 13
Slide 13 text
"hello" ------> "aslkdfjalskjd"
Slide 14
Slide 14 text
ciphertext
Slide 15
Slide 15 text
Public-key
Cryptography
Slide 16
Slide 16 text
public key to encrypt
private key to decrypt
Slide 17
Slide 17 text
privatekeycheck.com
Slide 18
Slide 18 text
Why on earth would
you post it here?
Now it's surely not.
Slide 19
Slide 19 text
RSA
Slide 20
Slide 20 text
3 numbers e, n, and d
Slide 21
Slide 21 text
e = public key
n = public key
d = private key
Slide 22
Slide 22 text
end
Slide 23
Slide 23 text
"en"crypt
"d"ecrypt
Slide 24
Slide 24 text
e = 17
n = 3233
d = 2753
Slide 25
Slide 25 text
42 ** e % n
Slide 26
Slide 26 text
42 ** e % n
42 ** 17 % 3233
2557
Slide 27
Slide 27 text
2557
Slide 28
Slide 28 text
"d"ecrypt
Slide 29
Slide 29 text
2557 ** d % n
Slide 30
Slide 30 text
2557 ** d % n
2557 ** 2753 % 3233
42
Slide 31
Slide 31 text
42 ** e % n
2557 ** d % n
Slide 32
Slide 32 text
n = product of 2
prime numbers
Slide 33
Slide 33 text
e = usually 65537
Slide 34
Slide 34 text
No content
Slide 35
Slide 35 text
e = 65537
Slide 36
Slide 36 text
d = computed from e, prime1 and
prime2
Slide 37
Slide 37 text
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAwJ5g2RhxbKWq3PeS5EUIwemy1sYffQwn
reUzryNwoB9/hqt0
NPAtq2vQftuko39VKw1hrpnk08bXWPqsN38HR9421q
+nd0dgY1sG8EljSeG3dGvP
4rZ1EgUbac4WDAKvA+fhiebg4QS2bAaB9IEL
+3rjQRhNsvaYgI2K3AHePbFVq0ut
6Ey0WwN4m/yf8JYerJWPlHLyU8W4xtyHExuX/IK4g6Uf8Z9Av
+WiK8mfHaw7Kge/
EO1UAGWOrd7RLx3A2WjOU7d0KtrshU1r64Xl4m1/
JbHQYBGkzYS0Mm7hhI5mnN/t
8h1hW2TksiVHrZ8rjOoYOrlkZOpVUwf7s2LYVQIDAQABAoIBA
Slide 38
Slide 38 text
openssl rsa -text -in .ssh/id_rsa
Slide 39
Slide 39 text
publicExponent:
65537 (0x10001)
Slide 40
Slide 40 text
modulus:
00:c0:9e:60:d9:18:71:6c:a5:aa:dc:f7:92:e4:45:
08:c1:e9:b2:d6:c6:1f:7d:0c:27:ad:e5:33:af:23:
70:a0:1f:7f:86:ab:74:34:f0:2d:ab:6b:d0:7e:db:
a4:a3:7f:55:2b:0d:61:ae:99:e4:d3:c6:d7:58:fa:
ac:37:7f:07:47:de:36:d6:af:a7:77:47:60:63:5b:
06:f0:49:63:49:e1:b7:74:6b:cf:e2:b6:75:12:05:
1b:69:ce:16:0c:02:af:03:e7:e1:89:e6:e0:e1:04:
b6:6c:06:81:f4:81:0b:fb:7a:e3:41:18:4d:b2:f6:
98:80:8d:8a:dc:01:de:3d:b1:55:ab:4b:ad:e8:4c:
b4:5b:03:78:9b:fc:9f:f0:96:1e:ac:95:8f:94:72:
f2:53:c5:b8:c6:dc:87:13:1b:97:fc:82:b8:83:a5:
1f:f1:9f:40:bf:e5:a2:2b:c9:9f:1d:ac:3b:2a:07:
bf:10:ed:54:00:65:8e:ad:de:d1:2f:1d:c0:d9:68:
ce:53:b7:74:2a:da:ec:85:4d:6b:eb:85:e5:e2:6d:
7f:25:b1:d0:60:11:a4:cd:84:b4:32:6e:e1:84:8e:
66:9c:df:ed:f2:1d:61:5b:64:e4:b2:25:47:ad:9f:
2b:8c:ea:18:3a:b9:64:64:ea:55:53:07:fb:b3:62:
d8:55
Slide 41
Slide 41 text
2431585381023245243664330467172106030832010383116
4469677832495734668099074396651844271258357540051
3767266433204751301161494548152938586277693179979
9890466216086685504686094092324062775361449344083
8874077885512524472300856401934110431460528205155
8296721167524104278478378503629406922274058522565
4049522376109500926733651743749347006963603460324
4750405711451831483661181796223823470036752363791
8444923562030168749604532593343488635664366782360
4357641224346337617299750469531547237002599501779
0644182536453093727509649248024164911346045419437
5737979721222481332470495918510303683249090717606
Slide 42
Slide 42 text
privateExponent:
33:ed:7e:a6:88:54:6b:b9:ed:ea:4c:44:29:8e:02:
e2:64:22:76:8c:4b:08:e7:31:fb:4b:83:37:80:12:
68:d8:95:04:b5:4c:4a:c9:45:46:a5:76:3b:fc:f2:
d1:b1:0e:40:e1:06:a8:8f:8c:85:1b:62:0a:f6:e9:
5e:bc:bc:35:bf:ce:80:ea:31:f7:92:22:86:26:90:
24:4f:64:99:12:64:e6:d9:f9:dd:60:db:06:d4:a1:
a3:50:8f:d9:05:10:31:b9:5d:b0:53:b1:e4:77:e4:
c6:12:ab:0e:43:8b:fb:6c:11:c0:06:d1:4b:a1:f7:
53:10:d5:92:a2:5e:4b:ba:fe:e0:90:a6:17:44:8b:
d3:1d:8e:f7:e6:64:a6:85:34:0e:87:b0:3b:bd:d0:
90:2a:b4:62:08:f3:fd:42:d8:73:e2:2d:54:10:8a:
5c:9c:6f:16:7f:d2:1f:8e:51:c5:14:12:91:bf:cc:
7e:34:14:e0:db:79:ee:05:45:22:de:3b:99:52:36:
b1:ac:c0:e8:f6:df:02:44:b6:37:4b:f5:73:9d:41:
c6:35:ba:b5:47:39:fb:d3:a2:90:80:ac:4c:0d:97:
4d:c8:8d:36:7f:ae:8e:1f:1e:e5:33:0b:51:8d:41:
35:e7:69:2a:f1:62:52:0c:fa:d4:f5:b9:7f:8d:03:
01
Slide 43
Slide 43 text
6555266568796053674269708820055353365692655972794
2055673580501799001476180850518758042722837636392
8351933006067037854787568194571939353701616354713
5887324275725095670658393033428680152446112426762
6108489567913588106964238660508089034140197495871
5227500433009731051490912217850124586529451451345
8923502958802219960425895673146838867589769393986
0556673632421808148038002771480134566168093718746
0473165736741978268341806296994087055044759829337
3573899404839955835464081022920152659481994084458
0520520598913413928409545239844803823479590208225
3984444016315990695698402100055840447044896509668
Slide 44
Slide 44 text
42 ** e % n
Slide 45
Slide 45 text
7403918762823839092797670141313950212528994606053
3799517843086878229299923652258151711100231746381
6181786944539511010243166014190260358058104908205
7304340698199082430151945214069936900404923317185
5875418936265830788037850186423336723791573716176
6591077359161448282606674296267688726733192810543
3908133856731992683370184186601764915219096941742
8143523889081093181350050901295990484830674004492
0001520753653244602808387141190318409556217244506
4939370112341529423864414627775025027597348907780
1135695002049594281938966058393001384364228739328
6572785551769536889192869044823881149520366525399
Slide 46
Slide 46 text
c ** d % n
Slide 47
Slide 47 text
42
Slide 48
Slide 48 text
Diffie-Hellman
Slide 49
Slide 49 text
No content
Slide 50
Slide 50 text
Elliptic Curves
Slide 51
Slide 51 text
SSL / TLS
Slide 52
Slide 52 text
HTTPS
Slide 53
Slide 53 text
1995 - SSLv2
1996 - SSLv3
1999 - TLSv1
2006 - TLSv1_1
2008 - TLSv1_2
Slide 54
Slide 54 text
No content
Slide 55
Slide 55 text
1. Server sends the public key
2. Browser encrypts shared key
Slide 56
Slide 56 text
DES
RC4
AES
Slide 57
Slide 57 text
Attacks
Slide 58
Slide 58 text
No content
Slide 59
Slide 59 text
No content
Slide 60
Slide 60 text
No content
Slide 61
Slide 61 text
BEAST
(SSLv3, TLSv1)
(DES, AES)
Slide 62
Slide 62 text
POODLE
(SSLv3)
(DES, AES)
Slide 63
Slide 63 text
Heartbleed
Slide 64
Slide 64 text
No content
Slide 65
Slide 65 text
TLS 1.2, AES-GCM
Slide 66
Slide 66 text
1. Server sends the public key (RSA)
2. Browser encrypts shared key (RSA)
3. Browser encrypts data (AES-GCM)
Slide 67
Slide 67 text
1. Server sends the public key (RSA)
2. Browser encrypts shared key (RSA
ECDHE)
3. Browser encrypts data (AES-GCM)
Slide 68
Slide 68 text
PERFECT FORWARD
SECRECY
Slide 69
Slide 69 text
TLS 1.2
AES-GCM
ECDHE
Slide 70
Slide 70 text
Rails
Slide 71
Slide 71 text
do not use SSLv3
Slide 72
Slide 72 text
do not set ssl_version
to TLSv1
Slide 73
Slide 73 text
set it to SSLv23
Slide 74
Slide 74 text
OpenSSL::SSL::OP_NO_SSLv3
Slide 75
Slide 75 text
2.1.4
2.0.0-p594
1.9.3-p550
Slide 76
Slide 76 text
certificate verify failed
Slide 77
Slide 77 text
VERIFY_NONE
Slide 78
Slide 78 text
VERIFY_PEER
Slide 79
Slide 79 text
ActiveSupport::MessageEncryptor
Slide 80
Slide 80 text
key = Rails.configuration.secret_key_base
crypt = ActiveSupport::MessageEncryptor.new(key)
encrypted_data = crypt.encrypt_and_sign("my confidental data")
Slide 81
Slide 81 text
salt = SecureRandom.random_bytes(64)
key = ActiveSupport::KeyGenerator.new('password').generate_key(salt)
Slide 82
Slide 82 text
RbNacl
Slide 83
Slide 83 text
key = RbNaCl::Random.random_bytes(RbNaCl::SecretBox.key_bytes)
box = RbNaCl::SimpleBox.from_secret_key(key)
box.encrypt("my confidental data")
Slide 84
Slide 84 text
end
Slide 85
Slide 85 text
No content
Slide 87
Slide 87 text
Resources
https://www.flickr.com/photos/delgrossodotcom/3211643440
https://www.flickr.com/photos/
twosevenoneonenineeightthreesevenatenzerosix/6655759625
https://www.flickr.com/photos/nox_noctis_silentium/
6315616870
https://www.flickr.com/photos/orqwith/2059728917
https://www.flickr.com/photos/37467370@N08/7606239970
https://www.flickr.com/photos/ul_marga/755378645
https://www.flickr.com/photos/richard-g/3549285383
Slide 88
Slide 88 text
https://www.flickr.com/photos/brenda-starr/3509344100
https://www.flickr.com/photos/
120600995@N07/14028600474
https://www.flickr.com/photos/13519089@N03/1380483002
https://www.flickr.com/photos/danielproulx/3426805996
https://www.flickr.com/photos/chrisinplymouth/4262775481
https://www.flickr.com/photos/chrisinplymouth/4117583864
https://www.flickr.com/photos/danielfoster/14758510078
https://www.flickr.com/photos/gamikun/2564208746
https://www.flickr.com/photos/nathaninsandiego/9339787996
https://www.flickr.com/photos/dashupagla/2519031536
https://www.flickr.com/photos/imagesbywestfall/435