Tweet
Tweet

Slide 1

Slide 1 text

NSCONFIDENTIAL

Slide 2

Slide 2 text

WAIT

Slide 3

Slide 3 text

were you followed?

Slide 4

Slide 4 text

(ARE YOU SURE?)

Slide 5

Slide 5 text

I HAVE REASON TO BELIEVE THAT THIS TALK IS BEING recorded. (ACTUALLY, I DON'T THINK THIS ONE IS)

Slide 6

Slide 6 text

...

Slide 7

Slide 7 text

JUST ACT NATURAL

Slide 8

Slide 8 text

No content

Slide 9

Slide 9 text

NSCONFIDENTIAL HOW TO SURVIVE IN A SURVEILLANCE STATE, WITH OBJECTIVE-C & COCOA

Slide 10

Slide 10 text

No content

Slide 11

Slide 11 text

goto fail;

Slide 12

Slide 12 text

No content

Slide 13

Slide 13 text

KNOWING ABOUT NETWORK SECURITY HAS NEVER BEEN MORE IMPORTANT

Slide 14

Slide 14 text

AND YET...

Slide 15

Slide 15 text

THIS IS TOO HARD TO UNDERSTAND

Slide 16

Slide 16 text

EXPERTS ONLY

Slide 17

Slide 17 text

TRUST US

Slide 18

Slide 18 text

YOU KNOW WHAT'S better THAN TRUST?

Slide 19

Slide 19 text

UNDERSTANDING

Slide 20

Slide 20 text

THAT SAID...

Slide 21

Slide 21 text

▸ I am not a security expert ▸ I do not assume to know what I'm doing ▸ Don't take my word for it

Slide 22

Slide 22 text

SECURITY IS ABOUT keeping secrets

Slide 23

Slide 23 text

STEGANOGRAPHY CRYPTOGRAPHY

Slide 24

Slide 24 text

STEGANOGRAPHY Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud ullamco nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor information hiding in plain sight velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id.

Slide 25

Slide 25 text

CRYPTOGRAPHY F2 80 FF 09 F3 F3 E8 00 00 FF 00 8F A6 A6 80 F2 80 FF 05 F3 F3 D2 00 00 FF 8C 00 00 FF 8C 00 00 FF 8C 00 00 FF 8C 00 08 FF 00 9F 9D 8D 1E 1A 16 A8 84 00 09 FF 00 A4 A4 9C 23 1E 1A F2 AF 83 00 01 FF 00 80 A4 05 26 23 1E FF F2 AB 82 00 01 FF 00 80 6E 06 FF F3 DC FF FF F2 A9 81 00 01 FF 00 80 6E 02 FF FF F3 80 FF 01 F2 AB 80 00 01 FF 00 80 6E 84 FF 05 F2 AD 00 00 FF 00 80 FF 80 6E 09 FE F2 DC 45 3B 3B 00 00 FF 00 80 FF 80 6E 09 FE FE F2 4F 45 3B 00 00 FF 00 80 FF 80 6E 80 FE 06 57 4F 45 00 00 FF 00 80 93 80 F2 80 52 06 8F 88 7D 00 00 FF 00 80 93 80 F2 80 52 09 8F 8F 88 00 00 FF 00 7F 93 93 80 F2 80 52 05 8F 8F 7B 00 00 FF 8C 00 00 FF 8C 00 00 FF 8C 00 00 FF 8C 00 08 FF 00 C4 C1 AE 34 2D 26 A8 84 00 09 FF 00 CA CA C0 3C 34 2D F2 AF 83 00 01 FF 00 80 CA 05 42 3C 34 FF F2 AB 82 00 01 FF 00 80 F1 06 1D 1C 19 FF FF F2 A9 81

Slide 26

Slide 26 text

No content

Slide 27

Slide 27 text

No content

Slide 28

Slide 28 text

STEGANOGRAPHY

Slide 29

Slide 29 text

্ि࢛߈㐝

Slide 30

Slide 30 text

- --- .-. - ..- .-. .

Slide 31

Slide 31 text

CODE STEGANOGRAPHY

Slide 32

Slide 32 text

(Whitespace)

Slide 33

Slide 33 text

No content

Slide 34

Slide 34 text

IMAGE STEGANOGRAPHY

Slide 35

Slide 35 text

No content

Slide 36

Slide 36 text

HIDING NSDATA IN NSBITMAPIMAGEREP

Slide 37

Slide 37 text

NSString *string = @"hello"; NSData *data = [string dataUsingEncoding:NSUTF8StringEncoding]; const uint8_t *bytes = [data bytes];

Slide 38

Slide 38 text

for (NSUInteger x = 0; x < bitmap.pixelsWide; x++) { for (NSUInteger y = 0; y < bitmap.pixelsHigh; y++) { if ([data length] < (x * bitmap.pixelsWide) + y) { break; } unsigned long pixel[numberOfComponents]; [bitmap getPixel:pixel atX:x y:y]; { // Flip parity bit } [bitmap setPixel:pixel atX:x y:y]; } }

Slide 39

Slide 39 text

const uint8_t byte = bytes[(x * bitmap.pixelsWide) + y]; for (NSUInteger c = 0; c < numberOfComponents; c++) { if ((byte & (1 << c) >> c)) { pixel[c] &= 254; // 0b11111110 } else { pixel[c] |= 1; // 0b00000001 } }

Slide 40

Slide 40 text

AUDIO STEGANOGRAPHY

Slide 41

Slide 41 text

No content

Slide 42

Slide 42 text

No content

Slide 43

Slide 43 text

No content

Slide 44

Slide 44 text

NOPE

Slide 45

Slide 45 text

CRYPTOGRAPHY

Slide 46

Slide 46 text

P ≟ NP

Slide 47

Slide 47 text

IF THE SOLUTION TO A PROBLEM CAN BE QUICKLY verified BY A COMPUTER, CAN THE COMPUTER ALSO solve THAT PROBLEM QUICKLY?

Slide 48

Slide 48 text

e.g. DIVIDE THE ROOM UP INTO 2 GROUPS, SUCH THAT EACH GROUP HAS THE SAME COMBINED AGE IN YEARS. THIS IS AN EXAMPLE OF THE Partition Problem, WHICH IS REFERRED TO AS "THE EASIEST HARD PROBLEM"

Slide 49

Slide 49 text

e.g. FIND THE SHORTEST ROUTE TO VISIT ALL OF THE COFFEE SHOPS IN SAN FRANCISCO EXACTLY ONCE. THIS IS A VERSION OF THE Traveling Salesman Problem, A CLASSIC PROBLEM IN COMPUTER SCIENCE.

Slide 50

Slide 50 text

SECURITY THROUGH HARD MATH PROBLEMS

Slide 51

Slide 51 text

SYMMETRIC or ASYMMETRIC

Slide 52

Slide 52 text

SYMMETRIC ENCRYPTION KEY AND DECRYPTION KEY ARE THE same

Slide 53

Slide 53 text

No content

Slide 54

Slide 54 text

No content

Slide 55

Slide 55 text

ASYMMETRIC ENCRYPTION KEY AND DECRYPTION KEY ARE different

Slide 56

Slide 56 text

No content

Slide 57

Slide 57 text

DIFFIE-HELLMAN KEY EXCHANGE

Slide 58

Slide 58 text

No content

Slide 59

Slide 59 text

COCOA

Slide 60

Slide 60 text

ENCRYPTION TECHNOLOGIES COMMON TO IOS AND OS X ▸ Keychain Services API ▸ Cryptographic Message Syntax ▸ Certificate, Key, and Trust Services

Slide 61

Slide 61 text

KEYCHAIN SERVICES API SECURE STORAGE OF CREDENTIALS (PASSWORDS, KEYS, ETC.) BUILT ON THE COMMON DATA SECURITY ARCHITECTURE (CDSA) AND ITS PROGRAMMING INTERFACE, COMMON SECURITY SERVICES MANAGER (CSSM)

Slide 62

Slide 62 text

CRYPTOGRAPHIC MESSAGE SYNTAX SERVICES DIGITAL SIGNATURES AND ENCRYPTION FOR S/MIME MESSAGES. CMS IS THE IETF'S STANDARD FOR CRYPTOGRAPHICALLY PROTECTED MESSAGES

Slide 63

Slide 63 text

CERTIFICATE, KEY, AND TRUST SERVICES AUTHENTICATE AND AUTHORIZE USERS AND PROCESSES USING KEYS AND CERTIFICATES MANY OF THE FUNCTIONS IN THIS API MUST BE USED IN CONJUNCTION WITH KEYCHAIN SERVICES API.

Slide 64

Slide 64 text

SecKeyEncrypt Encrypts data using the specified key. SecKeyDecrypt Decrypts data using the specified key.

Slide 65

Slide 65 text

SecKeyRawSign Signs data using the specified key. SecKeyRawVerify Verifies a signature against data and a specified key.

Slide 66

Slide 66 text

COMMONCRYPTO LOW-LEVEL C SUPPORT FOR ENCRYPTION AND DECRYPTION MD5 / SHA DIGESTS & HMAC

Slide 67

Slide 67 text

CREATING A SHA-1 CHECKSUM NSData *data = ...; uint8_t output[CC_SHA1_DIGEST_LENGTH]; CC_SHA1(data.bytes, data.length, output); NSData *checksum = [NSData dataWithBytes:output length:CC_SHA1_DIGEST_LENGTH];

Slide 68

Slide 68 text

No content

Slide 69

Slide 69 text

CREATING SHA-1 HMAC NSData *data, *key; unsigned int length = CC_SHA1_DIGEST_LENGTH; unsigned char output[length]; CCHmac(kCCHmacAlgSHA1, key.bytes, key.length, data.bytes, data.length, output);

Slide 70

Slide 70 text

WRITING DATA TO KEYCHAIN NSString *key, service; NSData *data; NSMutableDictionary *mutableQuery = [NSMutableDictionary dictionary]; mutableQuery[(__bridge id)kSecClass] = (__bridge id)kSecClassGenericPassword; mutableQuery[(__bridge id)kSecAttrService]= service; mutableQuery[(__bridge id)kSecAttrGeneric]= key; mutableQuery[(__bridge id)kSecAttrAccount]= key; OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)mutableQuery, NULL);

Slide 71

Slide 71 text

if (status == errSecSuccess) { NSMutableDictionary *attributesToUpdate = [[NSMutableDictionary alloc] init]; [attributesToUpdate setObject: forKey:]; NSDictionary *updatedAttributes = @{(__bridge id)kSecValueData: data}; SecItemUpdate((__bridge CFDictionaryRef)query, (__bridge CFDictionaryRef)updatedAttributes); }

Slide 72

Slide 72 text

else { NSMutableDictionary *mutableAttributes = [NSMutableDictionary dictionary]; mutableAttributes[(__bridge id)kSecClass] = (__bridge id)kSecClassGenericPassword; mutableAttributes[(__bridge id)kSecAttrService] = service; mutableAttributes[(__bridge id)kSecAttrGeneric] = key; mutableAttributes[(__bridge id)kSecAttrAccount] = key; mutableAttributes[(__bridge id)kSecAttrAccessible] = (__bridge id)kSecAttrAccessibleAfterFirstUnlock; mutableAttributes[(__bridge id)kSecValueData] = data; SecItemAdd((__bridge CFDictionaryRef)attributes, NULL); }

Slide 73

Slide 73 text

cocoapods.org/?q=keychain

Slide 74

Slide 74 text

VERIFYING SSL CERTIFICATE SecTrustRef trust; SecPolicyRef X509Policy = SecPolicyCreateBasicX509(); SecTrustSetPolicies(serverTrust, (__bridge CFArrayRef)@[(__bridge id)X509Policy]); SecTrustResultType result; __Require_noErr(SecTrustEvaluate(trust, &result), exit);

Slide 75

Slide 75 text

X.509 CERTIFICATE $ openssl x509 -in freesoft-certificate.pem -noout -text Certificate: Data: Version: 1 (0x0) Serial Number: 7829 (0x1e95) Signature Algorithm: md5WithRSAEncryption Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/[email protected] Validity Not Before: Jul 9 16:04:02 1998 GMT Not After : Jul 9 16:04:02 1999 GMT Subject: C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft, CN=www.freesoft.org/[email protected] Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:b4:31:98:0a:c4:bc:62:c1:88:aa:dc:b0:c8:bb:... Exponent: 65537 (0x10001) Signature Algorithm: md5WithRSAEncryption 93:5f:8f:5f:c5:af:bf:0a:ab:a5:6d:fb:24:5f:b6:59:5d:9d:...

Slide 76

Slide 76 text

SSL PINNING PREVENT MAN-IN-THE-MIDDLE ATTACKS VALIDATES CERTIFICATE OR PUBLIC KEY CHAIN

Slide 77

Slide 77 text

AFSECURITYPOLICY GITHUB.COM/AFNETWORKING

Slide 78

Slide 78 text

ZZZZZZZZ.....

Slide 79

Slide 79 text

LET'S MAKE SOMETHING

Slide 80

Slide 80 text

MULTIPEERCONNECTIVITY SECURITY CORE IMAGE AVFOUNDATION

Slide 81

Slide 81 text

MULTIPEERCONNECTIVITY

Slide 82

Slide 82 text

NSString *name = [[UIDevice currentDevice] name]; MCPeerID *localPeerID = [[MCPeerID alloc] initWithDisplayName:name];

Slide 83

Slide 83 text

MCNearbyServiceAdvertiser *advertiser = [[MCNearbyServiceAdvertiser alloc] initWithPeer:localPeerID discoveryInfo:nil serviceType:XXServiceType]; advertiser.delegate = self; [advertiser startAdvertisingPeer];

Slide 84

Slide 84 text

#pragma mark - MCNearbyServiceAdvertiserDelegate - (void)advertiser:(MCNearbyServiceAdvertiser *)advertiser didReceiveInvitationFromPeer:(MCPeerID *)peerID withContext:(NSData *)context invitationHandler:(void(^)(BOOL accept, MCSession *session))invitationHandler { if ([context isEqualToData:self.secret) { MCSession *session = [[MCSession alloc] initWithPeer:localPeerID securityIdentity:identity encryptionPreference:MCEncryptionRequired]; session.delegate = self; if (invitationHandler) { invitationHandler(YES, session); } } else { if (invitationHandler) { invitationHandler(NO, nil); } } }

Slide 85

Slide 85 text

NSString *message = @"Hello, World!"; NSData *data = [message dataUsingEncoding:NSUTF8StringEncoding]; NSError *error = nil; if (![self.session sendData:data toPeers:peers withMode:MCSessionSendDataReliable error:&error]) { NSLog(@"[Error] %@", error); }

Slide 86

Slide 86 text

#pragma mark - MCSessionDelegate - (void)session:(MCSession *)session didReceiveData:(NSData *)data fromPeer:(MCPeerID *)peerID { NSString *message = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding]; NSLog(@"%@", message); }

Slide 87

Slide 87 text

SECURITY

Slide 88

Slide 88 text

SECURELY GETTING RANDOM BYTES NSUInteger length = 1024; NSMutableData *mutableData = [NSMutableData dataWithLength:length]; OSStatus success = SecRandomCopyBytes(kSecRandomDefault, length, mutableData.mutableBytes); __Require_noErr(success, exit);

Slide 89

Slide 89 text

No content

Slide 90

Slide 90 text

COREIMAGE

Slide 91

Slide 91 text

NSData *oneTimePad; CIFilter *QRCodeGenerator = [CIFilter filterWithName:@"CIQRCodeGenerator"]; [QRCodeGenerator setValue:oneTimePad forKey:@"inputMessage"]; [QRCodeGenerator setValue:@"H" forKey:@"inputCorrectionLevel"];

Slide 92

Slide 92 text

"ASCII ARMOR"

Slide 93

Slide 93 text

BASE64-ENCODING DATA SecTransformRef transform = SecEncodeTransformCreate(kSecBase64Encoding, NULL); SecTransformSetAttribute(transform, kSecTransformInputAttributeName, (__bridge CFDataRef)data, NULL); NSData *encodedData = (__bridge_transfer NSData *)SecTransformExecute(transform, NULL); CFRelease(transform);

Slide 94

Slide 94 text

AVFOUNDATION

Slide 95

Slide 95 text

AVCaptureSession *session = [[AVCaptureSession alloc] init]; AVCaptureDevice *device = [AVCaptureDevice defaultDeviceWithMediaType:AVMediaTypeVideo]; NSError *error = nil; AVCaptureDeviceInput *input = [AVCaptureDeviceInput deviceInputWithDevice:device error:&error]; if (input) { [session addInput:input]; } else { NSLog(@"Error: %@", error); } AVCaptureMetadataOutput *output = [[AVCaptureMetadataOutput alloc] init]; [session addOutput:output]; [output setMetadataObjectsDelegate:self queue:dispatch_get_main_queue()]; [output setMetadataObjectTypes:@[AVMetadataObjectTypeQRCode]]; [session startRunning];

Slide 96

Slide 96 text

- (void)captureOutput:(AVCaptureOutput *)captureOutput didOutputMetadataObjects:(NSArray *)metadataObjects fromConnection:(AVCaptureConnection *)connection { NSString *QRCode = nil; for (AVMetadataObject *metadata in metadataObjects) { if ([metadata.type isEqualToString:AVMetadataObjectTypeQRCode]) { QRCode = [(AVMetadataMachineReadableCodeObject *)metadata stringValue]; break; } } NSLog(@"QR Code: %@", QRCode); }

Slide 97

Slide 97 text

BASE64-DECODING DATA SecTransformRef transform = SecEncodeTransformCreate(kSecBase64Decoding, NULL); NSData *data = [QRCode dataUsingEncoding:NSUTF8StringEncoding]; SecTransformSetAttribute(transform, kSecTransformInputAttributeName, (__bridge CFDataRef)data, NULL); NSData *decodedData = (__bridge_transfer NSData *)SecTransformExecute(transform, NULL); CFRelease(transform);

Slide 98

Slide 98 text

(BUT SERIOUSLY, YOU'RE MUCH, MUCH BETTER OFF ROLLING AN EXISTING, TESTED SECURITY IMPLEMENTATION)

Slide 99

Slide 99 text

IN CONCLUSION

Slide 100

Slide 100 text

RESOURCES ▸ Apple's "Introduction to Secure Coding Guide" ▸ Stanford University Cryptography I on Coursera ▸ ChatSecure & OTRKit

Slide 101

Slide 101 text

THANKS! Stay Safe!