Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Crypto 101 by Laurens Van Houtven
Search
PyCon 2013
March 16, 2013
Programming
10
1.3k
Crypto 101 by Laurens Van Houtven
PyCon 2013
March 16, 2013
Tweet
Share
More Decks by PyCon 2013
See All by PyCon 2013
Bayesian statistics made simple by Allen Downey
pyconslides
32
6.1k
Python for Humans
pyconslides
40
6.5k
Contribute with me! Getting started with the tools of free software development by Jessica McKellar
pyconslides
11
1.9k
ApplePy: An Apple ][ emulator in Python by James Tauber
pyconslides
3
1.5k
Use curses, don't swear by Sean Zicari
pyconslides
2
1.4k
Namespaces in Python by Eric Snow
pyconslides
9
1.7k
Internationalization and Localization Done Right by Ruchi Varshney
pyconslides
9
1.1k
"Good Enough" is good enough! by Alex Martelli
pyconslides
13
2.4k
Plover: Thought to Text at 240 WPM by Mirabai Knight
pyconslides
1
1.2k
Other Decks in Programming
See All in Programming
document.write再考
brn
5
2.5k
WebComponentsで フレームワークを1ページに共存させる
webuilder240
0
150
クソコード動画『カプセル化 Mk-II』 で考える 上手くカプセル化できない理由 / encapsulation2
minodriven
11
8.1k
Enhancing Applications with Accessibility API
kishikawakatsumi
3
1.1k
Some Quick Ideas To Improve Your Tests ( #jassttokyo )
teyamagu
PRO
2
2.3k
ONE WEDGE_Company_Information
1wedge
0
180
Understanding Ast By Looking
inouehi
0
120
Ruby製社内ツールのGo移行
bgpat
2
270
脱・初心者!脱・マネコン!AWS CDKを使ってみませんか!?
har1101
0
180
とにかくHTTP3をライトニングに話す / Anyway, I'll talk to Lightning about HTTP3.
seike460
PRO
0
120
受託開発でGitLab CI を活用していく
xiombatsg
1
130
LLMチャットボットのアプリケーション設計Tips
os1ma
4
670
Featured
See All Featured
How GitHub Uses GitHub to Build GitHub
holman
467
290k
We Have a Design System, Now What?
morganepeng
42
6.7k
Intergalactic Javascript Robots from Outer Space
tanoku
266
26k
The World Runs on Bad Software
bkeepers
PRO
60
6.6k
A Modern Web Designer's Workflow
chriscoyier
689
190k
Designing on Purpose - Digital PM Summit 2013
jponch
109
6.4k
Building Flexible Design Systems
yeseniaperezcruz
317
37k
Typedesign – Prime Four
hannesfritz
36
2k
Done Done
chrislema
178
15k
Visualization
eitanlees
135
14k
Navigating Team Friction
lara
177
13k
Large-scale JavaScript Application Architecture
addyosmani
501
110k
Transcript
Crypto 101 @lvh
@lvh
[email protected]
None
None
None
POST /quantum HTTP/1.1
None
Lightning Talk Version
In motion: TLS
At rest: GPG
(Py)NaCl KeyCzar cryptlib
If you are typing the letters A-E-S into your code,
you’re doing it wrong.
DES: extra wrong MD5, SHA: maybe wrong
Why stay?
Recognizing wrong stuff still matters
Understanding stuff still matters
None
None
xor
1 ^ 0 == 1 0 ^ 1 == 1
1 ^ 1 == 0 0 ^ 0 == 0
Invert? Input Output
Invert: yes (1) Input: 1 Output: 0
Invert: no (0) Input: 1 Output: 1
One-time Pad
1110010101010110 1010100000111101 0100101010101010 ...
OTP crypto XWCVPR
Perfect secrecy
0? 1? 1
1? 0? 1
None
None
None
Victory!
len(one_time_pad)
== len(all_data_ever)
== very_big_number
Exchange?
Ciphers
Block Ciphers
Block Cipher Key abc XYZ Ciphertext Same fixed size Plaintext
Fixed size
P C
Random permutation
000: 001 001: 010 010: 111 011: 000 100: 110
101: 011 110: 100 111: 101
x, C(k, x) vs y, C(k, y)
P C
AES
Blowfish/Twofish
DES/3DES
Victory!
“Hello”
with open(“x.jpg”) as f: send(f, you)
Block Cipher
len(message) > block_size
aes.block_size == 128 (16 bytes)
Stream Ciphers
Native stream ciphers
RC4
Salsa20 ChaCha20
Implemented as construction with block ciphers
abcdefghijklmnopqrstuvw C k C k C k C k C
k C k C k { { { { { { { { C k padding KEGASVTPCFDRUWBOJNMHXQIL { { { { { { { {
ECB
plaintext chunk ciphertext chunk
None
None
None
None
Replay Attacks
None
None
Block Cipher Modes of Operation
ECB, (P)CBC, CFB, OFB, CTR
ECB, (P)CBC, CFB, OFB, CTR
CBC
Most common in the wild
BEAST
CTR
{nonce}{count:08d}
D501320200000000 D501320200000001 D501320200000002 Nonce Count . . .
C k C k D501320200000000, D501320200000001, ... D1DC4D1FE3679212, 0FD25C7B1CF46485, ...
D1DC4D1FE3679212 0FD25C7B1CF46485 ...
Keystream
Pseudo-OTP
GCM, EAX, OCB, IAPM, CCM, CWC
GCM, EAX, OCB, IAPM, CCM, CWC
PATENT PENDING
Victory!
None
Key exchange?
In person?
None
O(n2)
Diffie-Hellman Key Exchange
None
= +
= + +
- =
Internet Me You
None
+ = + =
None
None
+ = + =
= + + + +
Victory!
None
Cease fire! ZSTAMUTJMEFFILH Cease fire!
Attack at dawn! HUWKEMMQTXMR Attack at dawn!
Authenticity
sender == expected_sender
message == expected_message
Encryption without authentication
Almost certainly wrong
Attackers don’t need to decrypt to modify
Cryptographic hash functions
lorem ipsum 358d846c39 digest (state) fixed size message arbitrary size
Hash Function
lorem ipsum 358d846c39 Hash Function
lorem ipsum 358d846c39 Hash Function
lorem python 358d846c39 lorem ipsum 358d846c39 Hash Function Hash Function
lorem python 358d846c39 lorem ipsum 358d846c39 Hash Function Hash Function
That’s it.
H(x) can be used to compute H(f(x))
Extension attacks
hf = HF(“hello pycon\n”) hf.update(“how are you”) hf.hexdigest()
hf = HF(state=your_hash) hf.update(my_string) hf.hexdigest()
my_string = “\nI am not attending, because I have switched
to PHP”
Payment processor
MD5(secret + amount)
$12.00: “1200”
hf = HF(state=your_hash) hf.update(“0” * 12) hf.hexdigest()
bwall/HashPump
SHA-3 era: fixed (SHA-3, BLAKE2)
SHA-256, SHA-3 (both are fine)
BLAKE2
MAC
H(x) can be used to compute H(f(x))
MAC(k, x) says nothing about MAC(k, f(x))
MAC(k, x) says nothing about MAC(k, y)
HMAC
hmac(k, hf, msg)
import hmac
Password storage
CHFs are WRONG
password 45ed8f8c31 Hash Function
Brute force?
None
ATI HD 5970, 2GB 5.6e9 MD5/s 2.3e9 SHA2/s
None
SHA-3?
lorem ipsum 358d846c39 Hash Function
SHA-2-256: 14 cpb SHA-3-256: 11 cpb (Intel Ivy Bridge/Sandy Bridge)
Salts?
Dictionary attacks
KDFs should be hard to compute
bcrypt (tunably) time-hard
scrypt time- and space-hard
Sender authentication?
None
Public key Cryptography
None
None
None
Key generation
me me you you
me you
Encryption
PK Enc you hello world BXUWD VWQEF
Decryption
PK Dec you hello world BXUWD VWQEF you
Signing
Anyone can use my public key
How do I know you’re you?
PK Dec you Signature HF(m) you
PK Enc you Signature HF(m)
RSA
Victory!
“me” == actually me?
Chains of signatures
I don’t trust you.
But X trusts you.
And I trust X.
So I trust you.
GPG key signing
SSL
TLS
None
version, ciphersuites, ...
Key exchange method (RSA, DH, ...)
Signing algorithm (RSA, DSA, ECDSA)
Bulk encryption algorithm (AES-CBC, RC4...)
MAC algorithm (HMAC-{MD5, SHA2})
version, ciphersuites, ...
✓
RSA Enc srvr random secret OUTDX BHXUS
OUTDXBHXUS
RSA Dec srvr random secret OUTDX BHXUS srvr
random secret AES MAC random secret AES MAC
MAC
None
Encrypted + Authenticated
✓
None
CAs
...
None
valid vs trustworthy?
valid vs trustworthy?
What if I plant a root cert?
sslbump
ICAP/eCAP
lvh/minitrue
Questions?
Timing attacks
Side-channel
Implementation, not theory
None
None
None
None
None
provided == password
compare length
compare byte by byte
“abc” == “xyz”
“abc” == “ayz”
“abc” == “abz”
len(alpha) ** len(pw)
X * X * X * .... len(alpha) possibilities len(pwd)
times
k * len(alpha) * len(pw) possibilities measurements characters
More TLS
Client certificates
Ephemeral Diffie-Hellman
Elliptic Curves ECDH/ECDSA