$30 off During Our Annual Pro Sale. View Details »

Useful Cryptography, An Introduction

Useful Cryptography, An Introduction

Cryptography is often thought of as a scary topic, but it doesn't have to be. In this talk, you'll learn about different types of useful cryptography, how they work (without needing a PhD in mathematics), and how to immediately start applying these concepts in your projects.

Randall Degges

February 29, 2020
Tweet

More Decks by Randall Degges

Other Decks in Technology

Transcript

  1. @rdegges @oktadev Useful Cryptography An Introduction

  2. @rdegges @oktadev Hey, I'm Randall Builder Python / JS /

    Go Hacker Author Open Source Chief Hacker @ Okta
  3. @rdegges @oktadev I am not a cryptographer!

  4. @rdegges @oktadev Why even? you website database website "how to

    store passwords" password hashing god
  5. @rdegges @oktadev I literally can't even. Developers should never do

    crypto.
  6. @rdegges @oktadev Hashing

  7. @rdegges @oktadev What is a Hash Function? hash(s) Input Hash

    (Digest) "ilovemymom" "6cd7c44ad701d00aa59b4225978e9c7ddf00c682" "ilovemymom" "6cd7c44ad701d00aa59b4225978e9c7ddf00c682" "wooooboyyyyyyyyy" "968360efa4e572ba34504af1d438b1fc60871943" deterministic unique irreversible
  8. @rdegges @oktadev Hahes are great for information that you need

    to verify but never persist. web server Email: r@rdegges.com Password: ilovemymom db Password: <hash(pw)> pwn3d! Password: ilovemymom I want to create an account.
  9. @rdegges @oktadev How User Login Works with Hashing web server

    Email: r@rdegges.com Password: ilovemymom db Email: r@rdegges.com I want to log into my account. Password: <hash> Compute hash("ilovemymom") Compare hash("ilovemymom") == <hash> Equal? Login successful! Unequal? No login for you!
  10. @rdegges @oktadev There are two types of hashing algorithms. ??!?!

    Cryptographic hash functions Password hash functions Oh my!
  11. @rdegges @oktadev Cryptographic Hash Functions AKA: the fast ones ubuntu-18.04.2-desktop-amd64.iso

    (1.9 GB) $ sha1sum ubuntu-18.04.2-desktop-amd64.iso bcdb9099024c468047f3f31c7d23e68a35ea4de2 (3.176 seconds) ubuntu ubuntu-18.04.2-desktop-amd64.iso Hash: bcdb9099024c468047f3f31c7d23e68a35ea4de2
  12. @rdegges @oktadev Cryptographic hash functions are useful for verifying the

    integrity of data. MD5 (1991) SHA-1 (1995) SHA-2 (2001) SHA-3 (2015) BLAKE 2 (2012) *Latacora (2018) * Ron Rivest RSA!
  13. @rdegges @oktadev Password Hash Functions AKA: the slow ones Password:

    "ilovemymom" db sha2("ilovemymom") sha2(pass) ??!?! Brute force! for pw in pw_generator(): if sha2(pw) == stolen_hash: print 'Password found!' Dictionary lists Sequential Breached password databases
  14. @rdegges @oktadev

  15. @rdegges @oktadev Password hash functions are useful for storing sensitive

    password data and keys. PBKDF2 (2000) bcrypt (1999) scrypt (2009) argon2 (2015) argon2i argon2d argon2id hash(pass) hash( )
  16. @rdegges @oktadev

  17. @rdegges @oktadev Randomness API Keys Random Numbers Passphrases Database IDs

  18. @rdegges @oktadev There are two "kinds" of security. computational information-theoretic

  19. @rdegges @oktadev The best way to generate random numbers is

    /dev/urandom. OS kernel keyboard timings mouse movements storage timings random pool /dev/random /dev/urandom app OSX FreeBSD Linux NetBSD CSPRNG
  20. @rdegges @oktadev

  21. @rdegges @oktadev Encryption

  22. @rdegges @oktadev Encryption is useful for hiding data you need

    to eventually see again. app s3 passwords.txt passwords.txt.enc shit :/ ciphertext
  23. @rdegges @oktadev There are two types of encryption. symmetric asymmetric

  24. @rdegges @oktadev Symmetric Encryption data secret ciphertext secret data ciphertext

    Encryption Decryption Long, random string.
  25. @rdegges @oktadev Symmetric encryption is useful in circumstances where you

    can keep a trusted secret safe. web server AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY SIGNING_KEY ENCRYPTION_KEY ...
  26. @rdegges @oktadev How should you do symmetric encryption? * Amazon

    KMS *Latacora (2018) AWS Encryption SDK KMS master key(s) data data key encryption algorithm ciphertext encryption algorithm encrypted data key encrypted message
  27. @rdegges @oktadev How should you do symmetric decryption? KMS master

    key(s) data data key decryption algorithm ciphertext encrypted data key encrypted message decryption algorithm
  28. @rdegges @oktadev It sounds complex, but... aws.encrypt(plaintext) aws.decrypt(encrypted message)

  29. @rdegges @oktadev Asymmetric encryption is useful in circumstances where you

    need to exchange data securely between untrusted parties. inbox email rdegges.com tls
  30. @rdegges @oktadev Asymmetric Encryption ciphertext data public key private key

    Bob Alice ciphertext data public key private key shareable
  31. @rdegges @oktadev How should you do asymmetric encryption? * NaCl/libsodium

    *Latacora (2018) Box API Bob Alice public key private key public key private key box(bs, ap) ciphertext data box.encrypt(data)
  32. @rdegges @oktadev How should you do asymmetric decryption? Bob Alice

    public key private key public key private key ciphertext data box(as, bp) box.decrypt(c)
  33. @rdegges @oktadev Don't roll your own crypto. Use crypto and

    be smart about it.
  34. @rdegges @oktadev

  35. @rdegges @oktadev Thank You rdegges.com developer.okta.com

  36. @rdegges @oktadev Sources • "Cryptographic Right Answers": https://latacora.micro.blog/2018/04/03/cryptographic-right-answers.html • "Password

    Hashing Competition": https://password-hashing.net/ • "Myths About /dev/urandom": https://www.2uo.de/myths-about-urandom/ • "When to use /dev/random vs /dev/urandom": https://unix.stackexchange.com/questions/324209/when-to-use-dev-random-vs-dev-urandom • "djb" on /dev/urandom: https://www.mail-archive.com/cryptography@randombit.net/msg04763.html • KMS FAQ: https://aws.amazon.com/kms/faqs/ • PyNaCl: https://pynacl.readthedocs.io/en/stable/public/