Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Useful Cryptography, An Introduction

Randall Degges
February 29, 2020
Technology
0
510

Useful Cryptography, An Introduction

Cryptography is often thought of as a scary topic, but it doesn't have to be. In this talk, you'll learn about different types of useful cryptography, how they work (without needing a PhD in mathematics), and how to immediately start applying these concepts in your projects.

Randall Degges

February 29, 2020
Tweet

More Decks by Randall Degges

See All by Randall Degges
How to Lose 500k in 5 Minutes
rdegges
0
240
12 Factors of Pain and Suffering
rdegges
3
690
An Introduction to PASETO Tokens
rdegges
0
1.2k
JWTs Suck
rdegges
24
24k
Almost Everything You Ever Wanted to Know About Web Authentication in Python
rdegges
7
920
Almost Everything You Ever Wanted to Know About Web Authentication in Node
rdegges
13
1.9k
WTF Are APIs?!
rdegges
4
810
Fuck It: Let's Have Fun - Building a Top Torrents API
rdegges
2
610
Storing User Files with Express, Stormpath, and Amazon S3
rdegges
0
190

Other Decks in Technology

See All in Technology
Stable Diffusion Web UI, Let Your Fave Eat Ramen
payanotty
1
570
ハッカソンにおけるiOSアプリ開発での学びと楽しさ
ojun9
1
160
Snowflake×dbt×Terraformでモダンなデータ基盤開発してみた
kevinrobot34
0
270
Spring I/O 2023 - Barcelona
bnasslahsen
0
120
つくばチャレンジ2023全体概要
tsukubachallenge
0
110
20230520_ChatGPT入門と意思決定への活用(20min版)_v1
doradora09
0
170
初学者が1ヶ月ほどAWS CDKを勉強してみた - AWS CDK Conference Japan 2023
sakaguchi
0
570
CDKを使って爆速でナレッジサイトを公開した話
nyankotaro
1
760
SQLを活用したデータ分析におけるChatGPTの活用法
hikarut
6
2.3k
CyberAgent AI事業本部MLOps研修応用編
nsakki55
32
16k
Nx CloudでCIを爆速にした話
puku0x
0
320
5 Essential Rules for Effective Prioritization in Agile
eiki
0
280

Featured

See All Featured
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
217
21k
Clear Off the Table
cherdarchuk
81
300k
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
197
11k
Music & Morning Musume
bryan
37
4.8k
Designing with Data
zakiwarfel
91
4.3k
Unsuck your backbone
ammeep
660
56k
Debugging Ruby Performance
tmm1
68
11k
A designer walks into a library…
pauljervisheath
199
17k
Making the Leap to Tech Lead
cromwellryan
118
7.8k
Documentation Writing (for coders)
carmenintech
52
3.1k
jQuery: Nuts, Bolts and Bling
dougneiner
57
6.7k
Being A Developer After 40
akosma
49
580k

Transcript

  1. @rdegges @oktadev
    Useful Cryptography
    An Introduction

    View Slide

  2. @rdegges @oktadev
    Hey, I'm Randall
    Builder Python / JS /
    Go Hacker
    Author
    Open Source
    Chief Hacker @ Okta

    View Slide

  3. @rdegges @oktadev
    I am not a cryptographer!

    View Slide

  4. @rdegges @oktadev
    Why even?
    you website
    database
    website
    "how to store passwords"
    password hashing
    god

    View Slide

  5. @rdegges @oktadev
    I literally can't even.
    Developers should never
    do crypto.

    View Slide

  6. @rdegges @oktadev
    Hashing

    View Slide

  7. @rdegges @oktadev
    What is a Hash Function?
    hash(s)
    Input Hash (Digest)
    "ilovemymom" "6cd7c44ad701d00aa59b4225978e9c7ddf00c682"
    "ilovemymom" "6cd7c44ad701d00aa59b4225978e9c7ddf00c682"
    "wooooboyyyyyyyyy" "968360efa4e572ba34504af1d438b1fc60871943"
    deterministic
    unique
    irreversible

    View Slide

  8. @rdegges @oktadev
    Hahes are great for information that
    you need to verify but never persist.
    web server
    Email: [email protected]
    Password: ilovemymom
    db
    Password:
    pwn3d!
    Password: ilovemymom
    I want to create an account.

    View Slide

  9. @rdegges @oktadev
    How User Login Works with Hashing
    web server
    Email: [email protected]
    Password: ilovemymom
    db
    Email: [email protected]
    I want to log into my account.
    Password:
    Compute hash("ilovemymom")
    Compare hash("ilovemymom") ==
    Equal? Login successful!
    Unequal? No login for you!

    View Slide

  10. @rdegges @oktadev
    There are two types of
    hashing algorithms.
    ??!?!
    Cryptographic hash
    functions
    Password hash
    functions
    Oh my!

    View Slide

  11. @rdegges @oktadev
    Cryptographic Hash Functions
    AKA: the fast ones
    ubuntu-18.04.2-desktop-amd64.iso
    (1.9 GB)
    $ sha1sum ubuntu-18.04.2-desktop-amd64.iso
    bcdb9099024c468047f3f31c7d23e68a35ea4de2
    (3.176 seconds)
    ubuntu
    ubuntu-18.04.2-desktop-amd64.iso
    Hash: bcdb9099024c468047f3f31c7d23e68a35ea4de2

    View Slide

  12. @rdegges @oktadev
    Cryptographic hash functions
    are useful for verifying the
    integrity of data.
    MD5 (1991) SHA-1 (1995)
    SHA-2 (2001)
    SHA-3 (2015) BLAKE 2 (2012)
    *Latacora (2018)
    *
    Ron Rivest
    RSA!

    View Slide

  13. @rdegges @oktadev
    Password Hash Functions
    AKA: the slow ones
    Password: "ilovemymom"
    db
    sha2("ilovemymom")
    sha2(pass)
    ??!?!
    Brute force!
    for pw in pw_generator():
    if sha2(pw) == stolen_hash:
    print 'Password found!'
    Dictionary lists
    Sequential
    Breached password databases

    View Slide

  14. @rdegges @oktadev

    View Slide

  15. @rdegges @oktadev
    Password hash functions are
    useful for storing sensitive
    password data and keys.
    PBKDF2 (2000)
    bcrypt (1999)
    scrypt (2009)
    argon2 (2015)
    argon2i
    argon2d
    argon2id
    hash(pass)
    hash( )

    View Slide

  16. @rdegges @oktadev

    View Slide

  17. @rdegges @oktadev
    Randomness
    API Keys
    Random Numbers
    Passphrases
    Database IDs

    View Slide

  18. @rdegges @oktadev
    There are two "kinds" of security.
    computational
    information-theoretic

    View Slide

  19. @rdegges @oktadev
    The best way to generate random
    numbers is /dev/urandom.
    OS kernel
    keyboard timings
    mouse movements
    storage timings
    random pool
    /dev/random
    /dev/urandom
    app
    OSX
    FreeBSD
    Linux
    NetBSD
    CSPRNG

    View Slide

  20. @rdegges @oktadev

    View Slide

  21. @rdegges @oktadev
    Encryption

    View Slide

  22. @rdegges @oktadev
    Encryption is useful for hiding data
    you need to eventually see again.
    app
    s3
    passwords.txt
    passwords.txt.enc
    shit :/
    ciphertext

    View Slide

  23. @rdegges @oktadev
    There are two types of encryption.
    symmetric
    asymmetric

    View Slide

  24. @rdegges @oktadev
    Symmetric Encryption
    data
    secret
    ciphertext secret
    data
    ciphertext
    Encryption Decryption
    Long, random string.

    View Slide

  25. @rdegges @oktadev
    Symmetric encryption is useful in
    circumstances where you can keep a
    trusted secret safe.
    web server
    AWS_ACCESS_KEY_ID
    AWS_SECRET_ACCESS_KEY
    SIGNING_KEY
    ENCRYPTION_KEY
    ...

    View Slide

  26. @rdegges @oktadev
    How should you do symmetric encryption?
    * Amazon KMS
    *Latacora (2018)
    AWS Encryption SDK
    KMS
    master key(s)
    data
    data key
    encryption
    algorithm ciphertext
    encryption
    algorithm
    encrypted data key
    encrypted
    message

    View Slide

  27. @rdegges @oktadev
    How should you do symmetric decryption?
    KMS
    master key(s)
    data
    data key
    decryption
    algorithm
    ciphertext
    encrypted data key
    encrypted
    message
    decryption
    algorithm

    View Slide

  28. @rdegges @oktadev
    It sounds complex, but...
    aws.encrypt(plaintext)
    aws.decrypt(encrypted message)

    View Slide

  29. @rdegges @oktadev
    Asymmetric encryption is useful in
    circumstances where you need to
    exchange data securely between
    untrusted parties.
    inbox
    email
    rdegges.com
    tls

    View Slide

  30. @rdegges @oktadev
    Asymmetric Encryption
    ciphertext
    data
    public
    key
    private
    key
    Bob Alice
    ciphertext
    data
    public
    key
    private
    key
    shareable

    View Slide

  31. @rdegges @oktadev
    How should you do asymmetric encryption?
    * NaCl/libsodium
    *Latacora (2018)
    Box API
    Bob Alice
    public
    key
    private
    key
    public
    key
    private
    key
    box(bs, ap)
    ciphertext
    data
    box.encrypt(data)

    View Slide

  32. @rdegges @oktadev
    How should you do asymmetric decryption?
    Bob Alice
    public
    key
    private
    key
    public
    key
    private
    key
    ciphertext
    data
    box(as, bp)
    box.decrypt(c)

    View Slide

  33. @rdegges @oktadev
    Don't roll your own crypto. Use crypto
    and be smart about it.

    View Slide

  34. @rdegges @oktadev

    View Slide

  35. @rdegges @oktadev
    Thank You
    rdegges.com
    developer.okta.com

    View Slide

  36. @rdegges @oktadev
    Sources
    ● "Cryptographic Right Answers":
    https://latacora.micro.blog/2018/04/03/cryptographic-right-answers.html
    ● "Password Hashing Competition": https://password-hashing.net/
    ● "Myths About /dev/urandom": https://www.2uo.de/myths-about-urandom/
    ● "When to use /dev/random vs /dev/urandom":
    https://unix.stackexchange.com/questions/324209/when-to-use-dev-random-vs-dev-urandom
    ● "djb" on /dev/urandom:
    https://www.mail-archive.com/[email protected]/msg04763.html
    ● KMS FAQ: https://aws.amazon.com/kms/faqs/
    ● PyNaCl: https://pynacl.readthedocs.io/en/stable/public/

    View Slide