Useful Cryptography, An Introduction

Useful Cryptography, An Introduction

Cryptography is often thought of as a scary topic, but it doesn't have to be. In this talk, you'll learn about different types of useful cryptography, how they work (without needing a PhD in mathematics), and how to immediately start applying these concepts in your projects.

56badf521701d4f9b3a394d3ef6e90c4?s=128

Randall Degges

February 29, 2020
Tweet

Transcript

  1. @rdegges @oktadev Useful Cryptography An Introduction

  2. @rdegges @oktadev Hey, I'm Randall Builder Python / JS /

    Go Hacker Author Open Source Chief Hacker @ Okta
  3. @rdegges @oktadev I am not a cryptographer!

  4. @rdegges @oktadev Why even? you website database website "how to

    store passwords" password hashing god
  5. @rdegges @oktadev I literally can't even. Developers should never do

    crypto.
  6. @rdegges @oktadev Hashing

  7. @rdegges @oktadev What is a Hash Function? hash(s) Input Hash

    (Digest) "ilovemymom" "6cd7c44ad701d00aa59b4225978e9c7ddf00c682" "ilovemymom" "6cd7c44ad701d00aa59b4225978e9c7ddf00c682" "wooooboyyyyyyyyy" "968360efa4e572ba34504af1d438b1fc60871943" deterministic unique irreversible
  8. @rdegges @oktadev Hahes are great for information that you need

    to verify but never persist. web server Email: r@rdegges.com Password: ilovemymom db Password: <hash(pw)> pwn3d! Password: ilovemymom I want to create an account.
  9. @rdegges @oktadev How User Login Works with Hashing web server

    Email: r@rdegges.com Password: ilovemymom db Email: r@rdegges.com I want to log into my account. Password: <hash> Compute hash("ilovemymom") Compare hash("ilovemymom") == <hash> Equal? Login successful! Unequal? No login for you!
  10. @rdegges @oktadev There are two types of hashing algorithms. ??!?!

    Cryptographic hash functions Password hash functions Oh my!
  11. @rdegges @oktadev Cryptographic Hash Functions AKA: the fast ones ubuntu-18.04.2-desktop-amd64.iso

    (1.9 GB) $ sha1sum ubuntu-18.04.2-desktop-amd64.iso bcdb9099024c468047f3f31c7d23e68a35ea4de2 (3.176 seconds) ubuntu ubuntu-18.04.2-desktop-amd64.iso Hash: bcdb9099024c468047f3f31c7d23e68a35ea4de2
  12. @rdegges @oktadev Cryptographic hash functions are useful for verifying the

    integrity of data. MD5 (1991) SHA-1 (1995) SHA-2 (2001) SHA-3 (2015) BLAKE 2 (2012) *Latacora (2018) * Ron Rivest RSA!
  13. @rdegges @oktadev Password Hash Functions AKA: the slow ones Password:

    "ilovemymom" db sha2("ilovemymom") sha2(pass) ??!?! Brute force! for pw in pw_generator(): if sha2(pw) == stolen_hash: print 'Password found!' Dictionary lists Sequential Breached password databases
  14. @rdegges @oktadev

  15. @rdegges @oktadev Password hash functions are useful for storing sensitive

    password data and keys. PBKDF2 (2000) bcrypt (1999) scrypt (2009) argon2 (2015) argon2i argon2d argon2id hash(pass) hash( )
  16. @rdegges @oktadev

  17. @rdegges @oktadev Randomness API Keys Random Numbers Passphrases Database IDs

  18. @rdegges @oktadev There are two "kinds" of security. computational information-theoretic

  19. @rdegges @oktadev The best way to generate random numbers is

    /dev/urandom. OS kernel keyboard timings mouse movements storage timings random pool /dev/random /dev/urandom app OSX FreeBSD Linux NetBSD CSPRNG
  20. @rdegges @oktadev

  21. @rdegges @oktadev Encryption

  22. @rdegges @oktadev Encryption is useful for hiding data you need

    to eventually see again. app s3 passwords.txt passwords.txt.enc shit :/ ciphertext
  23. @rdegges @oktadev There are two types of encryption. symmetric asymmetric

  24. @rdegges @oktadev Symmetric Encryption data secret ciphertext secret data ciphertext

    Encryption Decryption Long, random string.
  25. @rdegges @oktadev Symmetric encryption is useful in circumstances where you

    can keep a trusted secret safe. web server AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY SIGNING_KEY ENCRYPTION_KEY ...
  26. @rdegges @oktadev How should you do symmetric encryption? * Amazon

    KMS *Latacora (2018) AWS Encryption SDK KMS master key(s) data data key encryption algorithm ciphertext encryption algorithm encrypted data key encrypted message
  27. @rdegges @oktadev How should you do symmetric decryption? KMS master

    key(s) data data key decryption algorithm ciphertext encrypted data key encrypted message decryption algorithm
  28. @rdegges @oktadev It sounds complex, but... aws.encrypt(plaintext) aws.decrypt(encrypted message)

  29. @rdegges @oktadev Asymmetric encryption is useful in circumstances where you

    need to exchange data securely between untrusted parties. inbox email rdegges.com tls
  30. @rdegges @oktadev Asymmetric Encryption ciphertext data public key private key

    Bob Alice ciphertext data public key private key shareable
  31. @rdegges @oktadev How should you do asymmetric encryption? * NaCl/libsodium

    *Latacora (2018) Box API Bob Alice public key private key public key private key box(bs, ap) ciphertext data box.encrypt(data)
  32. @rdegges @oktadev How should you do asymmetric decryption? Bob Alice

    public key private key public key private key ciphertext data box(as, bp) box.decrypt(c)
  33. @rdegges @oktadev Don't roll your own crypto. Use crypto and

    be smart about it.
  34. @rdegges @oktadev

  35. @rdegges @oktadev Thank You rdegges.com developer.okta.com

  36. @rdegges @oktadev Sources • "Cryptographic Right Answers": https://latacora.micro.blog/2018/04/03/cryptographic-right-answers.html • "Password

    Hashing Competition": https://password-hashing.net/ • "Myths About /dev/urandom": https://www.2uo.de/myths-about-urandom/ • "When to use /dev/random vs /dev/urandom": https://unix.stackexchange.com/questions/324209/when-to-use-dev-random-vs-dev-urandom • "djb" on /dev/urandom: https://www.mail-archive.com/cryptography@randombit.net/msg04763.html • KMS FAQ: https://aws.amazon.com/kms/faqs/ • PyNaCl: https://pynacl.readthedocs.io/en/stable/public/