Steve Marx
August 09, 2016
160

# Enough Cryptography to Be Dangerous

This introductory talk aims to demystify cryptography. We’ll define and discuss concepts such as password hashing, cryptographic signatures, and encryption. We’ll also work through examples of what tool to use for what kind of job. This talk won’t make you an expert in cryptography, but it will give you working knowledge and a jumping off point to learn more on your own.

August 09, 2016

## Transcript

1. None

3. None
4. None
5. ### I’m perfectly qualified to give this talk • Not an

expert • Definitely dangerous
6. ### My goals • Get you interested in cryptography • Get

you familiar with concepts and terminology • Encourage use of known, tested solutions

8. ### Secrets • Unguessable random numbers • GUID example: f82038a2-ddf4-4cad-b8c1-b7346f34c69c •

340,282,366,920,938,463,463,374,607,431,768,211,456 possiblities • If you generate 10 trillion GUIDs this year… • Passwords • Threats • Online attacks • Offline attacks
9. ### Hash functions • One-way function • Maps arbitrary data to

a fixed-size bit string • Bad (for cryptography) example: f(x) = f mod 100 • Cryptographic hash functions • Given h, it should be hard to find m such that h = hash(m) • Given m1 , it should be hard to find m2 such that hash(m1 ) = hash(m2 ) • It should be hard to find m1 and m2 such that hash(m1 ) = hash(m2 ) • Good example: SHA256
10. ### Password hashing • Cryptographic hash function + expensive • “Expensive”

is relative, ideally has configurable work factor • Salt: random additional input to the hash • Prevents cracking with a precomputed table • Good example: bcrypt
11. ### How would you attack this? isit(password) à boolean • 20-character

password, all uppercase letters • 2620 = 19,928,148,895,209,409,152,340,197,376 possibilities • My laptop can guess 500,000 passwords per second • 1.2 quadrillion years to guess them all • I wrote a program to do it in 4 minutes

13. ### Implementation of isit(password) def isit(text): for i in range(len(password)): if

len(text) <= i: return False if text[i] != password[i]: return False return len(text) == len(password)
14. ### Timing attacks • The time your algorithm takes can be

source of leaks • Don’t hash and compare, use a provided “check” method >>> bcrypt.hashpw(b'correct horse battery staple', salt=bcrypt.gensalt(rounds=12)) b'\$2b\$12\$qeYnf…' >>> bcrypt.checkpw(b'correct horse battery staple', b'\$2b\$12\$qeYnf…') True

17. ### Encryption • Encode a message such that only authorized parties

can read it • Unguessable key • Infeasible to break without knowing the key • Two major types • Symmetric key • Public key
18. ### Symmetric encryption • Same key (shared secret) used for encryption

and decryption • One-time pad • Provably perfect • Random bit string at least the length of the message • XOR message and OTP together • Good example: AES
19. ### Public key encryption • Public key / private key •

Things encrypted with one can be decrypted by the other • Rely on some process difficult to reverse • Integer factorization • Discrete logarithm • Elliptic curve relationships • Sometimes used just to establish a symmetric “session” key • Good example: RSA
20. ### Key exchange • How do two people agree on a

key over an insecure channel? • Good example: Diffie-Hellman key exchange
21. ### Diffie-Hellman example p = 23, g = 5 ALICE chooses

a=6, computes A = ga mod p = 56 mod 23 = 8 ALICE tells Bob 8 BOB chooses b=15, computes B = gb mod p = 515 mod 23 = 19 BOB tells Alice 19 ALICE computes s = Ba mod p = 196 mod 23 = 2 BOB computes s = Ab mod p = 815 mod 23 = 2
22. ### Signatures • HMAC • Keyed-hash message authentication code • Don’t

do this: SHA256(secret + message) • Or this: SHA256(message + secret) • Or this: SHA256(secret + message + secret) • See “length extension attack”
23. ### Time-based one-time passwords (TOTP) • Used for 2-factor authentication, e.g.

Google Authenticator • Roughly HMAC-SHA1(secret, timestamp)
24. None
25. None
26. None

28. ### Python implementation of TOTP data = struct.pack('>Q', int(time.time()) // 30)

signature = hmac.new(secret, data, hashlib.sha1).digest() offset = signature[-1] & 0xF b = bytearray(signature[offset:offset+4]) b[0] &= 0x7F print('{:0>6}'.format( struct.unpack('>L', b)[0] % 10**6))
29. ### JSON web tokens (JWT) • Message is JSON • Signature

concatenated to message